Trivial stuff.
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20180701/policy/modules/admin/apt.fc
@@ -1,9 +1,12 @@
 /etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
-ifndef(`distro_redhat',`
+/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
 /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
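Review bot: The new `self:rawip_socket` rule carries no comment saying what NetworkManager needs a raw IP socket for, and it is the only socket rule in this hunk that spells out an ad-hoc permission list (`create setopt getattr write read`) instead of the `create_socket_perms` macro used on the neighbouring lines. A raw IP socket lets the domain emit arbitrary IP packets, so the narrower set is presumably deliberate least privilege, but a later maintainer cannot tell whether `bind` or `ioctl` were left out on purpose or simply not hit yet. Suggest a one-line comment above the rule, e.g. `# raw IP socket for <feature that needs it — TODO confirm>`, so the reduced set is not silently widened to the macro later.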
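Review bot: `/usr/sbin/update-apt-xapian-index` is labelled `apt_exec_t` and will therefore run in `apt_t`, the same domain as `apt-get` and `aptitude`. If the indexer only needs to read the package lists and write its own index (I cannot confirm its needs from the hunk), that domain grants it far more than it uses, and a dedicated type would keep the package manager's privileges out of a helper that parses package metadata. At minimum a comment above the entry, `# runs in apt_t: reads the apt lists and writes its index — TODO confirm`, would record the decision. The `ifndef(`distro_redhat',`` block's closing `')` lies outside the hunk, so I cannot verify the entries that stay conditional are still inside it.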
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
 domain_use_interactive_fds(bootloader_t)
 files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
 fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
 # for apt-cache
 apt_read_db(bootloader_t)
- apt_read_cache(bootloader_t)
+ apt_manage_cache(bootloader_t)
 dpkg_read_db(bootloader_t)
 dpkg_rw_pipes(bootloader_t)
@@ -204,6 +207,10 @@ optional_policy(`
 ')
 optional_policy(`
+ gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
 hal_dontaudit_append_lib_files(bootloader_t)
 hal_write_log(bootloader_t)
 ')
@@ -230,5 +237,9 @@ optional_policy(`
 ')
 optional_policy(`
+ raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
 rpm_rw_pipes(bootloader_t)
 ')
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
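Review bot: Replacing `apt_read_cache` with `apt_manage_cache` in the `-172,7` hunk gives `bootloader_t` create, write and delete rights on the apt cache, a real widening for a domain that otherwise only reads package state in this block (`apt_read_db`, `dpkg_read_db`), and nothing in the hunk says why. If the trigger was `apt-cache` regenerating its binary cache when the bootloader hook runs (my guess; not visible here), please record that in the existing comment, e.g. `# for apt-cache, which may rebuild its cache itself`. If a single file or directory is all that is written, a narrower interface would be preferable to full manage rights. The `ifdef(`distro_debian',`` block continues outside the hunk.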
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
 allow $1 dpkg_script_tmp_t:file map;
 ')
+
+########################################
+## <summary>
+## read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
 ########################################
 ## <summary>
+## read mdadm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mdadm_var_run_t:dir list_dir_perms;
+ allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete
 ## mdadm pid files.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
 # for postinst of a new kernel package
 dpkg_manage_script_tmp_files(kmod_t)
 dpkg_map_script_tmp_files(kmod_t)
+ dpkg_read_script_tmp_links(kmod_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
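Review bot: The new interface's `<summary>` reads `read dpkg_script_tmp_t links`, which is lowercase, names the internal type instead of describing the objects, and lacks the terminating period that the neighbouring summaries use (compare `Create, read, write, and delete mdadm pid files.` in the raid.if context lines); the `read mdadm pid files.` summary added in the raid.if hunk of this same patch has the same capitalisation problem. Suggest `## Read dpkg script temporary symbolic links.` here and `## Read mdadm pid files.` there. Unlike `raid_read_mdadm_pid`, this interface grants no search on the containing directory, which is only safe if every caller already has it through another dpkg interface; that holds for the single caller in this patch (`kmod_t` also gets `dpkg_manage_script_tmp_files`), but a sentence in the summary saying the caller is expected to have tmp search access would make the contract explicit.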
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
 dev_read_urand(tor_t)
 domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
 logging_send_syslog_msg(tor_t)
+miscfiles_read_generic_certs(tor_t)
 miscfiles_read_localization(tor_t)
 tunable_policy(`tor_bind_all_unreserved_ports',`
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
 kernel_read_system_state(devicekit_t)
 dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
 dev_read_urand(devicekit_t)
 files_read_etc_files(devicekit_t)
Index: refpolicy-2.20180701/policy/modules/services/dictd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
+++ refpolicy-2.20180701/policy/modules/services/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 optional_policy(`
+ dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(dictd_t)
 ')
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
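Review bot: `dbus_system_bus_client(dictd_t)` in the dictd.te hunk turns a dictionary server into a system bus client with no comment saying which bus service it needs. dictd is not a program I would expect to speak D-Bus itself; if the denial actually came from a library loaded into the process, such as an NSS module (speculation, nothing in the hunk shows the trigger), the access belongs in the shared interface that grants that library's needs rather than being added daemon by daemon, and if it is a best-effort probe a dontaudit rule would be tighter. A comment above the call, e.g. `# TODO confirm: which bus service dictd talks to`, would let the next reviewer check this.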
@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
 domain_use_interactive_fds(irqbalance_t)
Index: refpolicy-2.20180701/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20180701/policy/modules/services/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
 optional_policy(`
 dbus_system_domain(policykit_t, policykit_exec_t)
+ init_dbus_chat(policykit_t)
 userdom_dbus_send_all_users(policykit_t)
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+optional_policy(`
+ init_dbus_chat(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy
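Review bot: `init_dbus_chat(postfix_bounce_t)` in the postfix.te hunk allows two-way D-Bus messaging between the bounce daemon and `init_t`, and nothing in the hunk indicates what the bounce daemon would ask the init daemon over the bus. The policykit hunk in this patch adds the same call, which is plausible for polkit, but for a postfix helper it is surprising; if it was only triggered by a library probe (a guess, not visible here) a dontaudit rule would be tighter than granting the chat in both directions. Please add a comment above the call stating the purpose, e.g. `# TODO confirm: why the bounce daemon needs D-Bus access to init`.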