This patch has a number of small patches most of which are needed in a "strict" configuration. Also remove the systemd_analyze_t domain which does no good. Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx> Index: refpolicy-2.20210112/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20210112.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20210112/policy/modules/system/userdomain.if @@ -68,6 +68,8 @@ template(`userdom_base_user_template',` dontaudit $1_t user_tty_device_t:chr_file ioctl; kernel_read_kernel_sysctls($1_t) + kernel_read_crypto_sysctls($1_t) + kernel_read_vm_overcommit_sysctl($1_t) kernel_dontaudit_list_unlabeled($1_t) kernel_dontaudit_getattr_unlabeled_files($1_t) kernel_dontaudit_getattr_unlabeled_symlinks($1_t) Index: refpolicy-2.20210112/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20210112.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20210112/policy/modules/roles/sysadm.te @@ -33,11 +33,22 @@ ifndef(`enable_mls',` # Local policy # +allow sysadm_t self:netlink_generic_socket { create setopt bind write read }; + +# for ptrace +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read }; + +allow sysadm_t self:capability audit_write; +allow sysadm_t self:system status; + corecmd_exec_shell(sysadm_t) corenet_ib_access_unlabeled_pkeys(sysadm_t) corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) +domain_getsched_all_domains(sysadm_t) + +dev_read_cpuid(sysadm_t) dev_read_kmsg(sysadm_t) mls_process_read_all_levels(sysadm_t) @@ -55,6 +66,9 @@ init_admin(sysadm_t) userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +# for systemd-analyze +files_get_etc_unit_status(sysadm_t) + ifdef(`direct_sysadm_daemon',` optional_policy(` init_run_daemon(sysadm_t, sysadm_r) @@ -1117,6 +1131,10 @@ optional_policy(` ') optional_policy(` + systemd_dbus_chat_logind(sysadm_t) +') + +optional_policy(` tboot_run_txtstat(sysadm_t, sysadm_r) ') @@ -1184,6 +1202,7 @@ optional_policy(` ') optional_policy(` + dev_rw_generic_usb_dev(sysadm_t) usbmodules_run(sysadm_t, sysadm_r) ') Index: refpolicy-2.20210112/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20210112.orig/policy/modules/services/xserver.if +++ refpolicy-2.20210112/policy/modules/services/xserver.if @@ -100,6 +100,7 @@ interface(`xserver_restricted_role',` xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) + xserver_use_user_fonts($2) # certain apps want to read xdm.pid file xserver_read_xdm_runtime_files($2) # gnome-session creates socket under /tmp/.ICE-unix/ @@ -141,7 +142,7 @@ interface(`xserver_role',` gen_require(` type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type mesa_shader_cache_t; + type mesa_shader_cache_t, xdm_t; ') xserver_restricted_role($1, $2) @@ -184,6 +185,8 @@ interface(`xserver_role',` xserver_read_xkb_libs($2) + allow $2 xdm_t:unix_stream_socket accept; + optional_policy(` xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") ') @@ -1239,6 +1242,7 @@ interface(`xserver_read_xkb_libs',` allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) + allow $1 xkb_var_lib_t:file map; ') ######################################## Index: refpolicy-2.20210112/policy/modules/services/dbus.if =================================================================== --- refpolicy-2.20210112.orig/policy/modules/services/dbus.if +++ refpolicy-2.20210112/policy/modules/services/dbus.if @@ -84,6 +84,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:unix_stream_socket connectto; allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $1_dbusd_t $3:dbus send_msg; allow $3 $1_dbusd_t:fd use; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; @@ -99,9 +100,13 @@ template(`dbus_role_template',` allow $1_dbusd_t $3:process sigkill; + allow $1_dbusd_t self:process getcap; + corecmd_bin_domtrans($1_dbusd_t, $3) corecmd_shell_domtrans($1_dbusd_t, $3) + dev_read_sysfs($1_dbusd_t) + auth_use_nsswitch($1_dbusd_t) ifdef(`hide_broken_symptoms',` @@ -111,6 +116,15 @@ template(`dbus_role_template',` optional_policy(` systemd_read_logind_runtime_files($1_dbusd_t) ') + + optional_policy(` + init_dbus_chat($1_dbusd_t) + dbus_system_bus_client($1_dbusd_t) + ') + + optional_policy(` + xdg_read_data_files($1_dbusd_t) + ') ') ####################################### Index: refpolicy-2.20210112/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20210112.orig/policy/modules/services/ssh.if +++ refpolicy-2.20210112/policy/modules/services/ssh.if @@ -439,6 +439,7 @@ template(`ssh_role_template',` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) xserver_sigchld_xdm($1_ssh_agent_t) + xserver_write_inherited_xsession_log($1_ssh_agent_t) ') ') Index: refpolicy-2.20210112/policy/modules/kernel/corecommands.te =================================================================== --- refpolicy-2.20210112.orig/policy/modules/kernel/corecommands.te +++ refpolicy-2.20210112/policy/modules/kernel/corecommands.te @@ -13,7 +13,7 @@ attribute exec_type; # # bin_t is the type of files in the system bin/sbin directories. # -type bin_t alias { ls_exec_t sbin_t }; +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; corecmd_executable_file(bin_t) dev_associate(bin_t) #For /dev/MAKEDEV Index: refpolicy-2.20210112/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20210112.orig/policy/modules/system/systemd.te +++ refpolicy-2.20210112/policy/modules/system/systemd.te @@ -55,10 +55,6 @@ type systemd_activate_t; type systemd_activate_exec_t; init_system_domain(systemd_activate_t, systemd_activate_exec_t) -type systemd_analyze_t; -type systemd_analyze_exec_t; -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) - type systemd_backlight_t; type systemd_backlight_exec_t; init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) @@ -1363,6 +1359,7 @@ tunable_policy(`systemd_tmpfiles_manage_ ') optional_policy(` + dbus_manage_lib_files(systemd_tmpfiles_t) dbus_read_lib_files(systemd_tmpfiles_t) dbus_relabel_lib_dirs(systemd_tmpfiles_t) ') Index: refpolicy-2.20210112/policy/modules/services/cron.te =================================================================== --- refpolicy-2.20210112.orig/policy/modules/services/cron.te +++ refpolicy-2.20210112/policy/modules/services/cron.te @@ -493,6 +493,7 @@ kernel_getattr_core_if(system_cronjob_t) kernel_getattr_message_if(system_cronjob_t) kernel_read_crypto_sysctls(system_cronjob_t) +kernel_read_fs_sysctls(system_cronjob_t) kernel_read_irq_sysctls(system_cronjob_t) kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) Index: refpolicy-2.20210112/policy/modules/apps/pulseaudio.te =================================================================== --- refpolicy-2.20210112.orig/policy/modules/apps/pulseaudio.te +++ refpolicy-2.20210112/policy/modules/apps/pulseaudio.te @@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau userdom_manage_user_tmp_dirs(pulseaudio_t) userdom_manage_user_tmp_files(pulseaudio_t) userdom_manage_user_tmp_sockets(pulseaudio_t) +userdom_write_all_user_runtime_named_sockets(pulseaudio_t) tunable_policy(`pulseaudio_execmem',` allow pulseaudio_t self:process execmem;