2017-04-17 12:22:51

by Russell Coker

Subject: [refpolicy] [PATCH] devicekit, mount, xserver, and selinuxutil

Allow devicekit_power_t to chat to xdm via dbus and log via syslog.

Allow mount_t to do more with its runtime files and stat more filesystem
types.

Allow xauth to send sigchld to xdm.

Allow semanage to search policy_src_t dirs and read /dev/urandom.

Index: refpolicy-2.20170417/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170417/policy/modules/contrib/devicekit.te
@@ -56,6 +56,10 @@ optional_policy(`
')

optional_policy(`
+ xserver_dbus_chat_xdm(devicekit_power_t)
+')
+
+optional_policy(`
udev_read_db(devicekit_t)
')
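Review bot: The new optional_policy block for devicekit_power_t lands in the devicekit_t part of the file, since the neighbouring block it is spliced in front of is `udev_read_db(devicekit_t)`, so the xdm dbus rule is separated from the rest of devicekit_power_t's policy. Moving `xserver_dbus_chat_xdm(devicekit_power_t)` into the devicekit_power_t section beside its other optional_policy blocks keeps rules grouped per domain as the rest of the module appears to be. The section boundaries themselves are outside the hunk, so the exact target position cannot be confirmed from here.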

@@ -65,6 +69,7 @@ optional_policy(`
#

allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability2 wake_alarm;
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
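Review bot: The grant `allow devicekit_disk_t self:capability2 wake_alarm;` is not mentioned anywhere in the commit message, which only describes dbus and syslog access for devicekit_power_t; the same applies to `allow xserver_t self:capability2 wake_alarm;` in the xserver.te hunk at @@ -643. CAP_WAKE_ALARM lets a process arm timers that wake the machine from suspend, which is a meaningful privilege to hand to a disk daemon and to the X server, so each grant should be traceable to the denial it resolves. If the triggering call is not known, a comment above each line such as `# wake_alarm: TODO record which timer call is denied without it` would at least make the widening visible to the next reader.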
@@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicek
init_read_utmp(devicekit_power_t)
init_search_run(devicekit_power_t)

+logging_send_syslog_msg(devicekit_power_t)
+
miscfiles_read_localization(devicekit_power_t)

sysnet_domtrans_ifconfig(devicekit_power_t)
Index: refpolicy-2.20170417/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/mount.te
+++ refpolicy-2.20170417/policy/modules/system/mount.te
@@ -53,8 +53,8 @@ can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

-create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
-create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
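Review bot: Once `manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)` is in place, the context line `rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)` directly below it grants nothing extra, because manage_file_perms is a superset of rw_file_perms in refpolicy; dropping it avoids a later reader wondering which case the rw rule covers that manage does not. The move from create to manage also adds unlink, rename and setattr on mount_t's own runtime files, which the message only calls "do more"; naming the operation that was actually denied would make the widening auditable.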

@@ -101,7 +101,10 @@ files_dontaudit_write_all_mountpoints(mo
files_dontaudit_setattr_all_mountpoints(mount_t)

fs_getattr_xattr_fs(mount_t)
+fs_getattr_tmpfs(mount_t)
+fs_getattr_rpc_pipefs(mount_t)
fs_getattr_cifs(mount_t)
+fs_getattr_nfs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
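Review bot: The three new fs_getattr_* calls extend a piecemeal list (xattr_fs, tmpfs, rpc_pipefs, cifs, nfs) that is neither alphabetical nor obviously complete, while the lines just below already give mount_t fs_mount_all_fs, fs_unmount_all_fs and fs_remount_all_fs. Since getattr on a filesystem is strictly weaker than mounting or remounting it, a single `fs_getattr_all_fs(mount_t)` would match the breadth of the existing rules and stop the next filesystem type from needing another patch. If the narrow list is intentional, sorting the five calls alphabetically would at least match the ordering refpolicy normally uses.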
Index: refpolicy-2.20170417/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170417/policy/modules/services/xserver.te
@@ -274,6 +274,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t

allow xdm_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+allow xauth_t xdm_t:process sigchld;

allow xauth_t xdm_t:fd use;
allow xauth_t xdm_t:fifo_file { getattr read };
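Review bot: The new `allow xauth_t xdm_t:process sigchld;` is inserted into the paragraph of xdm_t-subject rules (`allow xdm_t xauth_home_t:file manage_file_perms;`, `userdom_user_home_dir_filetrans(xdm_t, ...)`) rather than with the xauth_t-on-xdm_t rules that begin after the blank line (`allow xauth_t xdm_t:fd use;`, `allow xauth_t xdm_t:fifo_file { getattr read };`). Moving it down one paragraph keeps rules grouped by source domain as the surrounding code does. Granting sigchld alone rather than signal_perms is the right minimal permission for a child reporting its exit to xdm.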
@@ -643,6 +644,7 @@ allow xserver_t input_xevent_t:x_event s

allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
dontaudit xserver_t self:capability chown;
+allow xserver_t self:capability2 wake_alarm;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20170417/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170417/policy/modules/system/selinuxutil.te
@@ -478,6 +478,8 @@ allow semanage_t policy_config_t:file rw

filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")

+allow semanage_t policy_src_t:dir search;
+
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -572,6 +574,7 @@ kernel_dontaudit_list_all_proc(setfiles_
kernel_dontaudit_list_all_sysctls(setfiles_t)
kernel_getattr_debugfs(setfiles_t)

+dev_read_urand(setfiles_t)
dev_relabel_all_dev_nodes(setfiles_t)
# to handle when /dev/console needs to be relabeled
dev_rw_generic_chr_files(setfiles_t)
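Review bot: The commit message says semanage gains read access to /dev/urandom, but this hunk adds `dev_read_urand(setfiles_t)`: the grant is on setfiles_t, not semanage_t, and the @@ -478 hunk above only adds policy_src_t search for semanage_t. Either the message or the domain is wrong and they should be brought into agreement before merge. If setfiles is genuinely the process that was denied (plausible if a library it links seeds a hash table, but that is inferred, not shown), a comment such as `# setfiles reads /dev/urandom at startup; TODO confirm which library needs it` would explain the otherwise surprising need for randomness in a relabeling tool.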


2017-04-19 01:28:34

by Chris PeBenito

Subject: [refpolicy] [PATCH] devicekit, mount, xserver, and selinuxutil

On 04/17/2017 08:22 AM, Russell Coker via refpolicy wrote:
> Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
>
> Allow mount_t to do more with it's runtime files and stat more filesystem
> types.
>
> Allow xauth to send sigchld to xdm.
>
> Allow semanage to search policy_src_t dirs and read /dev/urandom.

Merged with some line moving.


> Index: refpolicy-2.20170417/policy/modules/contrib/devicekit.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/devicekit.te
> +++ refpolicy-2.20170417/policy/modules/contrib/devicekit.te
> @@ -56,6 +56,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xserver_dbus_chat_xdm(devicekit_power_t)
> +')
> +
> +optional_policy(`
> udev_read_db(devicekit_t)
> ')
>
> @@ -65,6 +69,7 @@ optional_policy(`
> #
>
> allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
> +allow devicekit_disk_t self:capability2 wake_alarm;
> allow devicekit_disk_t self:process { getsched signal_perms };
> allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
> allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
> @@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicek
> init_read_utmp(devicekit_power_t)
> init_search_run(devicekit_power_t)
>
> +logging_send_syslog_msg(devicekit_power_t)
> +
> miscfiles_read_localization(devicekit_power_t)
>
> sysnet_domtrans_ifconfig(devicekit_power_t)
> Index: refpolicy-2.20170417/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20170417/policy/modules/system/mount.te
> @@ -53,8 +53,8 @@ can_exec(mount_t, mount_exec_t)
>
> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>
> -create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> -create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> +manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> +manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
> files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
>
> @@ -101,7 +101,10 @@ files_dontaudit_write_all_mountpoints(mo
> files_dontaudit_setattr_all_mountpoints(mount_t)
>
> fs_getattr_xattr_fs(mount_t)
> +fs_getattr_tmpfs(mount_t)
> +fs_getattr_rpc_pipefs(mount_t)
> fs_getattr_cifs(mount_t)
> +fs_getattr_nfs(mount_t)
> fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> Index: refpolicy-2.20170417/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20170417/policy/modules/services/xserver.te
> @@ -274,6 +274,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t
>
> allow xdm_t xauth_home_t:file manage_file_perms;
> userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
> +allow xauth_t xdm_t:process sigchld;
>
> allow xauth_t xdm_t:fd use;
> allow xauth_t xdm_t:fifo_file { getattr read };
> @@ -643,6 +644,7 @@ allow xserver_t input_xevent_t:x_event s
>
> allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
> dontaudit xserver_t self:capability chown;
> +allow xserver_t self:capability2 wake_alarm;
> allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow xserver_t self:fd use;
> allow xserver_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20170417/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170417/policy/modules/system/selinuxutil.te
> @@ -478,6 +478,8 @@ allow semanage_t policy_config_t:file rw
>
> filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
>
> +allow semanage_t policy_src_t:dir search;
> +
> allow semanage_t semanage_tmp_t:dir manage_dir_perms;
> allow semanage_t semanage_tmp_t:file manage_file_perms;
> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
> @@ -572,6 +574,7 @@ kernel_dontaudit_list_all_proc(setfiles_
> kernel_dontaudit_list_all_sysctls(setfiles_t)
> kernel_getattr_debugfs(setfiles_t)
>
> +dev_read_urand(setfiles_t)
> dev_relabel_all_dev_nodes(setfiles_t)
> # to handle when /dev/console needs to be relabeled
> dev_rw_generic_chr_files(setfiles_t)


--
Chris PeBenito