From: russell@coker.com.au (Russell Coker)
Date: Mon, 6 Nov 2017 17:42:27 +1100
Subject: [refpolicy] [PATCH] map permission and systemd_tmpfiles_t stuff
Message-ID: <20171106064227.5c42aucs5pqnqxqv@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch allows some map permissions and allows systemd_tmpfiles_t to stat some things it wants to stat and append and relabel the lastlog.
Index: refpolicy-2.20171105/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/logging.te
+++ refpolicy-2.20171105/policy/modules/system/logging.te
@@ -257,7 +257,7 @@ corecmd_exec_shell(audisp_t)
 domain_use_interactive_fds(audisp_t)
-files_read_etc_files(audisp_t)
+files_map_etc_files(audisp_t)
 files_read_etc_runtime_files(audisp_t)
 mls_file_write_all_levels(audisp_t)
@@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
 # manage temporary files
 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:file map;
+
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
@@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t)
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+allow syslogd_t syslogd_var_run_t:file map;
+
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
Index: refpolicy-2.20171105/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20171105/policy/modules/system/lvm.te
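Review bot: `files_map_etc_files(audisp_t)` in the first logging.te hunk widens audisp_t from reading to mmap of every etc_t file without recording which /etc file produced the denial, and the raw `allow syslogd_t syslogd_tmp_t:file map;` and `allow syslogd_t syslogd_var_run_t:file map;` rules in the next two hunks are equally unexplained. `map` is checked separately from `read` and is not implied by the existing read/manage patterns, so these rules are presumably answering real denials, but the reason belongs in the policy: a one-line comment above each, e.g. `# mmap of <path from the denial>`, lets a later reviewer judge whether a narrower type would do. In the pid-file hunk the new rule also sits apart from the existing `allow syslogd_t syslogd_var_run_t:dir create_dir_perms;`, which is where the raw rules for that type are grouped.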
@@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
 files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+allow lvm_t lvm_etc_t:file map;
+
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
 manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
Index: refpolicy-2.20171105/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20171105/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
 #######################################
 ##
+## relabel the last logins log.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+##
 ## Read and write to the last logins log.
 ##
 ##
Index: refpolicy-2.20171105/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20171105/policy/modules/system/systemd.if
@@ -346,6 +346,7 @@ interface(`systemd_manage_journal_files'
 manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
 manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+ allow $1 systemd_journal_t:file map;
 ')
Index: refpolicy-2.20171105/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20171105/policy/modules/system/systemd.te
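Review bot: The new `auth_relabel_lastlog` summary reads `relabel the last logins log.` while the surrounding interface summaries in authlogin.if (`Read and write to the last logins log.`) start with a capital letter; `Relabel the last logins log.` keeps the file's style. The interface grants `relabelfrom` and `relabelto` on lastlog_t only, which by itself permits lastlog_t-to-lastlog_t relabels; a caller fixing a mislabelled lastlog still needs relabelfrom on whatever type the file currently carries, which for systemd_tmpfiles_t presumably comes from its other relabel interfaces. Saying so in the interface description would stop callers from expecting this interface alone to cover relabelling.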
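Review bot: Adding `allow $1 systemd_journal_t:file map;` inside `systemd_manage_journal_files` widens every existing caller of that interface, not only the domain this patch is fixing; if a single caller needs to mmap journal files, a separate `systemd_map_journal_files` interface would leave the manage interface's scope unchanged. If widening is intended, the interface's summary, which is outside the hunk, should be updated to mention mapping so callers know what they are granting.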
@@ -868,9 +868,11 @@ allow systemd_tmpfiles_t systemd_journal
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+kernel_getattr_proc(systemd_tmpfiles_t)
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
+dev_getattr_fs(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
@@ -897,14 +899,17 @@ files_relabelto_etc_dirs(systemd_tmpfile
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_tmpfs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
+auth_append_lastlog(systemd_tmpfiles_t)
 auth_manage_faillog(systemd_tmpfiles_t)
 auth_manage_login_records(systemd_tmpfiles_t)
 auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
Index: refpolicy-2.20171105/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20171105/policy/modules/kernel/files.if
@@ -2944,6 +2944,38 @@ interface(`files_read_etc_files',`
 ########################################
 ##
+## Read and map generic files in /etc.
+##
+##
+##
+## Allow the specified domain to read and map generic
+## files in /etc.
+##
+##
+## Related interfaces:
+##
+##
+## files_read_etc_files()
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_map_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ files_read_etc_files($1)
+ allow $1 etc_t:file map;
+')
+
+########################################
+##
 ## Do not audit attempts to write generic files in /etc.
 ##
 ##
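Review bot: `auth_append_lastlog(systemd_tmpfiles_t)` in the second systemd.te hunk grants append to lastlog_t, but neither the patch nor the commit message says which tmpfiles.d action needs to write into the file rather than only create or relabel it. If this came from a tmpfiles.d `f` entry for the lastlog, which opens the file for writing even when it already exists, a comment such as `# tmpfiles.d 'f' entry opens /var/log/lastlog for append` above the call would record that; if the denial was something else, the comment should name it. The `kernel_getattr_proc`, `dev_getattr_fs` and `fs_getattr_tmpfs` additions are low-risk getattr-only permissions and need no further note.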
+## Allow the specified domain to read and map generic +## files in /etc. +##
+## Related interfaces: +##