Bug#877195: the patches
I've attached the patches. These all come from the package currently in
Testing.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Index: refpolicy-2.20161023.1/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/system/init.te
+++ refpolicy-2.20161023.1/policy/modules/system/init.te
@@ -292,6 +292,7 @@ ifdef(`init_systemd',`
fs_manage_hugetlbfs_dirs(init_t)
fs_getattr_tmpfs(init_t)
fs_read_tmpfs_files(init_t)
+ fs_read_tmpfs_symlinks(init_t)
fs_read_cgroup_files(init_t)
fs_dontaudit_getattr_xattr_fs(init_t)
# for privatetmp functions
Index: refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/contrib/entropyd.te
+++ refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te
@@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t)
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
domain_use_interactive_fds(entropyd_t)
@@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',`
dev_write_sound(entropyd_t)
')
+ifdef(`init_systemd',`
+ init_bounded(entropyd_t, entropyd_exec_t)
+')
+
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
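Review bot: `init_bounded(entropyd_t, entropyd_exec_t)` bounds the daemon by init_t, so entropyd_t keeps only the permissions init_t also holds, yet the only init_t addition visible in this patch set is `fs_read_tmpfs_symlinks(init_t)`. The same applies to the init_bounded calls in the tor.te and mysql.te hunks. A permission the daemon has but init_t lacks would presumably surface as a bounds denial rather than an ordinary missing-rule AVC, which is hard to diagnose without a hint. Add a comment above each call, for example `# bounded by init_t (presumably for units started with NoNewPrivileges); init_t must hold every permission this domain uses`.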
Index: refpolicy-2.20161023.1/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20161023.1/policy/modules/contrib/tor.te
@@ -115,6 +115,10 @@ tunable_policy(`tor_bind_all_unreserved_
corenet_tcp_bind_all_unreserved_ports(tor_t)
')
+ifdef(`init_systemd',`
+ init_bounded(tor_t, tor_exec_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(tor_t)
')
Index: refpolicy-2.20161023.1/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/system/init.if
+++ refpolicy-2.20161023.1/policy/modules/system/init.if
@@ -365,6 +365,31 @@ interface(`init_ranged_daemon_domain',`
')
')
+########################################
+## <summary>
+## Make a domain be bounded by init_t
+## NB init_t needs to have all the permissions of the domain in question
+## </summary>
+## <param name="domain">
+## <summary>
+## Bounded domain
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`init_bounded',`
+ gen_require(`
+ type init_t;
+ ')
+
+ typebounds init_t $1;
+ allow init_t $2:file entrypoint;
+')
+
#########################################
## <summary>
## Abstract socket service activation (systemd).
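Review bot: The line `allow init_t $2:file entrypoint;` has no comment, and read on its own it looks like init_t may be entered through a daemon's executable. It is presumably there only because the bounded domain holds entrypoint on $2 and the bounding type must hold every permission of the child; say so with `# the bounding type must also hold the child's entrypoint permission`. The "NB" in the summary is the key operational constraint and would be better as a `<desc>` paragraph. It should state that every caller widens init_t, and that permissions missing from init_t are removed from the bounded domain.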
Index: refpolicy-2.20161023.1/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/contrib/mysql.te
+++ refpolicy-2.20161023.1/policy/modules/contrib/mysql.te
@@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t)
fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
@@ -149,6 +150,10 @@ optional_policy(`
daemontools_service_domain(mysqld_t, mysqld_exec_t)
')
+ifdef(`init_systemd',`
+ init_bounded(mysqld_t, mysqld_exec_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
Index: refpolicy-2.20161023.1/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20161023.1/policy/modules/system/systemd.te
@@ -742,6 +742,10 @@ files_relabelto_etc_dirs(systemd_tmpfile
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+# for /var/lib/sudo
+auth_delete_pam_pid(systemd_tmpfiles_t)
+
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)
Index: refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dnsmasq.te
+++ refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te
@@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
-read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
+allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
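Review bot: The two raw allow rules drop the pattern macros the neighbouring lines use and give no reason for widening directory access on dnsmasq_etc_t from search to list. If listing is needed (presumably for a configuration directory dnsmasq scans), keep `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` and add `list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` beside it. A comment such as `# dnsmasq lists its configuration directory` would record why.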
Index: refpolicy-2.20161023.1/policy/modules/contrib/brctl.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/contrib/brctl.te
+++ refpolicy-2.20161023.1/policy/modules/contrib/brctl.te
@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
corenet_rw_tun_tap_dev(brctl_t)
+dev_create_sysfs_files(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)
Index: refpolicy-2.20161023.1/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20161023.1/policy/modules/kernel/devices.if
@@ -4097,6 +4097,24 @@ interface(`dev_dontaudit_getattr_sysfs',
########################################
## <summary>
+## Add a sysfs file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ create_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
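Review bot: The summary `Add a sysfs file` does not say what is granted: `create_files_pattern($1, sysfs_t, sysfs_t)` gives the caller write and add_name on sysfs_t directories as well as create on sysfs_t files. Word it like its neighbours, for example `Create files in sysfs directories.`. In brctl.te, `dev_create_sysfs_files(brctl_t)` is added with no reason given; a comment naming the operation that triggers the create check would help, since sysfs entries are normally created by the kernel rather than by a userspace domain.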
Index: refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
@@ -129,6 +129,7 @@ ifdef(`distro_debian',`
# /lib
#
+/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.fc
+++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc
@@ -10,3 +10,4 @@
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.te
@@ -68,6 +68,9 @@ kernel_read_kernel_sysctls(bootloader_t)
# for grub-probe
kernel_request_load_module(bootloader_t)
+# for grub-mount
+kernel_search_debugfs(bootloader_t)
+
storage_raw_read_fixed_disk(bootloader_t)
storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
@@ -85,6 +88,7 @@ dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
+fs_unmount_xattr_fs(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)
@@ -138,6 +142,7 @@ userdom_dontaudit_search_user_home_dirs(
ifdef(`distro_debian',`
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+ allow bootloader_t bootloader_tmp_t:dir mounton;
fs_list_tmpfs(bootloader_t)
files_relabel_kernel_modules(bootloader_t)
@@ -148,15 +153,30 @@ ifdef(`distro_debian',`
# for /usr/share/initrd-tools/scripts
files_exec_usr_files(bootloader_t)
+ files_search_mnt(bootloader_t)
+ fs_mount_fusefs(bootloader_t)
+ fs_mounton_fusefs(bootloader_t)
+ fs_read_fusefs_symlinks(bootloader_t)
+ fs_read_fusefs_files(bootloader_t)
+ fs_stat_fusefs(bootloader_t)
+ fs_unmount_fusefs(bootloader_t)
+
fstools_manage_entry_files(bootloader_t)
fstools_relabelto_entry_files(bootloader_t)
+ fstools_manage_runfile(bootloader_t)
libs_relabelto_lib_files(bootloader_t)
+ mount_rw_runfiles(bootloader_t)
+
# for apt-cache
dpkg_read_db(bootloader_t)
+ dpkg_rw_pipes(bootloader_t)
apt_read_db(bootloader_t)
apt_read_cache(bootloader_t)
+
+ storage_rw_fuse(bootloader_t)
+ udev_read_pid_files(bootloader_t)
')
ifdef(`distro_redhat',`
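Review bot: The FUSE block added under distro_debian (`fs_mount_fusefs` through `fs_unmount_fusefs`, plus `storage_rw_fuse`) carries no comment, unlike the `# for grub-mount` and `# for apt-cache` lines around it. bootloader_t already has raw read and write access to fixed disks, as the earlier hunk shows, so each added mount permission should state its reason; `# for os-prober, which mounts other filesystems through grub-mount` above the block would do, if that is the cause. The same applies to `fs_unmount_xattr_fs(bootloader_t)` and `allow bootloader_t bootloader_tmp_t:dir mounton;` in the two preceding hunks. The mounton rule now also covers the persistent /var/lib/os-prober path that bootloader.fc labels bootloader_tmp_t. The ifdef block starts above this hunk.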
@@ -214,5 +234,9 @@ optional_policy(`
')
optional_policy(`
+ raid_manage_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
rpm_rw_pipes(bootloader_t)
')
Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.if
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.if
+++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.if
@@ -141,3 +141,21 @@ interface(`bootloader_create_runtime_fil
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1, boot_runtime_t, file)
')
+
+########################################
+## <summary>
+## allow bootloader to send sigchld to domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_send_sigchld',`
+ gen_require(`
+ type bootloader_t;
+ ')
+
+ allow bootloader_t $1:process sigchld;
+')
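Review bot: The parameter text `Domain allowed access.` is wrong for this interface: the rule is `allow bootloader_t $1:process sigchld;`, so $1 is the domain that receives the signal and bootloader_t is the one being granted access. Change the param summary to `Domain that receives SIGCHLD from the bootloader.` and the interface summary to `Allow the bootloader domain to send SIGCHLD to the specified domain.`. The dpkg.te caller passes dpkg_t while the line above it runs the bootloader from dpkg_script_t, so a comment there saying why dpkg_t is the recipient would help.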
Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
@@ -337,6 +337,7 @@ optional_policy(`
optional_policy(`
bootloader_run(dpkg_script_t, dpkg_roles)
+ bootloader_send_sigchld(dpkg_t)
')
optional_policy(`
Index: refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if
@@ -1988,6 +1988,24 @@ interface(`fs_read_eventpollfs',`
########################################
## <summary>
+## stat a FUSE filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_stat_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Mount a FUSE filesystem.
## </summary>
## <param name="domain">
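Review bot: The name `fs_stat_fusefs` breaks the convention of the sibling interfaces visible in the bootloader.te context lines, `fs_getattr_tmpfs` and `fs_getattr_xattr_fs`. The rule grants `filesystem getattr`, so `fs_getattr_fusefs` with the summary `Get the attributes of a FUSE filesystem.` would match. The call added in bootloader.te would be renamed with it.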
Index: refpolicy-2.20161023.1/policy/modules/contrib/raid.if
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/contrib/raid.if
+++ refpolicy-2.20161023.1/policy/modules/contrib/raid.if
@@ -63,6 +63,7 @@ interface(`raid_manage_mdadm_pid',`
')
files_search_pids($1)
+ allow $1 mdadm_var_run_t:dir search;
allow $1 mdadm_var_run_t:file manage_file_perms;
')
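Review bot: The added `allow $1 mdadm_var_run_t:dir search;` uses a bare permission where the rest of this patch uses permission sets (`list_dir_perms`, `rw_dir_perms`). Writing it as `allow $1 mdadm_var_run_t:dir search_dir_perms;` also covers getattr and open, which a path walk normally needs. The new `mount_rw_runfiles` in mount.if has the same bare `search` on mount_var_run_t. The interface begins above this hunk.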
Index: refpolicy-2.20161023.1/policy/modules/system/fstools.if
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/system/fstools.if
+++ refpolicy-2.20161023.1/policy/modules/system/fstools.if
@@ -190,3 +190,22 @@ interface(`fstools_write_log',`
allow $1 fsadm_log_t:file write_file_perms;
')
+
+########################################
+## <summary>
+## rw fsadm_run_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_manage_runfile',`
+ gen_require(`
+ type fsadm_run_t;
+ ')
+
+ allow $1 fsadm_run_t:dir rw_dir_perms;
+ allow $1 fsadm_run_t:file manage_file_perms;
+')
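Review bot: The summary `rw fsadm_run_t` understates the grant: files get `manage_file_perms`, which includes create and unlink, and the interface name itself says manage. Suggest `Create, read, write and delete fsadm_run_t files.`. Unlike `raid_manage_mdadm_pid`, which calls `files_search_pids($1)` first, neither this interface nor `mount_rw_runfiles` grants search on the parent directory. If these types live under the pid directory (not visible here), callers would need that as well.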
Index: refpolicy-2.20161023.1/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20161023.1.orig/policy/modules/system/mount.if
+++ refpolicy-2.20161023.1/policy/modules/system/mount.if
@@ -227,3 +227,22 @@ interface(`stat_mount_var_run',`
allow $1 mount_var_run_t:file getattr;
')
+
+########################################
+## <summary>
+## rw mount_var_run_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_runfiles',`
+ gen_require(`
+ type mount_var_run_t;
+ ')
+
+ allow $1 mount_var_run_t:dir search;
+ allow $1 mount_var_run_t:file rw_file_perms;
+')