From: russell@coker.com.au (Russell Coker)
Date: Mon, 17 Apr 2017 22:13:54 +1000
Subject: [refpolicy] [PATCH] kmod, lvm, brctl patches
Message-ID: <20170417121354.w3lrn7ua4zr6tumt@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to read and write fifos belonging to dpkg_script_t, as needed by Debian
postinst scripts etc.
Patch for brctl to allow it to create sysfs files.
Index: refpolicy-2.20170417/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20170417/policy/modules/system/modutils.te
@@ -89,6 +89,7 @@ files_read_etc_runtime_files(kmod_t)
files_read_etc_files(kmod_t)
files_read_usr_files(kmod_t)
files_exec_etc_files(kmod_t)
+files_search_tmp(kmod_t)
# for nscd:
files_dontaudit_search_pids(kmod_t)
# to manage modules.dep
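Review bot: The unconditional `files_search_tmp(kmod_t)` on the `+` line duplicates the `files_search_tmp($1)` that the new `dpkg_manage_script_tmp_files` interface already performs for its caller, so kmod_t ends up with /tmp search from two places and keeps it even on builds where the dpkg module is absent. The patch description only motivates this by initramfs generation on Debian, which is the dpkg case; unless kmod_t needs to traverse /tmp independently, drop this line and let the `optional_policy` block carry the permission. If it is needed on its own, a one-line comment such as `# needed independently of dpkg: <reason>` would stop the next reader from removing it as redundant.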
@@ -127,6 +128,10 @@ optional_policy(`
')
optional_policy(`
+ dpkg_manage_script_tmp_files(kmod_t)
+')
+
+optional_policy(`
firstboot_dontaudit_rw_pipes(kmod_t)
firstboot_dontaudit_rw_stream_sockets(kmod_t)
')
@@ -140,6 +145,10 @@ optional_policy(`
')
optional_policy(`
+ iptables_dontaudit_var_run(kmod_t)
+')
+
+optional_policy(`
mount_domtrans(kmod_t)
')
Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.if
@@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`
########################################
##
+## access dpkg_script fifos
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`dpkg_script_rw_fifo',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_file_perms;
+')
+
+########################################
+##
## Execute dpkg programs in the dpkg domain.
##
##
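Review bot: `rw_file_perms` on `dpkg_script_t:fifo_file` includes `open`, which lets the caller open named fifos owned by dpkg_script_t rather than only use the unnamed pipes it inherited alongside the `fd use` rule on the line above. If the use case is a postinst script piping to and from lvm, as the patch description suggests, the refpolicy idiom is `allow $1 dpkg_script_t:fifo_file rw_inherited_fifo_file_perms;`, which drops `open`, and the interface is conventionally named for what it grants, e.g. `dpkg_script_rw_inherited_pipes`. The summary `access dpkg_script fifos` should say the same: `Read and write inherited dpkg_script_t pipes.`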
@@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')
+
+########################################
+##
+## manage dpkg_script_tmp_t files and dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dpkg_manage_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
+ allow $1 dpkg_script_tmp_t:file manage_file_perms;
+')
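Review bot: The two bare `allow` rules on dpkg_script_tmp_t should be written with the refpolicy patterns, `manage_dirs_pattern($1, dpkg_script_tmp_t, dpkg_script_tmp_t)` and `manage_files_pattern($1, dpkg_script_tmp_t, dpkg_script_tmp_t)`, which is how the other manage interfaces in this file are built and which carry the directory `search` a file rule depends on (today it happens to arrive via `manage_dir_perms`, so nothing is functionally missing). The name says `_files` but the interface grants directories too; either name it for both, e.g. `dpkg_manage_script_tmp`, or state it in the summary: `Create, read, write and delete dpkg script temporary files and directories.`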
Index: refpolicy-2.20170417/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170417/policy/modules/system/lvm.te
@@ -342,6 +342,10 @@ optional_policy(`
')
optional_policy(`
+ dpkg_script_rw_fifo(lvm_t)
+')
+
+optional_policy(`
gpm_dontaudit_getattr_gpmctl(lvm_t)
')
Index: refpolicy-2.20170417/policy/modules/system/iptables.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/iptables.if
+++ refpolicy-2.20170417/policy/modules/system/iptables.if
@@ -165,6 +165,24 @@ interface(`iptables_manage_config',`
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
+###################################
+##
+## dontaudit reading iptables_var_run_t
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`iptables_dontaudit_var_run',`
+ gen_require(`
+ type iptables_var_run_t;
+ ')
+
+ dontaudit $1 iptables_var_run_t:file read;
+')
+
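Review bot: `dontaudit $1 iptables_var_run_t:file read;` silences only `read`; a domain that actually opens the file would still log `open` and `getattr`, so if the intent is to hide reads the refpolicy form is `dontaudit $1 iptables_var_run_t:file read_file_perms;`. If instead the denial comes from a descriptor inherited across the exec into kmod_t (iptables spawning modprobe while holding its lock file open is a plausible source, but the patch does not say), the bare `read` is correct and the summary should say so: `dontaudit reading inherited iptables_var_run_t files`. The interface name also departs from the `<module>_dontaudit_<access>_<object>` convention used elsewhere in the tree, where `iptables_dontaudit_read_var_run_files` would fit, and the header rule above the summary is 35 characters instead of the 40 used by the neighbouring interfaces.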
########################################
##
## All of the rules required to
Index: refpolicy-2.20170417/policy/modules/contrib/brctl.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/brctl.te
+++ refpolicy-2.20170417/policy/modules/contrib/brctl.te
@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
corenet_rw_tun_tap_dev(brctl_t)
+dev_create_sysfs_files(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)
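Review bot: `dev_create_sysfs_files(brctl_t)` grants a permission the kernel cannot honour: sysfs (kernfs) directories provide no create operation for user space, so a `create` on sysfs_t:file fails after the SELinux check no matter what policy says. The denial this silences is most likely an `O_CREAT` open (e.g. `fopen(..., "w")`) of a bridge attribute path that did not exist at that moment, which fails either way; what policy can usefully do is stop the log noise, so a `dontaudit brctl_t sysfs_t:file create;` behind a matching `dev_dontaudit_create_sysfs_files` interface is the right form. Allowing it also records a capability brctl does not have, which misleads the next audit of this domain.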
Index: refpolicy-2.20170417/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170417/policy/modules/kernel/devices.if
@@ -4100,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',
########################################
##
+## Add a sysfs file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_create_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ create_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+##
## mounton sysfs directories.
##
##
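Review bot: The summary `Add a sysfs file` understates what `create_files_pattern($1, sysfs_t, sysfs_t)` grants: `create_file_perms` on every sysfs_t file plus `search` on every sysfs_t directory, and since sysfs does not let user space create files, callers receive an allow that can only turn a failing `O_CREAT` open from an audited denial into an unaudited one. Either make this a `dontaudit` variant or have the summary state the real scope and purpose, e.g. `Create files in sysfs (sysfs_t); the kernel refuses this, the rule only covers O_CREAT opens of attribute paths.` If brctl is the only intended caller, saying so in the summary helps keep the surface small.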