This patch has some small interface changes as well as the policy patches to use the new interfaces.
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 files_search_var($1)
 allow $1 apt_var_cache_t:dir list_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
+ allow $1 apt_var_cache_t:file mmap_read_file_perms;
 ')
 ########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 files_search_var($1)
 allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file manage_file_perms;
+ allow $1 apt_var_cache_t:file { manage_file_perms map };
 ')
 ########################################
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
 allow $1 dpkg_script_tmp_t:file map;
 ')
+
+########################################
+## <summary>
+## read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180701/policy/modules/services/gpm.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
+++ refpolicy-2.20180701/policy/modules/services/gpm.if
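Review bot: `apt_read_cache` now grants `map` on apt_var_cache_t files through `mmap_read_file_perms`, but the interface's `<summary>` sits above the hunk and is not touched; if it still describes plain read access it should also say the cache files may be memory-mapped, e.g. `## Read and memory map the apt package cache.` The same applies to `apt_manage_cache` in the second hunk, which adds `map` to `manage_file_perms`. Both interfaces begin before their hunks, so their gen_require and summaries are not visible here.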
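Review bot: The summary of the new `dpkg_read_script_tmp_links` interface names the SELinux type and is lower-cased, unlike the neighbouring summaries in this file; the generated interface documentation reads better when it describes the object, e.g. `## Read dpkg script temporary symbolic links.` The same lower-case, type-naming style appears in `auth_relabel_lastlog` (authlogin.if) and `raid_read_mdadm_pid` (raid.if) later in this patch.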
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
 ')
 dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
 ')
 ########################################
Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
 #######################################
 ## <summary>
+## relabel the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
 ## Read and write to the last logins log.
 ## </summary>
 ## <param name="domain">
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
 ')
 ########################################
+## <summary>
+## Manage the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ allow $1 lastlog_t:file manage_file_perms;
+ logging_rw_generic_log_dirs($1)
+')
+
+########################################
 ## <summary>
 ## Execute pam programs in the pam domain.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
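Review bot: The added `dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` suppresses a denial on a FIFO carrying the gpmctl_t label, while the existing rule one line above and the type name treat gpmctl_t as a socket; a FIFO with this label seems more likely to be a labelling or file-context problem than an access pattern that should be silently ignored. It would help to record which object produced the denial in a comment on the new line, e.g. `# <object seen as fifo_file, to be confirmed>`, so the dontaudit can be dropped once the labelling is understood. The interface's gen_require block lies above the hunk.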
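Review bot: In `auth_manage_lastlog` the `logging_rw_generic_log_dirs($1)` call follows the allow rule, whereas `auth_relabel_lastlog` in the previous hunk and the existing interfaces in this file place their search and directory calls before the rules; move it above `allow $1 lastlog_t:file manage_file_perms;` for consistency. Note also that this interface grants read/write on the generic log directories, which is broader than the `logging_search_logs` used by the relabel interface; that breadth is inherent to creating and unlinking the file, but a one-line comment stating it, e.g. `# creating/removing lastlog needs write access to the log directory`, would save the next reader from questioning it.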
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
 ########################################
 ## <summary>
+## read mdadm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mdadm_var_run_t:dir list_dir_perms;
+ allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete
 ## mdadm pid files.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
 optional_policy(`
 nscd_use($1)
 ')
+ optional_policy(`
+ # for /etc/resolv.conf symlink
+ networkmanager_read_pid_files($1)
+ ')
 ifdef(`init_systemd',`
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
 # for postinst of a new kernel package
 dpkg_manage_script_tmp_files(kmod_t)
 dpkg_map_script_tmp_files(kmod_t)
+ dpkg_read_script_tmp_links(kmod_t)
 ')
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
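Review bot: `networkmanager_read_pid_files($1)` is added to `sysnet_dns_name_resolve`, which is called by essentially every domain that resolves names, so all of them gain read access to whatever NetworkManager keeps under its runtime directory, not only the resolv.conf the comment mentions; the interface body is not visible here, but a read-files interface is normally not limited to one file. If the only need is following the `/etc/resolv.conf` symlink to NetworkManager's runtime copy, a narrower interface restricted to that file (or a dedicated type for it) would keep the grant to what the comment states. At minimum the comment should name what is read, e.g. `# /etc/resolv.conf is a symlink into NetworkManager's runtime directory`. The enclosing interface begins before the hunk.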
@@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
+auth_append_lastlog(systemd_tmpfiles_t)
 auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_lastlog(systemd_tmpfiles_t)
 auth_manage_login_records(systemd_tmpfiles_t)
 auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
 domain_use_interactive_fds(bootloader_t)
 files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
 fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
 # for apt-cache
 apt_read_db(bootloader_t)
- apt_read_cache(bootloader_t)
+ apt_manage_cache(bootloader_t)
 dpkg_read_db(bootloader_t)
 dpkg_rw_pipes(bootloader_t)
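Review bot: `auth_append_lastlog(systemd_tmpfiles_t)` is redundant next to `auth_manage_lastlog(systemd_tmpfiles_t)` added in the same hunk, since the new `auth_manage_lastlog` in authlogin.if grants `manage_file_perms`, which already includes append; drop the append line, or keep only it if tmpfiles does not in fact need to create or unlink the file. Together with `auth_relabel_lastlog`, tmpfiles now holds create, write, unlink and relabel on lastlog_t, which is a fairly complete set for a login-accounting file; a short comment naming the tmpfiles.d entry that needs it would justify keeping all three.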
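Review bot: Replacing `apt_read_cache(bootloader_t)` with `apt_manage_cache(bootloader_t)` gives the bootloader domain create, write, rename and unlink on the apt cache, while the comment `# for apt-cache` above only explains read access. If the motivating denial was `map`, the change to `apt_read_cache` in apt.if (now `mmap_read_file_perms`) already covers it and this line can stay `apt_read_cache(bootloader_t)`; if bootloader_t really writes the cache, the comment should say which tool does so. The distro_debian block begins before the hunk.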
@@ -204,6 +207,10 @@ optional_policy(`
 ')
 optional_policy(`
+ gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
 hal_dontaudit_append_lib_files(bootloader_t)
 hal_write_log(bootloader_t)
 ')
@@ -230,5 +237,9 @@ optional_policy(`
 ')
 optional_policy(`
+ raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
 rpm_rw_pipes(bootloader_t)
 ')
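Review bot: `gpm_getattr_gpmctl(bootloader_t)` calls the allow variant, but the interface changed in gpm.if by this patch is `gpm_dontaudit_getattr_gpmctl`, which now also covers fifo_file; if the bootloader's denial was on a FIFO, `gpm_getattr_gpmctl` (not shown here) would need a matching fifo_file rule, and if it was on the socket, the gpm.if change is unrelated to this caller. Please confirm which object class the denial reported and either extend `gpm_getattr_gpmctl` or use the dontaudit interface here, with a comment on the new line stating what the bootloader touches gpmctl for.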