
Bug#991201: marked as done (unblock: refpolicy/2:2.20210203-7)



Your message dated Sat, 17 Jul 2021 17:41:09 +0000
with message-id <E1m4oJJ-0001ii-1F@respighi.debian.org>
and subject line unblock refpolicy
has caused the Debian Bug report #991201,
regarding unblock: refpolicy/2:2.20210203-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991201
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

[ Reason ]
Improvement to policy for certbot, dhcp, mon, fsadm, and java.

[ Impact ]
This allows certbot to work out of the box on the first run.
It correctly labels dhclient hook scripts and wide-dhcpv6-client hooks.
Changes to mon and fsadm policy support megaraid (AKA PERC) RAID controllers.
Made the Java policy work for JRE 17.

[ Tests ]
Tested all of this manually.

[ Risks ]
No real risk, just added new allow rules.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing


unblock refpolicy/2:2.20210203-7

diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog	2021-05-08 17:55:06.000000000 +1000
+++ refpolicy-2.20210203/debian/changelog	2021-06-14 09:47:05.000000000 +1000
@@ -1,3 +1,19 @@
+refpolicy (2:2.20210203-7) unstable; urgency=medium
+
+  * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
+  * Label /etc/wide-dhcpv6/dhcp6c-ifupdown /etc/wide-dhcpv6/dhcp6c-script
+    /etc/dhcp/dhclient-enter-hooks.d/* and /etc/dhcp/dhclient-exit-hooks.d/*
+    as bin_t.
+  * Allow mon_local_test_t to run smartctl in fsadm_t for megaraid and other
+    corner cases and allowed fsadm_t to read fsdaemon_var_lib_t.  Dontaudit
+    fsadm_t inheriting file handles from mon_t.
+  * Allow fsadm_t to do a file type trans for creating
+    /dev/megaraid_sas_ioctl_node
+  * Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read
+    cgroup files.  Needed for JRE 17
+
+ -- Russell Coker <russell@coker.com.au>  Mon, 14 Jun 2021 09:47:05 +1000
+
 refpolicy (2:2.20210203-6) unstable; urgency=medium
 
   * Add policy for cockpit web admin tool
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services	2021-05-06 04:09:33.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0027-services	2021-06-14 09:47:05.000000000 +1000
@@ -217,26 +217,6 @@
  dev_rw_xserver_misc(boinc_t)
  
  domain_read_all_domains_state(boinc_t)
-Index: refpolicy-2.20210203/policy/modules/services/certbot.te
-===================================================================
---- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
-+++ refpolicy-2.20210203/policy/modules/services/certbot.te
-@@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t)
- # bind to http port for standalone mode
- corenet_tcp_bind_http_port(certbot_t)
- 
-+dev_read_urand(certbot_t)
-+
- domain_use_interactive_fds(certbot_t)
- 
- files_read_etc_files(certbot_t)
- files_read_usr_files(certbot_t)
- 
-+# dontaudit for attempts to write python cache files
-+libs_dontaudit_write_lib_dirs(certbot_t)
- libs_exec_ldconfig(certbot_t)
- # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
- libs_exec_lib_files(certbot_t)
 Index: refpolicy-2.20210203/policy/modules/services/clamav.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
@@ -561,7 +541,7 @@
  files_read_usr_files(mon_local_test_t)
  files_search_mnt(mon_local_test_t)
  files_search_spool(mon_local_test_t)
-@@ -197,8 +203,11 @@ files_list_boot(mon_local_test_t)
+@@ -197,9 +203,13 @@ files_list_boot(mon_local_test_t)
  fs_search_auto_mountpoints(mon_local_test_t)
  fs_getattr_nfs(mon_local_test_t)
  fs_getattr_xattr_fs(mon_local_test_t)
@@ -571,9 +551,11 @@
 +fs_read_cgroup_files(mon_local_test_t)
 +fs_search_cgroup_dirs(mon_local_test_t)
  fs_search_nfs(mon_local_test_t)
++fstools_domtrans(mon_local_test_t)
  
  storage_getattr_fixed_disk_dev(mon_local_test_t)
-@@ -211,12 +220,14 @@ application_exec_all(mon_local_test_t)
+ storage_getattr_removable_dev(mon_local_test_t)
+@@ -211,12 +221,14 @@ application_exec_all(mon_local_test_t)
  
  auth_use_nsswitch(mon_local_test_t)
  
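Review bot: `fstools_domtrans(mon_local_test_t)` (the `++` line in this hunk) opens a domain transition from mon's local test scripts into fsadm_t, and the fstools.te context lines later in this debdiff show fsadm_t holding `storage_raw_read_fixed_disk` and `storage_raw_write_fixed_disk`, so a monitoring-test domain now has a path into a domain with raw block-device write access. That matches the changelog's stated intent (smartctl on megaraid controllers), but the rule carries no comment; `# smartctl must run in fsadm_t for megaraid ioctls` next to it would record why the transition exists and let a later reviewer judge its scope. The nested mon.te hunk this line belongs to is headed in the previous outer hunk (`@@ -197,9 +203,13 @@`), so its start is outside this hunk.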
@@ -1765,3 +1747,130 @@
  dontaudit inetd_t self:capability sys_tty_config;
  allow inetd_t self:process { setsched setexec setrlimit };
  allow inetd_t self:fifo_file rw_fifo_file_perms;
+Index: refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
+@@ -43,6 +43,8 @@ ifdef(`distro_redhat',`
+ /etc/cron\.monthly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/etc/dhcp/dhclient-enter-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
++/etc/dhcp/dhclient-exit-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
+@@ -101,6 +103,9 @@ ifdef(`distro_redhat',`
+ 
+ /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/wide-dhcpv6/dhcp6c-ifupdown --	gen_context(system_u:object_r:bin_t,s0)
++/etc/wide-dhcpv6/dhcp6c-script	--	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
+Index: refpolicy-2.20210203/policy/modules/kernel/storage.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.fc
++++ refpolicy-2.20210203/policy/modules/kernel/storage.fc
+@@ -29,6 +29,7 @@
+ /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megaraid.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+Index: refpolicy-2.20210203/policy/modules/system/fstools.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
++++ refpolicy-2.20210203/policy/modules/system/fstools.te
+@@ -137,6 +137,8 @@ mls_file_write_all_levels(fsadm_t)
+ 
+ selinux_getattr_fs(fsadm_t)
+ 
++storage_dev_filetrans_fixed_disk_control(fsadm_t, "megaraid_sas_ioctl_node")
++storage_manage_fixed_disk(fsadm_t)
+ storage_raw_read_fixed_disk(fsadm_t)
+ storage_raw_write_fixed_disk(fsadm_t)
+ storage_raw_read_removable_device(fsadm_t)
+@@ -192,6 +194,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	fsdaemon_read_lib(fsadm_t)
++')
++
++optional_policy(`
+ 	livecd_rw_tmp_files(fsadm_t)
+ ')
+ 
+@@ -201,6 +207,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mon_dontaudit_use_fds(fsadm_t)
++')
++
++optional_policy(`
+ 	nis_use_ypbind(fsadm_t)
+ ')
+ 
+Index: refpolicy-2.20210203/policy/modules/apps/java.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/java.te
++++ refpolicy-2.20210203/policy/modules/apps/java.te
+@@ -128,11 +128,17 @@ tunable_policy(`allow_java_execstack',`
+ auth_use_nsswitch(java_t)
+ 
+ corecmd_search_bin(java_t)
++corecmd_exec_bin(java_t)
+ 
+ dev_read_sysfs(java_t)
+ 
++fs_read_cgroup_files(java_t)
++fs_search_cgroup_dirs(java_t)
++
+ locallogin_use_fds(java_t)
+ 
++libs_exec_lib_files(java_t)
++
+ userdom_read_user_tmp_files(java_t)
+ userdom_use_user_terminals(java_t)
+ 
+Index: refpolicy-2.20210203/policy/modules/kernel/storage.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.if
++++ refpolicy-2.20210203/policy/modules/kernel/storage.if
+@@ -309,6 +309,30 @@ interface(`storage_dev_filetrans_fixed_d
+ 
+ ########################################
+ ## <summary>
++##	Create char devices in /dev with the fixed disk type
++##	via an automatic type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="filename" optional="true">
++##	<summary>
++##	Optional filename of the char device to be created
++##	</summary>
++## </param>
++#
++interface(`storage_dev_filetrans_fixed_disk_control',`
++	gen_require(`
++		type fixed_disk_device_t;
++	')
++
++	dev_filetrans($1, fixed_disk_device_t, chr_file, $2)
++')
++
++########################################
++## <summary>
+ ##	Create block devices in on a tmpfs filesystem with the
+ ##	fixed disk type via an automatic type transition.
+ ## </summary>
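Review bot: `corecmd_exec_bin(java_t)` and `libs_exec_lib_files(java_t)` in the java.te part of this hunk let java_t execute every bin_t and lib_t file, while the changelog ties the need to a single helper (jspawnhelper); a comment recording that reason next to the rules, `# JRE 17 jspawnhelper lives under the JVM lib dir; broader than strictly needed`, would let a maintainer narrow the rule if the helper ever gets its own label. In the corecommands.fc part, the new `/etc/dhcp/dhclient-enter-hooks.d(/.*)?` and `/etc/dhcp/dhclient-exit-hooks.d(/.*)?` entries leave the dot before `d` unescaped, unlike `/etc/dhcp/dhclient\.d(/.*)?` directly above; harmless because `.` also matches a literal dot, but `dhclient-enter-hooks\.d(/.*)?` keeps the file's convention. The `--` qualifier on those two `(/.*)?` entries also means the hook directories themselves keep the /etc default label rather than bin_t, which may be intended but differs from the adjacent `dhclient\.d` entry and is worth a note if deliberate.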
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-04-06 13:27:36.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-05-15 18:59:16.000000000 +1000
@@ -347,7 +347,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
 +++ refpolicy-2.20210203/policy/modules/apps/chromium.te
-@@ -271,6 +271,7 @@ optional_policy(`
+@@ -275,6 +275,7 @@ optional_policy(`
  
  	optional_policy(`
  		gnome_dbus_chat_all_gkeyringd(chromium_t)
diff -Nru refpolicy-2.20210203/debian/patches/0035-certbot refpolicy-2.20210203/debian/patches/0035-certbot
--- refpolicy-2.20210203/debian/patches/0035-certbot	2021-05-06 03:50:58.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0035-certbot	2021-05-15 22:18:05.000000000 +1000
@@ -53,15 +53,44 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
 +++ refpolicy-2.20210203/policy/modules/services/certbot.te
-@@ -46,6 +46,7 @@ allow certbot_t self:netlink_route_socke
- files_search_var_lib(certbot_t)
+@@ -43,9 +43,10 @@ allow certbot_t self:udp_socket all_udp_
+ allow certbot_t self:tcp_socket all_tcp_socket_perms;
+ allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
+ 
+-files_search_var_lib(certbot_t)
++files_var_lib_filetrans(certbot_t, certbot_lib_t, dir, "letsencrypt")
  manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
  manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 +allow certbot_t certbot_lib_t:file relabelfrom;
  
  manage_dirs_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
  manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
-@@ -114,5 +115,17 @@ optional_policy(`
+@@ -62,7 +63,7 @@ allow certbot_t certbot_tmp_t:file mmap_
+ allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
+ allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
+ 
+-logging_search_logs(certbot_t)
++logging_log_filetrans(certbot_t, certbot_log_t, dir, "letsencrypt")
+ allow certbot_t certbot_log_t:dir manage_dir_perms;
+ allow certbot_t certbot_log_t:file manage_file_perms;
+ 
+@@ -80,11 +81,15 @@ corenet_tcp_connect_dns_port(certbot_t)
+ # bind to http port for standalone mode
+ corenet_tcp_bind_http_port(certbot_t)
+ 
++dev_read_urand(certbot_t)
++
+ domain_use_interactive_fds(certbot_t)
+ 
+ files_read_etc_files(certbot_t)
+ files_read_usr_files(certbot_t)
+ 
++# dontaudit for attempts to write python cache files
++libs_dontaudit_write_lib_dirs(certbot_t)
+ libs_exec_ldconfig(certbot_t)
+ # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
+ libs_exec_lib_files(certbot_t)
+@@ -110,5 +115,17 @@ optional_policy(`
  	# for writing to webroot
  	apache_manage_sys_content(certbot_t)
  
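Review bot: Replacing `files_search_var_lib(certbot_t)` and `logging_search_logs(certbot_t)` with `files_var_lib_filetrans(...)` and `logging_log_filetrans(...)` drops the explicit search permission on the parent directories; this is only correct if the two filetrans interfaces grant search on var_lib_t and var_log_t themselves, which I believe refpolicy's implementations do but which is not visible in this hunk. A comment above the two lines, `# the filetrans interfaces also grant search on the parent dir`, would make that dependency explicit for the next reader. `dev_read_urand(certbot_t)` is the only new rule here without a rationale comment, unlike the dontaudit below it; a one-liner naming the operation that was denied would keep the file's style consistent. The nested `@@ -110,5 +115,17 @@` hunk at the end continues past the end of this outer hunk.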

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
