From: russell@coker.com.au (Russell Coker)
Date: Mon, 17 Apr 2017 23:46:33 +1000
Subject: [refpolicy] [PATCH] misc daemons
Message-ID: <20170417134633.32uttndeazdcksne@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Put in libx32 subs entries that refer to directories with fc entries.
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.
Some dontaudit rules for mta processes spawned by mon for notification.
Lots of tiny changes that are obvious.
Index: refpolicy-2.20170417/config/file_contexts.subs_dist
===================================================================
--- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
+++ refpolicy-2.20170417/config/file_contexts.subs_dist
@@ -12,13 +12,14 @@
/lib /usr/lib
/lib32 /usr/lib
/lib64 /usr/lib
-/libx32 /usr/libx32
+/libx32 /usr/lib
/sbin /usr/sbin
/etc/init.d /etc/rc.d/init.d
/lib/systemd /usr/lib/systemd
/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
+/usr/libx32 /usr/lib
/usr/local/lib32 /usr/lib
/usr/local/lib64 /usr/lib
/usr/local/lib /usr/lib
Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
+++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
kernel_list_proc(dmesg_t)
kernel_read_proc_symlinks(dmesg_t)
+dev_read_kmsg(dmesg_t)
+
# for when /usr is not mounted:
kernel_dontaudit_search_unlabeled(dmesg_t)
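Review bot: The added `dev_read_kmsg(dmesg_t)` has no comment saying why a domain that already holds the ring-buffer interfaces on the lines above also needs to open /dev/kmsg. Presumably this is for util-linux dmesg, which reads /dev/kmsg directly rather than using syslog(2); if so, a one-line why-comment above the rule, `# util-linux dmesg reads /dev/kmsg directly instead of syslog(2)`, records the reason for the next reviewer. If it is a different consumer, name that instead.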
Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20170417/policy/modules/admin/netutils.te
@@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
+dev_read_urand(ping_t)
auth_use_nsswitch(ping_t)
Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
+++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
@@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
allow alsa_t alsa_home_t:file read_file_perms;
+files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
+manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
+manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
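Review bot: The new `files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")` labels a runtime-created /run/alsa directory, but this patch adds no alsa.fc entry for that path, so after a relabel (restorecon, fixfiles) the directory would fall back to the default runtime label and the two manage rules below it would stop matching. If alsa.fc does not already cover it, add a file context entry for the directory using the path form the rest of the file uses (the subs file maps /run to the /var/run form), e.g. `/var/run/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lock_t,s0)`. A short comment naming the program that creates it, presumably alsactl, would also help, since a lock type being used for a runtime directory is not obvious.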
Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
+++ refpolicy-2.20170417/policy/modules/contrib/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
# Local policy
#
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { chown dac_override fsetid };
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
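Review bot: The widened capability set on the changed line grants backup_t `chown` and `fsetid`, which together let it change ownership of and keep setuid/setgid bits on any file it may write, and nothing in the hunk says what operation needs them. If this is for restoring ownership and mode bits when extracting into the backup store, say so above the rule, `# chown/fsetid: restore owner and set[ug]id bits when restoring files`, so a later reviewer can tell whether the grant is still required. If only one of the two is actually hit in practice, grant only that one; the AVC messages that motivated the change would show which.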
Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
+++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
@@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
+corecmd_bin_entry_type(dpkg_script_t)
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
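Review bot: `corecmd_bin_domtrans(dpkg_t, dpkg_script_t)` on the first added line makes dpkg_t transition to dpkg_script_t for every bin_t executable it runs, not only dpkg-reconfigure as the commit message describes, and `corecmd_bin_entry_type(dpkg_script_t)` makes any bin_t file a valid entrypoint for that domain. Together with the existing `spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)` this erases the distinction between running a maintainer script and running an arbitrary helper from /usr/bin or /usr/sbin: anything dpkg_t executes from bin_t now lands in the (presumably more privileged) maintainer-script domain. If only dpkg-reconfigure needs it, a dedicated exec type for that binary with a `domtrans_pattern` to dpkg_script_t keeps the transition narrow. If the broad transition is intended, a comment stating that, `# dpkg-reconfigure is bin_t; everything bin_t run by dpkg_t enters dpkg_script_t`, should sit above these two lines.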
@@ -307,6 +309,10 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dbus_chat_power(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
+files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)
fs_getattr_all_fs(fetchmail_t)
Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
kernel_read_ring_buffer(kerneloops_t)
kernel_read_system_state(kerneloops_t)
+dev_read_urand(kerneloops_t)
domain_use_interactive_fds(kerneloops_t)
Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
+++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
@@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
+init_read_script_tmp_files(loadkeys_t)
userdom_use_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
+++ refpolicy-2.20170417/policy/modules/contrib/mon.if
@@ -1 +1,37 @@
## mon network monitoring daemon.
+
+######################################
+##
+## dontaudit searching /var/lib/mon
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`mon_dontaudit_search_var_lib',`
+ gen_require(`
+ type mon_var_lib_t;
+ ')
+
+ dontaudit $1 mon_var_lib_t:dir search;
+')
+
+######################################
+##
+## dontaudit using an inherited fd from mon_t
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`mon_dontaudit_fd_use',`
+ gen_require(`
+ type mon_t;
+ ')
+
+ dontaudit $1 mon_t:fd use;
+')
Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20170417/policy/modules/contrib/mon.te
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
files_read_etc_files(mon_t)
files_read_etc_runtime_files(mon_t)
files_read_usr_files(mon_t)
+files_search_var_lib(mon_t)
fs_getattr_all_fs(mon_t)
fs_search_auto_mountpoints(mon_t)
Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170417/policy/modules/contrib/mta.te
@@ -324,6 +324,10 @@ optional_policy(`
')
')
+optional_policy(`
+ mon_dontaudit_fd_use(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
@@ -379,6 +383,10 @@ optional_policy(`
')
optional_policy(`
+ mon_dontaudit_search_var_lib(mailserver_delivery)
+')
+
+optional_policy(`
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
+++ refpolicy-2.20170417/policy/modules/contrib/munin.te
@@ -386,6 +386,7 @@ optional_policy(`
#
allow system_munin_plugin_t self:udp_socket create_socket_perms;
+allow system_munin_plugin_t self:capability net_admin;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
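Review bot: `allow system_munin_plugin_t self:capability net_admin;` grants a monitoring plugin domain the capability to reconfigure interfaces, routes and firewall state, and nothing in the hunk says which plugin needs it or for what. If it is hit only as a probe by a tool such as ethtool or ip that still produces its output when the capability is denied, the right rule is `dontaudit system_munin_plugin_t self:capability net_admin;` rather than an allow. If a plugin genuinely fails without it, a why-comment naming that plugin above the rule would let a later reviewer confirm the grant is still needed.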
@@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
+files_read_usr_files(system_munin_plugin_t)
domain_read_all_domains_state(system_munin_plugin_t)
Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
+++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
@@ -78,7 +78,7 @@ interface(`mysql_signal',`
type mysqld_t;
')
- allow $1 mysqld_t:process signal;
+ allow $1 mysqld_t:process { signal signull };
')
########################################
Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
@@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
-allow ntpd_t ntpd_lock_t:file write_file_perms;
+allow ntpd_t ntpd_lock_t:file rw_file_perms;
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
+++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
@@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
files_list_non_auth_dirs(rsync_t)
files_read_non_auth_files(rsync_t)
files_read_non_auth_symlinks(rsync_t)
+ getattr_fifo_files_pattern(rsync_t, file_type, file_type)
+ getattr_sock_files_pattern(rsync_t, file_type, file_type)
auth_tunable_read_shadow(rsync_t)
')
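Review bot: The two added `getattr_*_files_pattern(rsync_t, file_type, file_type)` rules cover fifo and socket files of every type, including those the surrounding `files_*_non_auth_*` interfaces deliberately exclude, so the read-only export tunable now reveals the existence and metadata of authentication-related special files too. If rsync only stats these while walking directories and copes with EACCES, a dontaudit for getattr on those classes would silence the noise without widening the export. If it genuinely needs to report them, a comment saying so above the two lines, `# rsync stats every entry it lists, including fifos and sockets`, makes the choice explicit.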
Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
+++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
@@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
miscfiles_read_localization(rtkit_daemon_t)
+selinux_getattr_fs(rtkit_daemon_t)
+seutil_search_default_contexts(rtkit_daemon_t)
+
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
+++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
files_read_etc_files(fsdaemon_t)
files_read_etc_runtime_files(fsdaemon_t)
files_read_usr_files(fsdaemon_t)
+files_search_var_lib(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
Index: refpolicy-2.20170417/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170417/policy/modules/system/fstools.te
@@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
allow fsadm_t fsadm_run_t:file manage_file_perms;
files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
+# for /run/mount/utab
+stat_mount_var_run(fsadm_t)
+
# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
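Review bot: The added call `stat_mount_var_run(fsadm_t)` refers to an interface that this patch does not define; unless mount.if already provides it, the policy will fail to build. Its name also lacks the module prefix every other interface in the tree carries, so if it is new it should be named in the `mount_*` form, something like `mount_getattr_pid_files`, with the call here updated to match. The `# for /run/mount/utab` comment above it is useful and should stay with whatever the final name is.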
@@ -208,6 +211,10 @@ optional_policy(`
optional_policy(`
udev_read_db(fsadm_t)
+
+ # Xen causes losetup to run with a presumably accidentally inherited
+ # file handle for /run/xen-hotplug/block
+ dontaudit_udev_pidfile_rw(fsadm_t)
')
optional_policy(`
Index: refpolicy-2.20170417/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/udev.if
+++ refpolicy-2.20170417/policy/modules/system/udev.if
@@ -301,6 +301,24 @@ interface(`udev_list_pids',`
########################################
##
+## dontaudit attempts to read/write udev pidfiles
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dontaudit_udev_pidfile_rw',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ dontaudit $1 udev_var_run_t:file { read write };
+')
+
+########################################
+##
## Create, read, write, and delete
## udev pid directories
##