Includes the change PeBenito requested. Signed off by Russell. Index: refpolicy-2.20200209/policy/modules/services/memlockd.fc =================================================================== --- /dev/null +++ refpolicy-2.20200209/policy/modules/services/memlockd.fc @@ -0,0 +1 @@ +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0) Index: refpolicy-2.20200209/policy/modules/services/memlockd.if =================================================================== --- /dev/null +++ refpolicy-2.20200209/policy/modules/services/memlockd.if @@ -0,0 +1,2 @@ +## <summary>memory lock daemon, keeps important files in RAM.</summary> + Index: refpolicy-2.20200209/policy/modules/services/memlockd.te =================================================================== --- /dev/null +++ refpolicy-2.20200209/policy/modules/services/memlockd.te @@ -0,0 +1,42 @@ +policy_module(memlockd, 1.0.0) + +######################################## +# +# Declarations +# + +type memlockd_t; +type memlockd_exec_t; +init_daemon_domain(memlockd_t, memlockd_exec_t) + +######################################## +# +# Local policy +# + +allow memlockd_t self:capability { setgid setuid ipc_lock }; +allow memlockd_t self:fifo_file rw_file_perms; +allow memlockd_t self:unix_dgram_socket { create connect }; + +# cache /etc/shadow too +auth_read_shadow(memlockd_t) +auth_map_shadow(memlockd_t) + +sysnet_mmap_read_config(memlockd_t) +files_read_etc_files(memlockd_t) + +# for ldd +corecmd_exec_bin(memlockd_t) +corecmd_exec_shell(memlockd_t) +libs_exec_ld_so(memlockd_t) + +corecmd_search_bin(memlockd_t) +files_map_etc_files(memlockd_t) +# has to exec for ldd +corecmd_exec_all_executables(memlockd_t) +corecmd_read_all_executables(memlockd_t) + +logging_send_syslog_msg(memlockd_t) + +miscfiles_read_localization(memlockd_t) + Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.if +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.if @@ -366,6 +366,31 @@ interface(`sysnet_read_config',` ####################################### ## <summary> +## map network config files. +## </summary> +## <desc> +## <p> +## Allow the specified domain to mmap the +## general network configuration files. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_mmap_read_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file { read_file_perms map }; +') + +####################################### +## <summary> ## Do not audit attempts to read network config files. ## </summary> ## <param name="domain"> Index: refpolicy-2.20200209/policy/modules/system/authlogin.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/authlogin.if +++ refpolicy-2.20200209/policy/modules/system/authlogin.if @@ -577,6 +577,23 @@ interface(`auth_read_shadow',` ######################################## ## <summary> +## Map the shadow passwords file (/etc/shadow) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_map_shadow',` + gen_require(` + type shadow_t; + ') + allow $1 shadow_t:file map; +') + +######################################## +## <summary> ## Pass shadow assertion for reading. ## </summary> ## <desc>