
Bug#995969: release.debian.org: bullseye update requested for refpolicy



Package: release.debian.org
Severity: normal

[Reason]

Improvement to refpolicy for ppp, wireshark, acngtool, root login on boot
failure, and systemd-timesyncd.

[Impact]

Allows pppox (for common NBN devices in Australia) to work.

Allows Wireshark to do the X stuff it wants to do (not functional otherwise).
Also allow it to get network state.

Allows acngtool to manage it's log files.

Allows kmod, ifconfig, and ping to be run by the sysadmin after the regular
boot process has failed.

Allows systemd-timesyncd to restart generic units.

[ Tests ]
Tested all of this manually.

[ Risks ]
No real risk, just added new allow rules.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in bullseye

diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog	2021-06-14 09:47:05.000000000 +1000
+++ refpolicy-2.20210203/debian/changelog	2021-10-04 15:06:54.000000000 +1100
@@ -1,3 +1,22 @@
+refpolicy (2:2.20210203-8) unstable; urgency=medium
+
+  * Label /etc/ppp/ip-pre-up as pppd_initrc_exec_t
+  * Allow wireshark to rw DRI devices, read crypto sysctls, rw the xserver
+    mesa shader cache, read the kernel network state, have execmem access
+    (probably needed for one of the many shared objects it uses), have setsched
+    access, execute lib files (for it's helper programs), manage xdg config
+    files (gives warning if it can't do this), manage xdg cache, and read xdg
+    data files.
+  * Allow acngtool_t the dac_override capability for managing log files
+  * Allow pppd to connect create and ioctl pppox_socket and allow it to map
+    pppd_runtime_t files.
+  * Allow kmod_t, ifconfig_t, and ping_t to use unallocated ttys (for sysadmin
+    login on boot failure)
+  * Allow ntpd_t to start and stop generic units when systemd is used, for
+    systemd-timesyncd.
+
+ -- Russell Coker <russell@coker.com.au>  Mon, 04 Oct 2021 15:06:54 +1100
+
 refpolicy (2:2.20210203-7) unstable; urgency=medium
 
   * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services	2021-06-14 09:47:05.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0027-services	2021-08-13 03:54:44.000000000 +1000
@@ -128,7 +128,14 @@
  
  # Uses sd_notify() to inform systemd it has properly started
  init_dgram_send(aptcacher_t)
-@@ -99,8 +105,12 @@ allow acngtool_t self:unix_stream_socket
+@@ -93,14 +99,19 @@ sysnet_mmap_config_files(aptcacher_t)
+ # acngtool local policy
+ #
+ 
++allow acngtool_t self:capability dac_override;
+ allow acngtool_t self:tcp_socket create_stream_socket_perms;
+ allow acngtool_t self:unix_stream_socket create_socket_perms;
+ 
  allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
  allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
  
@@ -1874,3 +1881,60 @@
  ##	Create block devices in on a tmpfs filesystem with the
  ##	fixed disk type via an automatic type transition.
  ## </summary>
+Index: refpolicy-2.20210203/policy/modules/services/ppp.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ppp.fc
++++ refpolicy-2.20210203/policy/modules/services/ppp.fc
+@@ -8,6 +8,7 @@ HOME_DIR/\.ppprc	--	gen_context(system_u
+ /etc/ppp/.*secrets	--	gen_context(system_u:object_r:pppd_secret_t,s0)
+ /etc/ppp/resolv\.conf	--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+ /etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
++/etc/ppp/ip-pre-up	--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+ 
+ /usr/bin/ipppd		--	gen_context(system_u:object_r:pppd_exec_t,s0)
+ /usr/bin/ppp-watch	--	gen_context(system_u:object_r:pppd_exec_t,s0)
+Index: refpolicy-2.20210203/policy/modules/services/ppp.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ppp.te
++++ refpolicy-2.20210203/policy/modules/services/ppp.te
+@@ -86,6 +86,7 @@ allow pppd_t self:socket create_socket_p
+ allow pppd_t self:netlink_route_socket nlmsg_write;
+ allow pppd_t self:tcp_socket { accept listen };
+ allow pppd_t self:packet_socket create_socket_perms;
++allow pppd_t self:pppox_socket { connect create ioctl };
+ 
+ allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ 
+@@ -108,6 +109,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t,
+ 
+ manage_dirs_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+ manage_files_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
++allow pppd_t pppd_runtime_t:file map;
+ files_runtime_filetrans(pppd_t, pppd_runtime_t, { dir file })
+ 
+ can_exec(pppd_t, pppd_exec_t)
+Index: refpolicy-2.20210203/policy/modules/admin/netutils.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/netutils.te
++++ refpolicy-2.20210203/policy/modules/admin/netutils.te
+@@ -134,6 +134,7 @@ logging_send_syslog_msg(ping_t)
+ miscfiles_read_localization(ping_t)
+ 
+ userdom_use_inherited_user_terminals(ping_t)
++term_use_unallocated_ttys(ping_t)
+ 
+ ifdef(`hide_broken_symptoms',`
+ 	init_dontaudit_use_fds(ping_t)
+Index: refpolicy-2.20210203/policy/modules/services/ntp.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ntp.te
++++ refpolicy-2.20210203/policy/modules/services/ntp.te
+@@ -156,6 +156,8 @@ ifdef(`init_systemd',`
+ 	allow ntpd_t self:capability { fowner setpcap };
+ 	init_read_state(ntpd_t)
+ 	init_reload(ntpd_t)
++	init_start_generic_units(ntpd_t)
++	init_stop_generic_units(ntpd_t)
+ 
+ 	# for /var/lib/systemd/clock
+ 	init_list_var_lib_dirs(ntpd_t)
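Review bot: `init_start_generic_units(ntpd_t)` and `init_stop_generic_units(ntpd_t)` let the network-facing ntpd_t domain (shared by systemd-timesyncd) start and stop every unit that carries the generic unit type, which is far broader than whatever single unit timesyncd triggers and would let a compromised daemon stop other services with that label. The unit actually involved is not visible here; it should be taken from the AVC and either given its own unit type or at least recorded next to the rule, e.g. `# systemd-timesyncd starts/stops <unit> — TODO confirm`. The enclosing ifdef(`init_systemd') block starts before this hunk. The same hunk adds `term_use_unallocated_ttys(ping_t)`; ping_t is presumably entered by ordinary user domains as well as sysadm, so that rule reaches every user running ping, not only the boot-failure login it is meant for, and deserves a comment saying why it exists.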
diff -Nru refpolicy-2.20210203/debian/patches/0028-misc refpolicy-2.20210203/debian/patches/0028-misc
--- refpolicy-2.20210203/debian/patches/0028-misc	2021-05-06 04:15:52.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0028-misc	2021-07-17 20:25:09.000000000 +1000
@@ -369,6 +369,14 @@
  allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  # for the radeon/amdgpu modules
  dontaudit kmod_t self:capability sys_admin;
+@@ -111,6 +112,7 @@ miscfiles_read_localization(kmod_t)
+ 
+ seutil_read_file_contexts(kmod_t)
+ 
++term_use_unallocated_ttys(kmod_t)
+ userdom_use_user_terminals(kmod_t)
+ 
+ userdom_dontaudit_search_user_home_dirs(kmod_t)
 Index: refpolicy-2.20210203/policy/modules/system/mount.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/mount.te
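Review bot: `term_use_unallocated_ttys(kmod_t)` is a read/write grant on tty_device_t for a domain that is presumably also entered from udev and other system daemons, not only from an interactive root shell; the `userdom_use_user_terminals(kmod_t)` directly below it already covers a logged-in admin, so the new rule only exists because the tty used after a boot failure is never relabeled. That reasoning lives only in the changelog; put it next to the rule, e.g. `# emergency shell after boot failure runs on an unrelabeled tty`, so a later cleanup does not drop it as a leftover or, worse, widen it further.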
@@ -458,6 +466,14 @@
  
  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -339,6 +339,7 @@ term_dontaudit_use_all_ttys(ifconfig_t)
+ term_dontaudit_use_all_ptys(ifconfig_t)
+ term_dontaudit_use_ptmx(ifconfig_t)
+ term_dontaudit_use_generic_ptys(ifconfig_t)
++term_use_unallocated_ttys(ifconfig_t)
+ 
+ files_dontaudit_read_root_files(ifconfig_t)
+ 
 Index: refpolicy-2.20210203/policy/modules/system/udev.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/udev.te
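Review bot: the new `term_use_unallocated_ttys(ifconfig_t)` sits directly under `term_dontaudit_use_all_ttys(ifconfig_t)`, turning what was a deliberately silenced access into an allowed one for a domain that is presumably also entered from dhcpc_t and network scripts (outside this hunk), not just from the admin's emergency shell. Since the only rationale (sysadmin login after boot failure) is in the changelog, record it beside the rule, e.g. `# emergency shell after boot failure runs on an unrelabeled tty`, so the allow and the dontaudit above it do not read as contradictory.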
@@ -839,3 +855,63 @@
 +optional_policy(`
  	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
  ')
+Index: refpolicy-2.20210203/policy/modules/apps/wireshark.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/wireshark.te
++++ refpolicy-2.20210203/policy/modules/apps/wireshark.te
+@@ -31,10 +31,11 @@ optional_policy(`
+ #
+ 
+ allow wireshark_t self:capability { net_admin net_raw setgid };
+-allow wireshark_t self:process { signal getsched };
++allow wireshark_t self:process { signal getsched execmem setsched };
+ allow wireshark_t self:fifo_file rw_fifo_file_perms;
+ allow wireshark_t self:shm create_shm_perms;
+ allow wireshark_t self:packet_socket create_socket_perms;
++allow wireshark_t self:netlink_generic_socket connected_socket_perms;
+ 
+ manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+ manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+@@ -54,7 +55,9 @@ fs_tmpfs_filetrans(wireshark_t, wireshar
+ 
+ can_exec(wireshark_t, wireshark_exec_t)
+ 
++kernel_read_crypto_sysctls(wireshark_t)
+ kernel_read_kernel_sysctls(wireshark_t)
++kernel_read_network_state(wireshark_t)
+ kernel_read_system_state(wireshark_t)
+ kernel_read_sysctl(wireshark_t)
+ 
+@@ -74,6 +77,7 @@ corenet_tcp_connect_generic_port(wiresha
+ dev_read_rand(wireshark_t)
+ dev_read_sysfs(wireshark_t)
+ dev_read_urand(wireshark_t)
++dev_rw_dri(wireshark_t)
+ 
+ files_map_usr_files(wireshark_t)
+ files_read_usr_files(wireshark_t)
+@@ -84,6 +88,7 @@ fs_search_auto_mountpoints(wireshark_t)
+ 
+ auth_use_nsswitch(wireshark_t)
+ 
++libs_exec_lib_files(wireshark_t)
+ libs_read_lib_files(wireshark_t)
+ 
+ miscfiles_read_fonts(wireshark_t)
+@@ -93,6 +98,10 @@ userdom_use_user_terminals(wireshark_t)
+ 
+ userdom_user_content_access_template(wireshark, wireshark_t)
+ 
++xdg_manage_cache(wireshark_t)
++# gives warnings if it can not write its own config
++xdg_manage_config(wireshark_t)
++xdg_read_data_files(wireshark_t)
+ xdg_read_downloads(wireshark_t)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -119,4 +128,5 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t)
+ 	xserver_create_xdm_tmp_sockets(wireshark_t)
++	xserver_rw_mesa_shader_cache(wireshark_t)
+ ')
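Review bot: adding `execmem` in `allow wireshark_t self:process { signal getsched execmem setsched };` removes the no-writable-executable-memory mitigation from a domain whose job is parsing untrusted packets, and the changelog itself only says it is "probably needed for one of the many shared objects". The AVC should show which library triggers it (a JIT such as the Lua runtime would, ordinary shared objects do not); if it cannot be pinned down, a `dontaudit` or a tunable keeps the mitigation for users who do not need it. `libs_exec_lib_files(wireshark_t)` similarly lets the domain execute anything labeled lib_t; if the "helper programs" are the extcap binaries under Wireshark's lib directory, labeling those bin_t in corecommands.fc is the narrower fix. `xdg_manage_config(wireshark_t)` also grants write access to every application's xdg config directory, which is a high price for silencing a warning; a wireshark-specific config type would be narrower.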
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-05-15 18:59:16.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-06-14 15:11:19.000000000 +1000
@@ -44,7 +44,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/kernel/corecommands.fc
 +++ refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
-@@ -251,6 +251,7 @@ ifdef(`distro_gentoo',`
+@@ -256,6 +256,7 @@ ifdef(`distro_gentoo',`
  /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/xfconf/xfconfd	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/xfwm4/helper-dialog --	gen_context(system_u:object_r:bin_t,s0)
diff -Nru refpolicy-2.20210203/debian/patches/2000-hacks refpolicy-2.20210203/debian/patches/2000-hacks
--- refpolicy-2.20210203/debian/patches/2000-hacks	2021-05-06 03:23:13.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/2000-hacks	2021-08-13 03:52:34.000000000 +1000
@@ -19,7 +19,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
 +++ refpolicy-2.20210203/policy/modules/system/fstools.te
-@@ -151,6 +151,11 @@ init_use_script_ptys(fsadm_t)
+@@ -153,6 +153,11 @@ init_use_script_ptys(fsadm_t)
  init_dontaudit_getattr_initctl(fsadm_t)
  init_rw_script_stream_sockets(fsadm_t)
  
@@ -35,7 +35,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
 +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
-@@ -345,6 +345,11 @@ files_dontaudit_read_root_files(ifconfig
+@@ -346,6 +346,11 @@ files_dontaudit_read_root_files(ifconfig
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
  

