
Bug#989241: unblock: refpolicy/2:2.20210203-6



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

[ Reason ]
Added policy for the cockpit web admin tool.

Improved support for exim, sympa, and rspamd (together or separately).

Allow postgresql to read TLS private keys for SSL database access.

Allow systemd-nspawn to have audit_control capability for setting up all
chroot settings.

Allow inetd to kill all child processes.

Allow chromium_naclhelper_t more access to set up a jail.

[ Impact ]
Without this:

Cockpit can't be used.

Exim (default MTA) can't be installed or upgraded.

Sympa doesn't work and rspamd doesn't work properly.

PostgreSQL won't start under some configurations.

Inetd can't kill its child processes which may keep running inappropriately.

Chromium/Chrome can't set up a minimum privilege jail properly which may allow
inappropriate privileges.

[ Risks ]

No risks, just adding new access that programs need to run properly.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock refpolicy/2:2.20210203-6

diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog	2021-04-09 23:02:14.000000000 +1000
+++ refpolicy-2.20210203/debian/changelog	2021-05-08 17:55:06.000000000 +1000
@@ -1,3 +1,31 @@
+refpolicy (2:2.20210203-6) unstable; urgency=medium
+
+  * Add policy for cockpit web admin tool
+  * Fixes for puppet policy
+  * Allow system_mail_t to be in role unconfined_r for upgrades of the exim
+    packages
+  * Allow more spamd_log_t access if boolean rspamd_spamd is enabled
+  * Allow httpd_sys_script_t to rw sympa_var_t dirs and manage sympa_var_t
+    files, and to read sympa conf files.  Also allow it to read generic certs
+    for sympa and also for lots of other things
+    Allow httpd_t to read sympa conf files, read sympa var files, manage sympa
+    runtime files, and manage sympa runtime sockets
+    Allow sympa to send signull to itself
+  * Allow certbot to search xdg dirs, don't know what it's trying to do but
+    searching doesn't do any harm and makes it easier to discover what's
+    happening.
+  * Allow postgresql to read tls privkey
+  * Give systemd_nspawn_t the audit_control capability
+  * Allow devicekit_disk_t to read logind sessions and write inherited logind
+    inhibit pipes
+  * Give capability kill to inetd_t so it can kill child processes under
+    different uids
+  * Allow chromium_naclhelper_t process access setcap and signal and
+    cap_userns access sys_admin and sys_chroot.
+    Allow chromium_t to read alsa config.
+
+ -- Russell Coker <russell@coker.com.au>  Sat, 08 May 2021 17:55:06 +1000
+
 refpolicy (2:2.20210203-5) unstable; urgency=medium
 
   * Add policy for rasdaemon
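Review bot: the entry "Fixes for puppet policy" doesn't say what changed, while every other entry names the domain and the access; the 0032-puppet patch in this debdiff declares a puppet_cache_t type labelling /var/cache/puppet, adds corecmd_bin_entry_type for puppet_t and puppetmaster_t, and gives puppetmaster_t read access to puppet_log_t, so list those. The spamassassin change also adds kernel_read_network_state(spamd_t) under the rspamd_spamd boolean, which the "Allow more spamd_log_t access" line doesn't mention.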
diff -Nru refpolicy-2.20210203/debian/modules.conf.default refpolicy-2.20210203/debian/modules.conf.default
--- refpolicy-2.20210203/debian/modules.conf.default	2021-04-04 22:55:24.000000000 +1000
+++ refpolicy-2.20210203/debian/modules.conf.default	2021-04-20 17:40:09.000000000 +1000
@@ -545,6 +545,13 @@
 cobbler = module
 
 # Layer: contrib
+# Module: cockpit
+#
+# Web based sysadmin tool that includes web shell access
+# 
+cockpit = module
+
+# Layer: contrib
 # Module: collectd
 #
 # Statistics collection daemon for filling RRD files.
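Review bot: the "# " line closing the new cockpit comment block carries a trailing space, and the same block is repeated verbatim in modules.conf.mls in the next file; drop the trailing whitespace in both so the two entries stay identical to the neighbouring "#" separator lines.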
diff -Nru refpolicy-2.20210203/debian/modules.conf.mls refpolicy-2.20210203/debian/modules.conf.mls
--- refpolicy-2.20210203/debian/modules.conf.mls	2021-04-04 22:55:32.000000000 +1000
+++ refpolicy-2.20210203/debian/modules.conf.mls	2021-04-20 17:40:14.000000000 +1000
@@ -545,6 +545,13 @@
 cobbler = module
 
 # Layer: contrib
+# Module: cockpit
+#
+# Web based sysadmin tool that includes web shell access
+# 
+cockpit = module
+
+# Layer: contrib
 # Module: collectd
 #
 # Statistics collection daemon for filling RRD files.
diff -Nru refpolicy-2.20210203/debian/patches/0002-strict refpolicy-2.20210203/debian/patches/0002-strict
--- refpolicy-2.20210203/debian/patches/0002-strict	2021-03-31 18:37:54.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0002-strict	2021-04-20 19:15:43.000000000 +1000
@@ -213,7 +213,7 @@
  type systemd_backlight_t;
  type systemd_backlight_exec_t;
  init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
-@@ -1426,6 +1422,7 @@ tunable_policy(`systemd_tmpfilesd_factor
+@@ -1429,6 +1425,7 @@ tunable_policy(`systemd_tmpfilesd_factor
  ')
  
  optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system
--- refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system	2021-03-31 18:07:21.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system	2021-04-20 19:16:14.000000000 +1000
@@ -45,7 +45,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -671,6 +671,9 @@ init_start_system(systemd_logind_t)
+@@ -674,6 +674,9 @@ init_start_system(systemd_logind_t)
  init_stop_system(systemd_logind_t)
  init_watch_utmp(systemd_logind_t)
  
diff -Nru refpolicy-2.20210203/debian/patches/0025-systemd refpolicy-2.20210203/debian/patches/0025-systemd
--- refpolicy-2.20210203/debian/patches/0025-systemd	2021-04-06 13:58:55.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0025-systemd	2021-05-06 04:05:50.000000000 +1000
@@ -442,15 +442,17 @@
  	dbus_system_bus_client(systemd_networkd_t)
  	dbus_connect_system_bus(systemd_networkd_t)
  	dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
-@@ -934,7 +1011,7 @@ miscfiles_read_localization(systemd_noti
+@@ -934,8 +1011,8 @@ miscfiles_read_localization(systemd_noti
  # Nspawn local policy
  #
  
 -allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
+-allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
 +allow systemd_nspawn_t self:process { signal getsched setsched getcap setcap setfscreate setrlimit sigkill };
- allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
++allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot audit_control };
  allow systemd_nspawn_t self:capability2 wake_alarm;
  allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+ allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
 @@ -960,14 +1037,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
  # for /run/systemd/nspawn/incoming in chroot
  allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
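Review bot: audit_control is appended to the systemd_nspawn_t self:capability set with no comment on which container setup step needs it, unlike "# for /run/systemd/nspawn/incoming in chroot" a few lines below. CAP_AUDIT_CONTROL lets the domain change kernel audit rules and enable or disable auditing, so a one-line comment naming the operation (the unblock text only says "setting up all chroot settings") would let the next reader judge whether a dontaudit would have been enough. The inner header change from 7 to 8 lines is consistent with the one line removed and one added.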
@@ -742,11 +744,13 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/devicekit.te
 +++ refpolicy-2.20210203/policy/modules/services/devicekit.te
-@@ -195,6 +195,10 @@ optional_policy(`
+@@ -195,6 +195,12 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_read_logind_sessions_files(devicekit_disk_t)
 +	systemd_use_logind_fds(devicekit_disk_t)
++	systemd_write_inherited_logind_inhibit_pipes(devicekit_disk_t)
 +')
 +
 +optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services	2021-04-09 20:56:34.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0027-services	2021-05-06 04:09:33.000000000 +1000
@@ -364,7 +364,7 @@
  miscfiles_read_localization(devicekit_disk_t)
  
  userdom_read_all_users_state(devicekit_disk_t)
-@@ -214,7 +217,7 @@ optional_policy(`
+@@ -216,7 +219,7 @@ optional_policy(`
  
  allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
  allow devicekit_power_t self:capability2 wake_alarm;
@@ -1461,6 +1461,14 @@
  
  manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
  manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+@@ -342,6 +348,7 @@ init_read_utmp(postgresql_t)
+ logging_send_syslog_msg(postgresql_t)
+ logging_send_audit_msgs(postgresql_t)
+ 
++miscfiles_read_generic_tls_privkey(postgresql_t)
+ miscfiles_read_localization(postgresql_t)
+ 
+ seutil_libselinux_linked(postgresql_t)
 Index: refpolicy-2.20210203/policy/modules/system/systemd.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
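Review bot: miscfiles_read_generic_tls_privkey(postgresql_t) grants read access to every key carrying the generic TLS private key type on the host, not only the one the PostgreSQL ssl configuration points at; the unblock text gives the reason ("read TLS private keys for SSL database access"), but the surrounding postgresql_t rules are uncommented, so put that reason in a comment above the line so a later reader doesn't take the broad grant for an accident.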
@@ -1677,15 +1685,26 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/spamassassin.te
 +++ refpolicy-2.20210203/policy/modules/services/spamassassin.te
-@@ -399,6 +399,8 @@ tunable_policy(`rspamd_spamd',`
+@@ -399,6 +399,10 @@ tunable_policy(`rspamd_spamd',`
  	allow spamd_t self:process setrlimit;
  	allow spamc_t self:process setrlimit;
  
 +	allow spamd_t self:process execmem;
 +
++	kernel_read_network_state(spamd_t)
++
  	list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
  	mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
  	allow spamd_t spamd_etc_t:dir watch;
+@@ -407,7 +411,7 @@ tunable_policy(`rspamd_spamd',`
+ 	allow spamd_t spamd_var_lib_t:dir watch;
+ 	filetrans_pattern(spamd_t, spamd_var_lib_t, spamd_runtime_t, sock_file)
+ 
+-	search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t)
++	allow spamd_t spamd_log_t:dir rw_dir_perms;
+ 
+ 	fs_search_tmpfs(spamd_t)
+ 	manage_dirs_pattern(spamd_t, spamd_tmpfs_t, spamd_tmpfs_t)
 Index: refpolicy-2.20210203/policy/modules/services/exim.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/exim.te
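Review bot: replacing search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t) with "allow spamd_t spamd_log_t:dir rw_dir_perms" lets spamd add and remove entries in the log directory, but nothing in this hunk grants access to spamd_log_t files, so if the denial behind this was rspamd creating or writing its own log file a file rule (or a manage_files_pattern) is still missing; check against the original denial. Both new rules sit inside tunable_policy(`rspamd_spamd'), so stock spamd is unaffected unless the boolean is set, which is the right scoping.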
@@ -1733,3 +1752,16 @@
  allow fsdaemon_t self:process { getcap setcap signal_perms };
  allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
  allow fsdaemon_t self:unix_stream_socket { accept listen };
+Index: refpolicy-2.20210203/policy/modules/services/inetd.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/inetd.te
++++ refpolicy-2.20210203/policy/modules/services/inetd.te
+@@ -37,7 +37,7 @@ ifdef(`enable_mcs',`
+ # Local policy
+ #
+ 
+-allow inetd_t self:capability { setgid setuid sys_resource };
++allow inetd_t self:capability { kill setgid setuid sys_resource };
+ dontaudit inetd_t self:capability sys_tty_config;
+ allow inetd_t self:process { setsched setexec setrlimit };
+ allow inetd_t self:fifo_file rw_fifo_file_perms;
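Review bot: adding "kill" to inetd_t self:capability grants CAP_KILL, which waives the uid check for signalling any process, not only inetd's own children; the SELinux process:signal checks between inetd_t and the child domains still apply, so the effective scope is bounded by those rules, but a comment stating the intent (children running under other uids, per the changelog) would make that reasoning visible in the policy rather than only in the changelog.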
diff -Nru refpolicy-2.20210203/debian/patches/0028-misc refpolicy-2.20210203/debian/patches/0028-misc
--- refpolicy-2.20210203/debian/patches/0028-misc	2021-04-04 22:49:49.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0028-misc	2021-05-06 04:15:52.000000000 +1000
@@ -591,7 +591,18 @@
  # During find for /etc/whatever-release we get lots of output otherwise
  files_dontaudit_getattr_all_dirs(chromium_t)
  
-@@ -290,6 +292,7 @@ optional_policy(`
+@@ -255,6 +257,10 @@ tunable_policy(`chromium_read_system_inf
+ ')
+ 
+ optional_policy(`
++	alsa_read_config(chromium_t)
++')
++
++optional_policy(`
+ 	cups_read_config(chromium_t)
+ 	cups_stream_connect(chromium_t)
+ ')
+@@ -290,6 +296,7 @@ optional_policy(`
  
  optional_policy(`
  	networkmanager_dbus_chat(chromium_t)
@@ -599,6 +610,16 @@
  ')
  
  optional_policy(`
+@@ -383,6 +390,9 @@ allow chromium_sandbox_t chromium_naclhe
+ allow chromium_naclhelper_t chromium_t:unix_stream_socket { getattr read write };
+ allow chromium_naclhelper_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+ 
++allow chromium_naclhelper_t self:cap_userns { sys_admin sys_chroot };
++allow chromium_naclhelper_t self:process { setcap signal };
++
+ dev_read_sysfs(chromium_naclhelper_t)
+ dev_read_urand(chromium_naclhelper_t)
+ 
 Index: refpolicy-2.20210203/policy/modules/services/networkmanager.if
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.if
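Review bot: the new chromium_naclhelper_t rules use the cap_userns class for sys_admin and sys_chroot, so the helper gets these only inside a user namespace rather than against the host, which is the right scope for building a sandbox; "setcap" on self:process is what it needs to change its own capability set. The inner header change (6 to 9 lines) matches the three added lines. Nothing here says these are for the NaCl jail, so a short comment like the ones in cockpit.te ("# cockpit-ws can read from /dev/urandom") would help.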
diff -Nru refpolicy-2.20210203/debian/patches/0029-sympa refpolicy-2.20210203/debian/patches/0029-sympa
--- refpolicy-2.20210203/debian/patches/0029-sympa	2021-04-06 18:16:47.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0029-sympa	2021-05-06 03:45:21.000000000 +1000
@@ -13,7 +13,7 @@
 ===================================================================
 --- /dev/null
 +++ refpolicy-2.20210203/policy/modules/services/sympa.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,65 @@
 +policy_module(sympa,1.0.0)
 +
 +type sympa_t;
@@ -35,6 +35,7 @@
 +allow sympa_t self:fifo_file rw_file_perms;
 +allow sympa_t self:tcp_socket create_socket_perms;
 +allow sympa_t self:unix_dgram_socket create_socket_perms;
++allow sympa_t self:process signull;
 +allow sympa_t sympa_var_t:dir manage_dir_perms;
 +allow sympa_t sympa_var_t:file manage_file_perms;
 +
@@ -82,7 +83,7 @@
 ===================================================================
 --- /dev/null
 +++ refpolicy-2.20210203/policy/modules/services/sympa.if
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,168 @@
 +## <summary></summary>
 +
 +########################################
@@ -124,6 +125,25 @@
 +
 +########################################
 +## <summary>
++##      Allow managing sympa_var_t files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sympa_manage_var_files',`
++	gen_require(`
++		type sympa_var_t;
++	')
++
++	allow $1 sympa_var_t:dir rw_dir_perms;
++	allow $1 sympa_var_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
 +##      Transition to sympa_t when executing sympa_exec_t
 +## </summary>
 +## <param name="domain">
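Review bot: sympa_manage_var_files grants rw_dir_perms on sympa_var_t dirs and manage_file_perms on files, which matches its summary, but the doc block indents with spaces ("##      Allow managing") while sympa_read_conf later in this patch uses a tab after "##"; pick one. The interface also has no files_search_* call for the parent directory, unlike cockpit_read_lib_files in the 0031 patch, which pairs files_search_var_lib($1) with its read pattern; unless every caller already has that search access, add the matching call.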
@@ -158,7 +178,6 @@
 +	allow $1 sympa_t:fd use;
 +')
 +
-+
 +########################################
 +## <summary>
 +##      Dontaudit access to inherited sympa tcp sockets
@@ -176,6 +195,63 @@
 +
 +	dontaudit $1 sympa_t:tcp_socket { read write };
 +')
++
++########################################
++## <summary>
++##	Allow reading sympa config files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to allow
++##      </summary>
++## </param>
++#
++interface(`sympa_read_conf',`
++	gen_require(`
++		type sympa_etc_t;
++	')
++
++	allow $1 sympa_etc_t:dir list_dir_perms;
++	allow $1 sympa_etc_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow rw sympa runtime dirs and manage sympa runtime files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to allow
++##      </summary>
++## </param>
++#
++interface(`sympa_manage_runtime_files',`
++	gen_require(`
++		type sympa_runtime_t;
++	')
++
++	allow $1 sympa_runtime_t:dir rw_dir_perms;
++	allow $1 sympa_runtime_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow rw sympa runtime dirs and manage sympa runtime sock files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to allow
++##      </summary>
++## </param>
++#
++interface(`sympa_manage_runtime_sock_files',`
++	gen_require(`
++		type sympa_runtime_t;
++	')
++
++	allow $1 sympa_runtime_t:dir rw_dir_perms;
++	allow $1 sympa_runtime_t:sock_file { setattr create unlink write };
++')
 Index: refpolicy-2.20210203/policy/modules/services/mta.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/mta.te
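Review bot: sympa_manage_runtime_sock_files hand-lists sock_file { setattr create unlink write } instead of using manage_sock_file_perms or manage_sock_files_pattern as cockpit.te in this same debdiff does (manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)); if the narrower set is deliberate, say so in the summary, otherwise the next denial will reopen this. sympa_read_conf grants list/read on sympa_etc_t but no files_search_etc($1), so a caller must already be able to search /etc (assuming sympa_etc_t labels files under /etc, as the name suggests). The doc blocks mix a tab ("##	Allow reading") with spaces ("##      Domain to allow").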
@@ -250,3 +326,43 @@
 +	sympa_read_var_files(exim_t)
 +	sympa_use_fd(exim_t)
 +')
+Index: refpolicy-2.20210203/policy/modules/services/apache.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/apache.te
++++ refpolicy-2.20210203/policy/modules/services/apache.te
+@@ -902,6 +902,14 @@ optional_policy(`
+ 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
+ 
++optional_policy(`
++	sympa_manage_runtime_files(httpd_t)
++	sympa_manage_runtime_sock_files(httpd_t)
++	sympa_read_conf(httpd_t)
++	sympa_read_var_files(httpd_t)
++')
++
++
+ ########################################
+ #
+ # Helper local policy
+@@ -1243,6 +1251,8 @@ files_read_var_symlinks(httpd_sys_script
+ files_search_var_lib(httpd_sys_script_t)
+ files_search_spool(httpd_sys_script_t)
+ 
++miscfiles_read_generic_certs(httpd_sys_script_t)
++
+ apache_domtrans_rotatelogs(httpd_sys_script_t)
+ 
+ auth_use_nsswitch(httpd_sys_script_t)
+@@ -1325,6 +1335,11 @@ optional_policy(`
+ 	')
+ ')
+ 
++optional_policy(`
++	sympa_manage_var_files(httpd_sys_script_t)
++	sympa_read_conf(httpd_sys_script_t)
++')
++
+ ########################################
+ #
+ # Rotatelogs local policy
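Review bot: the hunk adds two consecutive blank lines after the new sympa optional_policy block in the httpd_t section (two "+" lines before the "# Helper local policy" banner); one matches the file's spacing elsewhere. The split of access is sensible: httpd_t gets read on conf and var plus manage on runtime files and sockets, while httpd_sys_script_t gets manage on var files and read on conf only, so CGI scripts can't touch the runtime sockets. miscfiles_read_generic_certs(httpd_sys_script_t) is unconditional rather than inside the sympa optional_policy, which matches the changelog's "also for lots of other things".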
diff -Nru refpolicy-2.20210203/debian/patches/0031-cockpit refpolicy-2.20210203/debian/patches/0031-cockpit
--- refpolicy-2.20210203/debian/patches/0031-cockpit	1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0031-cockpit	2021-04-20 19:18:22.000000000 +1000
@@ -0,0 +1,488 @@
+Index: refpolicy-2.20210203/policy/modules/services/cockpit.fc
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/cockpit.fc
+@@ -0,0 +1,18 @@
++# cockpit stuff
++
++/usr/lib/systemd/system/cockpit.*		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++/etc/systemd/system/cockpit.*	--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/libexec/cockpit-ws		--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
++/usr/libexec/cockpit-tls	--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
++/usr/libexec/cockpit-wsinstance-factory	--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
++
++/usr/libexec/cockpit-session	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
++/usr/libexec/cockpit-ssh	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
++
++/usr/share/cockpit/motd/update-motd    -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
++
++/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_var_lib_t,s0)
++
++/var/run/cockpit(/.*)?   gen_context(system_u:object_r:cockpit_runtime_t,s0)
++/var/run/cockpit-ws(/.*)?   gen_context(system_u:object_r:cockpit_runtime_t,s0)
+Index: refpolicy-2.20210203/policy/modules/services/cockpit.if
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/cockpit.if
+@@ -0,0 +1,279 @@
++## <summary>policy for cockpit</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the cockpit domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cockpit_ws_domtrans',`
++	gen_require(`
++		type cockpit_ws_t, cockpit_ws_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
++')
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the cockpit domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cockpit_session_domtrans',`
++	gen_require(`
++		type cockpit_session_t, cockpit_session_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
++')
++
++########################################
++## <summary>
++##	Read and write cockpit_session_t unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_rw_pipes',`
++	gen_require(`
++		type cockpit_session_t;
++	')
++
++	allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Create cockpit unix_stream_sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_manage_unix_stream_sockets',`
++	gen_require(`
++		type cockpit_ws_t;
++	')
++
++	allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
++')
++
++########################################
++## <summary>
++##	Search cockpit lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_search_lib',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	allow $1 cockpit_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read cockpit lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_read_lib_files',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage cockpit lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_manage_lib_files',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage cockpit lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_manage_lib_dirs',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read cockpit pid files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_read_pid_files',`
++	gen_require(`
++		type cockpit_runtime_t;
++	')
++
++	read_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
++	read_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
++')
++
++########################################
++## <summary>
++##	Manage cockpit pid dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_manage_pid_dirs',`
++	gen_require(`
++		type cockpit_runtime_t;
++	')
++
++	manage_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
++')
++
++########################################
++## <summary>
++##	Manage cockpit pid dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_manage_pid_files',`
++	gen_require(`
++		type cockpit_runtime_t;
++	')
++
++	manage_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
++')
++
++########################################
++## <summary>
++##	Execute cockpit server in the cockpit domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`cockpit_systemctl',`
++	gen_require(`
++		type cockpit_ws_t;
++		type cockpit_unit_file_t;
++		class service { start stop status reload enable disable };
++	')
++
++	init_reload($1)
++        systemd_use_passwd_agent($1)
++	allow $1 cockpit_unit_file_t:file read_file_perms;
++	allow $1 cockpit_unit_file_t:service { start stop status reload enable disable };
++
++	ps_process_pattern($1, cockpit_ws_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an cockpit environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`cockpit_admin',`
++	gen_require(`
++		type cockpit_ws_t;
++		type cockpit_session_t;
++		type cockpit_var_lib_t;
++		type cockpit_runtime_t;
++		type cockpit_unit_file_t;
++	')
++
++	allow $1 cockpit_ws_t:process { signal_perms };
++	ps_process_pattern($1, cockpit_ws_t)
++
++	allow $1 cockpit_session_t:process { signal_perms };
++	ps_process_pattern($1, cockpit_session_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 cockpit_ws_t:process ptrace;
++		allow $1 cockpit_session_t:process ptrace;
++	')
++
++	files_search_var_lib($1)
++	admin_pattern($1, cockpit_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, cockpit_runtime_t)
++
++	cockpit_systemctl($1)
++	admin_pattern($1, cockpit_unit_file_t)
++	allow $1 cockpit_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+Index: refpolicy-2.20210203/policy/modules/services/cockpit.te
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/cockpit.te
+@@ -0,0 +1,176 @@
++policy_module(cockpit, 1.0.0)
++
++# https://cockpit-project.org/
++
++########################################
++#
++# Declarations
++#
++
++type cockpit_ws_t;
++type cockpit_ws_exec_t;
++init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
++
++type cockpit_tmp_t;
++files_tmp_file(cockpit_tmp_t)
++
++type cockpit_tmpfs_t;
++userdom_user_tmpfs_file(cockpit_tmpfs_t)
++
++type cockpit_runtime_t;
++files_runtime_file(cockpit_runtime_t)
++
++type cockpit_unit_file_t;
++init_unit_file(cockpit_unit_file_t)
++
++type cockpit_var_lib_t;
++files_type(cockpit_var_lib_t)
++
++type cockpit_session_t;
++type cockpit_session_exec_t;
++domain_type(cockpit_session_t)
++domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
++
++########################################
++#
++# cockpit_ws_t local policy
++#
++
++allow cockpit_ws_t self:capability net_admin;
++allow cockpit_ws_t self:process setrlimit;
++allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
++allow cockpit_ws_t self:fifo_file rw_file_perms;
++
++kernel_read_system_state(cockpit_ws_t)
++
++# cockpit-tls can execute cockpit-ws
++can_exec(cockpit_ws_t,cockpit_ws_exec_t)
++
++# cockpit-ws can execute cockpit-session
++can_exec(cockpit_ws_t,cockpit_session_exec_t)
++
++corecmd_exec_shell(cockpit_ws_t)
++
++# cockpit-ws can read from /dev/urandom
++dev_read_urand(cockpit_ws_t) # for authkey
++dev_read_rand(cockpit_ws_t)  # for libssh
++
++corenet_tcp_bind_websm_port(cockpit_ws_t)
++
++# cockpit-ws can connect to other hosts via ssh
++corenet_tcp_connect_ssh_port(cockpit_ws_t)
++
++# cockpit-ws can write to its temp files
++manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
++manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
++files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
++
++manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
++manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
++fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file })
++
++manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
++manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
++manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
++manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
++files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file })
++
++manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
++manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
++
++cockpit_systemctl(cockpit_ws_t)
++
++kernel_read_network_state(cockpit_ws_t)
++
++auth_use_nsswitch(cockpit_ws_t)
++
++corecmd_exec_bin(cockpit_ws_t)
++
++fs_read_efivarfs_files(cockpit_ws_t)
++
++init_read_state(cockpit_ws_t)
++init_stream_connect(cockpit_ws_t)
++
++logging_send_syslog_msg(cockpit_ws_t)
++
++miscfiles_read_localization(cockpit_ws_t)
++
++sysnet_exec_ifconfig(cockpit_ws_t)
++
++# cockpit-ws launches cockpit-session
++cockpit_session_domtrans(cockpit_ws_t)
++allow cockpit_ws_t cockpit_session_t:process signal_perms;
++
++# cockpit-session communicates back with cockpit-ws
++allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
++
++# cockpit-tls and cockpit-ws communicate over a Unix socket
++allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
++
++optional_policy(`
++    hostname_exec(cockpit_ws_t)
++')
++
++optional_policy(`
++    kerberos_use(cockpit_ws_t)
++    kerberos_etc_filetrans_keytab(cockpit_ws_t, file)
++')
++
++optional_policy(`
++	ssh_read_user_home_files(cockpit_ws_t)
++')
++
++#########################################################
++#
++#  cockpit-session local policy
++#
++
++# cockpit-session changes to the actual logged in user
++allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
++allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
++
++read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
++list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
++
++manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
++manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
++manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
++files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file })
++
++manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
++manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
++fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file })
++
++read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
++list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
++
++kernel_read_network_state(cockpit_session_t)
++
++# cockpit-session runs a full pam stack, including pam_selinux.so
++auth_login_pgm_domain(cockpit_session_t)
++# cockpit-session resseting expired passwords
++auth_manage_shadow(cockpit_session_t)
++auth_write_login_records(cockpit_session_t)
++
++corenet_tcp_bind_ssh_port(cockpit_session_t)
++corenet_tcp_connect_ssh_port(cockpit_session_t)
++
++# cockpit-session can execute cockpit-agent as the user
++userdom_spec_domtrans_all_users(cockpit_session_t)
++usermanage_read_crack_db(cockpit_session_t)
++
++#optional_policy(`
++#    ssh_agent_signal(cockpit_session_t)
++#')
++
++optional_policy(`
++    sssd_dbus_chat(cockpit_session_t)
++')
++
++optional_policy(`
++    userdom_signal_all_users(cockpit_session_t)
++')
++
++optional_policy(`
++	unconfined_domtrans(cockpit_session_t)
++')
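Review bot: cockpit_session_t gets sys_admin, dac_override, dac_read_search, setuid, setgid, auth_manage_shadow, userdom_spec_domtrans_all_users and, in an optional_policy, unconfined_domtrans, with only "# cockpit-session changes to the actual logged in user" and "# cockpit-session resseting expired passwords" as justification; since modules.conf describes the tool as including "web shell access", each of sys_admin, the shadow write access and the unconfined transition deserves its own one-line reason, as dev_read_urand and dev_read_rand have. Smaller points: the summaries of cockpit_ws_domtrans and cockpit_session_domtrans still read "Execute TEMPLATE in the cockpit domin." (template text, and "domin"); the summary of cockpit_manage_pid_files says "Manage cockpit pid dirs"; "an cockpit environment" and "resseting" are typos; cockpit_systemctl has a space-indented line ("        systemd_use_passwd_agent($1)") among tab-indented ones, as do the optional_policy blocks for hostname_exec, kerberos_use, sssd_dbus_chat and userdom_signal_all_users; "{ signal_perms }" and "{ file }" don't need braces; "allow cockpit_ws_t cockpit_ws_t:unix_stream_socket" can use self; and cockpit_ws_t self:capability net_admin is uncommented.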
diff -Nru refpolicy-2.20210203/debian/patches/0032-puppet refpolicy-2.20210203/debian/patches/0032-puppet
--- refpolicy-2.20210203/debian/patches/0032-puppet	1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0032-puppet	2021-04-21 12:58:20.000000000 +1000
@@ -0,0 +1,50 @@
+Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
++++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
+@@ -11,6 +11,7 @@
+ /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ 
++/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
+ /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
+ 
+ /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
+Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
++++ refpolicy-2.20210203/policy/modules/admin/puppet.te
+@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
+ type puppet_tmp_t;
+ files_tmp_file(puppet_tmp_t)
+ 
++type puppet_cache_t;
++files_type(puppet_cache_t)
++
+ type puppet_var_lib_t;
+ files_type(puppet_var_lib_t)
+ 
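Review bot: `type puppet_cache_t; files_type(puppet_cache_t)` is declared here and /var/cache/puppet is labelled with it in puppet.fc, but no rule in this 50-line patch grants puppet_t or puppetmaster_t any access to puppet_cache_t. After a relabel the cache moves out of whatever generic var label it had before, so puppet will be denied on its own cache until rules such as `manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)` and `manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)` (and a `files_var_filetrans` if the directory is created at runtime) are added alongside the type declaration.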
+@@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
+ kernel_read_net_sysctls(puppet_t)
+ kernel_read_network_state(puppet_t)
+ 
++corecmd_bin_entry_type(puppet_t)
+ corecmd_exec_bin(puppet_t)
+ corecmd_exec_shell(puppet_t)
+ corecmd_read_all_executables(puppet_t)
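Review bot: `corecmd_bin_entry_type(puppet_t)` makes every bin_t executable a valid entry point into puppet_t, which weakens the property that only puppet_exec_t can enter the domain; anything else that can reach a `domtrans` into puppet_t could then do so via an arbitrary /usr/bin binary. This is usually added when the service is started through an interpreter or wrapper in /usr/bin rather than the labelled binary. If that is the case here, labelling the actual entry executable as puppet_exec_t (puppet.fc already has entries for /usr/sbin/puppetd) is the tighter fix; otherwise a comment explaining which binary needs it would help. The same applies to `corecmd_bin_entry_type(puppetmaster_t)` in the hunk for puppetmaster_t below.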
+@@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
+ allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
+ append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+ create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
++read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+ setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+ 
+@@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
+ kernel_read_crypto_sysctls(puppetmaster_t)
+ kernel_read_kernel_sysctls(puppetmaster_t)
+ 
++corecmd_bin_entry_type(puppetmaster_t)
+ corecmd_exec_bin(puppetmaster_t)
+ corecmd_exec_shell(puppetmaster_t)
+ 
diff -Nru refpolicy-2.20210203/debian/patches/0035-certbot refpolicy-2.20210203/debian/patches/0035-certbot
--- refpolicy-2.20210203/debian/patches/0035-certbot	2021-02-23 16:55:58.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0035-certbot	2021-05-06 03:50:58.000000000 +1000
@@ -61,7 +61,7 @@
  
  manage_dirs_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
  manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
-@@ -114,5 +115,13 @@ optional_policy(`
+@@ -114,5 +115,17 @@ optional_policy(`
  	# for writing to webroot
  	apache_manage_sys_content(certbot_t)
  
@@ -75,4 +75,8 @@
 +
 +	apache_rw_runtime_files(certbot_t)
 +	apache_signal(certbot_t)
++')
++
++optional_policy(`
++	xdg_search_config_dirs(certbot_t)
  ')
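Review bot: `xdg_search_config_dirs(certbot_t)` is added without a comment, unlike the neighbouring apache grants which carry "# for writing to webroot". certbot runs as root from a timer or cron, so searching XDG config directories is only expected when it is invoked from an interactive admin session with XDG_CONFIG_HOME set; a one-line comment saying which invocation triggers the denial would make the grant reviewable later, and a `dontaudit` may be the better choice if certbot works fine without the lookup succeeding.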
diff -Nru refpolicy-2.20210203/debian/patches/2000-hacks refpolicy-2.20210203/debian/patches/2000-hacks
--- refpolicy-2.20210203/debian/patches/2000-hacks	2021-04-06 13:27:52.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/2000-hacks	2021-05-06 03:23:13.000000000 +1000
@@ -114,3 +114,46 @@
  ##	Do not audit attempts to use user ttys.
  ## </summary>
  ## <param name="domain">
+Index: refpolicy-2.20210203/policy/modules/services/mta.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/mta.if
++++ refpolicy-2.20210203/policy/modules/services/mta.if
+@@ -165,11 +165,15 @@ interface(`mta_admin_role',`
+ 		attribute_role admin_mail_roles;
+ 		type admin_mail_t, sendmail_exec_t, mail_home_t;
+ 		type user_mail_tmp_t, mail_home_rw_t;
++		type system_mail_t;
+ 	')
+ 	mta_base_role($1, $2)
+ 
+ 	roleattribute $1 admin_mail_roles;
+ 
++	# maybe not ideal but needed for exim postinst in Debian
++	role $1 types system_mail_t;
++
+ 	domtrans_pattern($2, sendmail_exec_t, admin_mail_t)
+ 	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+ 
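Review bot: adding `role $1 types system_mail_t;` inside `mta_admin_role` collapses the distinction between admin_mail_t and system_mail_t for every role that calls the interface, not only the one used for the exim postinst in Debian, and it is accompanied by a separate `mta_system_mail_role` interface added below that does exactly the same thing on request. Keeping only the new interface and calling it from the Debian-specific role policy (the sysadm role definition, for example) would confine the hack to where it is needed and leave upstream's `mta_admin_role` unchanged, which also makes the 2000-hacks patch easier to drop when the exim maintainer scripts no longer require it.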
+@@ -1222,3 +1226,22 @@ interface(`mta_rw_user_mail_stream_socke
+ 
+ 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+ ')
++
++# hack for exim postinst in Debian
++#######################################
++## <summary>
++##	Allow system_mail_t to run in a role
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_system_mail_role',`
++	gen_require(`
++		type system_mail_t;
++	')
++
++	role $1 types system_mail_t;
++')
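Review bot: the XML doc block for `mta_system_mail_role` declares `<param name="domain">` with the summary "Role allowed access.", but the single parameter is a role, and the interface body uses it as one (`role $1 types system_mail_t;`); it should be `<param name="role">` so the generated interface documentation is correct. The "# hack for exim postinst in Debian" line also sits outside the `##` doc block, so it will not appear in the documentation; moving that explanation into the `<summary>` (or a `<desc>`) records why the interface exists where readers of the docs will see it.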
diff -Nru refpolicy-2.20210203/debian/patches/series refpolicy-2.20210203/debian/patches/series
--- refpolicy-2.20210203/debian/patches/series	2021-04-04 22:50:49.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/series	2021-04-20 22:38:43.000000000 +1000
@@ -12,6 +12,8 @@
 0028-misc
 0029-sympa
 0030-user-sddm
+0031-cockpit
+0032-puppet
 0035-certbot
 0110-gpg
 0190-net_admin