This is the last of the strict patches for now.
Index: refpolicy-2.20170427/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20170427/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
# Groupadd local policy
#
-allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
+allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
Index: refpolicy-2.20170427/policy/modules/contrib/mta.if
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/contrib/mta.if
+++ refpolicy-2.20170427/policy/modules/contrib/mta.if
@@ -121,6 +121,23 @@ interface(`mta_role',`
########################################
## <summary>
+## Enable system_mail_t to run in the specified role
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`system_mail_role',`
+ gen_require(`
+ type system_mail_t;
+ ')
+ role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
## Make the specified domain usable for a mail server.
## </summary>
## <param name="type">
Index: refpolicy-2.20170427/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170427/policy/modules/roles/sysadm.te
@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
init_admin(sysadm_t)
+selinux_read_policy(sysadm_t)
+
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
@@ -104,6 +106,10 @@ optional_policy(`
')
optional_policy(`
+ system_mail_role(sysadm_r)
+')
+
+optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')
Index: refpolicy-2.20170427/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170427/policy/modules/services/xserver.te
@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")
allow xauth_t xdm_t:process sigchld;
allow xauth_t xdm_t:fd use;
Index: refpolicy-2.20170427/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170427/policy/modules/system/fstools.te
@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
+selinux_getattr_fs(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
Index: refpolicy-2.20170427/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170427/policy/modules/system/selinuxutil.te
@@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
userdom_use_user_terminals(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
+dev_read_urand(load_policy_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
fs_getattr_tracefs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_getattr_pstorefs(restorecond_t)
selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
@@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
corecmd_exec_bin(semanage_t)
+corecmd_exec_shell(semanage_t)
dev_read_urand(semanage_t)
@@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
fs_getattr_tracefs(setfiles_t)
On 04/27/2017 02:48 AM, Russell Coker via refpolicy wrote:
> This is the last of the strict patches for now.
>
> Index: refpolicy-2.20170427/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20170427/policy/modules/admin/usermanage.te
> @@ -189,7 +189,7 @@ optional_policy(`
> # Groupadd local policy
> #
>
> -allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
> +allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
> dontaudit groupadd_t self:capability { fsetid sys_tty_config };
> allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
> allow groupadd_t self:process { setrlimit setfscreate };
> Index: refpolicy-2.20170427/policy/modules/contrib/mta.if
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/mta.if
> +++ refpolicy-2.20170427/policy/modules/contrib/mta.if
> @@ -121,6 +121,23 @@ interface(`mta_role',`
>
> ########################################
> ## <summary>
> +## Enable system_mail_t to run in the specified role
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`system_mail_role',`
> + gen_require(`
> + type system_mail_t;
> + ')
> + role $1 types system_mail_t;
> +')
> +
> +########################################
> +## <summary>
> ## Make the specified domain usable for a mail server.
> ## </summary>
> ## <param name="type">
> Index: refpolicy-2.20170427/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170427/policy/modules/roles/sysadm.te
> @@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
> init_exec(sysadm_t)
> init_admin(sysadm_t)
>
> +selinux_read_policy(sysadm_t)
> +
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)
> userdom_home_filetrans_user_home_dir(sysadm_t)
> @@ -104,6 +106,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + system_mail_role(sysadm_r)
I'm not particularly fond of interfaces that simply add a type to a
role, as it seems like there should be some other path to get that
association. I dropped this pending further explanation, e.g. why
sysadm would be using the system_mail_t domain.
> +')
> +
> +optional_policy(`
> amanda_run_recover(sysadm_t, sysadm_r)
> ')
>
> Index: refpolicy-2.20170427/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20170427/policy/modules/services/xserver.te
> @@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
> files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
>
> allow xdm_t xauth_home_t:file manage_file_perms;
> -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
> +userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
> +userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")
Fixed this last line to use the correct interface,
userdom_user_home_dir_filetrans_user_home_content().
> allow xauth_t xdm_t:process sigchld;
> allow xauth_t xdm_t:fd use;
> Index: refpolicy-2.20170427/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170427/policy/modules/system/fstools.te
> @@ -134,6 +134,8 @@ files_search_all(fsadm_t)
> mls_file_read_all_levels(fsadm_t)
> mls_file_write_all_levels(fsadm_t)
>
> +selinux_getattr_fs(fsadm_t)
> +
> storage_raw_read_fixed_disk(fsadm_t)
> storage_raw_write_fixed_disk(fsadm_t)
> storage_raw_read_removable_device(fsadm_t)
> Index: refpolicy-2.20170427/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170427/policy/modules/system/selinuxutil.te
> @@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
>
> userdom_use_user_terminals(load_policy_t)
> userdom_use_all_users_fds(load_policy_t)
> +dev_read_urand(load_policy_t)
>
> ifdef(`distro_ubuntu',`
> optional_policy(`
> @@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
> fs_getattr_tracefs(restorecond_t)
> fs_list_inotifyfs(restorecond_t)
> fs_relabelfrom_noxattr_fs(restorecond_t)
> +fs_getattr_pstorefs(restorecond_t)
>
> selinux_validate_context(restorecond_t)
> selinux_compute_access_vector(restorecond_t)
> @@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
> kernel_read_kernel_sysctls(semanage_t)
>
> corecmd_exec_bin(semanage_t)
> +corecmd_exec_shell(semanage_t)
>
> dev_read_urand(semanage_t)
>
> @@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
> files_dontaudit_read_all_symlinks(setfiles_t)
>
> fs_getattr_all_xattr_fs(setfiles_t)
> +fs_getattr_nfs(setfiles_t)
> fs_getattr_pstore_dirs(setfiles_t)
> fs_getattr_pstorefs(setfiles_t)
> fs_getattr_tracefs(setfiles_t)
Otherwise merged.
--
Chris PeBenito