Lots of little stuff. Also the sysnet_dns_name_resolve() change the previous patch needed.
Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
 fs_getattr_nfs(setfiles_t)
 fs_getattr_pstore_dirs(setfiles_t)
 fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
 optional_policy(`
 nscd_use($1)
 ')
+ optional_policy(`
+ # for /etc/resolv.conf symlink
+ networkmanager_read_pid_files($1)
+ ')
 ifdef(`init_systemd',`
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
 allow dhcpc_t dhcp_state_t:file read_file_perms;
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
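Review bot: The new optional_policy block in sysnet_dns_name_resolve gives every caller of that interface read access to NetworkManager's runtime-file type as a whole, since networkmanager_read_pid_files($1) is presumably keyed on NetworkManager_var_run_t rather than on the resolv.conf target alone; that is a very wide audience for a grant motivated by one symlink. If no NetworkManager type specific to the resolv.conf file exists, the trade-off should at least be recorded in the comment, e.g. `# /etc/resolv.conf may be a symlink into NetworkManager's pid dir; this grants read on all of that dir's files`. The enclosing interface body continues outside the hunk.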
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
 logging_send_syslog_msg(ifconfig_t)
+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
 miscfiles_read_localization(ifconfig_t)
 seutil_use_runinit_fds(ifconfig_t)
Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
+++ refpolicy-2.20180701/policy/modules/services/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
 # Local policy
 #
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
 allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
 #
 allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
 allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow groupadd_t self:fd use;
 allow groupadd_t self:fifo_file rw_fifo_file_perms;
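Review bot: `miscfiles_read_generic_certs(dhcpc_t)` and its comment land inside the ifconfig_t rule run (between logging_send_syslog_msg(ifconfig_t) and miscfiles_read_localization(ifconfig_t)), so a dhcpc_t rule now sits in the wrong local-policy section of sysnetwork.te. Move the two lines into the dhcpc_t section, keeping the file's alphabetical ordering of interface calls there, so the next reader of the ifconfig_t block is not misled about what ifconfig is allowed to do.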
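Review bot: dac_read_search is added beside an existing dac_override in consolekit_t's capability set without a comment, and because dac_override already subsumes it the line grants no new access in practice. The likely motivation is that newer kernels check dac_read_search before dac_override and audit the first failure; that reasoning is worth recording, e.g. `# dac_read_search: checked before dac_override on newer kernels`. If consolekit only needs to read or search DAC-protected paths, dac_override itself is the candidate for removal in a follow-up rather than the weaker capability being the addition.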
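Review bot: The new net_admin dontaudit on groupadd_t (and the matching one on useradd_t in the -446 hunk further down) carries no comment saying what triggers it, so a reader cannot tell whether the dontaudit is silencing noise or masking a real requirement of these tools. net_admin denials from account-management tools are typically a library calling setsockopt rather than the tool needing the capability; add the observed trigger, e.g. `# net_admin: setsockopt from library socket setup, not required` (replace with what the audit log showed).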
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 optional_policy(`
+ dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
 dpkg_use_fds(groupadd_t)
 dpkg_rw_pipes(groupadd_t)
 ')
@@ -269,6 +273,10 @@ optional_policy(`
 rpm_rw_pipes(groupadd_t)
 ')
+optional_policy(`
+ unconfined_use_fds(groupadd_t)
+')
+
 ########################################
 #
 # Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
 #
 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
 allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
 ')
 optional_policy(`
+ dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
 dpkg_use_fds(useradd_t)
 dpkg_rw_pipes(useradd_t)
 ')
@@ -560,3 +572,7 @@ optional_policy(`
 rpm_use_fds(useradd_t)
 rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+ unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 files_search_var($1)
 allow $1 apt_var_cache_t:dir list_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
+ allow $1 apt_var_cache_t:file mmap_read_file_perms;
 ')
 ########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 files_search_var($1)
 allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file manage_file_perms;
+ allow $1 apt_var_cache_t:file { manage_file_perms map };
 ')
 ########################################
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
 ')
 optional_policy(`
+ init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
 modutils_run(dpkg_script_t, dpkg_roles)
 ')
Index: refpolicy-2.20180701/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180701/policy/modules/system/udev.te
@@ -306,10 +306,6 @@ optional_policy(`
 ')
 optional_policy(`
- lvm_domtrans(udev_t)
-')
-
-optional_policy(`
 fstools_domtrans(udev_t)
 ')
@@ -328,6 +324,11 @@ optional_policy(`
 ')
 optional_policy(`
+ iptables_domtrans(udev_t)
+ iptables_write_pipe(udev_t)
+')
+
+optional_policy(`
 lvm_domtrans(udev_t)
 ')
Index: refpolicy-2.20180701/policy/modules/system/iptables.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
+++ refpolicy-2.20180701/policy/modules/system/iptables.if
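Review bot: `allow $1 apt_var_cache_t:file { manage_file_perms map };` hand-builds the permission set, while the sibling change to apt_read_cache in the previous hunk uses the mmap_read_file_perms set; the two interfaces should follow the same idiom. If the policy's object permission sets define a matching mmap manage set, use it here; otherwise the explicit set is acceptable but the interface's doc block above the hunk should say the cache may now be memory-mapped, since that is what callers are newly granted.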
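Review bot: `init_dbus_chat(dpkg_script_t)` lets dpkg maintainer scripts exchange D-Bus messages with init in both directions with no comment on why, and because dpkg_script_t executes whatever a package ships, this is in effect a grant of the service manager's bus API to package scripts. That is a reasonable trade-off if the motivation is systemctl calls in postinst/prerm scripts, but it should be stated so the grant is not silently widened later, e.g. `# maintainer scripts run systemctl, which talks to systemd over the bus`.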
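Review bot: `iptables_write_pipe(udev_t)` looks redundant beside `iptables_domtrans(udev_t)`: if iptables_domtrans expands to domtrans_pattern like the other *_domtrans interfaces, iptables_t already receives rw_fifo_file_perms on udev_t's fifo files together with fd use, so the extra write rule adds nothing. If the denial that motivated it came from a different path (iptables reached through a helper rather than a direct transition from udev_t), a comment naming that path would justify keeping the call; otherwise drop it along with the new interface. The first udev.te hunk only moves the lvm_domtrans block to restore alphabetical order, so nothing to raise there.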
@@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
 ########################################
 ## <summary>
+## Allow iptables to write to a pipe
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be written to
+## </summary>
+## </param>
+#
+interface(`iptables_write_pipe',`
+ gen_require(`
+ type iptables_t;
+ ')
+
+ allow iptables_t $1:fifo_file write;
+')
+
+########################################
+## <summary>
 ## Execute iptables in the iptables domain, and
 ## allow the specified role the iptables domain.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
 fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)
Index: refpolicy-2.20180701/policy/modules/services/gpm.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
+++ refpolicy-2.20180701/policy/modules/services/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
 ')
 dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
 ')
 ########################################
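Review bot: `allow iptables_t $1:fifo_file write;` in the new iptables_write_pipe interface grants bare write, which may still leave getattr/ioctl denials when the caller's pipe is probed by stdio; refpolicy's convention is the permission set, `allow iptables_t $1:fifo_file write_fifo_file_perms;`. The doc block is also backwards about direction: the summary should read `Allow the iptables domain to write to the specified domain's pipes` and the parameter summary `Domain whose pipes iptables may write to`. It would help to state in the summary that domtrans_pattern already covers the direct-transition case, so callers know this interface is only for pipes handed to iptables through some other route.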