Re: [PATCH] misc services patches


 



Russell Coker <russell@xxxxxxxxxxxx> writes:

> Misc patches for services policy, ready to merge.
>
> Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
>
> Index: refpolicy-2.20210120/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210120/policy/modules/services/apache.fc
> @@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
>  /usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
>  /usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>  /usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php7..-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)

that seems fragile. would probably have used "/usr/sbin/php.*-fpm"

> +/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
>  
>  ifdef(`distro_suse',`
>  /usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
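Review bot: `/usr/sbin/php-fpm[^/]+` requires at least one character after `php-fpm`, so a binary installed under the plain upstream name `/usr/sbin/php-fpm` would stay unlabeled (default_t/bin_t rather than httpd_exec_t) and run httpd-managed workers in the wrong domain. `/usr/sbin/php-fpm[^/]*` matches both the bare name and the suffixed variants. This hunk only adds file contexts, so no other rule depends on the exact spelling.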
> @@ -144,7 +146,7 @@ ifdef(`distro_suse',`
>  /var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> +/var/lib/squirrelmail(/.*)?					gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
>  /var/lib/stickshift/\.httpd\.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
>  /var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
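Review bot: Relabeling `/var/lib/squirrelmail(/.*)?` instead of only the `prefs` subtree hands httpd_t manage rights over everything under that directory, since apache.te in this same patch gives httpd_t `manage_*_pattern` on httpd_squirrelmail_t. If other content lives there that should remain read-only for the web server, or that belongs to squirrelmail_spool_t (the type the new apache.if interface operates on), a more specific entry is needed ahead of this one. Otherwise a comment on the fc line stating that the whole tree is web-server writable, e.g. `# entire squirrelmail state dir is written by httpd`, would document the widening.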
> @@ -170,6 +172,7 @@ ifdef(`distro_suse',`
>  /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/log/php7..-fpm.log					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  
>  /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
> @@ -178,6 +181,7 @@ ifdef(`distro_suse',`
>  /run/httpd.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/mod_.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
> +/run/php(/.*)?							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/wsgi.*						-s	gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
>  
> Index: refpolicy-2.20210120/policy/modules/services/apache.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.if
> +++ refpolicy-2.20210120/policy/modules/services/apache.if
> @@ -71,6 +71,7 @@ template(`apache_content_template',`
>  
>  	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>  	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> +	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
>  	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>  	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>  	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
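Review bot: `allow httpd_$1_script_t httpd_$1_rw_content_t:file map;` placed right after `manage_files_pattern` is the hand-written form of a permission set this patch already uses elsewhere — aptcacher.if spells the read case as `mmap_read_file_perms`. Where a `manage_files_pattern`/`rw_files_pattern` line is immediately followed by a bare `:file map` allow (this hunk, and the apache.te, mysql.te, postgrey.te, samba.te, squid.te and xserver.if hunks), the pair collapses into the corresponding `mmap_manage_files_pattern`/`mmap_rw_files_pattern` call if this tree defines them, and `{ map read_file_perms }` in apache.te and samba.te is `mmap_read_file_perms`. Keeping the mmap grant inside the pattern also makes it obvious at a glance which types may be mapped. The apache_content_template body continues outside the hunk.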
> @@ -97,6 +98,8 @@ template(`apache_content_template',`
>  
>  	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
>  		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
> +		allow httpd_t httpd_$1_content_t:file map;
> +		allow httpd_t httpd_$1_rw_content_t:file map;
>  	')
>  ')
>  
> @@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
>  	apache_search_sys_content($1)
>  	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
>  	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
> +	allow $1 httpd_sys_rw_content_t:file map;
>  	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
>  ')
>  
> @@ -1132,6 +1136,25 @@ interface(`apache_append_squirrelmail_da
>  ')
>  
>  ########################################
> +## <summary>
> +##	delete httpd squirrelmail spool files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_delete_squirrelmail_spool',`
> +	gen_require(`
> +		type squirrelmail_spool_t;
> +	')
> +
> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> +	allow $1 squirrelmail_spool_t:file delete_file_perms;

delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)

> +')
> +
> +########################################
>  ## <summary>
>  ##	Search httpd system content.
>  ## </summary>
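Review bot: The new interface's summary is lowercase, `##	delete httpd squirrelmail spool files.`, while every neighbouring interface in this file capitalizes it (`##	Search httpd system content.` just below); `##	Delete httpd squirrelmail spool files.` matches the convention. Callers presumably also need to reach the spool directory, so check whether the sibling append interface adds `files_search_spool($1)` and mirror it here if so — confirm against the existing interface, which is outside the hunk.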
> Index: refpolicy-2.20210120/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210120/policy/modules/services/apache.te
> @@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
>  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
>  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
>  files_var_filetrans(httpd_t, httpd_cache_t, dir)
> +allow httpd_t httpd_cache_t:file map;
>  
>  allow httpd_t httpd_config_t:dir list_dir_perms;
>  read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
> @@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
>  allow httpd_t httpd_htaccess_type:file read_file_perms;
>  
>  allow httpd_t httpd_ro_content:dir list_dir_perms;
> -allow httpd_t httpd_ro_content:file read_file_perms;
> +allow httpd_t httpd_ro_content:file { map read_file_perms };
>  allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
>  
>  allow httpd_t httpd_keytab_t:file read_file_perms;
> @@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
>  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
>  manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
>  manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
> +allow httpd_t httpd_squirrelmail_t:file map;
>  
>  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
>  
> @@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process
>  
>  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
>  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
> +allow httpd_t httpd_tmp_t:file map;
>  manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
>  manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
>  files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
> @@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
>  
>  manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
>  manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> +allow httpd_t httpd_var_lib_t:file map;
>  manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
>  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
>  
> @@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
>  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
>  
>  kernel_read_kernel_sysctls(httpd_t)
> +kernel_read_crypto_sysctls(httpd_t)
>  kernel_read_vm_sysctls(httpd_t)
>  kernel_read_vm_overcommit_sysctl(httpd_t)
>  kernel_read_network_state(httpd_t)
> @@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
>  dev_read_rand(httpd_t)
>  dev_read_urand(httpd_t)
>  dev_rw_crypto(httpd_t)
> +dev_rwx_zero(httpd_t)
>  
>  domain_use_interactive_fds(httpd_t)
>  
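Review bot: `dev_rwx_zero(httpd_t)` grants httpd_t writable-and-executable mappings of /dev/zero, which relaxes W^X for the web server in the same way an execmem grant would, and it is added unconditionally whereas the surrounding dev_ rules are read-only or device-specific. If a scripting engine's JIT is the consumer, a comment naming it, e.g. `# rwx /dev/zero mappings needed by <consumer — fill in> JIT`, and placing the rule under the tunable that already gates scripting (`httpd_builtin_scripting` appears later in this file) would keep the default policy W^X-clean for installations that do not need it. Without the comment the next reader cannot tell whether this is still required.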
> @@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
>  
>  fs_read_anon_inodefs_files(httpd_t)
>  fs_rw_inherited_hugetlbfs_files(httpd_t)
> +fs_mmap_rw_hugetlbfs_files(httpd_t)
>  fs_read_iso9660_files(httpd_t)
>  
>  files_dontaudit_getattr_all_runtime_files(httpd_t)
>  files_read_usr_files(httpd_t)
> +files_map_usr_files(httpd_t)
>  files_list_mnt(httpd_t)
>  files_search_spool(httpd_t)
>  files_read_var_symlinks(httpd_t)
> @@ -504,6 +512,7 @@ files_search_home(httpd_t)
>  files_getattr_home_dir(httpd_t)
>  files_read_etc_runtime_files(httpd_t)
>  files_read_var_lib_symlinks(httpd_t)
> +files_map_etc_files(httpd_t)
>  
>  auth_use_nsswitch(httpd_t)
>  
> @@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
>  	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
>  
>  	allow httpd_t httpdcontent:dir list_dir_perms;
> -	allow httpd_t httpdcontent:file read_file_perms;
> +	allow httpd_t httpdcontent:file { map read_file_perms };
>  	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
>  
>  	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
> @@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http
>  
>  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
>  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
> +	allow httpd_t httpdcontent:file map;
>  	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
>  	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
>  	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
> @@ -625,7 +635,7 @@ tunable_policy(`httpd_enable_ftp_server'
>  ')
>  
>  tunable_policy(`httpd_enable_homedirs',`
> -	userdom_search_user_home_dirs(httpd_t)
> +	userdom_list_user_home_content(httpd_t)

this is not how it was designed. If you want that functionality then set
httpd_read_user_content boolean to true instead

>  ')
>  
>  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
> @@ -903,6 +913,7 @@ optional_policy(`
>  #
>  
>  read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
> +allow httpd_t httpd_config_t:file map;
>  
>  append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
>  read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
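Review bot: The added `allow httpd_t httpd_config_t:file map;` sits in the httpd_helper_t local-policy block — the rules around it all name httpd_helper_t — but names httpd_t as the subject, which looks like a copy error. If the helper is what needs to map its config it should read `allow httpd_helper_t httpd_config_t:file map;`; if it is really for httpd_t it belongs next to `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` earlier in the file, where both lines can become one `mmap_read_files_pattern` call if this tree defines it. As placed, the rule is easy to misread as part of the helper's policy.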
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc
> @@ -2,12 +2,15 @@
>  
>  /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
>  
> -/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
> +/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
>  
> +/run/apt-cacher(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
>  /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
>  
> +/var/cache/apt-cacher(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
>  /var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
>  
>  /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
>  
> +/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
>  /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.if
> @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
>  	files_search_runtime($1)
>  	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
>  ')
> +
> +######################################
> +## <summary>
> +##     read aptcacher config
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed to read it.
> +##     </summary>
> +## </param>
> +#
> +interface(`aptcacher_read_config',`
> +	gen_require(`
> +		type aptcacher_etc_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 aptcacher_etc_t:dir list_dir_perms;
> +	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> +')
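Review bot: The header of `aptcacher_read_config` does not follow the file's own layout: the separator is 30 `#` rather than the 40 used by the surrounding interfaces, the XML body is indented with spaces instead of a tab, and the summary is lowercase (`##     read aptcacher config`). The apache.if hunk in this same patch shows the expected form; suggested text is `##	Read aptcacher configuration files.` for the summary and `##	Domain allowed access.` for the parameter. It is also worth confirming that `aptcacher_etc_t` is declared in aptcacher.te, since the aptcacher.te hunk here only adds `files_read_etc_files(aptcacher_t)`, which suggests the config may currently be labeled plain etc_t and the interface would then grant access to a type no file carries.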
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
> @@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_
>  
>  auth_use_nsswitch(aptcacher_t)
>  
> +files_read_etc_files(aptcacher_t)
> +
>  # Uses sd_notify() to inform systemd it has properly started
>  init_dgram_send(aptcacher_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/bind.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/bind.te
> +++ refpolicy-2.20210120/policy/modules/services/bind.te
> @@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
>  
>  files_read_etc_runtime_files(named_t)
>  files_read_usr_files(named_t)
> +files_map_usr_files(named_t)
>  
>  fs_getattr_all_fs(named_t)
>  fs_search_auto_mountpoints(named_t)
> Index: refpolicy-2.20210120/policy/modules/services/colord.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/colord.te
> +++ refpolicy-2.20210120/policy/modules/services/colord.te
> @@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
>  allow colord_t self:tcp_socket { accept listen };
>  allow colord_t self:shm create_shm_perms;
>  
> +can_exec(colord_t, colord_exec_t)
> +
>  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>  files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
> @@ -128,6 +130,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	snmp_read_snmp_var_lib_files(colord_t)
> +')
> +
> +optional_policy(`
>  	sysnet_exec_ifconfig(colord_t)
>  ')
>  
> @@ -136,6 +142,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	unconfined_dbus_send(colord_t)
> +')
> +
> +optional_policy(`
>  	xserver_read_xdm_lib_files(colord_t)
>  	xserver_use_xdm_fds(colord_t)
>  ')
> Index: refpolicy-2.20210120/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210120/policy/modules/services/cron.te
> @@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
>  init_get_generic_units_status(system_cronjob_t)
>  init_get_system_status(system_cronjob_t)
>  
> +backup_manage_store_files(system_cronjob_t)
> +
>  auth_manage_var_auth(crond_t)
>  auth_use_pam(crond_t)
>  
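Review bot: `backup_manage_store_files(system_cronjob_t)` is added unconditionally, while every other cross-module call in this file (the apache_, logwatch_, spamassassin_ and aptcacher_ lines in the hunks below) is wrapped in `optional_policy(`…')`; a build without the backup module would then fail on the undefined interface. Wrap it the same way: `optional_policy(`` / `	backup_manage_store_files(system_cronjob_t)` / `')`. Since this grants manage rights on the backup store to every system cron job, a one-line comment naming the job that needs it would help later reviewers judge whether it is still required.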
> @@ -340,6 +342,11 @@ ifdef(`distro_debian',`
>  	')
>  
>  	optional_policy(`
> +		aptcacher_read_config(system_cronjob_t)
> +		corenet_tcp_connect_aptcacher_port(system_cronjob_t)
> +	')
> +
> +	optional_policy(`
>  		logwatch_search_cache_dir(crond_t)
>  	')
>  ')
> @@ -435,6 +442,7 @@ optional_policy(`
>  	init_dbus_chat(crond_t)
>  	init_dbus_chat(system_cronjob_t)
>  	systemd_dbus_chat_logind(system_cronjob_t)
> +	systemd_read_journal_files(system_cronjob_t)
>  	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
>  	# so cron jobs can restart daemons
>  	init_stream_connect(system_cronjob_t)
> @@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c
>  corenet_udp_sendrecv_generic_if(system_cronjob_t)
>  corenet_tcp_sendrecv_generic_node(system_cronjob_t)
>  corenet_udp_sendrecv_generic_node(system_cronjob_t)
> +corenet_udp_bind_generic_node(system_cronjob_t)
>  
>  dev_getattr_all_blk_files(system_cronjob_t)
>  dev_getattr_all_chr_files(system_cronjob_t)
> @@ -587,6 +596,7 @@ optional_policy(`
>  	apache_read_log(system_cronjob_t)
>  	apache_read_sys_content(system_cronjob_t)
>  	apache_delete_lib_files(system_cronjob_t)
> +	apache_delete_squirrelmail_spool(system_cronjob_t)
>  ')
>  
>  optional_policy(`
> @@ -659,6 +669,8 @@ optional_policy(`
>  
>  optional_policy(`
>  	spamassassin_manage_lib_files(system_cronjob_t)
> +	spamassassin_status(system_cronjob_t)
> +	spamassassin_reload(system_cronjob_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/services/cups.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/cups.te
> +++ refpolicy-2.20210120/policy/modules/services/cups.te
> @@ -111,11 +111,12 @@ ifdef(`enable_mls',`
>  
>  allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
>  dontaudit cupsd_t self:capability { net_admin sys_tty_config };
> -allow cupsd_t self:capability2 block_suspend;
> +allow cupsd_t self:capability2 { block_suspend wake_alarm };
>  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>  allow cupsd_t self:fifo_file rw_fifo_file_perms;
>  allow cupsd_t self:unix_stream_socket { accept connectto listen };
>  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>  getattr read setopt };

create_socket_perms, use the permission sets and patterns where appropriate

>  allow cupsd_t self:shm create_shm_perms;
>  allow cupsd_t self:sem create_sem_perms;
>  allow cupsd_t self:tcp_socket { accept listen };
> @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
>  
>  libs_read_lib_files(cupsd_t)
>  libs_exec_lib_files(cupsd_t)
> +libs_legacy_use_ld_so(cupsd_t)
>  
>  logging_send_audit_msgs(cupsd_t)
>  logging_send_syslog_msg(cupsd_t)
> Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20210120/policy/modules/services/devicekit.te
> @@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
>  fs_unmount_all_fs(devicekit_disk_t)
>  fs_search_all(devicekit_disk_t)
>  
> +mount_rw_runtime_files(devicekit_disk_t)
> +
>  mls_file_read_all_levels(devicekit_disk_t)
>  mls_file_write_to_clearance(devicekit_disk_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/entropyd.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te
> +++ refpolicy-2.20210120/policy/modules/services/entropyd.te
> @@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
>  
>  fs_getattr_all_fs(entropyd_t)
>  fs_search_auto_mountpoints(entropyd_t)
> +fs_search_tmpfs(entropyd_t)
>  
>  domain_use_interactive_fds(entropyd_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
> +++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
> @@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
>  files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
>  
>  kernel_read_system_state(fail2ban_t)
> +kernel_search_fs_sysctls(fail2ban_t)
>  
>  corecmd_exec_bin(fail2ban_t)
>  corecmd_exec_shell(fail2ban_t)
> @@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
>  auth_use_nsswitch(fail2ban_t)
>  
>  logging_read_all_logs(fail2ban_t)
> +logging_read_audit_log(fail2ban_t)
>  logging_send_syslog_msg(fail2ban_t)
>  
>  miscfiles_read_localization(fail2ban_t)
> Index: refpolicy-2.20210120/policy/modules/services/jabber.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/jabber.te
> +++ refpolicy-2.20210120/policy/modules/services/jabber.te
> @@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
>  # usr for lua modules
>  files_read_usr_files(jabberd_t)
>  
> +files_search_var_lib(jabberd_t)
> +
>  fs_search_auto_mountpoints(jabberd_t)
>  
> +miscfiles_read_generic_tls_privkey(jabberd_t)
>  miscfiles_read_all_certs(jabberd_t)
>  
>  sysnet_read_config(jabberd_t)
> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>  allow l2tpd_t self:tcp_socket { accept listen };
>  allow l2tpd_t self:unix_dgram_socket sendto;
>  allow l2tpd_t self:unix_stream_socket { accept listen };
> +allow l2tpd_t self:pppox_socket create;

create_socket_perms probably eventually

>  
>  read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210120/policy/modules/services/mon.te
> @@ -150,6 +150,10 @@ optional_policy(`
>  	bind_read_zone(mon_net_test_t)
>  ')
>  
> +optional_policy(`
> +	mysql_stream_connect(mon_net_test_t)
> +')
> +
>  ########################################
>  #
>  # Local policy
> @@ -159,7 +163,8 @@ optional_policy(`
>  # try not to use dontaudit rules for this
>  #
>  
> -allow mon_local_test_t self:capability sys_admin;
> +# sys_ptrace is for reading /proc/1/maps etc
> +allow mon_local_test_t self:capability { sys_ptrace sys_admin };
>  allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
>  allow mon_local_test_t self:process getsched;
>  
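Review bot: The comment explains the intent, but `sys_ptrace` on its own is unlikely to be what unblocks reading /proc/1/maps: access to another process's maps goes through the kernel's ptrace access check, so SELinux also evaluates the `process ptrace` permission against the target domain, and the denial will most likely just move there. Confirm from the AVC messages which permission is actually missing; if it is the ptrace check, the grant belongs in an interface on the target domain rather than a self capability, and the comment should name the target, e.g. `# sys_ptrace plus ptrace on the init domain for reading /proc/1/maps`. sys_ptrace is a broad capability for a test script, so documenting why the narrower alternative was not enough matters here.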
> Index: refpolicy-2.20210120/policy/modules/services/mysql.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc
> +++ refpolicy-2.20210120/policy/modules/services/mysql.fc
> @@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system
>  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
>  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
>  /usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
> +/usr/sbin/mariadbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
>  
>  /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
>  /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
> Index: refpolicy-2.20210120/policy/modules/services/mysql.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.if
> +++ refpolicy-2.20210120/policy/modules/services/mysql.if
> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>  		type mysqld_t;
>  	')
>  
> -	allow $1 mysqld_t:process signal;
> +	allow $1 mysqld_t:process { signull signal };

create a new mysql_signull()

by generalizing interfaces and putting them out of context you're
shutting doors on fine grained access control.

>  ')
>  
>  ########################################
> Index: refpolicy-2.20210120/policy/modules/services/mysql.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
> +++ refpolicy-2.20210120/policy/modules/services/mysql.te
> @@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
>  # Local policy
>  #
>  
> -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
> +allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
>  dontaudit mysqld_t self:capability sys_tty_config;
>  allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
>  allow mysqld_t self:fifo_file rw_fifo_file_perms;
> @@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept
>  
>  manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
>  manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
> +allow mysqld_t mysqld_db_t:file map;
>  manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
>  files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
>  
> @@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l
>  
>  manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
>  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
> +allow mysqld_t mysqld_tmp_t:file map;
>  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
>  
>  manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
> @@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
>  kernel_read_network_state(mysqld_t)
>  kernel_read_system_state(mysqld_t)
>  kernel_read_vm_sysctls(mysqld_t)
> +kernel_read_vm_overcommit_sysctl(mysqld_t)
>  
>  corenet_all_recvfrom_netlabel(mysqld_t)
>  corenet_tcp_sendrecv_generic_if(mysqld_t)
> @@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
>  
>  fs_getattr_all_fs(mysqld_t)
>  fs_search_auto_mountpoints(mysqld_t)
> +fs_search_tmpfs(mysqld_t)
>  fs_rw_hugetlbfs_files(mysqld_t)
>  
>  files_read_etc_runtime_files(mysqld_t)
> @@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
>  
>  logging_send_syslog_msg(mysqld_t)
>  
> +miscfiles_read_generic_certs(mysqld_t)
>  miscfiles_read_localization(mysqld_t)
>  
>  userdom_search_user_home_dirs(mysqld_t)
> Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20210120/policy/modules/services/openvpn.te
> @@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
>  
>  auth_use_pam(openvpn_t)
>  
> +init_read_state(openvpn_t)
> +
>  miscfiles_read_localization(openvpn_t)
>  miscfiles_read_all_certs(openvpn_t)
>  
> @@ -163,6 +165,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_script_rw_inherited_pipes(openvpn_t)
> +')
> +
> +optional_policy(`
>  	dbus_system_bus_client(openvpn_t)
>  	dbus_connect_system_bus(openvpn_t)
>  
> @@ -174,3 +180,7 @@ optional_policy(`
>  optional_policy(`
>  	systemd_use_passwd_agent(openvpn_t)
>  ')
> +
> +optional_policy(`
> +	unconfined_use_fds(openvpn_t)
> +')
> Index: refpolicy-2.20210120/policy/modules/services/postgrey.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te
> +++ refpolicy-2.20210120/policy/modules/services/postgrey.te
> @@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
>  manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
>  
>  manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
> +allow postgrey_t postgrey_var_lib_t:file map;
>  files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
>  
>  manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
> Index: refpolicy-2.20210120/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
> +++ refpolicy-2.20210120/policy/modules/services/rpc.te
> @@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
>  
>  kernel_read_network_state(nfsd_t)
>  kernel_dontaudit_getattr_core_if(nfsd_t)
> +kernel_search_debugfs(nfsd_t)
>  kernel_setsched(nfsd_t)
>  kernel_request_load_module(nfsd_t)
>  # kernel_mounton_proc(nfsd_t)
> Index: refpolicy-2.20210120/policy/modules/services/samba.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/samba.te
> +++ refpolicy-2.20210120/policy/modules/services/samba.te
> @@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
>  
>  allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
>  allow samba_net_t self:capability2 block_suspend;
> -allow samba_net_t self:process { getsched setsched };
> +allow samba_net_t self:process { sigkill getsched setsched };
>  allow samba_net_t self:unix_stream_socket { accept listen };
> +allow samba_net_t self:fifo_file rw_file_perms;
>  
>  allow samba_net_t samba_etc_t:file read_file_perms;
>  
> +allow samba_net_t samba_var_run_t:file { map read_file_perms };
> +
>  manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
>  filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
>  
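Review bot: `allow samba_net_t self:fifo_file rw_file_perms;` applies the file-class permission set to the fifo_file class; the rest of this patch (cupsd_t, mysqld_t, fsdaemon_t, mon_local_test_t) and the other samba domains spell this `rw_fifo_file_perms`, the set defined for that class. The next added rule names `samba_var_run_t`, whereas the surrounding samba rules use `samba_runtime_t`; `allow samba_net_t samba_runtime_t:file mmap_read_file_perms;` keeps the type name consistent and uses the permission set the patch already uses in aptcacher.if. If `samba_var_run_t` only survives in this tree as a compatibility alias, new rules should not depend on it.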
> @@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n
>  
>  manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
>  manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
> +allow samba_net_t samba_var_t:file map;
>  manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
>  files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
>  
> @@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {
>  
>  manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
>  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
> +allow smbd_t samba_var_t:file map;
>  manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
>  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
>  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
> @@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,
>  
>  manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
>  manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
> +allow smbd_t samba_runtime_t:file map;
>  manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
>  files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
>  
> @@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
>  stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
>  
>  stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
> +allow smbd_t nmbd_t:unix_dgram_socket sendto;
>  
>  kernel_getattr_core_if(smbd_t)
>  kernel_getattr_message_if(smbd_t)
> @@ -480,6 +487,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dbus_send_system_bus(smbd_t)
> +	dbus_system_bus_client(smbd_t)

dbus_send_system_bus(smbd_t) is redundant (already implied by dbus_system_bus_client(smbd_t))

> +')
> +
> +optional_policy(`
>  	kerberos_read_keytab(smbd_t)
>  	kerberos_use(smbd_t)
>  ')
> @@ -520,6 +532,7 @@ allow nmbd_t self:unix_stream_socket { a
>  
>  manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
>  manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
> +allow nmbd_t samba_runtime_t:file map;
>  manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
>  files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
>  
> @@ -532,7 +545,7 @@ create_files_pattern(nmbd_t, samba_log_t
>  setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
>  
>  manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> +allow nmbd_t samba_var_t:file map;
>  manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
>  manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
>  files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
> @@ -613,6 +626,8 @@ allow smbcontrol_t self:process { signal
>  
>  allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
>  read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
> +allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
> +init_use_fds(smbcontrol_t)
>  
>  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/smartmon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te
> +++ refpolicy-2.20210120/policy/modules/services/smartmon.te
> @@ -38,7 +38,7 @@ ifdef(`enable_mls',`
>  # Local policy
>  #
>  
> -allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
> +allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
>  dontaudit fsdaemon_t self:capability sys_tty_config;
>  allow fsdaemon_t self:process { getcap setcap signal_perms };
>  allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20210120/policy/modules/services/squid.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> +++ refpolicy-2.20210120/policy/modules/services/squid.te
> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>  allow squid_t self:unix_dgram_socket sendto;
>  allow squid_t self:unix_stream_socket { accept connectto listen };
>  allow squid_t self:tcp_socket { accept listen };
> +allow squid_t self:netlink_netfilter_socket
> all_netlink_netfilter_socket_perms;

probably just create_socket_perms?

>  
>  manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
>  manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
> @@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
>  files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
>  
>  manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
> +allow squid_t squid_tmpfs_t:file map;
>  fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
>  
>  manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>  	init_dbus_chat(sshd_t)
>  	systemd_dbus_chat_logind(sshd_t)
>  	init_rw_stream_sockets(sshd_t)
> +	systemd_read_logind_sessions_files(sshd_t)

This should probably be addressed on the lower authlogin level instead

>  ')
>  
>  tunable_policy(`ssh_sysadm_login',`
> Index: refpolicy-2.20210120/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20210120/policy/modules/services/tor.te
> @@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
>  kernel_read_kernel_sysctls(tor_t)
>  kernel_read_net_sysctls(tor_t)
>  kernel_read_system_state(tor_t)
> +kernel_read_vm_overcommit_sysctl(tor_t)
>  
>  corenet_all_recvfrom_netlabel(tor_t)
>  corenet_tcp_sendrecv_generic_if(tor_t)
> Index: refpolicy-2.20210120/policy/modules/services/watchdog.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te
> +++ refpolicy-2.20210120/policy/modules/services/watchdog.te
> @@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
>  
>  logging_send_syslog_msg(watchdog_t)
>  
> +mcs_killall(watchdog_t)
> +
>  miscfiles_read_localization(watchdog_t)
>  
>  sysnet_dns_name_resolve(watchdog_t)
> Index: refpolicy-2.20210120/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20210120/policy/modules/services/xserver.if
> @@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache'
>  
>  	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>  	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> +	allow $1 mesa_shader_cache_t:file map;
>  	xdg_search_cache_dirs($1)
>  ')
>  
>

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


