Bug#877195: the patches
On Friday, 29 September 2017 4:39:15 PM AEDT Adam D. Barratt wrote:
> On Sat, 2017-09-30 at 01:08 +1000, Russell Coker wrote:
> > I've attached the patches. These all come from the package currently
> > in
> > Testing.
>
> Thanks, but we don't review individual patches (at least, we don't
> ack/nack uploads based on looking at individual patches).
https://www.debian.org/doc/manuals/developers-reference/pkgs.html
Section 5.5.1 of the above seemed to indicate that I should do it that way.
Did I misunderstand it or does the documentation need improving?
> If you'd like an ack for an upload to stable, we'd need to see a full
> source debdiff for a package that's been built and tested on stable.
I've attached such a debdiff. NB: it has one thing that is not required (but
is still handy), namely a build-conflicts against too-new versions of the SE
Linux tools. This prevents anyone from accidentally building it on Testing or
Unstable (which will be unusable). Obviously the package will work OK without
such a build-conflict, unless you build it with the wrong packages installed.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
diff -Nru refpolicy-2.20161023.1/debian/changelog refpolicy-2.20161023.1/debian/changelog
--- refpolicy-2.20161023.1/debian/changelog 2017-01-26 00:52:00.000000000 +1100
+++ refpolicy-2.20161023.1/debian/changelog 2017-09-13 23:47:21.000000000 +1000
@@ -1,3 +1,28 @@
+refpolicy (2:2.20161023.1-10) unstable; urgency=medium
+
+ * Add patch for typebounds. This patch was rejected upstream, to quote
+ Chris PeBenito:
+ NAK. This has already been fixed with the upcoming nnp_transition
+ nosuid_transition permissions in refpolicy. I'm afraid distros will
+ have to carry policy patches until they can roll out kernels that
+ support these permissions.
+ https://marc.info/?l=selinux&m=150151037511601&w=2
+ Closes: #874201
+ * Make it build-depend on the Stretch versions of tools.
+ Closes: #875546
+ * Allow systemd-tmpfiles to delete /var/lib/sudo files.
+ Closes: #875668
+ * Allow brctl to create files in sysfs and correctly label
+ /usr/lib/bridge-utils/.*\.sh
+ Closes: #875669
+ * Give bootloader_t all the access it needs to create initramfs images in
+ different situations and communicate with dpkg_t.
+ Closes: #875676
+ * Allow dnsmasq_t to read it's config dir
+ Closes: #875681
+
+ -- Russell Coker <russell@coker.com.au> Wed, 13 Sep 2017 23:47:21 +1000
+
refpolicy (2:2.20161023.1-9) unstable; urgency=medium
* Dontaudit dkim_milter_t binding to labeled udp ports
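Review bot: the new changelog entry targets `unstable` with version `2:2.20161023.1-10`, but the mail asks for an ack for a stable upload; a stretch update needs the distribution set to `stretch` and a version that sorts below the one in testing/unstable (the usual form is `2:2.20161023.1-9+deb9u1`), otherwise the same version string ends up in two suites. Also fix the typo in the dnsmasq bullet: `read it's config dir` should be `read its config dir`. The typebounds bullet quotes the upstream NAK but does not say which kernel version makes the patch droppable; one line on that would make the carried patch easier to retire later.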
diff -Nru refpolicy-2.20161023.1/debian/control refpolicy-2.20161023.1/debian/control
--- refpolicy-2.20161023.1/debian/control 2017-01-04 00:10:28.000000000 +1100
+++ refpolicy-2.20161023.1/debian/control 2017-09-12 15:29:26.000000000 +1000
@@ -9,12 +9,12 @@
Standards-Version: 3.9.8
Build-Depends: debhelper (>= 9)
Build-Depends-Indep: bzip2,
- checkpolicy (>= 2.5),
+ checkpolicy (>= 2.5), checkpolicy (<< 2.7~rc2-1),
gawk,
- libsepol1 (>= 2.5),
+ libsepol1 (>= 2.5), libsepol1 (<<2.7~rc2-1),
m4,
- policycoreutils (>= 2.5),
- policycoreutils-python-utils (>= 2.5),
+ policycoreutils (>= 2.5), policycoreutils (<<2.7~rc2-1),
+ policycoreutils-python-utils (>= 2.5), policycoreutils-python-utils (<<2.7~rc2-1),
python,
# Needed for the --sort=name option, can probably be removed when this version
# hits stable.
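Review bot: the upper bounds are written inconsistently: `checkpolicy (<< 2.7~rc2-1)` has a space after the operator while `libsepol1 (<<2.7~rc2-1)`, `policycoreutils (<<2.7~rc2-1)` and `policycoreutils-python-utils (<<2.7~rc2-1)` do not; both forms parse, but use one. Since the mail itself says the bound is not required for the fix, note that an upper bound in `Build-Depends-Indep` will also block rebuilds on stretch if a point release ever ships a tools version at or above `2.7~rc2-1`, so it deserves a comment in `debian/control` explaining why it is there (the `# Needed for the --sort=name option` comment just below shows the style).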
diff -Nru refpolicy-2.20161023.1/debian/patches/0200-stretch-updates refpolicy-2.20161023.1/debian/patches/0200-stretch-updates
--- refpolicy-2.20161023.1/debian/patches/0200-stretch-updates 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0200-stretch-updates 2017-09-13 22:41:33.000000000 +1000
@@ -0,0 +1,243 @@
+Index: refpolicy-2.20161023.1/policy/modules/contrib/pulseaudio.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/pulseaudio.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/pulseaudio.te
+@@ -212,6 +212,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # when pulseaudio is run from a user session on systems it uses files
++ # under /run/systemd/users
++ systemd_read_logind_pids(pulseaudio_t)
++')
++
++optional_policy(`
+ udev_read_pid_files(pulseaudio_t)
+ udev_read_state(pulseaudio_t)
+ udev_read_db(pulseaudio_t)
+Index: refpolicy-2.20161023.1/policy/modules/system/userdomain.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/userdomain.if
++++ refpolicy-2.20161023.1/policy/modules/system/userdomain.if
+@@ -66,7 +66,9 @@ template(`userdom_base_user_template',`
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit $1_t user_tty_device_t:chr_file ioctl;
+
++ kernel_read_crypto_sysctls($1_t)
+ kernel_read_kernel_sysctls($1_t)
++ kernel_read_vm_overcommit_sysctl($1_t)
+ kernel_read_vm_sysctls($1_t)
+ kernel_dontaudit_list_unlabeled($1_t)
+ kernel_dontaudit_getattr_unlabeled_files($1_t)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/courier.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/courier.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/courier.te
+@@ -188,6 +188,8 @@ miscfiles_read_localization(courier_tcpd
+
+ kernel_read_kernel_sysctls(courier_sqwebmail_t)
+
++dev_read_urand(courier_sqwebmail_t)
++
+ optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ')
+Index: refpolicy-2.20161023.1/policy/modules/contrib/apache.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/apache.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/apache.fc
+@@ -86,6 +86,7 @@ ifdef(`distro_suse',`
+ /usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/cron.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/cron.if
++++ refpolicy-2.20161023.1/policy/modules/contrib/cron.if
+@@ -770,10 +770,31 @@ interface(`cron_read_system_job_tmp_file
+ ')
+
+ files_search_tmp($1)
++ allow $1 system_cronjob_tmp_t:dir search_dir_perms;
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+ ')
+
+ ########################################
++## <summary>
++## Read/write system cron job temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cron_rw_system_job_tmp_files',`
++ gen_require(`
++ type system_cronjob_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 system_cronjob_tmp_t:dir search_dir_perms;
++ allow $1 system_cronjob_tmp_t:file rw_file_perms;
++')
++
++########################################
+ ## <summary>
+ ## Do not audit attempts to append temporary
+ ## system cron job files.
+Index: refpolicy-2.20161023.1/policy/modules/contrib/gpg.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/gpg.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/gpg.te
+@@ -98,6 +98,7 @@ gpg_stream_connect_agent(gpg_t)
+ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+ domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
++kernel_read_crypto_sysctls(gpg_t)
+ kernel_read_sysctl(gpg_t)
+
+ corecmd_exec_shell(gpg_t)
+@@ -171,6 +172,7 @@ optional_policy(`
+ optional_policy(`
+ cron_system_entry(gpg_t, gpg_exec_t)
+ cron_read_system_job_tmp_files(gpg_t)
++ cron_rw_system_job_tmp_files(gpg_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.fc
+@@ -4,6 +4,7 @@
+ /usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+ /usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
++/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+ /var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+ /var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/cron.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/cron.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/cron.te
+@@ -337,6 +337,7 @@ ifdef(`distro_debian',`
+ optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
++ dpkg_manage_db(system_cronjob_t)
+ ')
+ ')
+
+@@ -477,6 +478,7 @@ manage_files_pattern(system_cronjob_t, c
+ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+ files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
++allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
+
+ manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/apt.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/apt.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/apt.fc
+@@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
+
+ /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+ /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
++/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+ /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dkim.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dkim.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/dkim.fc
+@@ -1,4 +1,5 @@
+ /etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
++/etc/dkimkeys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+ /etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dkim.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dkim.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dkim.te
+@@ -35,6 +35,7 @@ dev_read_sysfs(dkim_milter_t)
+
+ dev_read_urand(dkim_milter_t)
+
++files_read_usr_files(dkim_milter_t)
+ files_search_spool(dkim_milter_t)
+
+ mta_read_config(dkim_milter_t)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/mailman.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/mailman.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/mailman.fc
+@@ -1,6 +1,7 @@
+ /etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+ /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
++/etc/mailman/postfix-to-mailman\.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+ /usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+ /usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.if
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.if
+@@ -242,3 +242,23 @@ interface(`dpkg_lock_db',`
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ allow $1 dpkg_lock_t:file manage_file_perms;
+ ')
++
++########################################
++## <summary>
++## manage dpkg_tmp_t files and dirs
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dpkg_manage_tmp_files',`
++ gen_require(`
++ type dpkg_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 dpkg_tmp_t:dir manage_dir_perms;
++ allow $1 dpkg_tmp_t:file manage_file_perms;
++')
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+@@ -68,6 +68,8 @@ allow dpkg_t self:msgq create_msgq_perms
+ allow dpkg_t self:msg { send receive };
+
+ allow dpkg_t dpkg_lock_t:file manage_file_perms;
++corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
++corecmd_bin_entry_type(dpkg_script_t)
+
+ manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+ manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+Index: refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+@@ -129,6 +129,7 @@ ifdef(`distro_debian',`
+ # /lib
+ #
+
++/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
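Review bot: the `corecommands.fc` hunk at the end of this patch, adding `/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)`, is identical to the one in `0230-brctl-sysfs-875669`; if both patches are applied the second will fail as already applied, so keep the line in one place (0230 is the one listed in `debian/patches/series`). The `apt.fc` entry `/var/lib/apt-xapian-inde(x)(/.*)?` looks like an editing accident: `(x)` matches exactly what `x` matches, so write `/var/lib/apt-xapian-index(/.*)?`. In `pulseaudio.te` the comment `on systems it uses files under /run/systemd/users` reads as if a word was dropped (presumably `on systemd systems`). `dpkg.if` adds `dpkg_manage_tmp_files` but nothing in this debdiff calls it, and `corecmd_bin_domtrans(dpkg_t, dpkg_script_t)` in `dpkg.te` makes every `bin_t` executable run by `dpkg_t` transition to `dpkg_script_t`, which is a wider change than any changelog bullet describes; both should get a changelog line or a comment in the patch.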
diff -Nru refpolicy-2.20161023.1/debian/patches/0210-bounds-874201 refpolicy-2.20161023.1/debian/patches/0210-bounds-874201
--- refpolicy-2.20161023.1/debian/patches/0210-bounds-874201 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0210-bounds-874201 2017-09-12 14:33:35.000000000 +1000
@@ -0,0 +1,109 @@
+Index: refpolicy-2.20161023.1/policy/modules/system/init.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/init.te
++++ refpolicy-2.20161023.1/policy/modules/system/init.te
+@@ -292,6 +292,7 @@ ifdef(`init_systemd',`
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_getattr_tmpfs(init_t)
+ fs_read_tmpfs_files(init_t)
++ fs_read_tmpfs_symlinks(init_t)
+ fs_read_cgroup_files(init_t)
+ fs_dontaudit_getattr_xattr_fs(init_t)
+ # for privatetmp functions
+Index: refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/entropyd.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te
+@@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t)
+
+ fs_getattr_all_fs(entropyd_t)
+ fs_search_auto_mountpoints(entropyd_t)
++fs_search_tmpfs(entropyd_t)
+
+ domain_use_interactive_fds(entropyd_t)
+
+@@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',`
+ dev_write_sound(entropyd_t)
+ ')
+
++ifdef(`init_systemd',`
++ init_bounded(entropyd_t, entropyd_exec_t)
++')
++
+ optional_policy(`
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/tor.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/tor.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/tor.te
+@@ -115,6 +115,10 @@ tunable_policy(`tor_bind_all_unreserved_
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+ ')
+
++ifdef(`init_systemd',`
++ init_bounded(tor_t, tor_exec_t)
++')
++
+ optional_policy(`
+ seutil_sigchld_newrole(tor_t)
+ ')
+Index: refpolicy-2.20161023.1/policy/modules/system/init.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/init.if
++++ refpolicy-2.20161023.1/policy/modules/system/init.if
+@@ -365,6 +365,31 @@ interface(`init_ranged_daemon_domain',`
+ ')
+ ')
+
++########################################
++## <summary>
++## Make a domain be bounded by init_t
++## NB init_t needs to have all the permissions of the domain in question
++## </summary>
++## <param name="domain">
++## <summary>
++## Bounded domain
++## </summary>
++## </param>
++## <param name="entry_point">
++## <summary>
++## Type of the program to be used as an entry point to this domain.
++## </summary>
++## </param>
++#
++interface(`init_bounded',`
++ gen_require(`
++ type init_t;
++ ')
++
++ typebounds init_t $1;
++ allow init_t $2:file entrypoint;
++')
++
+ #########################################
+ ## <summary>
+ ## Abstract socket service activation (systemd).
+Index: refpolicy-2.20161023.1/policy/modules/contrib/mysql.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/mysql.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/mysql.te
+@@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t)
+
+ fs_getattr_all_fs(mysqld_t)
+ fs_search_auto_mountpoints(mysqld_t)
++fs_search_tmpfs(mysqld_t)
+ fs_rw_hugetlbfs_files(mysqld_t)
+
+ files_read_etc_runtime_files(mysqld_t)
+@@ -149,6 +150,10 @@ optional_policy(`
+ daemontools_service_domain(mysqld_t, mysqld_exec_t)
+ ')
+
++ifdef(`init_systemd',`
++ init_bounded(mysqld_t, mysqld_exec_t)
++')
++
+ optional_policy(`
+ seutil_sigchld_newrole(mysqld_t)
+ ')
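Review bot: the `init_bounded` interface should say in its `<summary>`/`<desc>` why a domain is being bounded at all (the NAK quoted in the changelog: kernels without `nnp_transition`/`nosuid_transition`) and reference #874201, because the consequence is non-obvious: once `typebounds init_t mysqld_t` is in effect, any permission later granted to `mysqld_t`, `tor_t` or `entropyd_t` that `init_t` lacks will be rejected when the policy is compiled or loaded, and the `fs_search_tmpfs`/`fs_read_tmpfs_symlinks` additions in this patch only make sense as that superset adjustment. A one-line comment at each `init_bounded(...)` call site saying so would save the next maintainer a debugging session. `Make a domain be bounded by init_t` reads better as `Make a domain bounded by init_t`, and `allow init_t $2:file entrypoint;` widens `init_t` to enter the daemon's domain through its exec type, which is the price of the workaround and is worth stating in the `<desc>`.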
diff -Nru refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668 refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668
--- refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668 2017-09-13 21:02:37.000000000 +1000
@@ -0,0 +1,15 @@
+Index: refpolicy-2.20161023.1/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20161023.1/policy/modules/system/systemd.te
+@@ -742,6 +742,10 @@ files_relabelto_etc_dirs(systemd_tmpfile
+ files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+ files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+ files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
++
++# for /var/lib/sudo
++auth_delete_pam_pid(systemd_tmpfiles_t)
++
+ # for /etc/mtab
+ files_manage_etc_symlinks(systemd_tmpfiles_t)
+
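Review bot: the comment `# for /var/lib/sudo` should also name the type that `auth_delete_pam_pid` acts on, so a reader can verify that `/var/lib/sudo` actually carries that label on stretch instead of taking the path-to-interface mapping on trust; as written the link is implicit. The delete permission applies to everything of that type, not only sudo's directory, which is acceptable for a tmpfiles cleaner but should be said in the comment.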
diff -Nru refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669 refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669
--- refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669 2017-09-13 23:16:38.000000000 +1000
@@ -0,0 +1,53 @@
+Index: refpolicy-2.20161023.1/policy/modules/contrib/brctl.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/brctl.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/brctl.te
+@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
+
+ corenet_rw_tun_tap_dev(brctl_t)
+
++dev_create_sysfs_files(brctl_t)
+ dev_rw_sysfs(brctl_t)
+ dev_write_sysfs_dirs(brctl_t)
+
+Index: refpolicy-2.20161023.1/policy/modules/kernel/devices.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/devices.if
++++ refpolicy-2.20161023.1/policy/modules/kernel/devices.if
+@@ -4097,6 +4097,24 @@ interface(`dev_dontaudit_getattr_sysfs',
+
+ ########################################
+ ## <summary>
++## Add a sysfs file
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_create_sysfs_files',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ create_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
+ ## Search the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+Index: refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+@@ -129,6 +129,7 @@ ifdef(`distro_debian',`
+ # /lib
+ #
+
++/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
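Review bot: `dev_create_sysfs_files` grants `create` on `sysfs_t` files to `brctl_t`, which sysfs cannot actually honour; the usual cause is a tool opening an existing attribute file with `O_CREAT` (fopen mode `w`), so the interface's `<desc>` and the call site should record that this is an open-flag artefact rather than a real need to create nodes in sysfs, otherwise a later reader may widen it further. The summary `Add a sysfs file` should match the interface name (`Create sysfs files`). The `corecommands.fc` hunk here duplicates the one at the end of `0200-stretch-updates`; keep only this copy.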
diff -Nru refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676 refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676
--- refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676 2017-09-13 22:55:43.000000000 +1000
@@ -0,0 +1,213 @@
+Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.fc
++++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc
+@@ -10,3 +10,4 @@
+ /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
+Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.te
++++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.te
+@@ -68,6 +68,9 @@ kernel_read_kernel_sysctls(bootloader_t)
+ # for grub-probe
+ kernel_request_load_module(bootloader_t)
+
++# for grub-mount
++kernel_search_debugfs(bootloader_t)
++
+ storage_raw_read_fixed_disk(bootloader_t)
+ storage_raw_write_fixed_disk(bootloader_t)
+ storage_raw_read_removable_device(bootloader_t)
+@@ -85,6 +88,7 @@ dev_rw_nvram(bootloader_t)
+ fs_getattr_xattr_fs(bootloader_t)
+ fs_getattr_tmpfs(bootloader_t)
+ fs_read_tmpfs_symlinks(bootloader_t)
++fs_unmount_xattr_fs(bootloader_t)
+ #Needed for ia64
+ fs_manage_dos_files(bootloader_t)
+
+@@ -138,6 +142,7 @@ userdom_dontaudit_search_user_home_dirs(
+
+ ifdef(`distro_debian',`
+ allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
++ allow bootloader_t bootloader_tmp_t:dir mounton;
+ fs_list_tmpfs(bootloader_t)
+
+ files_relabel_kernel_modules(bootloader_t)
+@@ -148,15 +153,30 @@ ifdef(`distro_debian',`
+ # for /usr/share/initrd-tools/scripts
+ files_exec_usr_files(bootloader_t)
+
++ files_search_mnt(bootloader_t)
++ fs_mount_fusefs(bootloader_t)
++ fs_mounton_fusefs(bootloader_t)
++ fs_read_fusefs_symlinks(bootloader_t)
++ fs_read_fusefs_files(bootloader_t)
++ fs_stat_fusefs(bootloader_t)
++ fs_unmount_fusefs(bootloader_t)
++
+ fstools_manage_entry_files(bootloader_t)
+ fstools_relabelto_entry_files(bootloader_t)
++ fstools_manage_runfile(bootloader_t)
+
+ libs_relabelto_lib_files(bootloader_t)
+
++ mount_rw_runfiles(bootloader_t)
++
+ # for apt-cache
+ dpkg_read_db(bootloader_t)
++ dpkg_rw_pipes(bootloader_t)
+ apt_read_db(bootloader_t)
+ apt_read_cache(bootloader_t)
++
++ storage_rw_fuse(bootloader_t)
++ udev_read_pid_files(bootloader_t)
+ ')
+
+ ifdef(`distro_redhat',`
+@@ -214,5 +234,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ raid_manage_mdadm_pid(bootloader_t)
++')
++
++optional_policy(`
+ rpm_rw_pipes(bootloader_t)
+ ')
+Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.if
++++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.if
+@@ -141,3 +141,21 @@ interface(`bootloader_create_runtime_fil
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1, boot_runtime_t, file)
+ ')
++
++########################################
++## <summary>
++## allow bootloader to send sigchld to domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bootloader_send_sigchld',`
++ gen_require(`
++ type bootloader_t;
++ ')
++
++ allow bootloader_t $1:process sigchld;
++')
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+@@ -337,6 +337,7 @@ optional_policy(`
+
+ optional_policy(`
+ bootloader_run(dpkg_script_t, dpkg_roles)
++ bootloader_send_sigchld(dpkg_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/filesystem.if
++++ refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if
+@@ -1988,6 +1988,24 @@ interface(`fs_read_eventpollfs',`
+
+ ########################################
+ ## <summary>
++## stat a FUSE filesystem
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_stat_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
+ ## Mount a FUSE filesystem.
+ ## </summary>
+ ## <param name="domain">
+Index: refpolicy-2.20161023.1/policy/modules/contrib/raid.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/raid.if
++++ refpolicy-2.20161023.1/policy/modules/contrib/raid.if
+@@ -63,6 +63,7 @@ interface(`raid_manage_mdadm_pid',`
+ ')
+
+ files_search_pids($1)
++ allow $1 mdadm_var_run_t:dir search;
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+ ')
+
+Index: refpolicy-2.20161023.1/policy/modules/system/fstools.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/fstools.if
++++ refpolicy-2.20161023.1/policy/modules/system/fstools.if
+@@ -190,3 +190,22 @@ interface(`fstools_write_log',`
+
+ allow $1 fsadm_log_t:file write_file_perms;
+ ')
++
++########################################
++## <summary>
++## rw fsadm_run_t
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fstools_manage_runfile',`
++ gen_require(`
++ type fsadm_run_t;
++ ')
++
++ allow $1 fsadm_run_t:dir rw_dir_perms;
++ allow $1 fsadm_run_t:file manage_file_perms;
++')
+Index: refpolicy-2.20161023.1/policy/modules/system/mount.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/mount.if
++++ refpolicy-2.20161023.1/policy/modules/system/mount.if
+@@ -227,3 +227,22 @@ interface(`stat_mount_var_run',`
+
+ allow $1 mount_var_run_t:file getattr;
+ ')
++
++########################################
++## <summary>
++## rw mount_var_run_t files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mount_rw_runfiles',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:dir search;
++ allow $1 mount_var_run_t:file rw_file_perms;
++')
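Review bot: `fs_unmount_xattr_fs(bootloader_t)` in `bootloader.te` lets the bootloader domain unmount any xattr-labelled filesystem, not just what grub-mount/os-prober mounted; if the need is only the FUSE mount, `fs_unmount_fusefs(bootloader_t)` (added a few lines below in the `distro_debian` block) should cover it, and if the wider permission really is hit, the comment should say which operation triggers it. Labelling `/var/lib/os-prober(/.*)?` as `bootloader_tmp_t` puts a persistent `/var/lib` path under a tmp type and then grants `mounton` on it; workable for a stable update, but a comment should note it is a mountpoint. Interface docs: `fstools_manage_runfile`'s summary says `rw fsadm_run_t` while the body grants `rw_dir_perms` plus `manage_file_perms`, and the `bootloader_send_sigchld`, `fs_stat_fusefs` and `mount_rw_runfiles` summaries should start with a capital like the surrounding entries. Adding `allow $1 mdadm_var_run_t:dir search;` to `raid_manage_mdadm_pid` changes every existing caller of that interface; fine, but worth a changelog mention.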
diff -Nru refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681 refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681
--- refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681 2017-09-13 23:01:06.000000000 +1000
@@ -0,0 +1,14 @@
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dnsmasq.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te
+@@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept
+ allow dnsmasq_t self:packet_socket create_socket_perms;
+ allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+-read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
++allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
++allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
+
+ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
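Review bot: replacing `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` with two explicit `allow` rules works, but the idiomatic way to add directory listing while keeping read access is `list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` alongside the existing `read_files_pattern` line, which keeps the `.te` in pattern style; either way a short comment saying why listing is needed (dnsmasq reading a `conf-dir`) would help.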
diff -Nru refpolicy-2.20161023.1/debian/patches/series refpolicy-2.20161023.1/debian/patches/series
--- refpolicy-2.20161023.1/debian/patches/series 2017-01-26 00:52:00.000000000 +1100
+++ refpolicy-2.20161023.1/debian/patches/series 2017-09-13 23:46:54.000000000 +1000
@@ -11,4 +11,9 @@
0150-monit
0160-usrmerge
0170-usrmerge2
+0210-bounds-874201
+0220-delete-lib-sudo-875668
+0230-brctl-sysfs-875669
+0250-bootloader-875676
+0260-dnsmasq-875681
9140-boinc
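Review bot: `0200-stretch-updates` is added under `debian/patches` in this debdiff but is not listed here, so it is never applied; either add it to the series (and then remove the duplicated `corecommands.fc` hunk from one of 0200/0230, since both carry it and the second would fail to apply) or drop the file from the upload. The gap at 0240 in the numbering is harmless.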