From: russell@coker.com.au (Russell Coker)
Date: Sun, 12 Feb 2017 22:38:32 +1100
Subject: [refpolicy] [PATCH] little misc patches
Message-ID: <20170212113832.h4damrekbuv6d4xn@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This is a bunch of minor fixes that I split out from another patch which also has some of the interfaces needed for the systemd core patch I sent a few days ago (which is why that one didn't work). After we get this one done I'll create a patch set for systemd that should make pebenito happy. ;) Fix some minor labelling issues for init. Make lots of things optional_policy to allow more modular builds. Remove the sysadm_shell_domtrans(init_t) line, it causes problems with systemd as well as upstart. Allow kerneloops_t to read /proc/cpuinfo etc make xserver_create_xdm_tmp_socket() also allow unlinking the socket in question
Index: refpolicy-2.20170212/policy/modules/system/init.fc
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/init.fc
+++ refpolicy-2.20170212/policy/modules/system/init.fc
@@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
 ')
+/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
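Review bot: The new `/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)` entry labels every regular file directly under /usr/lib/systemd as init_exec_t, so any helper in that directory without a more specific file-context entry elsewhere would be executed by init_t with no domain transition and inherit PID 1's privileges. That cuts against the rest of this patch, which expects systemd-journald and systemd-udevd to run as syslogd_t and udev_t, and only works where a longer literal stem in another .fc file takes precedence over this wildcard. Narrowing it to the PID 1 binary, `/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)`, and listing any further helpers that genuinely belong in init_t one by one leaves unlisted helpers on the generic /usr/lib labelling instead of silently promoting them to init_exec_t. The system-generators wildcard is scoped to one subdirectory and is fine as written.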
@@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
 /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
 ifdef(`distro_gentoo', `
 /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
Index: refpolicy-2.20170212/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170212/policy/modules/system/logging.te
@@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
 init_dontaudit_use_fds(auditctl_t)
-locallogin_dontaudit_use_fds(auditctl_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(auditctl_t)
+')
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
@@ -565,6 +567,8 @@ optional_policy(`
 optional_policy(`
 udev_read_db(syslogd_t)
+ # for systemd-journal to read seat data from /run/udev/data
+ udev_read_pid_files(syslogd_t)
 ')
 optional_policy(`
Index: refpolicy-2.20170212/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170212/policy/modules/system/lvm.te
@@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
+
 logging_send_syslog_msg(lvm_t)
 miscfiles_read_localization(lvm_t)
Index: refpolicy-2.20170212/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170212/policy/modules/system/selinuxutil.te
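Review bot: `/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)` labels a user-facing X session launcher as an init script, so whichever domains may run init scripts (init_t, and sysadm_t through its initrc transition) would execute startx and everything it launches in initrc_t, one of the most privileged domains in the policy, while an ordinary user domain would likely be denied executing it at all. Nothing in the description explains why startx is treated as an init script rather than being left to xserver.fc; if some distribution invokes it from an init script, a comment on the entry should say so, otherwise this looks like a mislabel and should be dropped from an init fix. The `/usr/bin/systemd -- init_exec_t` line beside it is reasonable for distributions that install the binary there.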
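Review bot: `dev_write_kmsg(lvm_t)` in the lvm.te hunk is added unconditionally while its comment scopes the need to systemd-cryptsetup, so sysvinit and upstart builds also gain a write path from lvm_t into the kernel log (and anything that forwards dmesg) that they did not have before. init.te in this same series keeps systemd-specific rules under `ifdef(`init_systemd',`; wrapping this grant the same way, `ifdef(`init_systemd',` / `	dev_write_kmsg(lvm_t)` / `')`, limits it to the builds where systemd-cryptsetup exists.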
@@ -343,7 +343,9 @@ files_relabel_non_auth_files(restorecond
 files_read_non_auth_files(restorecond_t)
 auth_use_nsswitch(restorecond_t)
-locallogin_dontaudit_use_fds(restorecond_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(restorecond_t)
+')
 logging_send_syslog_msg(restorecond_t)
@@ -482,7 +484,9 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)
-locallogin_use_fds(semanage_t)
+optional_policy(`
+ locallogin_use_fds(semanage_t)
+')
 logging_send_syslog_msg(semanage_t)
Index: refpolicy-2.20170212/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20170212/policy/modules/system/sysnetwork.te
@@ -145,7 +145,9 @@ logging_send_syslog_msg(dhcpc_t)
 miscfiles_read_localization(dhcpc_t)
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
+optional_policy(`
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
 sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
@@ -333,7 +335,9 @@ logging_send_syslog_msg(ifconfig_t)
 miscfiles_read_localization(ifconfig_t)
-modutils_domtrans_insmod(ifconfig_t)
+optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
+')
 seutil_use_runinit_fds(ifconfig_t)
Index: refpolicy-2.20170212/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/init.te
+++ refpolicy-2.20170212/policy/modules/system/init.te
@@ -304,10 +304,6 @@ ifdef(`init_systemd',`
 ',`
 tunable_policy(`init_upstart',`
 corecmd_shell_domtrans(init_t, initrc_t)
- ',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
- sysadm_shell_domtrans(init_t)
 ')
 ')
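Review bot: The removed `sysadm_shell_domtrans(init_t)` is the else-branch of `tunable_policy(`init_upstart',`, which itself sits in the non-systemd branch of `ifdef(`init_systemd',` (that ifdef opens above this hunk), so on systemd builds it was never compiled in and the description's justification, problems with systemd, does not apply to this line. What the removal changes is plain sysvinit: a single-user or emergency shell spawned by init no longer transitions to sysadm_t, so it either fails to execute or, where init_t can run a shell, ends up as a root shell in init_t with PID 1's privileges and none of the sysadm role's constraints. If upstart is the only real problem it is already excluded by the tunable and nothing needs removing; if the line must go, the description should state the sysvinit impact and name the rule that replaces it.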
@@ -561,8 +557,10 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_generic_certs(initrc_t)
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
+optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
 seutil_read_config(initrc_t)
Index: refpolicy-2.20170212/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170212/policy/modules/system/udev.te
@@ -56,6 +56,7 @@ allow udev_t self:unix_stream_socket con
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
+fs_read_cgroup_files(udev_t)
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
@@ -82,6 +83,8 @@ files_pid_filetrans(udev_t, udev_var_run
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)
 kernel_request_load_module(udev_t)
+# systemd-udevd needs kernel_load_module
+kernel_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
 kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
Index: refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
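Review bot: `fs_read_cgroup_files(udev_t)` is inserted in the middle of the `allow udev_t self:...` block, between the rawip_socket rule and the `udev_exec_t:file write` rule, where refpolicy convention keeps only self rules and the domain's own types; interface calls go below that block grouped by module prefix in alphabetical order, so this belongs beside the other `fs_` calls (or after the `files_` calls if there are none). A why-comment would also help, since the description never mentions cgroups; something like `# systemd-udevd reads its own cgroup path under /sys/fs/cgroup — confirm` records the presumed reason while flagging that it is inferred.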
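Review bot: The added `kernel_load_module(udev_t)` in the second udev.te hunk duplicates the first context line of that same hunk, which is already `kernel_load_module(udev_t)`, so the new rule and its comment `# systemd-udevd needs kernel_load_module` grant nothing and will mislead the next reader into thinking the permission was missing. Duplicate allow rules compile silently, which is why this slips through; drop the two added lines, or if the aim was to document why udev loads modules, move the comment onto the existing call instead.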
@@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
 files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
 kernel_read_ring_buffer(kerneloops_t)
+kernel_read_system_state(kerneloops_t)
 domain_use_interactive_fds(kerneloops_t)
Index: refpolicy-2.20170212/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170212/policy/modules/system/locallogin.te
@@ -62,6 +62,8 @@ kernel_link_key(local_login_t)
 corecmd_list_bin(local_login_t)
 corecmd_read_bin_symlinks(local_login_t)
+# for /bin/uname
+corecmd_exec_bin(local_login_t)
 # cjp: these are probably not needed:
 corecmd_read_bin_files(local_login_t)
 corecmd_read_bin_pipes(local_login_t)
Index: refpolicy-2.20170212/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170212/policy/modules/services/xserver.if
@@ -913,7 +913,7 @@ interface(`xserver_setattr_xdm_tmp_dirs'
 ########################################
 ##
-## Create a named socket in a XDM
+## Create and unlink a named socket in a XDM
 ## temporary directory.
 ##
 ##
@@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
 files_search_tmp($1)
 allow $1 xdm_tmp_t:dir list_dir_perms;
 create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ allow $1 xdm_tmp_t:sock_file unlink;
 ')
 ########################################
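Review bot: `kernel_read_system_state(kerneloops_t)` grants read access to everything labelled proc_t, which is considerably wider than the /proc/cpuinfo the mail describes, and kerneloops is (as I understand it) a daemon that submits oops reports to a remote service, so the extra reach deserves a word in the policy file rather than only in the cover text. A comment on the added line such as `# /proc/cpuinfo etc for oops reports; refpolicy has no narrower interface for proc_t` records both the need and why the broad interface was accepted.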
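Review bot: `corecmd_exec_bin(local_login_t)` lets the login domain execute every bin_t binary in its own context, not just the /bin/uname named in the comment, and local_login_t is the domain that authenticates and switches to the user, so a bug in login now has all of /usr/bin available without a domain transition. Refpolicy has no interface for a single binary, so if login really does exec uname this grant is the only option, but the comment should say which login implementation calls it and for what (presumably /etc/issue or motd handling; please confirm) so a later maintainer can judge whether it is still needed. Placing the two added lines directly above `# cjp: these are probably not needed:` also reads as if they belong to that group; a blank line between them would avoid the confusion.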
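Review bot: The added `allow $1 xdm_tmp_t:sock_file unlink;` in xserver_create_xdm_tmp_socket is not sufficient to remove the socket, because unlinking an entry also requires `remove_name` (and `write`) on the containing xdm_tmp_t directory, and neither the `list_dir_perms` granted above it nor, as far as I recall, `create_sock_files_pattern` includes that, so callers would still hit a dir remove_name denial. Replace the raw allow with the matching pattern, `delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)`, which grants the directory permissions together with sock_file unlink and is also the refpolicy-preferred form inside an interface instead of bare allow rules. The summary change in the preceding hunk is the right companion now that the interface both creates and deletes; keeping the interface name preserves compatibility with existing callers.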