
Bug#984645: marked as done (unblock: refpolicy/2:2.20210203-4)



Your message dated Sat, 13 Mar 2021 13:18:17 +0000
with message-id <E1lL49p-0001XB-V5@respighi.debian.org>
and subject line unblock refpolicy
has caused the Debian Bug report #984645,
regarding unblock: refpolicy/2:2.20210203-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
984645: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984645
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

[ Reason ]
This new version has lots of changes that will make the experience more
pleasant for users.  It specifically allows some of the recent features
in systemd, chromium/chrome, and KDE.  It allows gpg with pinentry to be
run from user_t (the confined user).  It allows some extra access that
mailman3 requires.  It also allows newaliases to run with Postfix.

[ Impact ]
If this isn't in Bullseye then the SE Linux experience for users will be
a little more annoying.  Things won't work out of the box as expected
without it and local customisations to resolve the issues won't be of as
high quality as the ones I developed.  Also without this version there
will be audit messages that will be confusing and annoying.

[ Tests ]
For the programs subject to the policy in question, they were run
repeatedly with the new policy, VMs running them were rebooted, and the
results were inspected to see if they operated correctly and didn't give
unwanted audit messages.

[ Risks ]
Most changes are granting new access, not access that is unexpected given
the context, and not access that is likely to be part of a vulnerability
chain.  These have low possibility of causing any problem.

The change for the newaliases command is more complex, but being unable
to run newaliases is a serious issue so it's worth doing.  The worst
case might be some domain being unable to send mail from a script.  But
in all the test cases it worked.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing


unblock refpolicy/2:2.20210203-4

diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog	2021-02-23 16:57:40.000000000 +1100
+++ refpolicy-2.20210203/debian/changelog	2021-03-05 21:11:58.000000000 +1100
@@ -1,3 +1,35 @@
+refpolicy (2:2.20210203-4) unstable; urgency=medium
+
+  * Allow ntpd_t to get the status of generic systemd units
+  * Allow kernel_t self:perf_event cpu.
+  * Allow chromium to watch network manager runtime dirs (for resolv.conf)
+    Allow chromium to run naclhelper with nnp_transition
+    Allow chromium to watch root dirs
+    Allow chromium to read/write unix sockets from the calling domain
+  * Make Postgresql use postgresql_tmpfs_t for tmpfs files and make 
+    mon_local_test_t and systemd_logind_t not have getattr access to tmpfs
+    files audited.
+  * Allow systemd_user_runtime_dir_t to unlink device nodes of type
+    user_tmp_t, they probably should not exist, so it's in the hacks patch.
+  * Allow the acngtool to read random and urandom devices and search fs sysctls
+  * Add wm_write_xdg_data tunable to allow user_wm_t etc to write xdg data.
+  * Allow chromium to watch gnome_xdg_config_t dirs
+  * Label pinentry programs as gpg_agent_exec_t and allow gpg_agent_t to exec
+    them
+  * Create new admin_mail_t domain so that newaliases can work with Postfix
+  * Added a transition rule so that vipw/vigr gives the right context for
+    /etc/passwd and /etc/group
+  * Allow acngtool_t to read /proc/sys/kernel/random/uuid
+  * Allow unconfined domains lockdown confidentiality and integrity access
+  * Allow netutils_t netlink_generic_socket access for tcpdump
+  * Allow smbcontrol to create a sock_file in a samba run dir
+  * Allow mailman_queue_t to bind to all unreserved TCP ports
+  * Allow systemd_coredump_t to mmap all executables and to have cap_userns
+    sys_ptrace access. dontaudit systemd_coredump_t capability net_admin
+  * Allow mailman_queue_t to connect to port 443
+
+ -- Russell Coker <russell@coker.com.au>  Fri, 05 Mar 2021 21:11:58 +1100
+
 refpolicy (2:2.20210203-3) unstable; urgency=medium
 
   * Add policy for blkmapd which is part of nfs service (included in upstream)
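
Review bot: the entry "Allow unconfined domains lockdown confidentiality and integrity access" is the broadest grant listed here (lockdown is a kernel-wide class checked against the domain itself, not a per-object permission), and neither this changelog nor the unblock text says which program tripped it; one line of rationale in the entry would let the release team weigh it against the "not likely to be part of a vulnerability chain" statement in [ Risks ]. Minor: the Postgresql entry has trailing whitespace after "make".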
diff -Nru refpolicy-2.20210203/debian/patches/0002-strict refpolicy-2.20210203/debian/patches/0002-strict
--- refpolicy-2.20210203/debian/patches/0002-strict	2021-02-17 13:40:42.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0002-strict	2021-02-25 11:47:38.000000000 +1100
@@ -245,3 +245,15 @@
  
  tunable_policy(`pulseaudio_execmem',`
  	allow pulseaudio_t self:process execmem;
+Index: refpolicy-2.20210203/policy/modules/services/ntp.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ntp.te
++++ refpolicy-2.20210203/policy/modules/services/ntp.te
+@@ -130,6 +130,7 @@ term_use_ptmx(ntpd_t)
+ auth_use_nsswitch(ntpd_t)
+ 
+ init_exec_script_files(ntpd_t)
++init_get_generic_units_status(ntpd_t)
+ 
+ logging_send_syslog_msg(ntpd_t)
+ 
diff -Nru refpolicy-2.20210203/debian/patches/0025-systemd refpolicy-2.20210203/debian/patches/0025-systemd
--- refpolicy-2.20210203/debian/patches/0025-systemd	2021-02-17 13:51:17.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0025-systemd	2021-03-05 12:56:18.000000000 +1100
@@ -206,15 +206,17 @@
  systemd_log_parse_environment(systemd_backlight_t)
  
  # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
-@@ -370,6 +376,7 @@ ifdef(`enable_mls',`
+@@ -370,28 +376,37 @@ ifdef(`enable_mls',`
  #
  
  allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
 +allow systemd_coredump_t self:unix_stream_socket connectto;
  allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
++dontaudit systemd_coredump_t self:capability net_admin;
  allow systemd_coredump_t self:process { getcap setcap setfscreate };
++allow systemd_coredump_t self:cap_userns sys_ptrace;
  
-@@ -377,6 +384,7 @@ manage_files_pattern(systemd_coredump_t,
+ manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
  allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
  
  kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
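
Review bot: "allow systemd_coredump_t self:cap_userns sys_ptrace;" lets the coredump helper ptrace processes inside user namespaces, and "dontaudit systemd_coredump_t self:capability net_admin;" silences a capability check rather than granting it; both look right, but a short comment above them naming the systemd-coredump operation that triggers each would save the next maintainer from re-deriving it from audit logs, since the changelog only restates the rules. Note also that the inner header moved from "-@@ -370,6 +376,7 @@" to "+@@ -370,28 +376,37 @@", so this quilt hunk now absorbs the formerly separate "@@ -377,6 +384,7 @@" hunk; a clean quilt push is worth confirming.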
@@ -222,7 +224,11 @@
  kernel_read_kernel_sysctls(systemd_coredump_t)
  kernel_read_system_state(systemd_coredump_t)
  kernel_rw_pipes(systemd_coredump_t)
-@@ -387,11 +395,16 @@ corecmd_read_all_executables(systemd_cor
+ kernel_use_fds(systemd_coredump_t)
+ 
+ corecmd_exec_bin(systemd_coredump_t)
+-corecmd_read_all_executables(systemd_coredump_t)
++corecmd_mmap_all_executables(systemd_coredump_t)
  
  dev_write_kmsg(systemd_coredump_t)
  
@@ -239,7 +245,7 @@
  fs_search_tmpfs(systemd_coredump_t)
  
  selinux_getattr_fs(systemd_coredump_t)
-@@ -405,6 +418,7 @@ logging_send_syslog_msg(systemd_coredump
+@@ -405,6 +420,7 @@ logging_send_syslog_msg(systemd_coredump
  
  seutil_search_default_contexts(systemd_coredump_t)
  
@@ -247,7 +253,7 @@
  #######################################
  #
  # Systemd generator local policy
-@@ -414,14 +428,29 @@ allow systemd_generator_t self:fifo_file
+@@ -414,14 +430,29 @@ allow systemd_generator_t self:fifo_file
  allow systemd_generator_t self:capability dac_override;
  allow systemd_generator_t self:process setfscreate;
  
@@ -278,7 +284,7 @@
  files_read_etc_files(systemd_generator_t)
  files_search_runtime(systemd_generator_t)
  files_list_boot(systemd_generator_t)
-@@ -429,9 +458,14 @@ files_read_boot_files(systemd_generator_
+@@ -429,9 +460,14 @@ files_read_boot_files(systemd_generator_
  files_read_config_files(systemd_generator_t)
  files_search_all_mountpoints(systemd_generator_t)
  files_list_usr(systemd_generator_t)
@@ -294,7 +300,7 @@
  
  init_create_runtime_files(systemd_generator_t)
  init_read_all_script_files(systemd_generator_t)
-@@ -448,9 +482,10 @@ init_list_unit_dirs(systemd_generator_t)
+@@ -448,9 +484,10 @@ init_list_unit_dirs(systemd_generator_t)
  init_read_generic_units_symlinks(systemd_generator_t)
  init_read_script_files(systemd_generator_t)
  
@@ -308,7 +314,7 @@
  
  storage_raw_read_fixed_disk(systemd_generator_t)
  
-@@ -462,6 +497,8 @@ ifdef(`distro_gentoo',`
+@@ -462,6 +499,8 @@ ifdef(`distro_gentoo',`
  	corecmd_shell_entry_type(systemd_generator_t)
  ')
  
@@ -317,7 +323,7 @@
  optional_policy(`
  	fstools_exec(systemd_generator_t)
  ')
-@@ -473,6 +510,21 @@ optional_policy(`
+@@ -473,6 +512,21 @@ optional_policy(`
  	miscfiles_read_localization(systemd_generator_t)
  ')
  
@@ -339,7 +345,7 @@
  #######################################
  #
  # Hostnamed policy
-@@ -505,6 +557,10 @@ optional_policy(`
+@@ -505,6 +559,10 @@ optional_policy(`
  	networkmanager_dbus_chat(systemd_hostnamed_t)
  ')
  
@@ -350,7 +356,7 @@
  #########################################
  #
  # hw local policy
-@@ -573,6 +629,7 @@ logging_send_syslog_msg(systemd_log_pars
+@@ -573,6 +631,7 @@ logging_send_syslog_msg(systemd_log_pars
  #
  
  allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
@@ -358,7 +364,7 @@
  allow systemd_logind_t self:process { getcap setfscreate };
  allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
-@@ -618,11 +675,13 @@ dev_setattr_video_dev(systemd_logind_t)
+@@ -618,11 +677,13 @@ dev_setattr_video_dev(systemd_logind_t)
  
  domain_obj_id_change_exemption(systemd_logind_t)
  
@@ -372,7 +378,7 @@
  fs_list_tmpfs(systemd_logind_t)
  fs_mount_tmpfs(systemd_logind_t)
  fs_read_cgroup_files(systemd_logind_t)
-@@ -653,6 +712,7 @@ init_start_all_units(systemd_logind_t)
+@@ -653,6 +714,7 @@ init_start_all_units(systemd_logind_t)
  init_stop_all_units(systemd_logind_t)
  init_start_system(systemd_logind_t)
  init_stop_system(systemd_logind_t)
@@ -380,7 +386,7 @@
  init_watch_utmp(systemd_logind_t)
  
  # for /run/systemd/transient/*
-@@ -717,6 +777,11 @@ optional_policy(`
+@@ -717,6 +779,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -392,7 +398,7 @@
  	devicekit_dbus_chat_disk(systemd_logind_t)
  	devicekit_dbus_chat_power(systemd_logind_t)
  ')
-@@ -759,6 +824,9 @@ allow systemd_machined_t systemd_machine
+@@ -759,6 +826,9 @@ allow systemd_machined_t systemd_machine
  manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
  allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
  
@@ -402,7 +408,7 @@
  kernel_read_kernel_sysctls(systemd_machined_t)
  kernel_read_system_state(systemd_machined_t)
  
-@@ -875,6 +943,10 @@ sysnet_read_config(systemd_networkd_t)
+@@ -875,6 +945,10 @@ sysnet_read_config(systemd_networkd_t)
  systemd_log_parse_environment(systemd_networkd_t)
  
  optional_policy(`
@@ -413,7 +419,7 @@
  	dbus_system_bus_client(systemd_networkd_t)
  	dbus_connect_system_bus(systemd_networkd_t)
  	dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
-@@ -915,7 +987,7 @@ miscfiles_read_localization(systemd_noti
+@@ -915,7 +989,7 @@ miscfiles_read_localization(systemd_noti
  # Nspawn local policy
  #
  
@@ -422,7 +428,7 @@
  allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
  allow systemd_nspawn_t self:capability2 wake_alarm;
  allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
-@@ -941,14 +1013,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
+@@ -941,14 +1015,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
  # for /run/systemd/nspawn/incoming in chroot
  allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
  
@@ -452,7 +458,7 @@
  
  corecmd_exec_shell(systemd_nspawn_t)
  corecmd_search_bin(systemd_nspawn_t)
-@@ -965,6 +1052,7 @@ dev_read_sysfs(systemd_nspawn_t)
+@@ -965,6 +1054,7 @@ dev_read_sysfs(systemd_nspawn_t)
  dev_read_rand(systemd_nspawn_t)
  dev_read_urand(systemd_nspawn_t)
  
@@ -460,7 +466,7 @@
  files_getattr_tmp_dirs(systemd_nspawn_t)
  files_manage_etc_files(systemd_nspawn_t)
  files_manage_mnt_dirs(systemd_nspawn_t)
-@@ -976,11 +1064,17 @@ files_setattr_runtime_dirs(systemd_nspaw
+@@ -976,11 +1066,17 @@ files_setattr_runtime_dirs(systemd_nspaw
  
  fs_getattr_cgroup(systemd_nspawn_t)
  fs_getattr_tmpfs(systemd_nspawn_t)
@@ -479,7 +485,7 @@
  
  term_getattr_generic_ptys(systemd_nspawn_t)
  term_getattr_pty_fs(systemd_nspawn_t)
-@@ -988,6 +1082,7 @@ term_mount_devpts(systemd_nspawn_t)
+@@ -988,6 +1084,7 @@ term_mount_devpts(systemd_nspawn_t)
  term_search_ptys(systemd_nspawn_t)
  term_setattr_generic_ptys(systemd_nspawn_t)
  term_use_ptmx(systemd_nspawn_t)
@@ -487,7 +493,7 @@
  
  init_domtrans_script(systemd_nspawn_t)
  init_getrlimit(systemd_nspawn_t)
-@@ -998,8 +1093,12 @@ init_write_runtime_socket(systemd_nspawn
+@@ -998,8 +1095,12 @@ init_write_runtime_socket(systemd_nspawn
  init_spec_domtrans_script(systemd_nspawn_t)
  
  miscfiles_manage_localization(systemd_nspawn_t)
@@ -500,7 +506,7 @@
  # for writing inside chroot
  sysnet_manage_config(systemd_nspawn_t)
  
-@@ -1022,11 +1121,13 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1022,11 +1123,13 @@ tunable_policy(`systemd_nspawn_labeled_n
  	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
  	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
  	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
@@ -514,7 +520,7 @@
  	fs_manage_tmpfs_symlinks(systemd_nspawn_t)
  	fs_mount_cgroup(systemd_nspawn_t)
  	fs_mounton_cgroup(systemd_nspawn_t)
-@@ -1044,8 +1145,11 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1044,8 +1147,11 @@ tunable_policy(`systemd_nspawn_labeled_n
  
  	init_domtrans(systemd_nspawn_t)
  
@@ -526,7 +532,7 @@
  	seutil_search_default_contexts(systemd_nspawn_t)
  ')
  
-@@ -1072,7 +1176,7 @@ allow systemd_passwd_agent_t self:capabi
+@@ -1072,7 +1178,7 @@ allow systemd_passwd_agent_t self:capabi
  allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
  allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
  
@@ -535,7 +541,7 @@
  manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
  manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
  manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
-@@ -1082,6 +1186,7 @@ init_runtime_filetrans(systemd_passwd_ag
+@@ -1082,6 +1188,7 @@ init_runtime_filetrans(systemd_passwd_ag
  can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
  
  kernel_read_system_state(systemd_passwd_agent_t)
@@ -543,7 +549,7 @@
  kernel_stream_connect(systemd_passwd_agent_t)
  
  dev_create_generic_dirs(systemd_passwd_agent_t)
-@@ -1108,6 +1213,7 @@ init_create_runtime_dirs(systemd_passwd_
+@@ -1108,6 +1215,7 @@ init_create_runtime_dirs(systemd_passwd_
  init_read_runtime_pipes(systemd_passwd_agent_t)
  init_read_state(systemd_passwd_agent_t)
  init_read_utmp(systemd_passwd_agent_t)
@@ -551,7 +557,7 @@
  init_stream_connect(systemd_passwd_agent_t)
  
  logging_send_syslog_msg(systemd_passwd_agent_t)
-@@ -1369,6 +1475,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+@@ -1369,6 +1477,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
  fs_getattr_xattr_fs(systemd_tmpfiles_t)
  fs_list_tmpfs(systemd_tmpfiles_t)
  fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
@@ -559,7 +565,7 @@
  
  selinux_get_fs_mount(systemd_tmpfiles_t)
  selinux_use_status_page(systemd_tmpfiles_t)
-@@ -1440,6 +1547,10 @@ tunable_policy(`systemd_tmpfilesd_factor
+@@ -1440,6 +1549,10 @@ tunable_policy(`systemd_tmpfilesd_factor
  ')
  
  optional_policy(`
@@ -570,7 +576,7 @@
  	dbus_manage_lib_files(systemd_tmpfiles_t)
  	dbus_read_lib_files(systemd_tmpfiles_t)
  	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
-@@ -1555,11 +1666,15 @@ seutil_libselinux_linked(systemd_user_se
+@@ -1555,11 +1668,15 @@ seutil_libselinux_linked(systemd_user_se
  # systemd-user-runtime-dir local policy
  #
  
@@ -587,7 +593,7 @@
  files_read_etc_files(systemd_user_runtime_dir_t)
  
  fs_mount_tmpfs(systemd_user_runtime_dir_t)
-@@ -1579,7 +1694,10 @@ seutil_read_file_contexts(systemd_user_r
+@@ -1579,7 +1696,10 @@ seutil_read_file_contexts(systemd_user_r
  seutil_libselinux_linked(systemd_user_runtime_dir_t)
  
  userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
@@ -598,7 +604,7 @@
  userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
  userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
  userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
-@@ -1589,3 +1707,11 @@ userdom_relabelto_user_runtime_dirs(syst
+@@ -1589,3 +1709,11 @@ userdom_relabelto_user_runtime_dirs(syst
  optional_policy(`
      dbus_system_bus_client(systemd_user_runtime_dir_t)
  ')
diff -Nru refpolicy-2.20210203/debian/patches/0026-mailman refpolicy-2.20210203/debian/patches/0026-mailman
--- refpolicy-2.20210203/debian/patches/0026-mailman	2021-02-17 13:45:24.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0026-mailman	2021-03-03 18:09:00.000000000 +1100
@@ -269,7 +269,7 @@
  allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
  allow mailman_queue_t mailman_archive_t:file manage_file_perms;
  
-@@ -234,12 +287,14 @@ allow mailman_queue_t mailman_lock_t:fil
+@@ -234,12 +287,15 @@ allow mailman_queue_t mailman_lock_t:fil
  allow mailman_queue_t mailman_log_t:dir list_dir_perms;
  allow mailman_queue_t mailman_log_t:file manage_file_perms;
  
@@ -280,11 +280,12 @@
  
  corecmd_read_bin_files(mailman_queue_t)
  corenet_sendrecv_innd_client_packets(mailman_queue_t)
++corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
 +corenet_tcp_bind_generic_node(mailman_queue_t)
  corenet_tcp_connect_innd_port(mailman_queue_t)
  
  files_dontaudit_search_runtime(mailman_queue_t)
-@@ -251,14 +306,23 @@ seutil_dontaudit_search_config(mailman_q
+@@ -251,14 +307,23 @@ seutil_dontaudit_search_config(mailman_q
  
  userdom_search_user_home_dirs(mailman_queue_t)
  
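
Review bot: corenet_tcp_bind_all_unreserved_ports(mailman_queue_t) permits binding any port labelled unreserved_port_t, which is wide for a queue runner. If the mailman3 runner listens on a fixed port, a dedicated port type with a single bind rule would be tighter; if it really binds an ephemeral port, the rule is the right one and a comment saying so would stop it being questioned again.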
@@ -343,7 +344,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -1559,6 +1559,10 @@ optional_policy(`
+@@ -1562,6 +1562,10 @@ optional_policy(`
  ')
  
  optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services	2021-02-23 16:57:40.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0027-services	2021-03-05 12:44:18.000000000 +1100
@@ -112,6 +112,19 @@
  
  # Uses sd_notify() to inform systemd it has properly started
  init_dgram_send(aptcacher_t)
+@@ -99,8 +105,12 @@ allow acngtool_t self:unix_stream_socket
+ allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
+ allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
+ 
++kernel_read_kernel_sysctls(acngtool_t)
++
+ aptcacher_stream_connect(acngtool_t)
+ 
++dev_read_rand(acngtool_t)
++dev_read_urand(acngtool_t)
+ corenet_tcp_connect_aptcacher_port(acngtool_t)
+ 
+ auth_use_nsswitch(acngtool_t)
 Index: refpolicy-2.20210203/policy/modules/services/bind.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/bind.te
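
Review bot: the changelog says acngtool needs to "search fs sysctls" and read /proc/sys/kernel/random/uuid, but this hunk adds kernel_read_kernel_sysctls(acngtool_t), which grants read on the whole sysctl_kernel_t tree, not a search on fs sysctls and not just the uuid file. If the uuid is all that is needed and a narrower interface exists, prefer it; otherwise make the changelog wording match the interface actually used. The dev_read_rand()/dev_read_urand() lines are fine for a tool that needs entropy.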
@@ -516,7 +529,15 @@
  
  can_exec(mon_local_test_t, mon_local_test_exec_t)
  
-@@ -197,8 +202,11 @@ files_list_boot(mon_local_test_t)
+@@ -189,6 +194,7 @@ dev_read_sysfs(mon_local_test_t)
+ 
+ domain_read_all_domains_state(mon_local_test_t)
+ 
++files_dontaudit_tmpfs_file_getattr(mon_local_test_t)
+ files_read_usr_files(mon_local_test_t)
+ files_search_mnt(mon_local_test_t)
+ files_search_spool(mon_local_test_t)
+@@ -197,8 +203,11 @@ files_list_boot(mon_local_test_t)
  fs_search_auto_mountpoints(mon_local_test_t)
  fs_getattr_nfs(mon_local_test_t)
  fs_getattr_xattr_fs(mon_local_test_t)
@@ -528,7 +549,7 @@
  fs_search_nfs(mon_local_test_t)
  
  storage_getattr_fixed_disk_dev(mon_local_test_t)
-@@ -211,12 +219,14 @@ application_exec_all(mon_local_test_t)
+@@ -211,12 +220,14 @@ application_exec_all(mon_local_test_t)
  
  auth_use_nsswitch(mon_local_test_t)
  
@@ -547,7 +568,109 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/mta.if
 +++ refpolicy-2.20210203/policy/modules/services/mta.if
-@@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
+@@ -74,26 +74,20 @@ template(`mta_base_mail_template',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`mta_role',`
++interface(`mta_base_role',`
+ 	gen_require(`
+ 		attribute mta_user_agent;
+-		attribute_role user_mail_roles;
+-		type user_mail_t, sendmail_exec_t, mail_home_t;
++		type user_mail_t, mail_home_t;
+ 		type user_mail_tmp_t, mail_home_rw_t;
+ 	')
+ 
+-	roleattribute $1 user_mail_roles;
+-
+ 	# this is something i need to fix
+ 	# i dont know if and why it is needed
+ 	# will role attribute work?
+ 	role $1 types mta_user_agent;
+ 
+-	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+-	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+-
+-	allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
+-	ps_process_pattern($2, { user_mail_t mta_user_agent })
++	allow $2 mta_user_agent:process { ptrace signal_perms };
++	ps_process_pattern($2, mta_user_agent)
+ 
+ 	allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
+ 	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
+@@ -121,6 +115,70 @@ interface(`mta_role',`
+ 
+ ########################################
+ ## <summary>
++##	User Role access for mta.
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role.
++##	</summary>
++## </param>
++#
++interface(`mta_user_role',`
++	gen_require(`
++		attribute_role user_mail_roles;
++		type user_mail_t, sendmail_exec_t, mail_home_t;
++		type user_mail_tmp_t, mail_home_rw_t;
++	')
++	mta_base_role($1, $2)
++
++	roleattribute $1 user_mail_roles;
++
++	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
++	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
++
++	allow $2 user_mail_t:process { ptrace signal_perms };
++	ps_process_pattern($2, user_mail_t)
++')
++
++########################################
++## <summary>
++##	Admin Role access for mta.
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role.
++##	</summary>
++## </param>
++#
++interface(`mta_admin_role',`
++	gen_require(`
++		attribute_role admin_mail_roles;
++		type admin_mail_t, sendmail_exec_t, mail_home_t;
++		type user_mail_tmp_t, mail_home_rw_t;
++	')
++	mta_base_role($1, $2)
++
++	roleattribute $1 admin_mail_roles;
++
++	domtrans_pattern($2, sendmail_exec_t, admin_mail_t)
++	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
++
++	allow $2 admin_mail_t:process { ptrace signal_perms };
++	ps_process_pattern($2, admin_mail_t)
++')
++
++########################################
++## <summary>
+ ##	Make the specified domain usable for a mail server.
+ ## </summary>
+ ## <param name="type">
+@@ -253,6 +311,7 @@ interface(`mta_manage_mail_home_rw_conte
  	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
  	allow $1 mail_home_rw_t:file map;
  	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
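
Review bot: the gen_require blocks of the new mta_user_role and mta_admin_role list mail_home_t, user_mail_tmp_t and mail_home_rw_t, but neither body references them (each body only uses its *_mail_roles attribute, sendmail_exec_t and user_mail_t or admin_mail_t), and mta_admin_role requires user_mail_tmp_t where an admin counterpart would be expected if the template declares one; trimming the requires to what is used makes the user/admin split easier to audit. Separately, the doc block above mta_base_role is the old mta_role block, so it still reads as a role-facing interface; since every caller now goes through mta_user_role or mta_admin_role, its summary should say it is the shared part of those two.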
@@ -710,7 +833,7 @@
  ')
  
  optional_policy(`
-@@ -616,10 +620,11 @@ optional_policy(`
+@@ -616,13 +620,15 @@ optional_policy(`
  allow smbcontrol_t self:process signal;
  allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
@@ -723,7 +846,11 @@
  allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -638,6 +643,7 @@ files_search_var_lib(smbcontrol_t)
++allow smbcontrol_t samba_var_t:sock_file manage_file_perms;
+ 
+ samba_read_config(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+@@ -638,6 +644,7 @@ files_search_var_lib(smbcontrol_t)
  term_use_console(smbcontrol_t)
  
  init_use_fds(smbcontrol_t)
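
Review bot: "allow smbcontrol_t samba_var_t:sock_file manage_file_perms;" applies the file permission set to a sock_file; the matching refpolicy macro is manage_sock_file_perms, or manage_sock_files_pattern() if the directory access should come with it. Also, the changelog says smbcontrol creates a sock_file "in a samba run dir", but this rule targets samba_var_t rather than samba_runtime_t; please check which location the denial was actually for before this is accepted as-is.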
@@ -900,7 +1027,32 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
 +++ refpolicy-2.20210203/policy/modules/kernel/files.if
-@@ -1418,6 +1418,25 @@ interface(`files_unmount_all_file_type_f
+@@ -480,6 +480,24 @@ interface(`files_tmpfs_file',`
+ 
+ ########################################
+ ## <summary>
++##	dontaudit getattr on tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not have stat on tmpfs files audited
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_tmpfs_file_getattr',`
++	gen_require(`
++		attribute tmpfsfile;
++	')
++
++	dontaudit $1 tmpfsfile:file getattr;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of all directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -1418,6 +1436,25 @@ interface(`files_unmount_all_file_type_f
  
  ########################################
  ## <summary>
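
Review bot: the new interface is named files_dontaudit_tmpfs_file_getattr, while the interfaces in this file follow verb-then-object naming (files_unmount_all_file_type_fs, files_read_var_lib_files in the surrounding hunks), so files_dontaudit_getattr_tmpfs_files would match the convention and its own summary text. As a Debian-local interface either works, but naming it in upstream style avoids a rename if it is sent upstream; the callers added elsewhere in this debdiff (mon_local_test_t, systemd_logind_t) would need the same change.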
@@ -926,7 +1078,7 @@
  ##	Read all non-authentication related
  ##	directories.
  ## </summary>
-@@ -3881,6 +3900,24 @@ interface(`files_home_filetrans',`
+@@ -3881,6 +3918,24 @@ interface(`files_home_filetrans',`
  
  ########################################
  ## <summary>
@@ -951,7 +1103,7 @@
  ##	Get the attributes of lost+found directories.
  ## </summary>
  ## <param name="domain">
-@@ -5989,6 +6026,24 @@ interface(`files_read_var_lib_files',`
+@@ -5989,6 +6044,24 @@ interface(`files_read_var_lib_files',`
  ')
  
  ########################################
@@ -1165,7 +1317,15 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/mailman.te
 +++ refpolicy-2.20210203/policy/modules/services/mailman.te
-@@ -312,6 +312,7 @@ optional_policy(`
+@@ -296,6 +296,7 @@ corecmd_read_bin_files(mailman_queue_t)
+ corenet_sendrecv_innd_client_packets(mailman_queue_t)
+ corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
+ corenet_tcp_bind_generic_node(mailman_queue_t)
++corenet_tcp_connect_http_port(mailman_queue_t)
+ corenet_tcp_connect_innd_port(mailman_queue_t)
+ 
+ files_dontaudit_search_runtime(mailman_queue_t)
+@@ -313,6 +314,7 @@ optional_policy(`
  
  optional_policy(`
  	cron_rw_tmp_files(mailman_queue_t)
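
Review bot: the changelog item reads "Allow mailman_queue_t to connect to port 443", but corenet_tcp_connect_http_port() covers every port labelled http_port_t (80, 443 and several alternates), not 443 alone. That is probably what an outbound HTTPS client needs, so the rule is fine; just align the changelog wording with the interface used.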
@@ -1287,3 +1447,147 @@
  miscfiles_read_localization(redis_t)
  
  sysnet_dns_name_resolve(redis_t)
+Index: refpolicy-2.20210203/policy/modules/services/postgresql.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/postgresql.te
++++ refpolicy-2.20210203/policy/modules/services/postgresql.te
+@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runt
+ type postgresql_tmp_t;
+ files_tmp_file(postgresql_tmp_t)
+ 
++type postgresql_tmpfs_t;
++files_tmpfs_file(postgresql_tmpfs_t)
++
+ type postgresql_unit_t;
+ init_unit_file(postgresql_unit_t)
+ 
+@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, p
+ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
++fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file })
++fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
++allow postgresql_t postgresql_tmpfs_t:file map;
++manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
+ 
+ manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+ manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+Index: refpolicy-2.20210203/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20210203/policy/modules/system/systemd.te
+@@ -676,6 +676,7 @@ dev_setattr_video_dev(systemd_logind_t)
+ 
+ domain_obj_id_change_exemption(systemd_logind_t)
+ 
++files_dontaudit_tmpfs_file_getattr(systemd_logind_t)
+ files_search_boot(systemd_logind_t)
+ files_search_runtime(systemd_logind_t)
+ 
+Index: refpolicy-2.20210203/policy/modules/roles/staff.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/roles/staff.te
++++ refpolicy-2.20210203/policy/modules/roles/staff.te
+@@ -154,7 +154,7 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		mta_role(staff_r, staff_t)
++		mta_user_role(staff_r, staff_t)
+ 	')
+ 
+ 	optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
++++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
+@@ -706,7 +706,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mta_role(sysadm_r, sysadm_t)
++	mta_admin_role(sysadm_r, sysadm_t)
+ ')
+ 
+ optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
++++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
+@@ -126,7 +126,7 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		mta_role(user_r, user_t)
++		mta_user_role(user_r, user_t)
+ 	')
+ 
+ 	optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/services/mta.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/mta.te
++++ refpolicy-2.20210203/policy/modules/services/mta.te
+@@ -15,6 +15,7 @@ attribute mailserver_sender;
+ attribute user_mail_domain;
+ 
+ attribute_role user_mail_roles;
++attribute_role admin_mail_roles;
+ 
+ type etc_aliases_t;
+ files_type(etc_aliases_t)
+@@ -44,6 +45,10 @@ mta_base_mail_template(user)
+ userdom_user_application_type(user_mail_t)
+ role user_mail_roles types user_mail_t;
+ 
++mta_base_mail_template(admin)
++userdom_user_application_type(admin_mail_t)
++role admin_mail_roles types admin_mail_t;
++
+ userdom_user_tmp_file(user_mail_tmp_t)
+ 
+ ########################################
+@@ -424,3 +429,30 @@ optional_policy(`
+ 	postfix_read_config(user_mail_t)
+ 	postfix_list_spool(user_mail_t)
+ ')
++
++########################################
++#
++# Admin local policy
++#
++
++manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t)
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".esmtp_queue")
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward")
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc")
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, "dead.letter")
++
++dev_read_sysfs(admin_mail_t)
++
++userdom_use_user_terminals(admin_mail_t)
++
++files_etc_filetrans(admin_mail_t, etc_aliases_t, file)
++allow admin_mail_t etc_aliases_t:file manage_file_perms;
++
++optional_policy(`
++	allow admin_mail_t self:capability dac_override;
++
++	userdom_rw_user_tmp_files(admin_mail_t)
++
++	postfix_read_config(admin_mail_t)
++	postfix_list_spool(admin_mail_t)
++')
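Review bot: `allow admin_mail_t self:capability dac_override;` and `userdom_rw_user_tmp_files(admin_mail_t)` are not Postfix-specific, yet they are granted only when the optional block (evidently the postfix module, given the two `postfix_*` calls) is present; either move them out of the `optional_policy` or add a comment explaining why they are conditional on Postfix. dac_override in particular deserves a comment, since the user-side block just above grants only `postfix_read_config`/`postfix_list_spool` and nothing in this hunk says which file admin_mail_t fails to open without it. Also consider giving `files_etc_filetrans(admin_mail_t, etc_aliases_t, file)` a name argument for the alias database file that is actually created: as written, every file admin_mail_t creates directly in /etc is labelled etc_aliases_t.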
+Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
++++ refpolicy-2.20210203/policy/modules/system/unconfined.te
+@@ -141,7 +141,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mta_role(unconfined_r, unconfined_t)
++	mta_admin_role(unconfined_r, unconfined_t)
+ ')
+ 
+ optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0028-misc refpolicy-2.20210203/debian/patches/0028-misc
--- refpolicy-2.20210203/debian/patches/0028-misc	2021-02-17 13:41:16.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0028-misc	2021-03-02 22:42:44.000000000 +1100
@@ -538,3 +538,163 @@
  /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
  /var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
  ')
+Index: refpolicy-2.20210203/policy/modules/kernel/kernel.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/kernel.te
++++ refpolicy-2.20210203/policy/modules/kernel/kernel.te
+@@ -232,6 +232,7 @@ allow kernel_t self:unix_stream_socket c
+ allow kernel_t self:fifo_file rw_fifo_file_perms;
+ allow kernel_t self:sock_file read_sock_file_perms;
+ allow kernel_t self:fd use;
++allow kernel_t self:perf_event cpu;
+ 
+ allow kernel_t debugfs_t:dir search_dir_perms;
+ 
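Review bot: `allow kernel_t self:perf_event cpu;` has no comment saying which kernel-side consumer needs it, unlike the surrounding self: rules, which are for the kernel's own sockets and fds; add a one-line comment (what was denied and why the kernel domain itself is the subject) so the rule is not trimmed as noise later.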
+Index: refpolicy-2.20210203/policy/modules/apps/chromium.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.if
++++ refpolicy-2.20210203/policy/modules/apps/chromium.if
+@@ -41,6 +41,7 @@ interface(`chromium_role',`
+ 	allow $2 chromium_sandbox_t:process signal_perms;
+ 	allow $2 chromium_naclhelper_t:process signal_perms;
+ 	allow chromium_t $2:process { signull signal };
++	allow chromium_t $2:unix_stream_socket { read write };
+ 
+ 	allow $2 chromium_t:unix_stream_socket connectto;
+ 
+Index: refpolicy-2.20210203/policy/modules/apps/chromium.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
++++ refpolicy-2.20210203/policy/modules/apps/chromium.te
+@@ -114,6 +114,7 @@ allow chromium_t chromium_sandbox_t:unix
+ allow chromium_t chromium_sandbox_t:file read_file_perms;
+ 
+ allow chromium_t chromium_naclhelper_t:process { share };
++allow chromium_t chromium_naclhelper_t:process2 nnp_transition;
+ 
+ # tmp has a wide class access (used for plugins)
+ manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
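Review bot: `nnp_transition` here means chromium_t execs the nacl helper after setting no_new_privs, which is the sandbox behaviour one expects; worth a comment, and worth checking the audit log for the same denial on the `chromium_sandbox_t` transition, since the sandbox helper is launched the same way and would need the equivalent `process2 nnp_transition` rule if it is also exec'ed under no_new_privs.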
+@@ -183,6 +184,7 @@ files_read_usr_files(chromium_t)
+ files_map_usr_files(chromium_t)
+ files_read_etc_files(chromium_t)
+ files_watch_etc_dirs(chromium_t)
++files_watch_root_dirs(chromium_t)
+ # During find for /etc/whatever-release we get lots of output otherwise
+ files_dontaudit_getattr_all_dirs(chromium_t)
+ 
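Review bot: `files_watch_root_dirs(chromium_t)` lets the browser put an inotify watch on the root directory and needs a comment saying what triggers it; the existing comment about the `/etc/whatever-release` search explains only the `files_dontaudit_getattr_all_dirs` line below it, not this watch.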
+@@ -290,6 +292,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	networkmanager_dbus_chat(chromium_t)
++	networkmanager_watch_runtime_dirs(chromium_t)
+ ')
+ 
+ optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/services/networkmanager.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.if
++++ refpolicy-2.20210203/policy/modules/services/networkmanager.if
+@@ -305,6 +305,24 @@ interface(`networkmanager_read_runtime_f
+ 	read_files_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t)
+ ')
+ 
++########################################
++## <summary>
++##	watch networkmanager runtime files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_watch_runtime_dirs',`
++	gen_require(`
++		type NetworkManager_runtime_t;
++	')
++
++	allow $1 NetworkManager_runtime_t:dir watch;
++')
++
+ ####################################
+ ## <summary>
+ ##  Connect to networkmanager over
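Review bot: the summary says "watch networkmanager runtime files" but the interface only grants `NetworkManager_runtime_t:dir watch`, matching its name `networkmanager_watch_runtime_dirs`; change the summary to "directories" so the generated interface documentation does not promise file watches it does not give.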
+Index: refpolicy-2.20210203/policy/modules/admin/usermanage.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/usermanage.te
++++ refpolicy-2.20210203/policy/modules/admin/usermanage.te
+@@ -438,6 +438,9 @@ files_read_etc_runtime_files(sysadm_pass
+ # for nscd lookups
+ files_dontaudit_search_runtime(sysadm_passwd_t)
+ 
++files_etc_filetrans_etc(sysadm_passwd_t, file, "passwd.edit")
++files_etc_filetrans_etc(sysadm_passwd_t, file, "group.edit")
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it.  Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(sysadm_passwd_t)
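Review bot: a named transition to etc_t inside an etc_t directory only does anything if some broader rule for sysadm_passwd_t sends newly created /etc files to another type; add a comment naming the transition being overridden for `passwd.edit` and `group.edit` (presumably the one that labels new files in /etc as the shadow type), otherwise these two lines read as no-ops.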
+Index: refpolicy-2.20210203/policy/modules/kernel/files.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
++++ refpolicy-2.20210203/policy/modules/kernel/files.if
+@@ -3413,6 +3413,35 @@ interface(`files_etc_filetrans',`
+ 
+ ########################################
+ ## <summary>
++##	Create objects in /etc with type etc_t with specified
++##	name to overide default transition
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object classes to be created.
++##	</summary>
++## </param>
++## <param name="name">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_etc_filetrans_etc',`
++	gen_require(`
++		type etc_t;
++	')
++
++	filetrans_pattern($1, etc_t, etc_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ##	Create a boot flag.
+ ## </summary>
+ ## <desc>
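Review bot: typo in the summary, "overide" should be "override"; the summary would also be clearer if it said outright that the interface exists to pin a named object back to etc_t when a broader filetrans rule for the domain would otherwise relabel it, since a transition from etc_t to etc_t looks pointless on its own. Consistent with `files_etc_filetrans` just above, `name` is mandatory here, which is right for this purpose.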
+Index: refpolicy-2.20210203/policy/modules/system/unconfined.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.if
++++ refpolicy-2.20210203/policy/modules/system/unconfined.if
+@@ -44,6 +44,8 @@ interface(`unconfined_domain_noaudit',`
+ 	# Transition to myself, to make get_ordered_context_list happy.
+ 	allow $1 self:process transition;
+ 
++	allow $1 self:lockdown { integrity confidentiality };
++
+ 	# Write access is for setting attributes under /proc/self/attr.
+ 	allow $1 self:file rw_file_perms;
+ 
+Index: refpolicy-2.20210203/policy/modules/admin/netutils.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/netutils.te
++++ refpolicy-2.20210203/policy/modules/admin/netutils.te
+@@ -39,6 +39,7 @@ allow netutils_t self:process { getcap s
+ allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+ allow netutils_t self:netlink_socket create_socket_perms;
+ # For tcpdump.
++allow netutils_t self:netlink_generic_socket create_socket_perms;
+ allow netutils_t self:netlink_netfilter_socket create_socket_perms;
+ allow netutils_t self:packet_socket { create_socket_perms map };
+ allow netutils_t self:udp_socket create_socket_perms;
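Review bot: the new `netlink_generic_socket` rule is inserted between the `# For tcpdump.` comment and the `netlink_netfilter_socket` line that comment documented, so the comment now appears to describe the generic netlink socket instead; either say that tcpdump needs the generic netlink socket too (if that is what was denied) or put the new line above the comment.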
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-02-23 16:57:40.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-02-26 15:40:51.000000000 +1100
@@ -11,7 +11,18 @@
  	allow $1_wm_t $3:process { signull sigkill };
  
  	domtrans_pattern($3, wm_exec_t, $1_wm_t)
-@@ -101,6 +103,17 @@ template(`wm_role_template',`
+@@ -75,6 +77,10 @@ template(`wm_role_template',`
+ 
+ 	wm_write_pipes($1, $3)
+ 
++	tunable_policy(`wm_write_xdg_data', `
++		xdg_manage_data($1_wm_t)
++	')
++
+ 	optional_policy(`
+ 		dbus_connect_spec_session_bus($1, $1_wm_t)
+ 		dbus_spec_session_bus_client($1, $1_wm_t)
+@@ -101,6 +107,17 @@ template(`wm_role_template',`
  	optional_policy(`
  		pulseaudio_run($1_wm_t, $2)
  	')
@@ -68,6 +79,28 @@
  			wm_dbus_chat($1, $1_gkeyringd_t)
  		')
  	')
+@@ -807,3 +811,21 @@ interface(`gnome_mmap_gstreamer_orcexec'
+ 
+ 	allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
+ ')
++
++########################################
++## <summary>
++##	watch gnome_xdg_config_t dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_watch_xdg_config_dirs',`
++	gen_require(`
++		type gnome_xdg_config_t;
++	')
++
++	allow $1 gnome_xdg_config_t:dir watch;
++')
 Index: refpolicy-2.20210203/policy/modules/services/xserver.if
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/xserver.if
@@ -291,3 +324,34 @@
  ## <summary>
  ##	Allow relabeling the xdg data home files, regardless of their type
  ## </summary>
+Index: refpolicy-2.20210203/policy/modules/apps/wm.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/wm.te
++++ refpolicy-2.20210203/policy/modules/apps/wm.te
+@@ -7,6 +7,14 @@ policy_module(wm, 1.11.0)
+ 
+ attribute wm_domain;
+ 
++
++## <desc>
++##      <p>
++##      Grant the window manager domains write access to xdg data
++##      </p>
++## </desc>
++gen_tunable(`wm_write_xdg_data', false)
++
+ type wm_exec_t;
+ corecmd_executable_file(wm_exec_t)
+ 
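Review bot: the `<desc>` says "write access to xdg data", but the tunable (see the `wm_role_template` hunk above) turns on `xdg_manage_data($1_wm_t)`, which includes create, delete and rename on the user's xdg data files and directories; make the description match what is actually granted, or use a narrower interface if writing existing files is all the window manager needs. Minor: the `##` description lines are indented with spaces, while the rest of the policy uses tabs.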
+Index: refpolicy-2.20210203/policy/modules/apps/chromium.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
++++ refpolicy-2.20210203/policy/modules/apps/chromium.te
+@@ -271,6 +271,7 @@ optional_policy(`
+ 
+ 	optional_policy(`
+ 		gnome_dbus_chat_all_gkeyringd(chromium_t)
++		gnome_watch_xdg_config_dirs(chromium_t)
+ 	')
+ 
+ 	optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0110-gpg refpolicy-2.20210203/debian/patches/0110-gpg
--- refpolicy-2.20210203/debian/patches/0110-gpg	2021-02-23 16:57:40.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0110-gpg	2021-02-26 15:43:08.000000000 +1100
@@ -14,7 +14,7 @@
  /usr/bin/gpgsm				--	gen_context(system_u:object_r:gpg_exec_t,s0)
  /usr/bin/gpg-agent			--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 -/usr/bin/pinentry.*			--	gen_context(system_u:object_r:gpg_pinentry_exec_t,s0)
-+/usr/bin/pinentry.*			--	gen_context(system_u:object_r:gpg_exec_t,s0)
++/usr/bin/pinentry.*			--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
  
  /usr/lib/gnupg/.*			--	gen_context(system_u:object_r:gpg_exec_t,s0)
 -/usr/lib/gnupg/gpgkeys.*		--	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
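Review bot: labelling pinentry as gpg_agent_exec_t, together with `can_exec(gpg_agent_t, gpg_agent_exec_t)` in the gpg.te hunk below, runs the passphrase dialog inside gpg_agent_t itself, with no domain transition; that trades the separate pinentry domain for simplicity, so confirm gpg_agent_t has the terminal and X access pinentry needs (not visible in this diff) and note that gpg_pinentry_exec_t now matches no file at all, leaving gpg_pinentry_t as dead policy unless it is removed or documented.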
@@ -225,3 +225,16 @@
  ## <summary>
  ##	Do not audit attempts to append temporary
  ##	system cron job files.
+Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
++++ refpolicy-2.20210203/policy/modules/apps/gpg.te
+@@ -84,6 +84,8 @@ dontaudit gpg_t self:netlink_audit_socke
+ allow gpg_t self:fifo_file rw_fifo_file_perms;
+ allow gpg_t self:tcp_socket { accept listen };
+ 
++can_exec(gpg_agent_t, gpg_agent_exec_t)
++
+ manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+ userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+ 
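Review bot: `can_exec(gpg_agent_t, gpg_agent_exec_t)` is placed among the gpg_t rules (the context lines are all `gpg_t self:` and `gpg_t gpg_runtime_t`), so it will be missed by anyone reading the gpg_agent_t local policy; move it to the gpg_agent_t section with a comment that it is what lets the agent run pinentry in its own domain.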
diff -Nru refpolicy-2.20210203/debian/patches/2000-hacks refpolicy-2.20210203/debian/patches/2000-hacks
--- refpolicy-2.20210203/debian/patches/2000-hacks	2021-02-01 13:00:42.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/2000-hacks	2021-02-25 14:34:43.000000000 +1100
@@ -1,7 +1,7 @@
-Index: refpolicy-2.20210130/policy/modules/system/init.if
+Index: refpolicy-2.20210203/policy/modules/system/init.if
 ===================================================================
---- refpolicy-2.20210130.orig/policy/modules/system/init.if
-+++ refpolicy-2.20210130/policy/modules/system/init.if
+--- refpolicy-2.20210203.orig/policy/modules/system/init.if
++++ refpolicy-2.20210203/policy/modules/system/init.if
 @@ -178,7 +178,11 @@ interface(`init_domain',`
  
  	role system_r types $1;
@@ -15,10 +15,10 @@
  
  	allow init_t $1:process rlimitinh;
  
-Index: refpolicy-2.20210130/policy/modules/system/fstools.te
+Index: refpolicy-2.20210203/policy/modules/system/fstools.te
 ===================================================================
---- refpolicy-2.20210130.orig/policy/modules/system/fstools.te
-+++ refpolicy-2.20210130/policy/modules/system/fstools.te
+--- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
++++ refpolicy-2.20210203/policy/modules/system/fstools.te
 @@ -151,6 +151,11 @@ init_use_script_ptys(fsadm_t)
  init_dontaudit_getattr_initctl(fsadm_t)
  init_rw_script_stream_sockets(fsadm_t)
@@ -31,10 +31,10 @@
  logging_send_syslog_msg(fsadm_t)
  
  miscfiles_read_localization(fsadm_t)
-Index: refpolicy-2.20210130/policy/modules/system/sysnetwork.te
+Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
 ===================================================================
---- refpolicy-2.20210130.orig/policy/modules/system/sysnetwork.te
-+++ refpolicy-2.20210130/policy/modules/system/sysnetwork.te
+--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
++++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
 @@ -345,6 +345,11 @@ files_dontaudit_read_root_files(ifconfig
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
@@ -47,10 +47,10 @@
  logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
-Index: refpolicy-2.20210130/config/appconfig-mcs/default_contexts
+Index: refpolicy-2.20210203/config/appconfig-mcs/default_contexts
 ===================================================================
---- refpolicy-2.20210130.orig/config/appconfig-mcs/default_contexts
-+++ refpolicy-2.20210130/config/appconfig-mcs/default_contexts
+--- refpolicy-2.20210203.orig/config/appconfig-mcs/default_contexts
++++ refpolicy-2.20210203/config/appconfig-mcs/default_contexts
 @@ -2,7 +2,7 @@ system_r:crond_t:s0		user_r:user_t:s0 st
  system_r:init_t:s0		user_r:user_systemd_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0 unconfined_r:unconfined_t:s0
  system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -60,10 +60,10 @@
  system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
  system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
  
-Index: refpolicy-2.20210130/Makefile
+Index: refpolicy-2.20210203/Makefile
 ===================================================================
---- refpolicy-2.20210130.orig/Makefile
-+++ refpolicy-2.20210130/Makefile
+--- refpolicy-2.20210203.orig/Makefile
++++ refpolicy-2.20210203/Makefile
 @@ -240,6 +240,7 @@ M4PARAM += -D mls_num_sens=$(MLS_SENS) -
  # differently on different distros
  ifeq ($(DISTRO),debian)
@@ -72,3 +72,45 @@
  endif
  
  ifeq ($(DISTRO),gentoo)
+Index: refpolicy-2.20210203/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20210203/policy/modules/system/systemd.te
+@@ -1721,3 +1721,7 @@ optional_policy(`
+ optional_policy(`
+ 	gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t)
+ ')
++
++optional_policy(`
++	userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t)
++')
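Review bot: the `optional_policy` wrapper is unnecessary for a `userdom_*` call, since userdomain is a base system-layer module and always present; the preceding block wraps `gpg_agent_tmp_unlink_sock` because gpg is a loadable apps module, which does not apply here. More importantly, the interface being added says the device nodes "probably should not have been created in the first place": say which domain creates chr/blk nodes labelled user_tmp_t in the user runtime directory, because allowing systemd to delete them cleans up the symptom while leaving that creation path in place.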
+Index: refpolicy-2.20210203/policy/modules/system/userdomain.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/userdomain.if
++++ refpolicy-2.20210203/policy/modules/system/userdomain.if
+@@ -4567,6 +4567,25 @@ interface(`userdom_dontaudit_write_user_
+ 
+ ########################################
+ ## <summary>
++##      Delete user_tmp_t device nodes (probably should not have been
++##	created in the first place)
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to allow deleting
++##      </summary>
++## </param>
++#
++interface(`userdom_unlink_user_tmp_devices',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:{ chr_file blk_file } unlink;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to use user ttys.
+ ## </summary>
+ ## <param name="domain">
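Review bot: the doc block mixes space and tab indentation (the `<summary>` lines use spaces, the continuation line a tab), and "Domain to allow deleting" departs from the "Domain allowed access." wording every other interface in this file uses; align both so the generated documentation is consistent. The rule itself, `user_tmp_t:{ chr_file blk_file } unlink`, is appropriately narrow.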

--- End Message ---
--- Begin Message ---
Unblocked refpolicy.

--- End Message ---
