From: russell@coker.com.au (Russell Coker)
Date: Thu, 16 Feb 2017 14:18:58 +1100
Subject: [refpolicy] [PATCH] dpkg related patches version 2
Message-ID: <20170216031858.ckyproc6ehwksody@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Here is the latest version.
Index: refpolicy-2.20170216/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170216/policy/modules/contrib/dpkg.te
@@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
 domain_interactive_fd(dpkg_script_t)
 role dpkg_roles types dpkg_script_t;
+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+
 type dpkg_script_tmp_t;
 files_tmp_file(dpkg_script_tmp_t)
@@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
 kernel_read_system_state(dpkg_t)
 kernel_read_kernel_sysctls(dpkg_t)
-corecmd_exec_all_executables(dpkg_t)
-
 corenet_all_recvfrom_unlabeled(dpkg_t)
 corenet_all_recvfrom_netlabel(dpkg_t)
 corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)
 userdom_use_user_terminals(dpkg_t)
 userdom_use_unpriv_users_fds(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)
 dpkg_domtrans_script(dpkg_t)
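Review bot: `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` in the first dpkg.te hunk makes every file of type dpkg_var_lib_t an entrypoint for dpkg_script_t, and `spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)` transitions on all of them, although that type appears (from `files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t` in the next hunk header) to label the whole dpkg state directory rather than only the maintainer scripts. A dedicated type for the maintainer-script directory, with the entry_file and domtrans rules on that type, would limit the entrypoint to the scripts that are actually executed. If the whole-directory type is intentional, a comment above the two lines saying so, e.g. `# maintainer scripts are unpacked with the generic dpkg_var_lib_t label, so it must be an entrypoint`, would tell the next reader that this was weighed.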
@@ -176,18 +178,10 @@ optional_policy(`
 unconfined_domain(dpkg_t)
 ')
-# TODO: the following was copied from dpkg_script_t, and could probably
-# be removed again when dpkg_script_t is actually used...
-domain_signal_all_domains(dpkg_t)
-domain_signull_all_domains(dpkg_t)
-files_read_etc_runtime_files(dpkg_t)
-files_exec_usr_files(dpkg_t)
-miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
-userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+ modutils_run_depmod(dpkg_t, dpkg_roles)
+ modutils_run_insmod(dpkg_t, dpkg_roles)
+')
 optional_policy(`
 mta_send_mail(dpkg_t)
@@ -202,8 +196,8 @@ optional_policy(`
 # Script Local policy
 #
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
@@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_
 allow dpkg_script_t self:sem create_sem_perms;
 allow dpkg_script_t self:msgq create_msgq_perms;
 allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;
 allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
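Review bot: The rewritten self:capability rule for dpkg_script_t in the `@@ -202,8 +196,8 @@` hunk adds audit_write, net_admin, setfcap and sys_ptrace, and dropping setfscreate from the `~{ ... }` exclusion on self:process newly permits setfscreate, yet neither the hunk nor the message says which maintainer-script action needs each one. net_admin and sys_ptrace in particular are broad, and since unconfined_domain(dpkg_script_t) is only granted under optional_policy, their effect on a build without the unconfined module is what a reviewer has to judge. A comment above the rule naming the triggering case per capability, for example `# audit_write + netlink_audit_socket nlmsg_relay: <tool that writes audit records> in postinst`, with the placeholder filled in, would make the scope checkable; the same applies to the netlink_audit_socket and udp_socket rules in the following hunk.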
@@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
 kernel_read_kernel_sysctls(dpkg_script_t)
 kernel_read_system_state(dpkg_script_t)
+auth_manage_shadow(dpkg_script_t)
 corecmd_exec_all_executables(dpkg_script_t)
+dev_manage_null_service(dpkg_script_t)
 dev_list_sysfs(dpkg_script_t)
 # Use named file transition to fix this
 # dev_manage_generic_blk_files(dpkg_script_t)
@@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip
 selinux_compute_create_context(dpkg_script_t)
 selinux_compute_relabel_context(dpkg_script_t)
 selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
 term_use_all_terms(dpkg_script_t)
-auth_dontaudit_getattr_shadow(dpkg_script_t)
 files_manage_non_auth_files(dpkg_script_t)
 init_all_labeled_script_domtrans(dpkg_script_t)
+init_get_generic_units_status(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
+init_status(dpkg_script_t)
+init_start_generic_units(dpkg_script_t)
+init_stop_generic_units(dpkg_script_t)
+init_reload(dpkg_script_t)
+init_system_stop(dpkg_script_t)
+init_telinit(dpkg_script_t)
+initrc_manage_service(dpkg_script_t)
+init_restart_script_service(dpkg_script_t)
 libs_exec_ld_so(dpkg_script_t)
 libs_exec_lib_files(dpkg_script_t)
@@ -287,13 +294,11 @@ logging_send_syslog_msg(dpkg_script_t)
 miscfiles_read_localization(dpkg_script_t)
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
-
 seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
 seutil_run_setfiles(dpkg_script_t, dpkg_roles)
 userdom_use_all_users_fds(dpkg_script_t)
+usermanage_run_passwd(dpkg_script_t, sysadm_r)
 tunable_policy(`allow_execmem',`
 allow dpkg_script_t self:process execmem;
@@ -309,6 +314,11 @@ optional_policy(`
 ')
 optional_policy(`
+ modutils_run_depmod(dpkg_script_t, dpkg_roles)
+ modutils_run_insmod(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
 mta_send_mail(dpkg_script_t)
 ')
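Review bot: `usermanage_run_passwd(dpkg_script_t, sysadm_r)` in the `@@ -287,13 +294,11 @@` hunk passes the literal role sysadm_r where every other run interface in this file passes dpkg_roles (`seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)` three lines above), so the transition to the passwd domain is only wired up for sysadm_r, and sysadm_r is not required anywhere visible in this module. The call is also unconditional, while the modutils calls in the same patch are moved into optional_policy blocks; `usermanage_run_passwd(dpkg_script_t, dpkg_roles)` inside an `optional_policy(` ... ')` block would match the rest of the file. Whether usermanage is an optional module in this tree is inferred from the surrounding style rather than from the hunk.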
@@ -317,6 +327,11 @@ optional_policy(`
 ')
 optional_policy(`
+ systemd_read_logind_state(dpkg_script_t)
+ systemd_dbus_chat_logind(dpkg_script_t)
+')
+
+optional_policy(`
 unconfined_domain(dpkg_script_t)
 ')
Index: refpolicy-2.20170216/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20170216/policy/modules/admin/bootloader.te
@@ -149,6 +149,11 @@ ifdef(`distro_debian',`
 fstools_relabelto_entry_files(bootloader_t)
 libs_relabelto_lib_files(bootloader_t)
+
+ # for apt-cache
+ dpkg_read_db(bootloader_t)
+ apt_read_db(bootloader_t)
+ apt_read_cache(bootloader_t)
 ')
 ifdef(`distro_redhat',`
Index: refpolicy-2.20170216/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/init.if
+++ refpolicy-2.20170216/policy/modules/system/init.if
@@ -809,6 +809,42 @@ interface(`init_udp_send',`
 ########################################
 ##
+## start service (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_system_start',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system start;
+')
+
+########################################
+##
+## stop service (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_system_stop',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system stop;
+')
+
+########################################
+##
+## Get all service status (systemd).
 ##
 ##
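Review bot: The three calls added under `ifdef(`distro_debian',`` in bootloader.te are unconditional, while dpkg lives in policy/modules/contrib (see the dpkg.te header in this patch) and apt presumably does too, so a build without those modules would fail to link bootloader.te; the dpkg.te hunks in the same patch wrap comparable cross-module calls in optional_policy. Wrapping them as `optional_policy(` dpkg_read_db(bootloader_t) ')` plus a second block for `apt_read_db(bootloader_t)` and `apt_read_cache(bootloader_t)` would follow that pattern. The `# for apt-cache` comment would also help more if it named which bootloader helper invokes apt-cache.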
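Review bot: init_system_start is introduced in the init.if hunk but no hunk in the patch calls it (dpkg.te only adds init_system_stop), so it arrives unused; either drop it or state its intended caller in the summary. Both summaries, `start service (systemd).` and `stop service (systemd).`, suggest a per-unit permission, whereas the rules grant the `start`/`stop` permission of the `system` class on init_t, which is a manager-level check distinct from init_start_generic_units on unit types; summaries such as `Allow the domain the systemd manager-level start permission (init_t:system start).` would make the difference visible to callers choosing between them. The trailing lines of this hunk appear to mark the existing `## Get all service status (systemd).` line as added even though the hunk header counts only 36 new lines, which looks like a rendering artifact of the archive rather than a real change.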
@@ -2514,3 +2550,58 @@ interface(`init_reload_all_units',`
 allow $1 systemdunit:service reload;
 ')
+
+########################################
+##
+## Start and stop init_script_file_type services
+##
+##
+##
+## domain that can start and stop the services
+##
+##
+#
+interface(`init_restart_script_service',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ allow $1 init_script_file_type:service { start status stop };
+')
+
+########################################
+##
+## Get the system status information from init
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_status',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system status;
+')
+
+########################################
+##
+## Allow manage service for initrc_exec_t scripts
+##
+##
+##
+## Target domain
+##
+##
+#
+interface(`initrc_manage_service',`
+ gen_require(`
+ type initrc_exec_t;
+ class service { status start stop };
+ ')
+
+ allow $1 initrc_exec_t:service { start stop status };
+')
Index: refpolicy-2.20170216/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170216/policy/modules/kernel/devices.if
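Review bot: initrc_manage_service requires `class service { status start stop };` in its gen_require, while init_restart_script_service in the same hunk and the neighbouring init_reload_all_units use the service class without requiring it, so one convention should be chosen for all of them. The name initrc_manage_service promises `manage` but the rule grants only `{ start stop status }`; a summary such as `Start, stop and query the status of services backed by initrc_exec_t scripts.` (and a name that does not say manage) would match the permissions, as would using one order for the two permission lists `{ start status stop }` and `{ start stop status }`. The parameter text `Target domain` is also inverted: $1 is the subject being granted access, so `Domain allowed access.` as in the other two interfaces is the accurate wording.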
@@ -3260,6 +3260,26 @@ interface(`dev_create_null_dev',`
 ########################################
 ##
+## Manage services with script type null_device_t for when
+## /lib/systemd/system/something.service is a link to /dev/null
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_manage_null_service',`
+ gen_require(`
+ type null_device_t;
+ class service { status start stop reload };
+ ')
+
+ allow $1 null_device_t:service { status start stop reload };
+')
+
+########################################
+##
 ## Do not audit attempts to get the attributes
 ## of the BIOS non-volatile RAM device.
 ##
Index: refpolicy-2.20170216/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170216/policy/modules/system/systemd.if
@@ -190,3 +190,22 @@ interface(`systemd_start_power_units',`
 allow $1 power_unit_t:service start;
 ')
+
+########################################
+##
+## Allow systemd_logind_t to read process state for cgroup file
+##
+##
+##
+## Domain systemd_logind_t may access.
+##
+##
+#
+interface(`systemd_read_logind_state',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow systemd_logind_t $1:dir list_dir_perms;
+ allow systemd_logind_t $1:file read_file_perms;
+')
Index: refpolicy-2.20170216/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170216/policy/modules/system/unconfined.if
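Review bot: The summary of dev_manage_null_service calls null_device_t a `script type`, but the rule is a service-class check on unit files that systemd resolves to /dev/null, i.e. masked units, so the wording misdescribes what is granted. A summary such as `Operate (status, start, stop, reload) on systemd units that are masked by a symlink to /dev/null and therefore carry null_device_t.` states the effect, and a name without `manage` would match the four permissions actually given. The gen_require on `class service` is also not used by the init.if interfaces in this patch that reference the same class, so the two hunks should agree on one style.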
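Review bot: systemd_read_logind_state($1) grants systemd_logind_t read access to $1 (`allow systemd_logind_t $1:dir list_dir_perms;`), so the caller's domain is the target and logind the subject, which is the reverse of what a name of the form systemd_read_..._state conveys and of how `systemd_read_logind_state(dpkg_script_t)` reads in the dpkg.te hunk. A name that makes logind the actor, together with a summary like `Allow systemd_logind_t to read the process state of the specified domain (presumably its /proc entries, including the cgroup file).`, would prevent callers from granting access in the wrong direction; the parameter text `Domain systemd_logind_t may access.` already has the direction right.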
@@ -319,6 +319,23 @@ interface(`unconfined_run_to',`
 ########################################
 ##
+## Allow the specified domain to be in the unconfined role
+##
+##
+##
+## Domain to permit in unconfined_r
+##
+##
+#
+interface(`permit_in_unconfined_r',`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types $1;
+')
+
+########################################
+##
 ## Inherit file descriptors from the unconfined domain.
 ##
 ##
Index: refpolicy-2.20170216/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/init.te
+++ refpolicy-2.20170216/policy/modules/system/init.te
@@ -277,8 +277,6 @@ ifdef(`init_systemd',`
 term_relabel_pty_dirs(init_t)
- clock_read_adjtime(init_t)
-
 logging_manage_pid_sockets(init_t)
 logging_send_audit_msgs(init_t)
 logging_relabelto_devlog_sock_files(init_t)
@@ -289,6 +287,10 @@ ifdef(`init_systemd',`
 udev_create_kobject_uevent_sockets(init_t)
 optional_policy(`
+ clock_read_adjtime(init_t)
+ ')
+
+ optional_policy(`
 systemd_relabelto_kmod_files(init_t)
 systemd_dbus_chat_logind(init_t)
 ')
Index: refpolicy-2.20170216/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170216/policy/modules/system/userdomain.if
@@ -674,6 +674,10 @@ template(`userdom_common_user_template',
 ')
 optional_policy(`
+ dpkg_read_db($1_t)
+ ')
+
+ optional_policy(`
 hwloc_exec_dhwd($1_t)
 hwloc_read_runtime_files($1_t)
 ')
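Review bot: permit_in_unconfined_r breaks the convention that every interface in unconfined.if carries the `unconfined_` module prefix (unconfined_run_to in the hunk header), and nothing else in this patch calls it, so it lands unused and unfindable by name. If it is kept, give it the module prefix and leave a blank line after the gen_require block as the other interfaces in the hunk do; `role unconfined_r types $1;` is a role-authorisation rule, so a summary like `Authorize the specified domain for the unconfined_r role.` describes it more precisely than "be in the unconfined role".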