From: russell@coker.com.au (Russell Coker)
Date: Wed, 19 Apr 2017 20:47:51 +1000
Subject: [refpolicy] [PATCH] fist "strict" patch
Message-ID: <20170419104751.w42bk2et4dzoj2ia@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This is the first patch for policy I developed running in a "strict"
configuration. That means with the unconfined module removed from the
policy. It is possible that some patches from this are needed even in a
"targeted" configuration. But most are only related to strict configuration.
There are no dependencies on other patches I've sent recently.
Index: refpolicy-2.20170419/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170419/policy/modules/system/fstools.te
@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
+selinux_getattr_fs(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
Index: refpolicy-2.20170419/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170419/policy/modules/system/selinuxutil.te
@@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
userdom_use_user_terminals(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
+dev_read_urand(load_policy_t)
ifdef(`distro_ubuntu',`
optional_policy(`
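Review bot: `dev_read_urand(load_policy_t)` is placed after the userdom_ calls, whereas the other blocks touched by this patch keep kernel-layer interfaces (dev_, fs_, kernel_) ahead of system-layer ones; compare the semanage_t hunk below, where dev_read_urand sits with the kernel_/corecmd_ group. Moving it up next to the other kernel-layer rules for load_policy_t (outside this hunk) keeps the file consistent, and the same applies to `selinux_read_policy(sysadm_t)` in the first sysadm.te hunk, which lands after init_exec/init_admin. A short comment naming the load_policy operation that reads urandom in the strict configuration would also help, since nothing in the hunk explains the new grant.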
@@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
fs_getattr_tracefs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_getattr_pstorefs(restorecond_t)
selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
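Review bot: `fs_getattr_pstorefs(restorecond_t)` breaks the alphabetical order of the fs_ group it joins: the surrounding lines run getattr_pstore_dirs, getattr_tracefs, list_inotifyfs, relabelfrom_noxattr_fs, and the setfiles_t hunk later in this file lists pstore_dirs, pstorefs, tracefs in sequence. Placing the new line directly after `fs_getattr_pstore_dirs(restorecond_t)` keeps both blocks consistent.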
@@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
corecmd_exec_bin(semanage_t)
+corecmd_exec_shell(semanage_t)
dev_read_urand(semanage_t)
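Review bot: `corecmd_exec_shell(semanage_t)` lets the semanage domain run any shell, a broader grant than the existing corecmd_exec_bin, and the hunk does not say what needs it. A comment naming the helper that spawns the shell (`# semanage helpers invoke /bin/sh`, if that is the cause; confirm) would let later reviewers judge whether a narrower rule exists. The semanage_t block continues outside the hunk.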
@@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
fs_getattr_tracefs(setfiles_t)
Index: refpolicy-2.20170419/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170419/policy/modules/system/systemd.te
@@ -854,6 +854,11 @@ optional_policy(`
')
optional_policy(`
+ apt_use_fds(systemd_tmpfiles_t)
+ dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
+')
+
+optional_policy(`
xfs_create_tmp_dirs(systemd_tmpfiles_t)
')
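Review bot: The new optional_policy block mixes apt_use_fds with dpkg_script_rw_inherited_fifos, so, if I read optional_policy semantics correctly, the dpkg rule is only built when the apt module is present and vice versa; every other optional_policy block in this patch holds calls from a single module. Splitting it into one block for `apt_use_fds(systemd_tmpfiles_t)` and one for `dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)` removes the cross-module dependency. A one-line comment on why tmpfiles inherits descriptors from apt/dpkg (presumably it is invoked from maintainer scripts during package installation) would also help.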
Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.if
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
########################################
##
+## Inherit and use file descriptors
+## from dpkg scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dpkg_script_rw_inherited_fifos',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+##
## Read dpkg package database content.
##
##
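Review bot: The summary of `dpkg_script_rw_inherited_fifos` only mentions file descriptors, but the body also grants read/write on inherited dpkg_script_t fifo_file objects; suggest `## Inherit and use file descriptors from dpkg scripts, and read/write inherited dpkg script fifos.` so callers see the full grant. The `allow $1 dpkg_script_t:fd use;` line appears to overlap with the existing dpkg_use_script_fds interface named in the hunk header (its body is outside the hunk); if that interface grants the same fd use, calling it here instead of repeating the rule keeps the two in step.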
Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.te
@@ -33,6 +33,7 @@ type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
corecmd_shell_entry_type(dpkg_script_t)
corecmd_bin_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
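Review bot: `domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)` together with the spec_domtrans_pattern added in the next hunk makes files of a temporary type valid entry points into dpkg_script_t, so whatever can write dpkg_script_tmp_t content decides what dpkg_t executes in that domain. That is a larger trust statement than the dpkg_var_lib_t entry point above it and deserves a comment, e.g. `# dpkg unpacks maintainer scripts to a temp dir before running them` if that is the reason, plus a check that only dpkg_t/dpkg_script_t can create dpkg_script_tmp_t files. How dpkg_script_tmp_t is declared is outside this hunk.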
@@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
Index: refpolicy-2.20170419/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170419/policy/modules/contrib/mta.te
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
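Review bot: The new apt block is inserted ahead of the apache block, but optional_policy blocks are kept sorted by module name (as far as I recall the refpolicy style guide) and `apt` sorts after `apache`; moving the block below the apache one keeps the order. A brief comment on why system_mail_t inherits apt descriptors and ptys (presumably mail sent from maintainer scripts run under apt) would help, as the grant is otherwise unexplained.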
Index: refpolicy-2.20170419/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170419/policy/modules/roles/sysadm.te
@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
init_admin(sysadm_t)
+selinux_read_policy(sysadm_t)
+
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
@@ -99,6 +101,10 @@ optional_policy(`
')
optional_policy(`
+ system_mail_role(sysadm_r)
+')
+
+optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')
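Review bot: `system_mail_role(sysadm_r)` calls an interface whose name lacks the module prefix; every other interface in this patch carries its module name (mta_role, apt_use_fds, dpkg_script_rw_inherited_fifos), so the new interface in the mta.if hunk should be named along the lines of `mta_system_mail_role` and this call updated to match. Since mta.if already defines mta_role (visible in that hunk's header), it is worth checking whether mta_role already associates the role with system_mail_t, in which case a separate interface is redundant. The summary line in mta.if could also state what the role gains, e.g. `## Allow the specified role to run the system mail domain.`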
Index: refpolicy-2.20170419/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170419/policy/modules/services/xserver.te
@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")
allow xauth_t xdm_t:process sigchld;
allow xauth_t xdm_t:fd use;
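Review bot: The added `userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")` references user_home_t directly, a type owned by the userdomain module rather than xserver; unless xserver.te already requires it (outside this hunk), this needs a gen_require or, preferably, a userdom_ interface that performs the user_home_t transition (userdom_user_home_dir_filetrans_user_home_content, if this tree has it) so the module boundary is kept. Narrowing the .Xauthority transition to a file name also means any other file xdm_t creates in a home directory now gets the default home type, which looks intended but is worth stating in the description.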
Index: refpolicy-2.20170419/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20170419/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
# Groupadd local policy
#
-allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
+allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
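Review bot: Adding fsetid to the groupadd_t capability allow leaves `dontaudit groupadd_t self:capability { fsetid sys_tty_config };` on the next line still listing fsetid, which is now dead since an allowed permission is never audited. The dontaudit line should be reduced to `dontaudit groupadd_t self:capability sys_tty_config;` in the same change.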
Index: refpolicy-2.20170419/policy/modules/contrib/apt.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/apt.te
+++ refpolicy-2.20170419/policy/modules/contrib/apt.te
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
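Review bot: `kill setgid setuid` materially widen apt_t — setuid/setgid let the domain change identity and kill lets it signal processes of other uids — and the hunk gives no reason. A comment such as `# drop privileges to the _apt user for downloads` (if that is what needs it; confirm) and a check that the self:process rule on the next line remains the minimum needed would make the grant reviewable.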
@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
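Review bot: `manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)` is added after the matching manage_files_pattern line, whereas the dpkg.te hunk in this patch (and the rest of the file, as far as the context shows) lists manage_dirs_pattern before manage_files_pattern for a type. Swapping the two lines keeps the ordering consistent.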
@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_var_log_t:dir manage_dir_perms;
can_exec(apt_t, apt_exec_t)
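Review bot: `allow apt_t apt_var_log_t:dir manage_dir_perms;` is a raw allow placed after logging_log_filetrans, while the file rule it mirrors sits before it; writing it as `manage_dirs_pattern(apt_t, apt_var_log_t, apt_var_log_t)` on the line before the file rule matches how the other apt types in this file are handled. If apt_t is now expected to create directories under /var/log, the `logging_log_filetrans(apt_t, apt_var_log_t, file)` call probably also needs `dir` in its class list, otherwise new directories will not be labelled apt_var_log_t.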
Index: refpolicy-2.20170419/policy/modules/contrib/mta.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.if
+++ refpolicy-2.20170419/policy/modules/contrib/mta.if
@@ -121,6 +121,23 @@ interface(`mta_role',`
########################################
##
+## Enable system_mail_t to run in the specified role
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`system_mail_role',`
+ gen_require(`
+ type system_mail_t;
+ ')
+ role $1 types system_mail_t;
+')
+
+########################################
+##
## Make the specified domain usable for a mail server.
##
##