Re: [PATCH] misc services patches


 



Russell Coker <russell@xxxxxxxxxxxx> writes:

> Lots of little patches for services.
>
>
> Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
>
> Index: refpolicy-2.20210203/policy/modules/services/accountsd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/accountsd.te
> +++ refpolicy-2.20210203/policy/modules/services/accountsd.te
> @@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
>  # Local policy
>  #
>  
> -allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
> -allow accountsd_t self:process signal;
> +allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
> +allow accountsd_t self:process { signal getsched setsched };
>  allow accountsd_t self:fifo_file rw_fifo_file_perms;
>  allow accountsd_t self:passwd { rootok passwd chfn chsh };
>  
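Review bot: `sys_nice` and `getsched setsched` are granted to accountsd_t with no comment saying what in the daemon needs them, and the same bare `setsched` addition recurs in the ndc_t, colord_t, devicekit_disk_t, devicekit_power_t and modemmanager_t hunks. `sys_nice` also covers changing the scheduling of other processes, not only the caller's, so the trigger is worth recording. A line such as `# <component> adjusts scheduling priority: <observed denial>` above each rule would do, filled in from the actual AVC, which this patch does not show.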
> Index: refpolicy-2.20210203/policy/modules/services/acpi.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/acpi.te
> +++ refpolicy-2.20210203/policy/modules/services/acpi.te
> @@ -45,6 +45,8 @@ files_type(acpid_var_lib_t)
>  #
>  
>  allow acpi_t self:capability { dac_override sys_admin };
> +# for pidof and pgrep
> +allow acpid_t self:cap_userns sys_ptrace;
>  
>  kernel_read_system_state(acpi_t)
>  
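Review bot: The added rule grants `cap_userns sys_ptrace` to `acpid_t`, but both context lines around it (`allow acpi_t self:capability ...` and `kernel_read_system_state(acpi_t)`) are for `acpi_t`, so the rule is either in the wrong section or names the wrong type. If the daemon is meant, it belongs with the other `acpid_t self:` rules. If pidof and pgrep still work when the access is denied, `dontaudit acpid_t self:cap_userns sys_ptrace;` would silence the denial without granting a ptrace capability. The section header lies outside this hunk, so the intended domain should be confirmed against the full file.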
> @@ -105,6 +107,7 @@ dev_rw_acpi_bios(acpid_t)
>  dev_rw_sysfs(acpid_t)
>  dev_dontaudit_getattr_all_chr_files(acpid_t)
>  dev_dontaudit_getattr_all_blk_files(acpid_t)
> +dev_watch_dev_dirs(acpid_t)
>  
>  files_exec_etc_files(acpid_t)
>  files_read_etc_runtime_files(acpid_t)
> @@ -136,6 +139,7 @@ domain_dontaudit_list_all_domains_state(
>  auth_use_nsswitch(acpid_t)
>  
>  init_domtrans_script(acpid_t)
> +init_read_utmp(acpid_t)
>  init_telinit(acpid_t)
>  
>  libs_exec_ld_so(acpid_t)
> @@ -218,6 +222,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	init_list_unit_dirs(acpid_t)
> +	systemd_dbus_chat_logind(acpid_t)
>  	systemd_start_power_units(acpid_t)
>  	systemd_status_power_units(acpid_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210203/policy/modules/services/apache.fc
> @@ -172,7 +172,7 @@ ifdef(`distro_suse',`
>  /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/php[^/]+-fpm\.log.*				--	gen_context(system_u:object_r:httpd_log_t,s0)
>  
>  /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210203/policy/modules/services/apache.te
> @@ -505,6 +505,7 @@ files_list_mnt(httpd_t)
>  files_search_spool(httpd_t)
>  files_read_var_symlinks(httpd_t)
>  files_read_var_lib_files(httpd_t)
> +files_map_var_lib_files(httpd_t)
>  files_search_home(httpd_t)
>  files_getattr_home_dir(httpd_t)
>  files_read_etc_runtime_files(httpd_t)
> Index: refpolicy-2.20210203/policy/modules/services/aptcacher.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/aptcacher.te
> +++ refpolicy-2.20210203/policy/modules/services/aptcacher.te
> @@ -64,6 +64,7 @@ manage_files_pattern(aptcacher_t, aptcac
>  
>  manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
>  
> +kernel_read_system_state(aptcacher_t)
>  kernel_read_vm_overcommit_sysctl(aptcacher_t)
>  
>  # Calls system()
> @@ -76,6 +77,7 @@ corenet_tcp_connect_http_port(aptcacher_
>  auth_use_nsswitch(aptcacher_t)
>  
>  files_read_etc_files(aptcacher_t)
> +files_read_usr_files(aptcacher_t)
>  
>  # Uses sd_notify() to inform systemd it has properly started
>  init_dgram_send(aptcacher_t)
> Index: refpolicy-2.20210203/policy/modules/services/bind.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bind.te
> +++ refpolicy-2.20210203/policy/modules/services/bind.te
> @@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
>  
>  allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
>  dontaudit named_t self:capability sys_tty_config;
> -allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
> +allow named_t self:process { getsched setsched getcap setcap setrlimit signal_perms };
>  allow named_t self:fifo_file rw_fifo_file_perms;
>  allow named_t self:unix_stream_socket { accept listen };
>  allow named_t self:tcp_socket { accept listen };
> @@ -212,9 +212,9 @@ optional_policy(`
>  # NDC local policy
>  #
>  
> -allow ndc_t self:capability { dac_override net_admin };
> +allow ndc_t self:capability { dac_override dac_read_search net_admin };
>  allow ndc_t self:capability2 block_suspend;
> -allow ndc_t self:process signal_perms;
> +allow ndc_t self:process { signal_perms getsched setsched };
>  allow ndc_t self:fifo_file rw_fifo_file_perms;
>  allow ndc_t self:unix_stream_socket { accept listen };
>  
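Review bot: `dac_read_search` is added to ndc_t while `dac_override` stays in the set. The kernel tries `dac_read_search` first for read and search access, so a denial that once needed `dac_override` may now be covered by the narrower capability alone. It is worth testing whether `allow ndc_t self:capability { dac_read_search net_admin };` is sufficient before keeping both.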
> Index: refpolicy-2.20210203/policy/modules/services/bluetooth.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bluetooth.te
> +++ refpolicy-2.20210203/policy/modules/services/bluetooth.te
> @@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_str
>  allow bluetooth_t self:unix_stream_socket { accept connectto listen };
>  allow bluetooth_t self:tcp_socket { accept listen };
>  allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
>  
>  read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
>  
> @@ -87,6 +88,7 @@ files_runtime_filetrans(bluetooth_t, blu
>  
>  can_exec(bluetooth_t, bluetooth_helper_exec_t)
>  
> +kernel_read_crypto_sysctls(bluetooth_t)
>  kernel_read_kernel_sysctls(bluetooth_t)
>  kernel_read_system_state(bluetooth_t)
>  kernel_read_network_state(bluetooth_t)
> @@ -123,6 +125,8 @@ miscfiles_read_localization(bluetooth_t)
>  miscfiles_read_fonts(bluetooth_t)
>  miscfiles_read_hwdata(bluetooth_t)
>  
> +udev_search_runtime(bluetooth_t)
> +
>  userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
>  userdom_dontaudit_use_user_terminals(bluetooth_t)
>  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
> @@ -210,5 +214,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	unconfined_dbus_send(bluetooth_t)
> +')
> +
> +optional_policy(`
>  	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20210203/policy/modules/services/boinc.te
> @@ -118,6 +118,7 @@ corecmd_exec_shell(boinc_t)
>  dev_read_rand(boinc_t)
>  dev_read_urand(boinc_t)
>  dev_read_sysfs(boinc_t)
> +dev_rw_dri(boinc_t)
>  dev_rw_xserver_misc(boinc_t)
>  
>  domain_read_all_domains_state(boinc_t)
> Index: refpolicy-2.20210203/policy/modules/services/certbot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
> +++ refpolicy-2.20210203/policy/modules/services/certbot.te
> @@ -85,6 +85,8 @@ domain_use_interactive_fds(certbot_t)
>  files_read_etc_files(certbot_t)
>  files_read_usr_files(certbot_t)
>  
> +# dontaudit for attempts to write python cache files
> +libs_dontaudit_write_lib_dirs(certbot_t)
>  libs_exec_ldconfig(certbot_t)
>  # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
>  libs_exec_lib_files(certbot_t)
> Index: refpolicy-2.20210203/policy/modules/services/clamav.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
> +++ refpolicy-2.20210203/policy/modules/services/clamav.te
> @@ -176,7 +176,7 @@ optional_policy(`
>  # Freshclam local policy
>  #
>  
> -allow freshclam_t self:capability { dac_override setgid setuid };
> +allow freshclam_t self:capability { chown dac_override setgid setuid };
>  allow freshclam_t self:fifo_file rw_fifo_file_perms;
>  allow freshclam_t self:unix_stream_socket { accept listen };
>  allow freshclam_t self:tcp_socket { accept listen };
> @@ -228,6 +228,7 @@ dev_read_urand(freshclam_t)
>  domain_use_interactive_fds(freshclam_t)
>  
>  files_read_etc_runtime_files(freshclam_t)
> +files_read_usr_files(freshclam_t)
>  files_search_var_lib(freshclam_t)
>  
>  auth_use_nsswitch(freshclam_t)
> Index: refpolicy-2.20210203/policy/modules/services/colord.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/colord.te
> +++ refpolicy-2.20210203/policy/modules/services/colord.te
> @@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
>  
>  allow colord_t self:capability { dac_override dac_read_search };
>  dontaudit colord_t self:capability sys_admin;
> -allow colord_t self:process signal;
> +allow colord_t self:process { signal getsched setsched };
>  allow colord_t self:fifo_file rw_fifo_file_perms;
>  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow colord_t self:tcp_socket { accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210203/policy/modules/services/cron.te
> @@ -461,6 +461,7 @@ kernel_read_fs_sysctls(system_cronjob_t)
>  kernel_read_irq_sysctls(system_cronjob_t)
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
> +kernel_read_rpc_sysctls(system_cronjob_t)
>  kernel_read_system_state(system_cronjob_t)
>  kernel_read_software_raid_state(system_cronjob_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/cups.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cups.te
> +++ refpolicy-2.20210203/policy/modules/services/cups.te
> @@ -5,6 +5,13 @@ policy_module(cups, 1.25.3)
>  # Declarations
>  #
>  
> +## <desc>
> +## <p>
> +## Allows legacy ld_so for old printer filters
> +## </p>
> +## </desc>
> +gen_tunable(cups_legacy_ldso, false)
> +
>  type cupsd_config_t;
>  type cupsd_config_exec_t;
>  init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
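Review bot: The `<desc>` for `cups_legacy_ldso` does not say what enabling the tunable permits. It gates `libs_legacy_use_ld_so(cupsd_t)` in a later hunk, which, as far as I recall from the libraries module, is the variant that additionally allows `execmod` on the dynamic loader (please confirm against libraries.if). If that is right, the description should say so, e.g. `## Allow cupsd to use the legacy ld.so access (relaxed executable-memory checks on the loader) needed by old binary printer filters`.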
> @@ -131,6 +138,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
>  
>  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
> +manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
>  files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
>  
> @@ -211,11 +219,13 @@ domain_use_interactive_fds(cupsd_t)
>  
>  files_getattr_boot_dirs(cupsd_t)
>  files_list_spool(cupsd_t)
> +files_map_etc_files(cupsd_t)
>  files_read_etc_runtime_files(cupsd_t)
>  files_read_usr_files(cupsd_t)
>  files_exec_usr_files(cupsd_t)
>  # for /var/lib/defoma
>  files_read_var_lib_files(cupsd_t)
> +files_read_var_lib_symlinks(cupsd_t)
>  files_list_world_readable(cupsd_t)
>  files_read_world_readable_files(cupsd_t)
>  files_read_world_readable_symlinks(cupsd_t)
> @@ -565,6 +575,10 @@ userdom_manage_user_home_content_dirs(cu
>  userdom_manage_user_home_content_files(cups_pdf_t)
>  userdom_home_filetrans_user_home_dir(cups_pdf_t)
>  
> +tunable_policy(`cups_legacy_ldso',`
not sure if this is worth a tunable

> +	libs_legacy_use_ld_so(cupsd_t)
> +')
> +
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_dirs(cups_pdf_t)
>  	fs_manage_nfs_files(cups_pdf_t)
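Review bot: The new `tunable_policy` block applies to `cupsd_t` but sits between `cups_pdf_t` rules: `userdom_home_filetrans_user_home_dir(cups_pdf_t)` above and the `use_nfs_home_dirs` block for `cups_pdf_t` below. Moving it to where the rest of the cupsd_t rules live keeps each domain's policy together and makes the grant easier to find when auditing cupsd_t. The section boundaries lie outside this hunk.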
> Index: refpolicy-2.20210203/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20210203/policy/modules/services/devicekit.te
> @@ -67,7 +67,7 @@ optional_policy(`
>  
>  allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
>  allow devicekit_disk_t self:capability2 wake_alarm;
> -allow devicekit_disk_t self:process { getsched signal_perms };
> +allow devicekit_disk_t self:process { getsched setsched signal_perms };
>  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
>  
> @@ -135,6 +135,8 @@ mls_file_read_all_levels(devicekit_disk_
>  mls_file_write_to_clearance(devicekit_disk_t)
>  
>  mount_rw_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files_reads(devicekit_disk_t)
>  
>  storage_raw_read_fixed_disk(devicekit_disk_t)
>  storage_raw_write_fixed_disk(devicekit_disk_t)
> @@ -147,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
>  
>  logging_send_syslog_msg(devicekit_disk_t)
>  
> +mount_watch_runtime_dirs(devicekit_disk_t)
>  miscfiles_read_localization(devicekit_disk_t)
>  
>  userdom_read_all_users_state(devicekit_disk_t)
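Review bot: `mount_watch_runtime_dirs(devicekit_disk_t)` is inserted directly above `miscfiles_read_localization` with no blank line, whereas the previous hunk adds `mount_watch_runtime_files` and `mount_watch_runtime_files_reads` beside `mount_rw_runtime_files`. Moving this call up to join the other `mount_` interfaces keeps the module's grouping and lets the three watch grants be reviewed together.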
> @@ -210,7 +213,7 @@ optional_policy(`
>  
>  allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
>  allow devicekit_power_t self:capability2 wake_alarm;
> -allow devicekit_power_t self:process { getsched signal_perms };
> +allow devicekit_power_t self:process { getsched setsched signal_perms };
>  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
>  allow devicekit_power_t self:unix_stream_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/dirmngr.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dirmngr.te
> +++ refpolicy-2.20210203/policy/modules/services/dirmngr.te
> @@ -85,6 +85,7 @@ miscfiles_read_generic_certs(dirmngr_t)
>  userdom_search_user_home_dirs(dirmngr_t)
>  userdom_search_user_runtime(dirmngr_t)
>  userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
> +allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
>  
>  optional_policy(`
>  	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> @@ -92,3 +93,7 @@ optional_policy(`
>  	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
>  	gpg_stream_connect_agent(dirmngr_t)
>  ')
> +
> +optional_policy(`
> +	corenet_tcp_connect_tor_port(dirmngr_t)
> +')
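Review bot: `corenet_tcp_connect_tor_port` is, as far as I know, generated by the corenetwork module, which is part of the base policy, so the `optional_policy` wrapper adds nothing and the grant is effectively unconditional. If Tor access should only be enabled on request, a tunable would express that; otherwise the call can be placed unwrapped with the domain's other network rules. In the previous hunk, `allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;` could be written as `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)` to match the pattern style used elsewhere in the policy.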
> Index: refpolicy-2.20210203/policy/modules/services/dovecot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
> +++ refpolicy-2.20210203/policy/modules/services/dovecot.te
> @@ -258,6 +258,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
>  
>  kernel_dontaudit_getattr_proc(dovecot_auth_t)
>  
> +kernel_getattr_proc(dovecot_auth_t)
> +
>  files_search_runtime(dovecot_auth_t)
>  files_read_usr_files(dovecot_auth_t)
>  files_read_var_lib_files(dovecot_auth_t)
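Review bot: `kernel_getattr_proc(dovecot_auth_t)` is added two lines below the existing `kernel_dontaudit_getattr_proc(dovecot_auth_t)`, so the same access is now both allowed and marked dontaudit. The allow takes effect and the dontaudit line becomes dead policy. Either remove `kernel_dontaudit_getattr_proc(dovecot_auth_t)` in this patch, or drop the new allow if the denial was harmless.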
> Index: refpolicy-2.20210203/policy/modules/services/fail2ban.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/fail2ban.te
> +++ refpolicy-2.20210203/policy/modules/services/fail2ban.te
> @@ -63,7 +63,9 @@ manage_files_pattern(fail2ban_t, fail2ba
>  files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
>  
>  kernel_read_system_state(fail2ban_t)
> +kernel_read_vm_overcommit_sysctl(fail2ban_t)
>  kernel_search_fs_sysctls(fail2ban_t)
> +kernel_search_vm_sysctl(fail2ban_t)
>  
>  corecmd_exec_bin(fail2ban_t)
>  corecmd_exec_shell(fail2ban_t)
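Review bot: `kernel_search_vm_sysctl(fail2ban_t)` looks redundant next to `kernel_read_vm_overcommit_sysctl(fail2ban_t)`. The read interface has to traverse the vm sysctl directory to reach the overcommit file, and I would expect it to grant that search already (worth checking in kernel.if). If it does, the second added line can be dropped.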
> @@ -133,7 +135,7 @@ optional_policy(`
>  #
>  
>  allow fail2ban_client_t self:capability dac_read_search;
> -allow fail2ban_client_t self:unix_stream_socket { create connect write read };
> +allow fail2ban_client_t self:unix_stream_socket { create connect
>  write read shutdown };
create_socket_perms

>  
>  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/ftp.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.fc
> +++ refpolicy-2.20210203/policy/modules/services/ftp.fc
> @@ -1,4 +1,5 @@
>  /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
> +/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
>  
>  /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> @@ -22,8 +23,10 @@
>  /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
> +/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> -/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
>  
>  /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
>  
> @@ -31,6 +34,7 @@
>  
>  /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
> +/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/ftp.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.te
> +++ refpolicy-2.20210203/policy/modules/services/ftp.te
> @@ -180,6 +180,7 @@ allow ftpd_t self:tcp_socket { accept li
>  allow ftpd_t self:shm create_shm_perms;
>  allow ftpd_t self:key manage_key_perms;
>  
> +allow ftpd_t ftpd_etc_t:dir list_dir_perms;
>  allow ftpd_t ftpd_etc_t:file read_file_perms;
>  
>  allow ftpd_t ftpd_keytab_t:file read_file_perms;
> @@ -196,6 +197,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
>  
>  manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
> +allow ftpd_t ftpd_runtime_t:file map;
>  manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
>  
> @@ -405,6 +407,13 @@ optional_policy(`
>  	seutil_sigchld_newrole(ftpd_t)
>  ')
>  
> +optional_policy(`
> +	systemd_connect_machined(ftpd_t)

this is probably related to dynamic user resolving? we should probably
address this in auth_use_nsswitch()

> +	systemd_dbus_chat_logind(ftpd_t)
> +	systemd_read_logind_state(ftpd_t)
> +	systemd_write_inherited_logind_sessions_pipes(ftpd_t)

This looks PAM related?

> +')
> +
>  ########################################
>  #
>  # Ctl local policy
> Index: refpolicy-2.20210203/policy/modules/services/kerneloops.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/kerneloops.te
> +++ refpolicy-2.20210203/policy/modules/services/kerneloops.te
> @@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
>  
>  auth_use_nsswitch(kerneloops_t)
>  
> +logging_mmap_generic_logs(kerneloops_t)
>  logging_send_syslog_msg(kerneloops_t)
>  logging_read_generic_logs(kerneloops_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/modemmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/modemmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/modemmanager.te
> @@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
>  #
>  
>  allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
> -allow modemmanager_t self:process { getsched signal };
> +allow modemmanager_t self:process { getsched setsched signal };
>  allow modemmanager_t self:fifo_file rw_fifo_file_perms;
>  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
>  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210203/policy/modules/services/mon.te
> @@ -164,9 +164,10 @@ optional_policy(`
>  #
>  
>  # sys_ptrace is for reading /proc/1/maps etc
> -allow mon_local_test_t self:capability { sys_ptrace sys_admin };
> +allow mon_local_test_t self:capability { sys_rawio sys_ptrace sys_admin };
>  allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
>  allow mon_local_test_t self:process getsched;
> +allow mon_local_test_t self:cap_userns sys_ptrace;
>  
>  can_exec(mon_local_test_t, mon_local_test_exec_t)
>  
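Review bot: `sys_rawio` is added under a comment that only explains `sys_ptrace`, and the third hunk of this file adds `storage_raw_read_fixed_disk(mon_local_test_t)`. Together they let the test domain read block devices directly, which bypasses the file labels on those disks. The accompanying `fsdaemon_read_lib` call suggests SMART checks, but that is an inference, so a comment such as `# sys_rawio and raw disk read are for <monitor check that needs them>` should name the real consumer. It is also worth checking whether a narrower storage interface covers the need.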
> @@ -197,8 +198,11 @@ files_list_boot(mon_local_test_t)
>  fs_search_auto_mountpoints(mon_local_test_t)
>  fs_getattr_nfs(mon_local_test_t)
>  fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_cgroup_dirs(mon_local_test_t)
>  fs_list_hugetlbfs(mon_local_test_t)
>  fs_list_tmpfs(mon_local_test_t)
> +fs_read_cgroup_files(mon_local_test_t)
> +fs_search_cgroup_dirs(mon_local_test_t)
>  fs_search_nfs(mon_local_test_t)
>  
>  storage_getattr_fixed_disk_dev(mon_local_test_t)
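Review bot: `fs_search_cgroup_dirs(mon_local_test_t)` is added together with `fs_list_cgroup_dirs(mon_local_test_t)`. Listing a directory already includes searching it, so the search line should be redundant and can be dropped.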
> @@ -211,12 +215,14 @@ application_exec_all(mon_local_test_t)
>  
>  auth_use_nsswitch(mon_local_test_t)
>  
> +fsdaemon_read_lib(mon_local_test_t)
>  init_getattr_initctl(mon_local_test_t)
>  
>  logging_send_syslog_msg(mon_local_test_t)
>  
>  miscfiles_read_generic_certs(mon_t)
>  miscfiles_read_localization(mon_local_test_t)
> +storage_raw_read_fixed_disk(mon_local_test_t)
>  
>  sysnet_read_config(mon_local_test_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/mta.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20210203/policy/modules/services/mta.if
> @@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
>  	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
>  	allow $1 mail_home_rw_t:file map;
>  	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> +	allow $1 mail_home_rw_t:dir watch;
>  ')
>  
>  ########################################
> Index: refpolicy-2.20210203/policy/modules/services/mysql.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mysql.te
> +++ refpolicy-2.20210203/policy/modules/services/mysql.te
> @@ -67,7 +67,7 @@ files_runtime_file(mysqlmanagerd_runtime
>  
>  allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
>  dontaudit mysqld_t self:capability sys_tty_config;
> -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
> +allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
>  allow mysqld_t self:fifo_file rw_fifo_file_perms;
>  allow mysqld_t self:shm create_shm_perms;
>  allow mysqld_t self:unix_stream_socket { connectto accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/networkmanager.te
> @@ -148,6 +148,7 @@ files_read_usr_files(NetworkManager_t)
>  files_read_usr_src_files(NetworkManager_t)
>  
>  fs_getattr_all_fs(NetworkManager_t)
> +fs_read_nsfs_files(NetworkManager_t)
>  fs_search_auto_mountpoints(NetworkManager_t)
>  fs_list_inotifyfs(NetworkManager_t)
>  
> @@ -163,6 +164,8 @@ init_domtrans_script(NetworkManager_t)
>  
>  auth_use_nsswitch(NetworkManager_t)
>  
> +libs_watch_shared_libs_dir(NetworkManager_t)
> +
>  logging_send_audit_msgs(NetworkManager_t)
>  logging_send_syslog_msg(NetworkManager_t)
>  
> @@ -184,6 +187,7 @@ sysnet_delete_dhcpc_state(NetworkManager
>  sysnet_search_dhcp_state(NetworkManager_t)
>  sysnet_manage_config(NetworkManager_t)
>  sysnet_etc_filetrans_config(NetworkManager_t)
> +sysnet_watch_config_dir(NetworkManager_t)
>  
>  # certificates in user home directories (cert_home_t in ~/\.pki)
>  userdom_read_user_certs(NetworkManager_t)
> Index: refpolicy-2.20210203/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20210203/policy/modules/services/openvpn.te
> @@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
>  
>  fs_getattr_all_fs(openvpn_t)
>  fs_search_auto_mountpoints(openvpn_t)
> +fs_search_tmpfs(openvpn_t)
>  
>  auth_use_pam(openvpn_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20210203/policy/modules/services/policykit.te
> @@ -75,6 +75,7 @@ allow policykit_t self:unix_stream_socke
>  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
>  
>  manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
> +allow policykit_t policykit_var_lib_t:dir watch;
>  
>  manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
>  manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
> Index: refpolicy-2.20210203/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20210203/policy/modules/services/postfix.te
> @@ -516,6 +516,7 @@ manage_files_pattern(postfix_map_t, post
>  files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
>  
>  kernel_read_kernel_sysctls(postfix_map_t)
> +kernel_read_network_state(postfix_map_t)
>  kernel_dontaudit_list_proc(postfix_map_t)
>  kernel_dontaudit_read_system_state(postfix_map_t)
>  
> @@ -538,10 +539,14 @@ files_dontaudit_search_var(postfix_map_t
>  
>  auth_use_nsswitch(postfix_map_t)
>  
> +domain_use_interactive_fds(postfix_map_t)
> +
>  logging_send_syslog_msg(postfix_map_t)
>  
>  miscfiles_read_localization(postfix_map_t)
>  
> +userdom_use_user_ptys(postfix_map_t)
> +
>  optional_policy(`
>  	locallogin_dontaudit_use_fds(postfix_map_t)
>  ')
> @@ -745,12 +750,17 @@ allow postfix_showq_t postfix_spool_mail
>  allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
>  
>  allow postfix_showq_t postfix_spool_t:file read_file_perms;
> +allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
>  
>  mcs_file_read_all(postfix_showq_t)
>  
>  term_use_all_ptys(postfix_showq_t)
>  term_use_all_ttys(postfix_showq_t)
>  
> +optional_policy(`
> +	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
> +')
> +
>  ########################################
>  #
>  # Smtp delivery local policy
> Index: refpolicy-2.20210203/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
> +++ refpolicy-2.20210203/policy/modules/services/rpc.te
> @@ -114,6 +114,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
>  
>  fs_rw_rpc_named_pipes(rpc_domain)
>  fs_search_auto_mountpoints(rpc_domain)
> +fs_watch_rpc_pipefs_dir(rpc_domain)
>  
>  files_read_etc_runtime_files(rpc_domain)
>  files_read_usr_files(rpc_domain)
> Index: refpolicy-2.20210203/policy/modules/services/samba.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/samba.te
> +++ refpolicy-2.20210203/policy/modules/services/samba.te
> @@ -619,7 +619,7 @@ allow smbcontrol_t self:unix_stream_sock
>  allow smbcontrol_t self:process { signal signull };
>  
>  allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
> -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
> +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
>  allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
>  
>  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
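Review bot: Replacing `read_files_pattern` with `manage_files_pattern` lets smbcontrol_t create, rename and delete samba_runtime_t files, not just write to them. If the denial was a write to an existing file, `rw_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` would be the narrower grant. If creation really is needed, a comment naming the file smbcontrol creates would justify the wider pattern.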
> @@ -638,6 +638,7 @@ files_search_var_lib(smbcontrol_t)
>  term_use_console(smbcontrol_t)
>  
>  init_use_fds(smbcontrol_t)
> +init_rw_inherited_stream_socket(smbcontrol_t)
I mentioned how this is common to children of systemd and systemd daemon.
I think this is how journald catches the stdout so that it can log it;
there is probably a more efficient way to address this on a lower level.

>  
>  miscfiles_read_localization(smbcontrol_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/sendmail.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/sendmail.te
> +++ refpolicy-2.20210203/policy/modules/services/sendmail.te
> @@ -173,6 +173,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	userdom_use_user_ttys(sendmail_t)
probably at least inherited? i.e. is userdom_use_inherited_user_ttys() an
option here?

>  	postfix_domtrans_postdrop(sendmail_t)
>  	postfix_domtrans_master(sendmail_t)
>  	postfix_domtrans_postqueue(sendmail_t)
> Index: refpolicy-2.20210203/policy/modules/services/smartmon.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/smartmon.if
> +++ refpolicy-2.20210203/policy/modules/services/smartmon.if
> @@ -56,3 +56,24 @@ interface(`smartmon_admin',`
>  	files_list_var_lib($1)
>  	admin_pattern($1, fsdaemon_var_lib_t)
>  ')
> +
> +########################################
> +## <summary>
> +##	Read fsdaemon /var/lib files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`fsdaemon_read_lib',`
> +	gen_require(`
> +		type fsdaemon_var_lib_t;
> +	')
> +
> +	allow $1 fsdaemon_var_lib_t:dir search;
> +	allow $1 fsdaemon_var_lib_t:file read_file_perms;

you can also use a pattern for this. this is exactly the scenario that
suits the use of a pattern

files_search_var_lib($1)
read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)

> +')
> +
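Review bot: The new interface is named `fsdaemon_read_lib`, but it lives in smartmon.if, where the interface visible in this hunk's context is `smartmon_admin`. Refpolicy interfaces carry their module name as prefix, so `smartmon_read_lib` would be consistent, with the caller in mon.te renamed to match. The `## <rolecap/>` tag may also have been carried over from the admin interface; it does not obviously fit a plain read interface.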
> Index: refpolicy-2.20210203/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210203/policy/modules/services/ssh.te
> @@ -199,6 +199,11 @@ tunable_policy(`user_tcp_server',`
>  ')
>  
>  optional_policy(`
> +	cron_read_pipes(ssh_t)
> +	cron_rw_tmp_files(ssh_t)
> +')
> +
> +optional_policy(`
>  	tunable_policy(`ssh_use_gpg_agent',`
>  		gpg_stream_connect_agent(ssh_t)
>  	')
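Review bot: `cron_read_pipes(ssh_t)` and `cron_rw_tmp_files(ssh_t)` are added with no comment. Presumably they cover an ssh client started from a cron job that inherits cron's descriptors, and a line such as `# ssh started from cron jobs inherits cron pipes and temp files` would record that. Read/write on cron temp files is a real grant to a network client domain, so it is worth confirming the access is required for the job to work rather than just a leaked descriptor that could be handled with a dontaudit.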
> @@ -269,6 +274,8 @@ ifdef(`distro_debian',`
>  ifdef(`init_systemd',`
>  	auth_use_pam_systemd(sshd_t)
>  	init_dbus_chat(sshd_t)
> +	# dynamic users
> +	init_stream_connect(sshd_t)

probably best to address DynamicUsers.io in auth_use_nsswitch()?

>  	init_rw_stream_sockets(sshd_t)
>  	systemd_write_inherited_logind_sessions_pipes(sshd_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/virt.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.fc
> +++ refpolicy-2.20210203/policy/modules/services/virt.fc
> @@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
>  /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  
> +/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
> +
>  /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
>  
>  /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/virt.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.te
> +++ refpolicy-2.20210203/policy/modules/services/virt.te
> @@ -1272,6 +1272,9 @@ allow virt_bridgehelper_t self:tcp_socke
>  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
>  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
>  
> +allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
> +allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
> +
>  manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
>  
>  kernel_read_network_state(virt_bridgehelper_t)
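Review bot: The two added `allow virt_bridgehelper_t virt_etc_t:...` rules are wider than the /etc/qemu addition in virt.fc suggests, because virt_etc_t is not specific to that directory: the same file-context hunk shows /etc/xen carrying it as well. If the helper only needs its own configuration under /etc/qemu (presumably bridge.conf; the patch does not say), add a comment such as `# read the bridge helper config under /etc/qemu`. A dedicated type for that directory would keep the helper from gaining read access to the rest of virt_etc_t.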
> Index: refpolicy-2.20210203/policy/modules/services/xserver.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20210203/policy/modules/services/xserver.fc
> @@ -69,6 +69,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20210203/policy/modules/services/xserver.te
> @@ -282,6 +282,7 @@ term_use_ptmx(xauth_t)
>  auth_use_nsswitch(xauth_t)
>  
>  userdom_use_user_terminals(xauth_t)
> +userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
>  userdom_read_user_tmp_files(xauth_t)
>  
>  xserver_rw_xdm_tmp_files(xauth_t)
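Review bot: `userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)` has no object name, so every regular file xauth_t creates in a user tmp directory will be labelled xauth_home_t, not just the authority file this is presumably for. A one-line comment naming the file or the caller that triggers it (`# xauth files created under the user tmp dir by <caller>`) would let the next reviewer judge the scope. If the file name is fixed, a named transition would be tighter.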
> Index: refpolicy-2.20210203/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20210203/policy/modules/system/mount.if
> @@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
>  
>  ########################################
>  ## <summary>
> +##	Watch mount runtime files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch mount runtime files reads.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files_reads',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch_reads;
> +')
> +
> +########################################
> +## <summary>
>  ##     Getattr on mount_runtime_t files
>  ## </summary>
>  ## <param name="domain">
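Review bot: The summary of `mount_watch_runtime_files_reads` reads `Watch mount runtime files reads.`, which does not say what is granted; `Watch for reads of mount runtime files.` is clearer. In both new interfaces the summary text line is indented with a tab while the `<param>` block uses spaces, and the neighbouring `Getattr on mount_runtime_t files` interface uses spaces throughout. Using spaces on the summary line too would match it.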
> Index: refpolicy-2.20210203/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20210203/policy/modules/kernel/files.if
> @@ -5932,6 +5932,24 @@ interface(`files_read_var_lib_files',`
>  
>  ########################################
>  ## <summary>
> +##	map generic files in /var/lib.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_map_var_lib_files',`
> +	gen_require(`
> +		type var_lib_t;
> +	')
> +
> +	allow $1 var_lib_t:file map;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read generic symbolic links in /var/lib
>  ## </summary>
>  ## <param name="domain">
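Review bot: `files_map_var_lib_files` grants `map` on var_lib_t files and nothing else, so a caller still has to pair it with `files_read_var_lib_files` (the interface named in the hunk header) before the mapping is usable. Say so in the summary, e.g. `Map generic files in /var/lib (read access is granted separately).`, and capitalise it like the neighbouring `Read generic symbolic links in /var/lib`. Since var_lib_t is the generic /var/lib label, a comment at each call site on which file is being mapped would help keep this grant from spreading.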
> Index: refpolicy-2.20210203/policy/modules/system/libraries.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/libraries.if
> +++ refpolicy-2.20210203/policy/modules/system/libraries.if
> @@ -469,3 +469,21 @@ interface(`libs_relabel_shared_libs',`
>  
>  	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	watch lib dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`libs_watch_shared_libs_dir',`
> +	gen_require(`
> +		type lib_t;
> +	')
> +
> +	allow $1 lib_t:dir watch;
> +')
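Review bot: `libs_watch_shared_libs_dir` is named for shared libraries and in the singular, but it grants `watch` on lib_t directories and its summary says `watch lib dirs`. The existing watch interface visible in the mount.if hunk header uses the plural form, `mount_watch_runtime_dirs`. A name such as `libs_watch_lib_dirs` with the summary `Watch library directories.` would match what is granted. The same singular naming appears in `sysnet_watch_config_dir` (sysnetwork.if) and `fs_watch_rpc_pipefs_dir` (filesystem.if) later in this patch.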
> Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> @@ -545,6 +545,24 @@ interface(`sysnet_manage_config',`
>  
>  #######################################
>  ## <summary>
> +##	Watch a network config dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_watch_config_dir',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	allow $1 net_conf_t:dir watch;
> +')
> +
> +#######################################
> +## <summary>
>  ##	Read the dhcp client pid file.  (Deprecated)
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> @@ -583,6 +583,25 @@ interface(`fs_manage_autofs_symlinks',`
>  
>  ########################################
>  ## <summary>
> +##	Get the attributes of binfmt_misc filesystems.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_getattr_binfmt_misc_fs',`
> +	gen_require(`
> +		type binfmt_misc_fs_t;
> +	')
> +
> +	allow $1 binfmt_misc_fs_t:filesystem getattr;
> +
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the attributes of directories on
>  ##	binfmt_misc filesystems.
>  ## </summary>
> @@ -4386,6 +4405,24 @@ interface(`fs_getattr_rpc_pipefs',`
>  	allow $1 rpc_pipefs_t:filesystem getattr;
>  ')
>  
> +########################################
> +## <summary>
> +##	Watch a rpc pipefs dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_watch_rpc_pipefs_dir',`
> +	gen_require(`
> +		type rpc_pipefs_t;
> +	')
> +
> +	allow $1 rpc_pipefs_t:dir watch;
> +')
> +
>  #########################################
>  ## <summary>
>  ##	Read and write RPC pipe filesystem named pipes.
> @@ -5773,3 +5810,21 @@ interface(`fs_unconfined',`
>  
>  	typeattribute $1 filesystem_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Search bpf dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_search_bpf',`
> +	gen_require(`
> +		type bpf_t;
> +	')
> +
> +	allow $1 bpf_t:dir search;
> +')
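Review bot: `fs_search_bpf` spells the permission out as `allow $1 bpf_t:dir search;` where refpolicy interfaces normally use the permission set, `allow $1 bpf_t:dir search_dir_perms;`, which also covers getattr and open on the directory. The interface is also appended after `fs_unconfined` at the end of filesystem.if. Placing it next to any other bpf interfaces in the file (not visible in this hunk) would keep it findable.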
>

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


