From: russell@coker.com.au (Russell Coker)
Date: Mon, 17 Apr 2017 22:22:51 +1000
Subject: [refpolicy] [PATCH] devicekit, mount, xserver, and selinuxutil
Message-ID: <20170417122251.6xiakocl2uazg54l@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Allow devicekit_power_t to chat to xdm via dbus and log via syslog.

Allow mount_t to do more with it's runtime files and stat more filesystem
types.

Allow xauth to send sigchld to xdm.

Allow semanage to search policy_src_t dirs and read /dev/urandom.

Index: refpolicy-2.20170417/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170417/policy/modules/contrib/devicekit.te
@@ -56,6 +56,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_dbus_chat_xdm(devicekit_power_t)
+')
+
+optional_policy(`
 	udev_read_db(devicekit_t)
 ')
 
@@ -65,6 +69,7 @@ optional_policy(`
 #
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability2 wake_alarm;
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicek
 init_read_utmp(devicekit_power_t)
 init_search_run(devicekit_power_t)
 
+logging_send_syslog_msg(devicekit_power_t)
+
 miscfiles_read_localization(devicekit_power_t)
 
 sysnet_domtrans_ifconfig(devicekit_power_t)
Index: refpolicy-2.20170417/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/mount.te
+++ refpolicy-2.20170417/policy/modules/system/mount.te
@@ -53,8 +53,8 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
-create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
 rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
 files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 
@@ -101,7 +101,10 @@ files_dontaudit_write_all_mountpoints(mo
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
+fs_getattr_tmpfs(mount_t)
+fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
+fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
Index: refpolicy-2.20170417/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170417/policy/modules/services/xserver.te
@@ -274,6 +274,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+allow xauth_t xdm_t:process sigchld;
 
 allow xauth_t xdm_t:fd use;
 allow xauth_t xdm_t:fifo_file { getattr read };
@@ -643,6 +644,7 @@ allow xserver_t input_xevent_t:x_event s
 
 allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
 dontaudit xserver_t self:capability chown;
+allow xserver_t self:capability2 wake_alarm;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20170417/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170417/policy/modules/system/selinuxutil.te
@@ -478,6 +478,8 @@ allow semanage_t policy_config_t:file rw
 
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
 
+allow semanage_t policy_src_t:dir search;
+
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -572,6 +574,7 @@ kernel_dontaudit_list_all_proc(setfiles_
 kernel_dontaudit_list_all_sysctls(setfiles_t)
 kernel_getattr_debugfs(setfiles_t)
 
+dev_read_urand(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
 # to handle when /dev/console needs to be relabeled
 dev_rw_generic_chr_files(setfiles_t)