From: russell@coker.com.au (Russell Coker) Date: Thu, 27 Apr 2017 02:23:47 +1000 Subject: [refpolicy] [PATCH] somme little misc things Message-ID: <20170426162347.md5u552q7zrhje2g@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch allows setfiles to use file handles inherited from apt (for dpkg postinst scripts), adds those rsync permissions that were rejected previously due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and allows system_cronjob_t some access it requires (including net_admin for when it runs utilities that set buffers). Index: refpolicy-2.20170421/policy/modules/system/selinuxutil.te =================================================================== --- refpolicy-2.20170421.orig/policy/modules/system/selinuxutil.te +++ refpolicy-2.20170421/policy/modules/system/selinuxutil.te @@ -670,5 +670,9 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` + apt_use_fds(setfiles_t) +') + +optional_policy(` hotplug_use_fds(setfiles_t) ') Index: refpolicy-2.20170421/policy/modules/contrib/rsync.te =================================================================== --- refpolicy-2.20170421.orig/policy/modules/contrib/rsync.te +++ refpolicy-2.20170421/policy/modules/contrib/rsync.te @@ -123,6 +123,8 @@ dev_read_urand(rsync_t) fs_getattr_all_fs(rsync_t) fs_search_auto_mountpoints(rsync_t) +files_getattr_all_pipes(rsync_t) +files_getattr_all_sockets(rsync_t) files_search_home(rsync_t) auth_can_read_shadow_passwords(rsync_t) Index: refpolicy-2.20170421/policy/modules/system/fstools.te =================================================================== --- refpolicy-2.20170421.orig/policy/modules/system/fstools.te +++ refpolicy-2.20170421/policy/modules/system/fstools.te 
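Review bot: The two rules added in the rsync.te hunk, `files_getattr_all_pipes(rsync_t)` and `files_getattr_all_sockets(rsync_t)`, grant getattr on every pipe and socket type in the policy without a comment saying which rsync access needs it. If this is only rsync calling fstat() on inherited stdio descriptors and the result is not acted on, `files_dontaudit_getattr_all_pipes(rsync_t)` and `files_dontaudit_getattr_all_sockets(rsync_t)` would silence the denial without widening rsync_t at all. Whichever is kept, refpolicy convention is a one-line reason above the rule, e.g. `# fstat on inherited stdin/stdout descriptors`.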
@@ -154,6 +154,9 @@ logging_send_syslog_msg(fsadm_t) miscfiles_read_localization(fsadm_t) +# for /run/mount/utab +mount_getattr_runfile(fsadm_t) + # losetup: bind mount_loopback_t files to loop devices mount_rw_loopback_files(fsadm_t) Index: refpolicy-2.20170421/policy/modules/system/mount.if =================================================================== --- refpolicy-2.20170421.orig/policy/modules/system/mount.if +++ refpolicy-2.20170421/policy/modules/system/mount.if @@ -228,3 +228,20 @@ interface(`mount_rw_runtime_files',` rw_files_pattern($1, mount_runtime_t, mount_runtime_t) ') +######################################## +## +## Getattr on mount_var_run_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_getattr_runfile',` + gen_require(` + type mount_var_run_t; + ') + + allow $1 mount_var_run_t:file getattr; +') Index: refpolicy-2.20170421/policy/modules/contrib/cron.te =================================================================== --- refpolicy-2.20170421.orig/policy/modules/contrib/cron.te +++ refpolicy-2.20170421/policy/modules/contrib/cron.te @@ -336,6 +336,23 @@ ifdef(`distro_debian',` optional_policy(` logwatch_search_cache_dir(crond_t) ') + optional_policy(` + apt_manage_cache(system_cronjob_t) + apt_read_db(system_cronjob_t) + dpkg_manage_db(system_cronjob_t) + ') +') + +optional_policy(` + acct_manage_data(system_cronjob_t) +') + +optional_policy(` + ntp_admin(system_cronjob_t, system_r) +') + +optional_policy(` + apache_delete_lib_files(system_cronjob_t) ') ifdef(`distro_redhat',` @@ -425,6 +442,7 @@ optional_policy(` systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) # so cron jobs can restart daemons init_stream_connect(system_cronjob_t) + init_manage_script_service(system_cronjob_t) ') optional_policy(` 
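Review bot: The new interface in the mount.if hunk, `mount_getattr_runfile`, breaks with the naming and type already visible in its own context: the neighbouring `mount_rw_runtime_files` operates on `mount_runtime_t`, while the new one is named after "runfile" and requires `mount_var_run_t`. For consistency it should be `mount_getattr_runtime_files`, require `mount_runtime_t` instead of `mount_var_run_t`, and use `getattr_files_pattern($1, mount_runtime_t, mount_runtime_t)` in place of the bare allow; the call site added in the fstools.te hunk, `mount_getattr_runfile(fsadm_t)`, would be renamed with it. If mount_var_run_t only survives as an alias in this tree the rule still compiles, but the type declaration is outside the hunk so I cannot confirm that from here.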
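Review bot: `ntp_admin(system_cronjob_t, system_r)` in the cron.te hunk at @@ -336 hands the generic system cron job domain an administrative interface, which by the usual shape of refpolicy's *_admin interfaces covers signalling the ntpd domain, init-script domain transitions for the given role and manage access to ntp's configuration, drift and log files, far more than a periodic job normally touches. The description does not say which job needs it; a narrower interface, or a new one covering just the files the job writes, would keep system_cronjob_t from becoming an ntp administrator. The same question applies to `dpkg_manage_db(system_cronjob_t)` in the distro_debian block: write access to the dpkg database from any system cron job is a large grant, and if the apt daily job only reads it, `dpkg_read_db(system_cronjob_t)` would do. Each of these new calls should carry a comment naming the cron job that needs it, e.g. `# apt daily cron job`.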
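Review bot: `init_manage_script_service(system_cronjob_t)` in the cron.te hunk at @@ -425 sits under the existing comment `# so cron jobs can restart daemons`, but manage_service_perms also covers starting, stopping, enabling, disabling and reloading, so the comment now understates the grant; which units are reachable through the init_t service label depends on unit labelling I cannot see from here. If the jobs in question restart specific daemons, the per-module systemctl interfaces would be the least-privilege route; otherwise the comment should say which jobs rely on the full set, e.g. `# so cron jobs can manage (start/stop/reload) services`. The enclosing optional_policy block starts before the hunk.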
@@ -436,14 +454,15 @@ optional_policy(` # System local policy # -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice }; allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow system_cronjob_t cron_log_t:file manage_file_perms; logging_log_filetrans(system_cronjob_t, cron_log_t, file) +logging_manage_generic_logs(system_cronjob_t) allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -460,7 +479,8 @@ files_lock_filetrans(system_cronjob_t, s manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir }) +allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms; manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) 
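Review bot: Adding `net_admin` to system_cronjob_t's self:capability set in the cron.te hunk at @@ -436, for utilities that set socket buffer sizes, is the wrong tool: CAP_NET_ADMIN also permits interface, routing and firewall changes, and many tools that request SO_RCVBUFFORCE/SO_SNDBUFFORCE fall back to the unprivileged setsockopt when it is refused. The pattern refpolicy uses for this case is `dontaudit system_cronjob_t self:capability net_admin;` with a comment naming the utility; allow it only if the job demonstrably fails without it. Separately, widening cron_log_t from `{ append_file_perms create_file_perms setattr_file_perms }` to `manage_file_perms` and adding `logging_manage_generic_logs(system_cronjob_t)` lets any system cron job truncate or delete its own logs and every generic (var_log_t) log, and the description does not say which job needs more than append. Those two rules deserve a justifying comment or an append-only alternative. The @@ -460 hunk on the same line needs no change.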
@@ -471,7 +491,8 @@ allow system_cronjob_t crond_t:process s allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -allow system_cronjob_t crond_tmp_t:file { read write }; +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) @@ -563,6 +584,10 @@ optional_policy(` ') optional_policy(` + read_mrtg_etc(system_cronjob_t) +') + +optional_policy(` cyrus_manage_data(system_cronjob_t) ') Index: refpolicy-2.20170421/policy/modules/contrib/mrtg.if =================================================================== --- refpolicy-2.20170421.orig/policy/modules/contrib/mrtg.if +++ refpolicy-2.20170421/policy/modules/contrib/mrtg.if @@ -2,6 +2,24 @@ ######################################## ## +## Read mrtg configuration +## +## +## +## Domain allowed access. +## +## +# +interface(`read_mrtg_etc',` + gen_require(` + type mrtg_etc_t; + ') + + allow $1 mrtg_etc_t:file read_file_perms; +') + +######################################## +## ## Create and append mrtg log files. ## ## Index: refpolicy-2.20170421/policy/modules/contrib/apt.if =================================================================== --- refpolicy-2.20170421.orig/policy/modules/contrib/apt.if +++ refpolicy-2.20170421/policy/modules/contrib/apt.if @@ -164,6 +164,26 @@ interface(`apt_use_ptys',` ## ## # +interface(`apt_manage_cache',` + gen_require(` + type apt_var_cache_t; + ') + + files_search_var($1) + allow $1 apt_var_cache_t:dir manage_dir_perms; + allow $1 apt_var_cache_t:file manage_file_perms; +') + +######################################## +## +## Read apt package cache content. +## +## +## +## Domain allowed access. +## +## +# interface(`apt_read_cache',` gen_require(` type apt_var_cache_t;
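Review bot: `allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;` in the cron.te hunk at @@ -471 is a rule for the user cron job domain placed inside the system_cronjob_t local-policy section, and the patch description does not mention cronjob_t at all. It belongs with cronjob_t's own rules and warrants a comment on what is being inherited, e.g. `# temp file descriptors inherited from crond`. The tightening of the system_cronjob_t rule from `{ read write }` to `rw_inherited_file_perms` on the line above is an improvement on its own.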
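Review bot: The interface added in the mrtg.if hunk is named `read_mrtg_etc`, which does not follow the `<module>_<verb>_<object>` convention refpolicy uses for every interface; it should be `mrtg_read_config` (or at least `mrtg_read_etc`), and the call site `read_mrtg_etc(system_cronjob_t)` in the cron.te hunk at @@ -563 renamed with it. The body would be more idiomatic as `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)` rather than a bare allow, and likely needs `files_search_etc($1)` so the caller can reach the files at all; whether system_cronjob_t already has that search is not visible here. A comment at the cron.te call site naming the mrtg cron job would complete it.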
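Review bot: In the apt.if hunk the new `apt_manage_cache` is inserted between the existing documentation block and the `apt_read_cache` interface line, so the summary and param lines preceding the hunk, which previously described apt_read_cache, now head apt_manage_cache while apt_read_cache receives the freshly written "Read apt package cache content." block; unless the old summary already says "manage", it now misdescribes the interface below it (its text is outside the hunk, so I cannot confirm). Placing the whole new interface, with its own doc block, either above the old block or after the closing of apt_read_cache avoids the swap. The body itself would follow the rest of refpolicy better as `manage_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `manage_files_pattern($1, apt_var_cache_t, apt_var_cache_t)` instead of the two bare allow rules.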