
Bug#987983: marked as done (unblock: refpolicy/2.20210203-5)



Your message dated Tue, 04 May 2021 20:06:21 +0000
with message-id <E1le1JF-0001Fm-7x@respighi.debian.org>
and subject line unblock refpolicy
has caused the Debian Bug report #987983,
regarding unblock: refpolicy/2.20210203-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987983
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

[ Reason ]
Added policy for rasdaemon and sympa.  This is a significant benefit for people
who use those programs as they will now work correctly with SE Linux.  There is no
possibility of things breaking, because for those people it was totally broken
before.

Allow dovecot to watch and create mail files, needed for correct IMAP
operation.

Allow unprivileged KDE logins without KDE processes crashing due to lack of
access.

Allow all the access that mailman3 needs.

Added some systemd policy from upstream to better handle the latest systemd
features.

Change spamassassin policy to correctly support rspamd.

Significant fixes for the Courier POP/IMAP server policy.

Allow apache to map user web content files.

A few other little fixes.

[ Impact ]
Without this, rasdaemon, sympa, courier POP/IMAP, KDE unprivileged accounts,
mailman3, and rspamd will be almost entirely unusable with SE Linux.

[ Tests ]
The systemd policy has been tested extensively on many systems, both in my
tests and upstream.  Everything here falls into one of two categories: things
that are tested really well, and things that fix significant things such that
if they don't do what's expected they won't make things worse.

[ Risks ]
I don't think there are any noteworthy risks.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]


unblock refpolicy/2.20210203-5

Here is the debdiff:

diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog	2021-03-05 21:11:58.000000000 +1100
+++ refpolicy-2.20210203/debian/changelog	2021-04-09 23:02:14.000000000 +1000
@@ -1,3 +1,43 @@
+refpolicy (2:2.20210203-5) unstable; urgency=medium
+
+  * Add policy for rasdaemon
+  * Made mta_manage_mail_home_rw_content() include mail_home_rw_t:file watch
+    access, needed by dovecot_t and probably others in future
+  * Allow restorecond to watch selinux_config_t files.
+  * Allow *_wm_t domains (for window manager processes) to watch xdg_config_t
+    files and to execmod wm_tmpfs_t files (stops kwin_x11 SEGV)
+  * Allow systemd_tmpfiles_t to relabel colord var lib files and dirs
+  * Allow smbcontrol_t to map samba_runtime_t files and send unix datagrams
+    to smbd processes
+  * Allow systemd_user_runtime_dir_t to delete all user runtime sock files
+    and manage pulseaudio_tmp_t dirs
+  * Allow system_cronjob_t to manage var_lib dirs
+  * Allow dovecot to create ~/mail directories.
+  * Label /usr/share/mailman3-web/manage.py as mailman_queue_exec_t
+    Allow mailman_queue_t to read usr files and to create it's own tmpfs files
+    and allow it to map mailman_data_t files
+  * Added systemd policy from upstream git as of 31st Mar to the upstream patch
+  * Label /usr/bin/rspamd file not /usr/bin/rspamd symlink
+    label /var/log/rspamd(/.*)? as spamd_log_t.  Allow spamd_t self execmem
+    access when rspamd_spamd.  Label port 11333 as spamd_port_t for rspam.
+  * Label /usr/lib/courier/imapd.* and /usr/lib/courier/pop3d.* as
+    courier_pop_exec_t.  Allow courier_pop_t to read generic certs, manage
+    courier_var_lib_t files, bind to POP ports, execute courier_exec_t and
+    courier_tcpd_exec_t programs, and map courier config files.  Grant
+    courier_pop_t the fowner and chown capabilities (for managing user mail)
+    but dontaudit the fsetid capability.  Grant courier_pop_t the setrlimit
+    process access so it can set it's own resource limits.  Allow
+    courier_authdaemon_t to search SE Linux default contexts (needed by pam
+    before using unix_chkpwd) and allow it to stat proc files.
+  * Add sympa policy
+  * Allow exim_t to read/write tmp files inherited from cron.  Allow exim_t
+    the dac_read_search capability.
+  * Allow apache to map user content files when httpd_read_user_content is set.
+    Label /usr/lib/w3m/* as httpd_sys_script_exec_t
+  * Dontaudit fsdaemon_t capability net_admin (probably setting buffer size)
+
+ -- Russell Coker <russell@coker.com.au>  Fri, 09 Apr 2021 23:02:14 +1000
+
 refpolicy (2:2.20210203-4) unstable; urgency=medium
 
   * Allow ntpd_t to get the status of generic systemd units
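Review bot: the rspamd bullet grants spamd_t self execmem "when rspamd_spamd"; execmem lets a domain map memory that is both writable and executable, so that domain loses the W^X protection the rest of the policy keeps, and the spamassassin .te change that carries the rule is not part of this debdiff excerpt. Please confirm the allow sits inside a tunable_policy block keyed on that condition so a plain spamassassin install never receives it. Two typos in the same entry: "create it's own tmpfs files" and "set it's own resource limits" should both read "its own".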
diff -Nru refpolicy-2.20210203/debian/modules.conf.default refpolicy-2.20210203/debian/modules.conf.default
--- refpolicy-2.20210203/debian/modules.conf.default	2021-01-26 22:15:34.000000000 +1100
+++ refpolicy-2.20210203/debian/modules.conf.default	2021-04-04 22:55:24.000000000 +1000
@@ -1861,6 +1861,13 @@
 raid = module
 
 # Layer: contrib
+# Module: rasdaemon
+#
+# rasdaemon tracks motherboard hardware errors
+# 
+rasdaemon = module
+
+# Layer: contrib
 # Module: razor
 #
 # A distributed, collaborative, spam detection and filtering network.
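Review bot: the separator line between the description and `rasdaemon = module` is `# ` with a trailing space, whereas the neighbouring razor and sysstat entries use a bare `#`; the same trailing space appears in the sympa entry below and in both copies in modules.conf.mls, so strip it in all four places before the file picks up a mix of styles.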
@@ -2197,6 +2204,13 @@
 sxid = module
 
 # Layer: contrib
+# Module: sympa
+#
+# Manage electronic mail discussion and e-newsletter lists.
+# 
+sympa = module
+
+# Layer: contrib
 # Module: sysstat
 #
 # Reports on various system states.
diff -Nru refpolicy-2.20210203/debian/modules.conf.mls refpolicy-2.20210203/debian/modules.conf.mls
--- refpolicy-2.20210203/debian/modules.conf.mls	2021-01-26 22:15:38.000000000 +1100
+++ refpolicy-2.20210203/debian/modules.conf.mls	2021-04-04 22:55:32.000000000 +1000
@@ -1861,6 +1861,13 @@
 raid = module
 
 # Layer: contrib
+# Module: rasdaemon
+#
+# rasdaemon tracks motherboard hardware errors
+# 
+rasdaemon = module
+
+# Layer: contrib
 # Module: razor
 #
 # A distributed, collaborative, spam detection and filtering network.
@@ -2197,6 +2204,13 @@
 sxid = module
 
 # Layer: contrib
+# Module: sympa
+#
+# Manage electronic mail discussion and e-newsletter lists.
+# 
+sympa = module
+
+# Layer: contrib
 # Module: sysstat
 #
 # Reports on various system states.
diff -Nru refpolicy-2.20210203/debian/patches/0000-upstream refpolicy-2.20210203/debian/patches/0000-upstream
--- refpolicy-2.20210203/debian/patches/0000-upstream	2021-02-17 13:40:33.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0000-upstream	2021-03-31 19:05:44.000000000 +1100
@@ -554,7 +554,25 @@
  
  gen_require(`
  	class passwd rootok;
-@@ -252,9 +252,10 @@ ifdef(`init_systemd',`
+@@ -35,6 +35,7 @@ attribute init_path_unit_loc_type;
+ attribute init_script_domain_type;
+ attribute init_script_file_type;
+ attribute init_run_all_scripts_domain;
++attribute init_linkable_keyring_type;
+ attribute systemdunit;
+ attribute initrc_transition_domain;
+ 
+@@ -149,6 +150,9 @@ can_exec(init_t, init_exec_t)
+ 
+ allow init_t initrc_t:unix_stream_socket connectto;
+ 
++# Mostly for systemd. Allow init to link to various keyrings
++allow init_t init_linkable_keyring_type:key link;
++
+ # For /var/run/shutdown.pid.
+ allow init_t init_runtime_t:file manage_file_perms;
+ files_runtime_filetrans(init_t, init_runtime_t, file)
+@@ -252,9 +256,10 @@ ifdef(`init_systemd',`
  
  	allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };
  
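Review bot: `allow init_t init_linkable_keyring_type:key link;` only does something once the new attribute is populated, and the systemd.if hunk further down populates it through `init_linkable_keyring($1_systemd_t)`, yet no hunk in this debdiff adds that interface to init.if; confirm it already exists in the upstream patch (in a part the diff does not show), otherwise the policy build fails on an undefined macro. The comment "Mostly for systemd. Allow init to link to various keyrings" would be more useful if it named the per-user systemd domains as the current holders of the attribute, so the reason for the grant is on record next to the rule.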
@@ -568,7 +586,7 @@
  
  	allow init_t systemprocess:process { dyntransition siginh };
  	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
-@@ -311,6 +312,8 @@ ifdef(`init_systemd',`
+@@ -311,6 +316,8 @@ ifdef(`init_systemd',`
  	kernel_setsched(init_t)
  	kernel_link_key(init_t)
  	kernel_rw_unix_sysctls(init_t)
@@ -577,7 +595,7 @@
  
  	# run systemd misc initializations
  	# in the initrc_t domain, as would be
-@@ -411,6 +414,9 @@ ifdef(`init_systemd',`
+@@ -411,6 +418,9 @@ ifdef(`init_systemd',`
  	fs_remount_all_fs(init_t)
  	fs_relabelfrom_tmpfs_symlinks(init_t)
  	fs_unmount_all_fs(init_t)
@@ -587,7 +605,7 @@
  	# for privatetmp functions
  	fs_relabel_tmpfs_dirs(init_t)
  	fs_relabel_tmpfs_files(init_t)
-@@ -485,6 +491,8 @@ ifdef(`init_systemd',`
+@@ -485,6 +495,8 @@ ifdef(`init_systemd',`
  	# for systemd to read udev status
  	udev_read_runtime_files(init_t)
  
@@ -596,7 +614,7 @@
  	tunable_policy(`init_mounton_non_security',`
  		files_mounton_non_security(init_t)
  	')
-@@ -1022,6 +1030,9 @@ ifdef(`init_systemd',`
+@@ -1022,6 +1034,9 @@ ifdef(`init_systemd',`
  	allow initrc_t systemdunit:service reload;
  	allow initrc_t init_script_file_type:service { stop start status reload };
  
@@ -606,7 +624,7 @@
  	# run systemd misc initializations
  	# in the initrc_t domain, as would be
  	# done in traditional sysvinit/upstart.
-@@ -1046,6 +1057,7 @@ ifdef(`init_systemd',`
+@@ -1046,6 +1061,7 @@ ifdef(`init_systemd',`
  	logging_manage_audit_config(initrc_t)
  	# journalctl:
  	logging_watch_runtime_dirs(initrc_t)
@@ -659,7 +677,7 @@
  	kernel_use_fds(syslogd_t)
  
  	dev_read_kmsg(syslogd_t)
-@@ -544,6 +542,9 @@ ifdef(`init_systemd',`
+@@ -544,9 +542,18 @@ ifdef(`init_systemd',`
  	init_read_runtime_symlinks(syslogd_t)
  	init_read_state(syslogd_t)
  
@@ -669,6 +687,15 @@
  	systemd_manage_journal_files(syslogd_t)
  
  	udev_read_runtime_files(syslogd_t)
++
++	# journald traverses /run/user/UID (which is mode 0700) to read symlinks in /run/user/UID/systemd/units/
++	allow syslogd_t self:capability dac_read_search;
++	userdom_search_user_runtime_root(syslogd_t)
++	userdom_search_user_runtime(syslogd_t)
++	systemd_read_user_runtime_lnk_files(syslogd_t)
+ ')
+ 
+ ifdef(`distro_gentoo',`
 Index: refpolicy-2.20210203/policy/modules/system/lvm.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
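Review bot: `allow syslogd_t self:capability dac_read_search;` is a broader grant than the stated need (traversing mode-0700 /run/user/UID directories): the capability bypasses DAC read and search checks on every path, not only under /run/user, so the only remaining bound on where journald can look is the type enforcement itself (here userdom_search_user_runtime_root, userdom_search_user_runtime and systemd_read_user_runtime_lnk_files). That is an acceptable trade since those rules still limit it to the listed types, but the comment should say so explicitly, and the comment line runs well past 80 columns; wrap it in the style of the surrounding file.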
@@ -739,7 +766,19 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.fc
 +++ refpolicy-2.20210203/policy/modules/system/systemd.fc
-@@ -57,6 +57,8 @@
+@@ -44,6 +44,11 @@
+ /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+ 
+ # Systemd unit files
++HOME_DIR/\.config/systemd(/.*)?                gen_context(system_u:object_r:systemd_conf_home_t,s0)
++HOME_DIR/\.local/share/systemd(/.*)?           gen_context(system_u:object_r:systemd_data_home_t,s0)
++
++/usr/lib/systemd/user(/.*)?            gen_context(system_u:object_r:systemd_user_unit_t,s0)
++
+ /usr/lib/systemd/system/[^/]*halt.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*hibernate.* --	gen_context(system_u:object_r:power_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*power.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+@@ -57,6 +62,8 @@
  /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
  /usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
  
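Review bot: the three new file-context lines (HOME_DIR/\.config/systemd, HOME_DIR/\.local/share/systemd and /usr/lib/systemd/user) pad with runs of spaces while every neighbouring entry separates path and context with tabs; align them the same way. A short comment above the two HOME_DIR entries noting that these are the user instance's unit directories (systemd_conf_home_t is given init_unit_file() in the systemd.te hunk below) would also help a reader understand why home content carries a unit file type.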
@@ -748,11 +787,539 @@
  /var/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
  
  /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+@@ -68,6 +75,13 @@
+ /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+ /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+ 
++/run/user/%{USERID}/systemd    -d      gen_context(system_u:object_r:systemd_user_runtime_t,s0)
++/run/user/%{USERID}/systemd/generator(/.*)?            gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
++/run/user/%{USERID}/systemd/generator\.early(/.*)?             gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
++/run/user/%{USERID}/systemd/generator\.late(/.*)?              gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
++/run/user/%{USERID}/systemd/transient(/.*)?            gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
++/run/user/%{USERID}/systemd/user(/.*)?         gen_context(system_u:object_r:systemd_user_runtime_unit_t,s0)
++
+ /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+ /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+ /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 Index: refpolicy-2.20210203/policy/modules/system/systemd.if
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
 +++ refpolicy-2.20210203/policy/modules/system/systemd.if
-@@ -1174,6 +1174,7 @@ interface(`systemd_tmpfilesd_managed',`
+@@ -28,8 +28,11 @@
+ template(`systemd_role_template',`
+ 	gen_require(`
+ 		attribute systemd_user_session_type, systemd_log_parse_env_type;
+-		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
++		attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
+ 		type systemd_run_exec_t, systemd_analyze_exec_t;
++		type systemd_conf_home_t, systemd_data_home_t;
++		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
++		type systemd_user_unit_t, systemd_user_runtime_unit_t;
+ 	')
+ 
+ 	#################################
+@@ -47,39 +50,459 @@ template(`systemd_role_template',`
+ 	# Local policy
+ 	#
+ 
+-	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+-	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
+-	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+-	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+-
+-	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+-
+ 	# This domain is per-role because of the below transitions.
+ 	# See the systemd --user section of systemd.te for the
+ 	# remainder of the rules.
+-	allow $1_systemd_t $3:process { setsched rlimitinh };
++	allow $1_systemd_t self:process { getsched signal };
++	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
++	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
++	allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
+ 	corecmd_shell_domtrans($1_systemd_t, $3)
+ 	corecmd_bin_domtrans($1_systemd_t, $3)
+-	allow $1_systemd_t self:process signal;
++
++	# systemctl --user rules
++	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
++	allow $1_systemd_t systemd_user_activated_sock_file_type:dir manage_dir_perms;
++	allow $1_systemd_t systemd_user_activated_sock_file_type:sock_file manage_sock_file_perms;
++
++	allow $1_systemd_t systemd_user_runtime_t:blk_file manage_blk_file_perms;
++	allow $1_systemd_t systemd_user_runtime_t:chr_file manage_chr_file_perms;
++	allow $1_systemd_t systemd_user_runtime_t:dir manage_dir_perms;
++	allow $1_systemd_t systemd_user_runtime_t:file manage_file_perms;
++	allow $1_systemd_t systemd_user_runtime_t:fifo_file manage_fifo_file_perms;
++	allow $1_systemd_t systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
++	allow $1_systemd_t systemd_user_runtime_t:sock_file manage_sock_file_perms;
++
++	allow $1_systemd_t systemd_user_runtime_unit_t:dir manage_dir_perms;
++	allow $1_systemd_t systemd_user_runtime_unit_t:file manage_file_perms;
++	allow $1_systemd_t systemd_user_runtime_unit_t:lnk_file manage_lnk_file_perms;
++
++	allow $1_systemd_t $3:dir search_dir_perms;
++	allow $1_systemd_t $3:file read_file_perms;
++	allow $1_systemd_t $3:lnk_file read_lnk_file_perms;
++
++	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.early")
++	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "generator.late")
++	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "transient")
++	filetrans_pattern(systemd_user_session_type, systemd_user_runtime_t, systemd_user_runtime_unit_t, dir, "user")
++
++	dev_read_urand($1_systemd_t)
+ 
+ 	files_search_home($1_systemd_t)
+ 
++	fs_manage_cgroup_files($1_systemd_t)
++	fs_watch_cgroup_files($1_systemd_t)
++
++	kernel_dontaudit_getattr_proc($1_systemd_t)
++
++	selinux_use_status_page($1_systemd_t)
++
++	init_linkable_keyring($1_systemd_t)
++	init_list_unit_dirs($1_systemd_t)
++	init_read_generic_units_files($1_systemd_t)
++
++	miscfiles_watch_localization($1_systemd_t)
++
++	mount_read_runtime_files($1_systemd_t)
++	mount_watch_runtime_files($1_systemd_t)
++	mount_watch_reads_runtime_files($1_systemd_t)
++
++	seutil_search_default_contexts($1_systemd_t)
++	seutil_read_file_contexts($1_systemd_t)
++
++	systemd_manage_conf_home_content($1_systemd_t)
++	systemd_manage_data_home_content($1_systemd_t)
++
++	systemd_search_user_runtime_unit_dirs($1_systemd_t)
++
++	systemd_search_user_runtime_unit_dirs($1_systemd_t)
++	systemd_read_user_unit_files($1_systemd_t)
++
++	dbus_system_bus_client($1_systemd_t)
++	dbus_spec_session_bus_client($1, $1_systemd_t)
++
++	# userdomain rules
++	allow $3 $1_systemd_t:process signal;
++	allow $3 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
+ 	# Allow using file descriptors for user environment generators
+ 	allow $3 $1_systemd_t:fd use;
+ 	allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
+-
+-	# systemctl --user
+ 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
+ 
++	allow $3 $1_systemd_t:system { disable enable reload start stop status };
++
++	allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
++	allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
++	allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
++	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
++	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
++
++	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
++
++	allow $3 systemd_user_unit_t:service { reload start status stop };
++	allow $3 systemd_conf_home_t:service { reload start status stop };
++
+ 	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
+ 
+-	dbus_system_bus_client($1_systemd_t)
++	init_dbus_chat($3)
+ 
+-	selinux_use_status_page($1_systemd_t)
++	systemd_list_journal_dirs($3)
++	systemd_read_journal_files($3)
+ 
+-	seutil_read_file_contexts($1_systemd_t)
+-	seutil_search_default_contexts($1_systemd_t)
++	systemd_manage_conf_home_content($3)
++	systemd_relabel_conf_home_content($3)
++
++	systemd_manage_data_home_content($3)
++	systemd_relabel_data_home_content($3)
++
++	systemd_read_user_unit_files($3)
++	systemd_list_user_runtime_unit_dirs($3)
++	systemd_read_user_runtime_units($3)
++
++	systemd_reload_user_runtime_units($3)
++	systemd_start_user_runtime_units($3)
++	systemd_status_user_runtime_units($3)
++	systemd_stop_user_runtime_units($3)
++
++	optional_policy(`
++	        xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
++	        xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
++	        xdg_read_config_files($1_systemd_t)
++	        xdg_read_data_files($1_systemd_t)
++	')
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to be started as a daemon by the
++##   specified systemd user instance.
++## </summary>
++## <param name="prefix">
++##   <summary>
++##     Prefix for the user domain.
++##   </summary>
++## </param>
++## <param name="entry_point">
++##   <summary>
++##     Entry point file type for the domain.
++##   </summary>
++## </param>
++## <param name="domain">
++##   <summary>
++##     Domain to allow the systemd user domain to run.
++##   </summary>
++## </param>
++#
++template(`systemd_user_daemon_domain',`
++	gen_require(`
++		type $1_systemd_t;
++	')
++
++	domtrans_pattern($1_systemd_t, $2, $3)
++
++	allow $1_systemd_t $3:process signal_perms;
++	allow $3 $1_systemd_t:unix_stream_socket rw_socket_perms;
++')
++
++######################################
++## <summary>
++##   Associate the specified file type to be a type whose sock files
++##   can be managed by systemd user instances for socket activation.
++## </summary>
++## <param name="file_type">
++##   <summary>
++##     File type to be associated.
++##   </summary>
++## </param>
++#
++interface(`systemd_user_activated_sock_file',`
++	gen_require(`
++		attribute systemd_user_activated_sock_file_type;
++	')
++
++	typeattribute $1 systemd_user_activated_sock_file_type;
++')
++
++######################################
++## <summary>
++##   Associate the specified domain to be a domain whose unix stream
++##   sockets and sock files can be managed by systemd user instances
++##   for socket activation.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain to be associated.
++##   </summary>
++## </param>
++## <param name="sock_file_type">
++##   <summary>
++##     File type of the domain's sock files to be associated.
++##   </summary>
++## </param>
++#
++interface(`systemd_user_unix_stream_activated_socket',`
++	gen_require(`
++		attribute systemd_user_unix_stream_activated_socket_type;
++	')
++
++	typeattribute $1 systemd_user_unix_stream_activated_socket_type;
++	systemd_user_activated_sock_file($2)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to manage systemd config home
++##   content.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_manage_conf_home_content',`
++	gen_require(`
++		type systemd_conf_home_t;
++	')
++
++	manage_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
++	manage_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
++	manage_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to relabel systemd config home
++##   content.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_relabel_conf_home_content',`
++	gen_require(`
++		type systemd_conf_home_t;
++	')
++
++	relabel_dirs_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
++	relabel_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
++	relabel_lnk_files_pattern($1, systemd_conf_home_t, systemd_conf_home_t)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to manage systemd data home
++##   content.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_manage_data_home_content',`
++	gen_require(`
++		type systemd_data_home_t;
++	')
++
++	allow $1 systemd_data_home_t:dir manage_dir_perms;
++	allow $1 systemd_data_home_t:file manage_file_perms;
++	allow $1 systemd_data_home_t:lnk_file manage_lnk_file_perms;
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to relabel systemd data home
++##   content.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_relabel_data_home_content',`
++	gen_require(`
++		type systemd_data_home_t;
++	')
++
++	relabel_dirs_pattern($1, systemd_data_home_t, systemd_data_home_t)
++	relabel_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
++	relabel_lnk_files_pattern($1, systemd_data_home_t, systemd_data_home_t)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to read systemd user runtime lnk files.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_read_user_runtime_lnk_files',`
++	gen_require(`
++		type systemd_user_runtime_t;
++	')
++
++	read_lnk_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to read system-wide systemd
++##   user unit files.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_read_user_unit_files',`
++	gen_require(`
++		type systemd_user_unit_t;
++	')
++
++	allow $1 systemd_user_unit_t:dir list_dir_perms;
++	allow $1 systemd_user_unit_t:file read_file_perms;
++	allow $1 systemd_user_unit_t:lnk_file read_lnk_file_perms;
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to read systemd user runtime unit files.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_read_user_runtime_units',`
++	gen_require(`
++		type systemd_user_runtime_unit_t;
++	')
++
++	read_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
++	read_lnk_files_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to search systemd user runtime unit
++##   directories.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_search_user_runtime_unit_dirs',`
++	gen_require(`
++		type systemd_user_runtime_unit_t;
++	')
++
++	search_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to list the contents of systemd
++##   user runtime unit directories.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_list_user_runtime_unit_dirs',`
++	gen_require(`
++		type systemd_user_runtime_unit_t;
++	')
++
++	list_dirs_pattern($1, systemd_user_runtime_unit_t, systemd_user_runtime_unit_t)
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to get the status of systemd user runtime units.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_status_user_runtime_units',`
++	gen_require(`
++		type systemd_user_runtime_unit_t;
++		class service status;
++	')
++
++	allow $1 systemd_user_runtime_unit_t:service status;
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to start systemd user runtime units.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_start_user_runtime_units',`
++	gen_require(`
++		type systemd_user_runtime_unit_t;
++		class service start;
++	')
++
++	allow $1 systemd_user_runtime_unit_t:service start;
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to stop systemd user runtime units.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_stop_user_runtime_units',`
++	gen_require(`
++		type systemd_user_runtime_unit_t;
++		class service stop;
++	')
++
++	allow $1 systemd_user_runtime_unit_t:service stop;
++')
++
++######################################
++## <summary>
++##   Allow the specified domain to reload systemd user runtime units.
++## </summary>
++## <param name="domain">
++##   <summary>
++##     Domain allowed access.
++##   </summary>
++## </param>
++#
++interface(`systemd_reload_user_runtime_units',`
++	gen_require(`
++		type systemd_user_runtime_unit_t;
++		class service reload;
++	')
++
++	allow $1 systemd_user_runtime_unit_t:service reload;
+ ')
+ 
+ ######################################
+@@ -682,6 +1105,24 @@ interface(`systemd_manage_all_units',`
+ 
+ ########################################
+ ## <summary>
++##      Allow domain to list the contents of systemd_journal_t dirs
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_list_journal_dirs',`
++	gen_require(`
++		type systemd_journal_t;
++	')
++
++	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
++')
++
++########################################
++## <summary>
+ ##      Allow domain to read systemd_journal_t files
+ ## </summary>
+ ## <param name="domain">
+@@ -1174,6 +1615,7 @@ interface(`systemd_tmpfilesd_managed',`
  		type systemd_tmpfiles_t;
  	')
  
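Review bot: in systemd_role_template, `systemd_search_user_runtime_unit_dirs($1_systemd_t)` is called twice in a row, separated only by a blank line; drop one. The optional_policy block that closes the template indents its four xdg_* calls with a tab followed by eight spaces while the rest of the file indents with tabs only. Finally, `allow $3 systemd_conf_home_t:service { reload start status stop };` lets the user domain control units it can itself write (systemd_manage_conf_home_content($3) is granted a few lines earlier); that is the intended model for `systemctl --user` on units under ~/.config/systemd, but a one-line comment saying so would stop it being read as an over-grant.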
@@ -770,7 +1337,7 @@
  
  #########################################
  #
-@@ -45,6 +45,14 @@ gen_tunable(systemd_socket_proxyd_bind_a
+@@ -45,9 +45,19 @@ gen_tunable(systemd_socket_proxyd_bind_a
  ## </desc>
  gen_tunable(systemd_socket_proxyd_connect_any, false)
  
@@ -785,7 +1352,12 @@
  attribute systemd_log_parse_env_type;
  attribute systemd_tmpfiles_conf_type;
  attribute systemd_user_session_type;
-@@ -104,6 +112,9 @@ type systemd_detect_virt_t;
++attribute systemd_user_activated_sock_file_type;
++attribute systemd_user_unix_stream_activated_socket_type;
+ 
+ attribute_role systemd_sysusers_roles;
+ 
+@@ -104,6 +114,9 @@ type systemd_detect_virt_t;
  type systemd_detect_virt_exec_t;
  init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
  
@@ -795,7 +1367,7 @@
  type systemd_generator_t;
  type systemd_generator_exec_t;
  typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
-@@ -168,6 +179,7 @@ init_system_domain(systemd_networkd_t, s
+@@ -168,6 +181,7 @@ init_system_domain(systemd_networkd_t, s
  
  type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
  files_runtime_file(systemd_networkd_runtime_t)
@@ -803,7 +1375,38 @@
  
  type systemd_networkd_unit_t;
  init_unit_file(systemd_networkd_unit_t)
-@@ -443,6 +455,10 @@ systemd_log_parse_environment(systemd_ge
+@@ -265,6 +279,16 @@ init_system_domain(systemd_update_done_t
+ type systemd_update_run_t;
+ files_type(systemd_update_run_t)
+ 
++type systemd_conf_home_t;
++init_unit_file(systemd_conf_home_t)
++
++optional_policy(`
++	xdg_config_content(systemd_conf_home_t)
++')
++
++type systemd_data_home_t;
++xdg_data_content(systemd_data_home_t)
++
+ type systemd_user_runtime_notify_t;
+ userdom_user_runtime_content(systemd_user_runtime_notify_t)
+ 
+@@ -281,6 +305,13 @@ userdom_user_tmpfs_file(systemd_user_tmp
+ type systemd_userdb_runtime_t;
+ files_runtime_file(systemd_userdb_runtime_t)
+ 
++type systemd_user_unit_t;
++init_unit_file(systemd_user_unit_t)
++
++type systemd_user_runtime_unit_t;
++init_unit_file(systemd_user_runtime_unit_t)
++userdom_user_runtime_content(systemd_user_runtime_unit_t)
++
+ #
+ # Unit file types
+ #
+@@ -443,6 +474,10 @@ systemd_log_parse_environment(systemd_ge
  
  term_use_unallocated_ttys(systemd_generator_t)
  
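Review bot: xdg_config_content(systemd_conf_home_t) is wrapped in optional_policy but xdg_data_content(systemd_data_home_t) a few lines below it is not, so systemd.te acquires a hard build dependency on the xdg module; wrap the second call the same way:
optional_policy(`
	xdg_data_content(systemd_data_home_t)
')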
@@ -814,7 +1417,7 @@
  optional_policy(`
  	fstools_exec(systemd_generator_t)
  ')
-@@ -1279,6 +1295,7 @@ allow systemd_tmpfiles_t systemd_journal
+@@ -1279,6 +1314,7 @@ allow systemd_tmpfiles_t systemd_journal
  allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
  
  allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
@@ -822,7 +1425,7 @@
  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
  
  kernel_getattr_proc(systemd_tmpfiles_t)
-@@ -1314,6 +1331,7 @@ files_relabel_var_lib_dirs(systemd_tmpfi
+@@ -1314,6 +1350,7 @@ files_relabel_var_lib_dirs(systemd_tmpfi
  files_relabelfrom_home(systemd_tmpfiles_t)
  files_relabelto_home(systemd_tmpfiles_t)
  files_relabelto_etc_dirs(systemd_tmpfiles_t)
@@ -830,7 +1433,7 @@
  # for /etc/mtab
  files_manage_etc_symlinks(systemd_tmpfiles_t)
  
-@@ -1334,6 +1352,8 @@ auth_relabel_lastlog(systemd_tmpfiles_t)
+@@ -1334,6 +1371,8 @@ auth_relabel_lastlog(systemd_tmpfiles_t)
  auth_relabel_login_records(systemd_tmpfiles_t)
  auth_setattr_login_records(systemd_tmpfiles_t)
  
@@ -839,7 +1442,7 @@
  init_manage_utmp(systemd_tmpfiles_t)
  init_manage_var_lib_files(systemd_tmpfiles_t)
  # for /proc/1/environ
-@@ -1373,6 +1393,22 @@ tunable_policy(`systemd_tmpfiles_manage_
+@@ -1373,6 +1412,22 @@ tunable_policy(`systemd_tmpfiles_manage_
  	files_relabel_non_security_files(systemd_tmpfiles_t)
  ')
  
@@ -862,6 +1465,35 @@
  optional_policy(`
  	dbus_read_lib_files(systemd_tmpfiles_t)
  	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
+@@ -1493,6 +1548,9 @@ allow systemd_user_runtime_dir_t self:pr
+ 
+ domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
+ 
++allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
++allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
++
+ files_read_etc_files(systemd_user_runtime_dir_t)
+ 
+ fs_mount_tmpfs(systemd_user_runtime_dir_t)
+@@ -1511,6 +1569,18 @@ systemd_dbus_chat_logind(systemd_user_ru
+ seutil_read_file_contexts(systemd_user_runtime_dir_t)
+ seutil_libselinux_linked(systemd_user_runtime_dir_t)
+ 
++userdom_list_all_user_runtime(systemd_user_runtime_dir_t)
++userdom_delete_all_user_runtime_dirs(systemd_user_runtime_dir_t)
++userdom_delete_all_user_runtime_files(systemd_user_runtime_dir_t)
++userdom_delete_all_user_runtime_symlinks(systemd_user_runtime_dir_t)
++userdom_delete_all_user_runtime_named_pipes(systemd_user_runtime_dir_t)
++userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
++userdom_delete_all_user_runtime_blk_files(systemd_user_runtime_dir_t)
++userdom_delete_all_user_runtime_chr_files(systemd_user_runtime_dir_t)
++
++userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
++userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
++
+ userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
+ userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
+ userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
 Index: refpolicy-2.20210203/policy/modules/system/udev.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/udev.te
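Review bot: userdom_manage_user_tmp_dirs/userdom_manage_user_tmp_files for systemd_user_runtime_dir_t grant create and write access to all user tmp content, which is broader than the delete-only access the neighbouring userdom_delete_all_user_runtime_* calls give for runtime content; if the purpose is cleanup at session end, the delete-only interfaces (userdom_delete_user_tmp_dirs and friends) are the least-privilege choice, and a one-line comment on why manage is needed would help if it is.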
@@ -883,3 +1515,212 @@
  
  	term_search_ptys(udev_t)
  
+Index: refpolicy-2.20210203/policy/modules/services/dbus.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/dbus.if
++++ refpolicy-2.20210203/policy/modules/services/dbus.if
+@@ -63,6 +63,7 @@ template(`dbus_role_template',`
+ 		attribute session_bus_type;
+ 		type system_dbusd_t, dbusd_exec_t;
+ 		type session_dbusd_tmp_t, session_dbusd_home_t;
++		type session_dbusd_runtime_t;
+ 	')
+ 
+ 	##############################
+@@ -86,10 +87,13 @@ template(`dbus_role_template',`
+ 	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ 	allow $3 $1_dbusd_t:fd use;
+ 
++	dontaudit $1_dbusd_t self:process getcap;
++
+ 	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+ 
+ 	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ 	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
++	allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ 	userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+ 
+ 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+@@ -110,6 +114,8 @@ template(`dbus_role_template',`
+ 
+ 	optional_policy(`
+ 		systemd_read_logind_runtime_files($1_dbusd_t)
++		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
++		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
+ 	')
+ ')
+ 
+Index: refpolicy-2.20210203/policy/modules/system/init.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/init.if
++++ refpolicy-2.20210203/policy/modules/system/init.if
+@@ -3274,6 +3274,24 @@ interface(`init_list_unit_dirs',`
+ 
+ ########################################
+ ## <summary>
++##     Read systemd unit files
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`init_read_generic_units_files',`
++	gen_require(`
++		type systemd_unit_t;
++	')
++
++	allow $1 systemd_unit_t:file read_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read systemd unit links
+ ## </summary>
+ ## <param name="domain">
+@@ -3482,6 +3500,25 @@ interface(`init_manage_all_unit_files',`
+ 	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+ ')
+ 
++#########################################
++## <summary>
++##     Associate the specified domain to be a domain whose
++##     keyring init should be allowed to link.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain whose keyring init should be allowed to link.
++##     </summary>
++## </param>
++#
++interface(`init_linkable_keyring',`
++	gen_require(`
++		attribute init_linkable_keyring_type;
++	')
++
++	typeattribute $1 init_linkable_keyring_type;
++')
++
+ ########################################
+ ## <summary>
+ ##      Allow unconfined access to send instructions to init
+Index: refpolicy-2.20210203/policy/modules/system/mount.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/mount.if
++++ refpolicy-2.20210203/policy/modules/system/mount.if
+@@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
+ 
+ ########################################
+ ## <summary>
++##     Watch mount runtime files.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`mount_watch_runtime_files',`
++	gen_require(`
++		type mount_runtime_t;
++	')
++
++	allow $1 mount_runtime_t:file watch;
++')
++
++########################################
++## <summary>
++##     Watch reads on mount runtime files.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`mount_watch_reads_runtime_files',`
++	gen_require(`
++		type mount_runtime_t;
++	')
++
++	allow $1 mount_runtime_t:file watch_reads;
++')
++
++########################################
++## <summary>
+ ##     Getattr on mount_runtime_t files
+ ## </summary>
+ ## <param name="domain">
+@@ -241,6 +277,24 @@ interface(`mount_getattr_runtime_files',
+ ')
+ 
+ ########################################
++## <summary>
++##     Read mount runtime files.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`mount_read_runtime_files',`
++	gen_require(`
++		type mount_runtime_t;
++	')
++
++	read_files_pattern($1, mount_runtime_t, mount_runtime_t)
++')
++
++########################################
+ ## <summary>
+ ##	Read and write mount runtime files.
+ ## </summary>
+Index: refpolicy-2.20210203/policy/modules/system/userdomain.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/userdomain.if
++++ refpolicy-2.20210203/policy/modules/system/userdomain.if
+@@ -3614,6 +3614,42 @@ interface(`userdom_delete_all_user_runti
+ 
+ ########################################
+ ## <summary>
++##     delete user runtime blk files
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`userdom_delete_all_user_runtime_blk_files',`
++	gen_require(`
++		attribute user_runtime_content_type;
++	')
++
++	delete_blk_files_pattern($1, user_runtime_content_type, user_runtime_content_type)
++')
++
++########################################
++## <summary>
++##     delete user runtime chr files
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`userdom_delete_all_user_runtime_chr_files',`
++	gen_require(`
++		attribute user_runtime_content_type;
++	')
++
++	delete_chr_files_pattern($1, user_runtime_content_type, user_runtime_content_type)
++')
++
++########################################
++## <summary>
+ ##	Create objects in the pid directory
+ ##	with an automatic type transition to
+ ##	the user runtime root type.  (Deprecated)
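Review bot: init_linkable_keyring does gen_require on attribute init_linkable_keyring_type, but no declaration of that attribute and no rule letting init_t link keyrings carrying it appear in this hunk; confirm both are added to init.te in the same patch, otherwise the module will not build. Minor: the new interface summaries in init.if, mount.if and userdomain.if indent with spaces ("##     Read systemd unit files") while the surrounding ones use a tab, and the userdomain.if summaries ("delete user runtime blk files") drop the "all" that the interface names userdom_delete_all_user_runtime_blk_files and _chr_files carry.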
diff -Nru refpolicy-2.20210203/debian/patches/0002-strict refpolicy-2.20210203/debian/patches/0002-strict
--- refpolicy-2.20210203/debian/patches/0002-strict	2021-02-25 11:47:38.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0002-strict	2021-03-31 18:37:54.000000000 +1100
@@ -135,15 +135,15 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/dbus.if
 +++ refpolicy-2.20210203/policy/modules/services/dbus.if
-@@ -84,6 +84,7 @@ template(`dbus_role_template',`
+@@ -85,6 +85,7 @@ template(`dbus_role_template',`
  
  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
  	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
 +	allow $1_dbusd_t $3:dbus send_msg;
  	allow $3 $1_dbusd_t:fd use;
  
- 	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
-@@ -99,9 +100,13 @@ template(`dbus_role_template',`
+ 	dontaudit $1_dbusd_t self:process getcap;
+@@ -103,9 +104,13 @@ template(`dbus_role_template',`
  
  	allow $1_dbusd_t $3:process sigkill;
  
@@ -157,9 +157,9 @@
  	auth_use_nsswitch($1_dbusd_t)
  
  	ifdef(`hide_broken_symptoms',`
-@@ -111,6 +116,15 @@ template(`dbus_role_template',`
- 	optional_policy(`
- 		systemd_read_logind_runtime_files($1_dbusd_t)
+@@ -117,6 +122,15 @@ template(`dbus_role_template',`
+ 		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
+ 		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
  	')
 +
 +	optional_policy(`
@@ -202,7 +202,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -63,10 +63,6 @@ type systemd_activate_t;
+@@ -65,10 +65,6 @@ type systemd_activate_t;
  type systemd_activate_exec_t;
  init_system_domain(systemd_activate_t, systemd_activate_exec_t)
  
@@ -213,7 +213,7 @@
  type systemd_backlight_t;
  type systemd_backlight_exec_t;
  init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
-@@ -1410,6 +1406,7 @@ tunable_policy(`systemd_tmpfilesd_factor
+@@ -1426,6 +1422,7 @@ tunable_policy(`systemd_tmpfilesd_factor
  ')
  
  optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0009-misc-kernel-system refpolicy-2.20210203/debian/patches/0009-misc-kernel-system
--- refpolicy-2.20210203/debian/patches/0009-misc-kernel-system	2021-02-17 13:40:50.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0009-misc-kernel-system	2021-04-06 13:30:16.000000000 +1000
@@ -198,7 +198,7 @@
  ##	Create files in /var/run with the
  ##	utmp file type.
  ## </summary>
-@@ -3483,6 +3501,24 @@ interface(`init_manage_all_unit_files',`
+@@ -3520,6 +3538,24 @@ interface(`init_linkable_keyring',`
  ')
  
  ########################################
@@ -227,7 +227,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/init.te
 +++ refpolicy-2.20210203/policy/modules/system/init.te
-@@ -1052,6 +1052,7 @@ ifdef(`init_systemd',`
+@@ -1056,6 +1056,7 @@ ifdef(`init_systemd',`
  	init_get_all_units_status(initrc_t)
  	init_manage_var_lib_files(initrc_t)
  	init_rw_stream_sockets(initrc_t)
@@ -244,7 +244,7 @@
  	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
  	allow syslogd_t self:capability2 audit_read;
 -	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-+	allow syslogd_t self:capability { chown dac_read_search setgid setuid sys_ptrace audit_control };
++	allow syslogd_t self:capability { chown setgid setuid sys_ptrace audit_control };
 +	allow syslogd_t self:cap_userns sys_ptrace;
  	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
  
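Review bot: this hunk removes dac_read_search from syslogd_t's capability set ("chown setgid setuid sys_ptrace audit_control" replaces the previous set that included it), which is a tightening rather than one of the additive fixes the unblock request lists; if it is intentional, say so in the changelog so the release team can see a permission was withdrawn, and if it is an accidental revert it should be restored.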
@@ -373,7 +373,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -370,10 +370,11 @@ ifdef(`enable_mls',`
+@@ -389,10 +389,11 @@ ifdef(`enable_mls',`
  #
  
  allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
@@ -386,7 +386,7 @@
  
  kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
  kernel_read_kernel_sysctls(systemd_coredump_t)
-@@ -391,6 +392,7 @@ files_read_etc_files(systemd_coredump_t)
+@@ -410,6 +411,7 @@ files_read_etc_files(systemd_coredump_t)
  files_search_var_lib(systemd_coredump_t)
  
  fs_getattr_xattr_fs(systemd_coredump_t)
@@ -394,7 +394,7 @@
  
  selinux_getattr_fs(systemd_coredump_t)
  
-@@ -412,6 +414,8 @@ allow systemd_generator_t self:fifo_file
+@@ -431,6 +433,8 @@ allow systemd_generator_t self:fifo_file
  allow systemd_generator_t self:capability dac_override;
  allow systemd_generator_t self:process setfscreate;
  
@@ -403,7 +403,7 @@
  corecmd_getattr_bin_files(systemd_generator_t)
  
  dev_read_sysfs(systemd_generator_t)
-@@ -422,6 +426,7 @@ files_read_etc_files(systemd_generator_t
+@@ -441,6 +445,7 @@ files_read_etc_files(systemd_generator_t
  files_search_runtime(systemd_generator_t)
  files_list_boot(systemd_generator_t)
  files_read_boot_files(systemd_generator_t)
@@ -411,7 +411,7 @@
  files_search_all_mountpoints(systemd_generator_t)
  files_list_usr(systemd_generator_t)
  
-@@ -429,6 +434,8 @@ fs_list_efivars(systemd_generator_t)
+@@ -448,6 +453,8 @@ fs_list_efivars(systemd_generator_t)
  fs_getattr_xattr_fs(systemd_generator_t)
  
  init_create_runtime_files(systemd_generator_t)
@@ -420,7 +420,7 @@
  init_manage_runtime_dirs(systemd_generator_t)
  init_manage_runtime_symlinks(systemd_generator_t)
  init_read_runtime_files(systemd_generator_t)
-@@ -646,6 +653,7 @@ init_start_all_units(systemd_logind_t)
+@@ -665,6 +672,7 @@ init_start_all_units(systemd_logind_t)
  init_stop_all_units(systemd_logind_t)
  init_start_system(systemd_logind_t)
  init_stop_system(systemd_logind_t)
@@ -428,7 +428,7 @@
  
  locallogin_read_state(systemd_logind_t)
  
-@@ -909,6 +917,9 @@ allow systemd_nspawn_t self:capability {
+@@ -928,6 +936,9 @@ allow systemd_nspawn_t self:capability {
  allow systemd_nspawn_t self:capability2 wake_alarm;
  allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
  allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
@@ -438,7 +438,7 @@
  
  allow systemd_nspawn_t systemd_journal_t:dir search;
  
-@@ -945,6 +956,9 @@ dev_getattr_fs(systemd_nspawn_t)
+@@ -964,6 +975,9 @@ dev_getattr_fs(systemd_nspawn_t)
  dev_manage_sysfs_dirs(systemd_nspawn_t)
  dev_mounton_sysfs_dirs(systemd_nspawn_t)
  dev_mount_sysfs(systemd_nspawn_t)
@@ -448,7 +448,7 @@
  dev_read_rand(systemd_nspawn_t)
  dev_read_urand(systemd_nspawn_t)
  
-@@ -957,6 +971,7 @@ files_mounton_tmp(systemd_nspawn_t)
+@@ -976,6 +990,7 @@ files_mounton_tmp(systemd_nspawn_t)
  files_read_kernel_symbol_table(systemd_nspawn_t)
  files_setattr_runtime_dirs(systemd_nspawn_t)
  
@@ -456,7 +456,7 @@
  fs_getattr_tmpfs(systemd_nspawn_t)
  fs_manage_tmpfs_chr_files(systemd_nspawn_t)
  fs_mount_tmpfs(systemd_nspawn_t)
-@@ -980,6 +995,7 @@ init_write_runtime_socket(systemd_nspawn
+@@ -999,6 +1014,7 @@ init_write_runtime_socket(systemd_nspawn
  init_spec_domtrans_script(systemd_nspawn_t)
  
  miscfiles_manage_localization(systemd_nspawn_t)
@@ -464,7 +464,7 @@
  
  # for writing inside chroot
  sysnet_manage_config(systemd_nspawn_t)
-@@ -996,8 +1012,14 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1015,8 +1031,14 @@ tunable_policy(`systemd_nspawn_labeled_n
  	# manage etc symlinks for /etc/localtime
  	files_manage_etc_symlinks(systemd_nspawn_t)
  	files_mounton_runtime_dirs(systemd_nspawn_t)
@@ -479,7 +479,7 @@
  	fs_getattr_cgroup(systemd_nspawn_t)
  	fs_manage_cgroup_dirs(systemd_nspawn_t)
  	fs_manage_tmpfs_dirs(systemd_nspawn_t)
-@@ -1015,6 +1037,7 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1034,6 +1056,7 @@ tunable_policy(`systemd_nspawn_labeled_n
  	selinux_getattr_fs(systemd_nspawn_t)
  	selinux_remount_fs(systemd_nspawn_t)
  	selinux_search_fs(systemd_nspawn_t)
@@ -487,7 +487,7 @@
  
  	init_domtrans(systemd_nspawn_t)
  
-@@ -1042,7 +1065,7 @@ optional_policy(`
+@@ -1061,7 +1084,7 @@ optional_policy(`
  # systemd_passwd_agent_t local policy
  #
  
@@ -496,7 +496,7 @@
  allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
  allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
  
-@@ -1053,14 +1076,19 @@ manage_sock_files_pattern(systemd_passwd
+@@ -1072,14 +1095,19 @@ manage_sock_files_pattern(systemd_passwd
  manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
  init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
  
@@ -516,7 +516,7 @@
  files_read_etc_files(systemd_passwd_agent_t)
  
  fs_getattr_xattr_fs(systemd_passwd_agent_t)
-@@ -1069,6 +1097,7 @@ selinux_get_enforce_mode(systemd_passwd_
+@@ -1088,6 +1116,7 @@ selinux_get_enforce_mode(systemd_passwd_
  selinux_getattr_fs(systemd_passwd_agent_t)
  
  term_read_console(systemd_passwd_agent_t)
@@ -524,7 +524,7 @@
  
  auth_use_nsswitch(systemd_passwd_agent_t)
  
-@@ -1127,7 +1156,7 @@ logging_send_syslog_msg(systemd_pstore_t
+@@ -1146,7 +1175,7 @@ logging_send_syslog_msg(systemd_pstore_t
  # Rfkill local policy
  #
  
@@ -533,7 +533,7 @@
  
  manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
  manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
-@@ -1294,6 +1323,8 @@ allow systemd_tmpfiles_t systemd_tmpfile
+@@ -1313,6 +1342,8 @@ allow systemd_tmpfiles_t systemd_tmpfile
  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
  
@@ -542,9 +542,9 @@
  kernel_getattr_proc(systemd_tmpfiles_t)
  kernel_read_kernel_sysctls(systemd_tmpfiles_t)
  kernel_read_network_state(systemd_tmpfiles_t)
-@@ -1544,6 +1575,8 @@ systemd_dbus_chat_logind(systemd_user_ru
- seutil_read_file_contexts(systemd_user_runtime_dir_t)
- seutil_libselinux_linked(systemd_user_runtime_dir_t)
+@@ -1578,6 +1609,8 @@ userdom_delete_all_user_runtime_chr_file
+ userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
+ userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
  
 +userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
 +userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
@@ -642,3 +642,20 @@
  ')
  
  ########################################
+Index: refpolicy-2.20210203/policy/modules/kernel/corenetwork.if.in
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/corenetwork.if.in
++++ refpolicy-2.20210203/policy/modules/kernel/corenetwork.if.in
+@@ -1422,10 +1422,10 @@ interface(`corenet_udp_bind_generic_port
+ #
+ interface(`corenet_tcp_connect_generic_port',`
+ 	gen_require(`
+-		type port_t;
++		type port_t, unreserved_port_t;
+ 	')
+ 
+-	allow $1 port_t:tcp_socket name_connect;
++	allow $1 { port_t unreserved_port_t }:tcp_socket name_connect;
+ ')
+ 
+ ########################################
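Review bot: changing corenet_tcp_connect_generic_port to allow name_connect on { port_t unreserved_port_t } widens every existing caller of this interface to every unreserved TCP port, not just the one caller that needed it; the narrower fix is to leave this interface alone and add corenet_tcp_connect_all_unreserved_ports to the specific domain that needs it. If the widening is kept, the interface's summary comment (not shown in the hunk) must be updated to say it now covers unreserved ports as well.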
diff -Nru refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system
--- refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system	2021-02-17 13:40:52.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0010-difficult-kernel-system	2021-03-31 18:07:21.000000000 +1100
@@ -26,7 +26,7 @@
 +
  ########################################
  ## <summary>
- ##	Read systemd unit links
+ ##     Read systemd unit files
 Index: refpolicy-2.20210203/policy/modules/system/locallogin.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te
@@ -45,7 +45,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -655,6 +655,9 @@ init_start_system(systemd_logind_t)
+@@ -671,6 +671,9 @@ init_start_system(systemd_logind_t)
  init_stop_system(systemd_logind_t)
  init_watch_utmp(systemd_logind_t)
  
@@ -59,7 +59,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
 +++ refpolicy-2.20210203/policy/modules/system/systemd.if
-@@ -19,17 +19,13 @@
+@@ -19,11 +19,6 @@
  ##	The user domain for the role.
  ##	</summary>
  ## </param>
@@ -71,25 +71,36 @@
  #
  template(`systemd_role_template',`
  	gen_require(`
- 		attribute systemd_user_session_type, systemd_log_parse_env_type;
+@@ -33,6 +28,7 @@ template(`systemd_role_template',`
+ 		type systemd_conf_home_t, systemd_data_home_t;
  		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
--		type systemd_run_exec_t, systemd_analyze_exec_t;
-+		type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t;
-+		type systemd_machined_t;
+ 		type systemd_user_unit_t, systemd_user_runtime_unit_t;
++		type systemd_machined_t, user_devpts_t;
  	')
  
  	#################################
-@@ -61,6 +57,7 @@ template(`systemd_role_template',`
- 	allow $1_systemd_t $3:process { setsched rlimitinh };
+@@ -59,6 +55,7 @@ template(`systemd_role_template',`
+ 	allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
  	corecmd_shell_domtrans($1_systemd_t, $3)
  	corecmd_bin_domtrans($1_systemd_t, $3)
 +	corecmd_shell_entry_type($1_systemd_t)
- 	allow $1_systemd_t self:process signal;
  
- 	files_search_home($1_systemd_t)
-@@ -69,6 +66,12 @@ template(`systemd_role_template',`
- 	allow $3 $1_systemd_t:fd use;
- 	allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
+ 	# systemctl --user rules
+ 	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
+@@ -110,6 +107,10 @@ template(`systemd_role_template',`
+ 	seutil_search_default_contexts($1_systemd_t)
+ 	seutil_read_file_contexts($1_systemd_t)
+ 
++	# for machinectl shell
++	term_user_pty($1_systemd_t, user_devpts_t)
++	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
++
+ 	systemd_manage_conf_home_content($1_systemd_t)
+ 	systemd_manage_data_home_content($1_systemd_t)
+ 
+@@ -137,6 +138,12 @@ template(`systemd_role_template',`
+ 	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ 	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
  
 +	# for "machinectl shell"
 +	allow $1_systemd_t systemd_machined_t:fd use;
@@ -97,17 +108,6 @@
 +	allow $3 systemd_machined_t:dbus send_msg;
 +	allow systemd_machined_t $3:dbus send_msg;
 +
- 	# systemctl --user
- 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
- 
-@@ -80,6 +83,10 @@ template(`systemd_role_template',`
- 
- 	seutil_read_file_contexts($1_systemd_t)
- 	seutil_search_default_contexts($1_systemd_t)
-+
-+	# for machinectl shell
-+	term_user_pty($1_systemd_t, user_devpts_t)
-+	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
- ')
+ 	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
  
- ######################################
+ 	allow $3 systemd_user_unit_t:service { reload start status stop };
diff -Nru refpolicy-2.20210203/debian/patches/0015-cron-trivial refpolicy-2.20210203/debian/patches/0015-cron-trivial
--- refpolicy-2.20210203/debian/patches/0015-cron-trivial	2021-02-17 13:40:59.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0015-cron-trivial	2021-03-31 18:07:25.000000000 +1100
@@ -231,7 +231,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/init.if
 +++ refpolicy-2.20210203/policy/modules/system/init.if
-@@ -3585,3 +3585,21 @@ interface(`init_getrlimit',`
+@@ -3622,3 +3622,21 @@ interface(`init_getrlimit',`
  
  	allow $1 init_t:process getrlimit;
  ')
diff -Nru refpolicy-2.20210203/debian/patches/0025-systemd refpolicy-2.20210203/debian/patches/0025-systemd
--- refpolicy-2.20210203/debian/patches/0025-systemd	2021-03-05 12:56:18.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0025-systemd	2021-04-06 13:58:55.000000000 +1000
@@ -2,16 +2,27 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
 +++ refpolicy-2.20210203/policy/modules/system/systemd.if
-@@ -84,6 +84,8 @@ template(`systemd_role_template',`
- 	seutil_read_file_contexts($1_systemd_t)
+@@ -107,6 +107,8 @@ template(`systemd_role_template',`
  	seutil_search_default_contexts($1_systemd_t)
+ 	seutil_read_file_contexts($1_systemd_t)
  
 +	userdom_search_user_home_dirs($1_systemd_t)
 +
  	# for machinectl shell
  	term_user_pty($1_systemd_t, user_devpts_t)
  	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
-@@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
+@@ -172,6 +174,10 @@ template(`systemd_role_template',`
+ 	systemd_stop_user_runtime_units($3)
+ 
+ 	optional_policy(`
++		dirmngr_tmp_dir_search($1_systemd_t)
++	')
++
++	optional_policy(`
+ 	        xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
+ 	        xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
+ 	        xdg_read_config_files($1_systemd_t)
+@@ -719,6 +725,24 @@ interface(`systemd_write_logind_runtime_
  
  ######################################
  ## <summary>
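Review bot: the new dirmngr_tmp_dir_search($1_systemd_t) call carries no comment explaining why a user's systemd instance needs to search dirmngr's tmp directory, while the nearby rules in this template do ("# for machinectl shell"); add a short reason so the rule can be revisited later.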
@@ -36,7 +47,7 @@
  ##   Use inherited systemd
  ##   logind file descriptors.
  ## </summary>
-@@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
+@@ -779,6 +803,24 @@ interface(`systemd_write_inherited_login
  
  ######################################
  ## <summary>
@@ -61,7 +72,7 @@
  ##      Write inherited logind inhibit pipes.
  ## </summary>
  ## <param name="domain">
-@@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
+@@ -951,6 +993,24 @@ interface(`systemd_connect_machined',`
  
  ########################################
  ## <summary>
@@ -86,7 +97,7 @@
  ##   Send and receive messages from
  ##   systemd hostnamed over dbus.
  ## </summary>
-@@ -674,6 +730,24 @@ interface(`systemd_manage_passwd_runtime
+@@ -1097,6 +1157,24 @@ interface(`systemd_manage_passwd_runtime
  
  ########################################
  ## <summary>
@@ -111,7 +122,7 @@
  ##      manage systemd unit dirs and the files in them  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -1360,3 +1434,63 @@ interface(`systemd_use_inherited_machine
+@@ -1801,3 +1879,63 @@ interface(`systemd_use_inherited_machine
  	allow $1 systemd_machined_t:fd use;
  	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
  ')
@@ -179,7 +190,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -140,6 +140,7 @@ type systemd_logind_t;
+@@ -142,6 +142,7 @@ type systemd_logind_t;
  type systemd_logind_exec_t;
  init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
  init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
@@ -187,7 +198,7 @@
  
  type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
  files_runtime_file(systemd_logind_inhibit_runtime_t)
-@@ -189,6 +190,9 @@ type systemd_nspawn_exec_t;
+@@ -191,6 +192,9 @@ type systemd_nspawn_exec_t;
  init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
  mcs_killall(systemd_nspawn_t)
  
@@ -197,7 +208,19 @@
  type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
  files_runtime_file(systemd_nspawn_runtime_t)
  
-@@ -307,6 +311,8 @@ allow systemd_backlight_t systemd_backli
+@@ -283,7 +287,10 @@ optional_policy(`
+ ')
+ 
+ type systemd_data_home_t;
+-xdg_data_content(systemd_data_home_t)
++
++optional_policy(`
++	xdg_data_content(systemd_data_home_t)
++')
+ 
+ type systemd_user_runtime_notify_t;
+ userdom_user_runtime_content(systemd_user_runtime_notify_t)
+@@ -326,6 +333,8 @@ allow systemd_backlight_t systemd_backli
  init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
  manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
  
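Review bot: wrapping xdg_data_content(systemd_data_home_t) in optional_policy is the right fix, since xdg is an optional module and systemd.te must not hard-depend on it, but the unwrapped call is introduced by an earlier patch in this same series; folding the optional_policy into that patch would avoid a series that introduces a build dependency and then removes it.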
@@ -206,7 +229,7 @@
  systemd_log_parse_environment(systemd_backlight_t)
  
  # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
-@@ -370,28 +376,37 @@ ifdef(`enable_mls',`
+@@ -389,28 +398,37 @@ ifdef(`enable_mls',`
  #
  
  allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
@@ -245,7 +268,7 @@
  fs_search_tmpfs(systemd_coredump_t)
  
  selinux_getattr_fs(systemd_coredump_t)
-@@ -405,6 +420,7 @@ logging_send_syslog_msg(systemd_coredump
+@@ -424,6 +442,7 @@ logging_send_syslog_msg(systemd_coredump
  
  seutil_search_default_contexts(systemd_coredump_t)
  
@@ -253,7 +276,7 @@
  #######################################
  #
  # Systemd generator local policy
-@@ -414,14 +430,29 @@ allow systemd_generator_t self:fifo_file
+@@ -433,14 +452,29 @@ allow systemd_generator_t self:fifo_file
  allow systemd_generator_t self:capability dac_override;
  allow systemd_generator_t self:process setfscreate;
  
@@ -284,7 +307,7 @@
  files_read_etc_files(systemd_generator_t)
  files_search_runtime(systemd_generator_t)
  files_list_boot(systemd_generator_t)
-@@ -429,9 +460,14 @@ files_read_boot_files(systemd_generator_
+@@ -448,9 +482,14 @@ files_read_boot_files(systemd_generator_
  files_read_config_files(systemd_generator_t)
  files_search_all_mountpoints(systemd_generator_t)
  files_list_usr(systemd_generator_t)
@@ -300,7 +323,7 @@
  
  init_create_runtime_files(systemd_generator_t)
  init_read_all_script_files(systemd_generator_t)
-@@ -448,9 +484,10 @@ init_list_unit_dirs(systemd_generator_t)
+@@ -467,9 +506,10 @@ init_list_unit_dirs(systemd_generator_t)
  init_read_generic_units_symlinks(systemd_generator_t)
  init_read_script_files(systemd_generator_t)
  
@@ -314,7 +337,7 @@
  
  storage_raw_read_fixed_disk(systemd_generator_t)
  
-@@ -462,6 +499,8 @@ ifdef(`distro_gentoo',`
+@@ -481,6 +521,8 @@ ifdef(`distro_gentoo',`
  	corecmd_shell_entry_type(systemd_generator_t)
  ')
  
@@ -323,7 +346,7 @@
  optional_policy(`
  	fstools_exec(systemd_generator_t)
  ')
-@@ -473,6 +512,21 @@ optional_policy(`
+@@ -492,6 +534,21 @@ optional_policy(`
  	miscfiles_read_localization(systemd_generator_t)
  ')
  
@@ -345,7 +368,7 @@
  #######################################
  #
  # Hostnamed policy
-@@ -505,6 +559,10 @@ optional_policy(`
+@@ -524,6 +581,10 @@ optional_policy(`
  	networkmanager_dbus_chat(systemd_hostnamed_t)
  ')
  
@@ -356,7 +379,7 @@
  #########################################
  #
  # hw local policy
-@@ -573,6 +631,7 @@ logging_send_syslog_msg(systemd_log_pars
+@@ -592,6 +653,7 @@ logging_send_syslog_msg(systemd_log_pars
  #
  
  allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
@@ -364,7 +387,7 @@
  allow systemd_logind_t self:process { getcap setfscreate };
  allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
-@@ -618,11 +677,13 @@ dev_setattr_video_dev(systemd_logind_t)
+@@ -637,11 +699,13 @@ dev_setattr_video_dev(systemd_logind_t)
  
  domain_obj_id_change_exemption(systemd_logind_t)
  
@@ -378,7 +401,7 @@
  fs_list_tmpfs(systemd_logind_t)
  fs_mount_tmpfs(systemd_logind_t)
  fs_read_cgroup_files(systemd_logind_t)
-@@ -653,6 +714,7 @@ init_start_all_units(systemd_logind_t)
+@@ -672,6 +736,7 @@ init_start_all_units(systemd_logind_t)
  init_stop_all_units(systemd_logind_t)
  init_start_system(systemd_logind_t)
  init_stop_system(systemd_logind_t)
@@ -386,7 +409,7 @@
  init_watch_utmp(systemd_logind_t)
  
  # for /run/systemd/transient/*
-@@ -717,6 +779,11 @@ optional_policy(`
+@@ -736,6 +801,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -398,7 +421,7 @@
  	devicekit_dbus_chat_disk(systemd_logind_t)
  	devicekit_dbus_chat_power(systemd_logind_t)
  ')
-@@ -759,6 +826,9 @@ allow systemd_machined_t systemd_machine
+@@ -778,6 +848,9 @@ allow systemd_machined_t systemd_machine
  manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
  allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
  
@@ -408,7 +431,7 @@
  kernel_read_kernel_sysctls(systemd_machined_t)
  kernel_read_system_state(systemd_machined_t)
  
-@@ -875,6 +945,10 @@ sysnet_read_config(systemd_networkd_t)
+@@ -894,6 +967,10 @@ sysnet_read_config(systemd_networkd_t)
  systemd_log_parse_environment(systemd_networkd_t)
  
  optional_policy(`
@@ -419,7 +442,7 @@
  	dbus_system_bus_client(systemd_networkd_t)
  	dbus_connect_system_bus(systemd_networkd_t)
  	dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
-@@ -915,7 +989,7 @@ miscfiles_read_localization(systemd_noti
+@@ -934,7 +1011,7 @@ miscfiles_read_localization(systemd_noti
  # Nspawn local policy
  #
  
@@ -428,7 +451,7 @@
  allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
  allow systemd_nspawn_t self:capability2 wake_alarm;
  allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
-@@ -941,14 +1015,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
+@@ -960,14 +1037,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
  # for /run/systemd/nspawn/incoming in chroot
  allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
  
@@ -458,7 +481,7 @@
  
  corecmd_exec_shell(systemd_nspawn_t)
  corecmd_search_bin(systemd_nspawn_t)
-@@ -965,6 +1054,7 @@ dev_read_sysfs(systemd_nspawn_t)
+@@ -984,6 +1076,7 @@ dev_read_sysfs(systemd_nspawn_t)
  dev_read_rand(systemd_nspawn_t)
  dev_read_urand(systemd_nspawn_t)
  
@@ -466,7 +489,7 @@
  files_getattr_tmp_dirs(systemd_nspawn_t)
  files_manage_etc_files(systemd_nspawn_t)
  files_manage_mnt_dirs(systemd_nspawn_t)
-@@ -976,11 +1066,17 @@ files_setattr_runtime_dirs(systemd_nspaw
+@@ -995,11 +1088,17 @@ files_setattr_runtime_dirs(systemd_nspaw
  
  fs_getattr_cgroup(systemd_nspawn_t)
  fs_getattr_tmpfs(systemd_nspawn_t)
@@ -485,7 +508,7 @@
  
  term_getattr_generic_ptys(systemd_nspawn_t)
  term_getattr_pty_fs(systemd_nspawn_t)
-@@ -988,6 +1084,7 @@ term_mount_devpts(systemd_nspawn_t)
+@@ -1007,6 +1106,7 @@ term_mount_devpts(systemd_nspawn_t)
  term_search_ptys(systemd_nspawn_t)
  term_setattr_generic_ptys(systemd_nspawn_t)
  term_use_ptmx(systemd_nspawn_t)
@@ -493,7 +516,7 @@
  
  init_domtrans_script(systemd_nspawn_t)
  init_getrlimit(systemd_nspawn_t)
-@@ -998,8 +1095,12 @@ init_write_runtime_socket(systemd_nspawn
+@@ -1017,8 +1117,12 @@ init_write_runtime_socket(systemd_nspawn
  init_spec_domtrans_script(systemd_nspawn_t)
  
  miscfiles_manage_localization(systemd_nspawn_t)
@@ -506,7 +529,7 @@
  # for writing inside chroot
  sysnet_manage_config(systemd_nspawn_t)
  
-@@ -1022,11 +1123,13 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1041,11 +1145,13 @@ tunable_policy(`systemd_nspawn_labeled_n
  	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
  	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
  	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
@@ -520,7 +543,7 @@
  	fs_manage_tmpfs_symlinks(systemd_nspawn_t)
  	fs_mount_cgroup(systemd_nspawn_t)
  	fs_mounton_cgroup(systemd_nspawn_t)
-@@ -1044,8 +1147,11 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1063,8 +1169,11 @@ tunable_policy(`systemd_nspawn_labeled_n
  
  	init_domtrans(systemd_nspawn_t)
  
@@ -532,7 +555,7 @@
  	seutil_search_default_contexts(systemd_nspawn_t)
  ')
  
-@@ -1072,7 +1178,7 @@ allow systemd_passwd_agent_t self:capabi
+@@ -1091,7 +1200,7 @@ allow systemd_passwd_agent_t self:capabi
  allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
  allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
  
@@ -541,7 +564,7 @@
  manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
  manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
  manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
-@@ -1082,6 +1188,7 @@ init_runtime_filetrans(systemd_passwd_ag
+@@ -1101,6 +1210,7 @@ init_runtime_filetrans(systemd_passwd_ag
  can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
  
  kernel_read_system_state(systemd_passwd_agent_t)
@@ -549,7 +572,7 @@
  kernel_stream_connect(systemd_passwd_agent_t)
  
  dev_create_generic_dirs(systemd_passwd_agent_t)
-@@ -1108,6 +1215,7 @@ init_create_runtime_dirs(systemd_passwd_
+@@ -1127,6 +1237,7 @@ init_create_runtime_dirs(systemd_passwd_
  init_read_runtime_pipes(systemd_passwd_agent_t)
  init_read_state(systemd_passwd_agent_t)
  init_read_utmp(systemd_passwd_agent_t)
@@ -557,7 +580,7 @@
  init_stream_connect(systemd_passwd_agent_t)
  
  logging_send_syslog_msg(systemd_passwd_agent_t)
-@@ -1369,6 +1477,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+@@ -1388,6 +1499,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
  fs_getattr_xattr_fs(systemd_tmpfiles_t)
  fs_list_tmpfs(systemd_tmpfiles_t)
  fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
@@ -565,36 +588,37 @@
  
  selinux_get_fs_mount(systemd_tmpfiles_t)
  selinux_use_status_page(systemd_tmpfiles_t)
-@@ -1440,6 +1549,10 @@ tunable_policy(`systemd_tmpfilesd_factor
+@@ -1459,6 +1571,11 @@ tunable_policy(`systemd_tmpfilesd_factor
  ')
  
  optional_policy(`
 +	colord_read_lib_files(systemd_tmpfiles_t)
++	colord_relabel_lib(systemd_tmpfiles_t)
 +')
 +
 +optional_policy(`
  	dbus_manage_lib_files(systemd_tmpfiles_t)
  	dbus_read_lib_files(systemd_tmpfiles_t)
  	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
-@@ -1555,11 +1668,15 @@ seutil_libselinux_linked(systemd_user_se
+@@ -1574,13 +1691,15 @@ seutil_libselinux_linked(systemd_user_se
  # systemd-user-runtime-dir local policy
  #
  
 -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
-+allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };
++allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override mknod };
  allow systemd_user_runtime_dir_t self:process setfscreate;
  
  domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
  
-+allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file manage_file_perms;
 +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
 +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
-+
+ 
  files_read_etc_files(systemd_user_runtime_dir_t)
  
- fs_mount_tmpfs(systemd_user_runtime_dir_t)
-@@ -1579,7 +1696,10 @@ seutil_read_file_contexts(systemd_user_r
- seutil_libselinux_linked(systemd_user_runtime_dir_t)
+@@ -1613,7 +1732,10 @@ userdom_manage_user_tmp_dirs(systemd_use
+ userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
  
  userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
 +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
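Review bot: the rewritten capability line for systemd_user_runtime_dir_t adds `mknod` without a comment naming the operation that needs it; the only new object rules in this hunk are `sock_file unlink` on systemd_user_runtime_t and systemd_user_runtime_notify_t, which do not require mknod, so either add a `# for ...` comment pointing at the create that triggers it or drop the capability. The new line does correctly remove the duplicate `dac_override` that the previous version of the patch carried, and the `colord_relabel_lib(systemd_tmpfiles_t)` call in the same hunk relies on the interface added further down in this file, so the two changes must ship together.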
@@ -604,7 +628,7 @@
  userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
  userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
  userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
-@@ -1589,3 +1709,11 @@ userdom_relabelto_user_runtime_dirs(syst
+@@ -1623,3 +1745,15 @@ userdom_relabelto_user_runtime_dirs(syst
  optional_policy(`
      dbus_system_bus_client(systemd_user_runtime_dir_t)
  ')
@@ -616,6 +640,10 @@
 +optional_policy(`
 +	gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t)
 +')
++
++optional_policy(`
++	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
++')
 Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
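Review bot: `userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)` is not defined in any hunk visible in this debdiff, and an undefined interface is a build failure rather than a silent no-op; the userdomain.if hunk in 0027-services further down only shifts line numbers for an 18-line interface whose name is not shown, so confirm that is the definition. The `optional_policy` wrapper is also unnecessary for a userdom_* interface, since userdomain is a base module that is always present, and a `# for ...` comment saying which sockets systemd-user-runtime-dir removes at logout would make the broad "all user runtime named sockets" grant easier to justify.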
@@ -795,6 +823,31 @@
  ########################################
  ## <summary>
  ##	Execute dirmngr in the dirmngr domain.
+@@ -95,6 +113,24 @@ interface(`dirmngr_stream_connect',`
+ ')
+ 
+ ########################################
++## <summary>
++##	Search dirmngr_tmp_t dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dirmngr_tmp_dir_search',`
++	gen_require(`
++		type dirmngr_tmp_t;
++	')
++
++	allow $1 dirmngr_tmp_t:dir search_dir_perms;
++')
++
++########################################
+ ## <summary>
+ ##	All of the rules required to
+ ##	administrate an dirmngr environment.
 Index: refpolicy-2.20210203/policy/modules/system/logging.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/logging.te
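Review bot: the new interface name `dirmngr_tmp_dir_search` does not follow the `<module>_<verb>_<object>` pattern the rest of this diff uses (`colord_read_lib_files`, `mount_watch_runtime_files`); `dirmngr_search_tmp_dirs` would match. The summary `Search dirmngr_tmp_t dirs` should be a sentence ending in a period that names the object rather than the type, e.g. `Search dirmngr temporary directories.`, and the body should probably also call `files_search_tmp($1)` so a caller can actually reach the directory under /tmp, in the same way `colord_read_lib_files` calls `files_search_var_lib($1)`.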
@@ -806,4 +859,31 @@
 +	systemd_search_user_runtime(syslogd_t)
  
  	udev_read_runtime_files(syslogd_t)
+ 
+Index: refpolicy-2.20210203/policy/modules/services/colord.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/colord.if
++++ refpolicy-2.20210203/policy/modules/services/colord.if
+@@ -58,3 +58,22 @@ interface(`colord_read_lib_files',`
+ 	files_search_var_lib($1)
+ 	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
  ')
++
++######################################
++## <summary>
++##	relabel colord lib files and dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`colord_relabel_lib',`
++	gen_require(`
++		type colord_var_lib_t;
++	')
++
++	allow $1 colord_var_lib_t:dir { list_dir_perms relabelfrom relabelto };
++	allow $1 colord_var_lib_t:file { relabelfrom relabelto };
++')
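Review bot: the summary `relabel colord lib files and dirs.` should be capitalised like the other interface summaries (`Relabel colord lib files and directories.`), and the separator line above it is 38 `#` characters where the surrounding interfaces use 40. On substance, `colord_relabel_lib` grants relabelfrom/relabelto on dir and file only; if anything under /var/lib/colord is a symlink, systemd-tmpfiles will still be denied on it, so consider adding `allow $1 colord_var_lib_t:lnk_file { relabelfrom relabelto };`. Unlike `colord_read_lib_files` directly above, it also omits `files_search_var_lib($1)`, which only works because systemd_tmpfiles_t already has that access; other callers would not.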
diff -Nru refpolicy-2.20210203/debian/patches/0026-mailman refpolicy-2.20210203/debian/patches/0026-mailman
--- refpolicy-2.20210203/debian/patches/0026-mailman	2021-03-03 18:09:00.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0026-mailman	2021-04-06 13:26:16.000000000 +1000
@@ -101,13 +101,16 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/mailman.te
 +++ refpolicy-2.20210203/policy/modules/services/mailman.te
-@@ -26,11 +26,15 @@ files_lock_file(mailman_lock_t)
+@@ -26,11 +26,18 @@ files_lock_file(mailman_lock_t)
  type mailman_runtime_t alias mailman_var_run_t;
  files_runtime_file(mailman_runtime_t)
  
 +type mailman_cgi_tmpfs_t;
 +files_tmpfs_file(mailman_cgi_tmpfs_t)
 +
++type mailman_queue_tmpfs_t;
++files_tmpfs_file(mailman_queue_tmpfs_t)
++
  mailman_domain_template(mail)
  init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
  role mailman_roles types mailman_mail_t;
@@ -117,7 +120,7 @@
  
  ########################################
  #
-@@ -89,13 +93,16 @@ miscfiles_read_localization(mailman_doma
+@@ -89,13 +96,16 @@ miscfiles_read_localization(mailman_doma
  # CGI local policy
  #
  
@@ -136,7 +139,7 @@
  allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
  
  allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
-@@ -104,25 +111,40 @@ allow mailman_cgi_t mailman_lock_t:file
+@@ -104,25 +114,40 @@ allow mailman_cgi_t mailman_lock_t:file
  allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
  allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
  
@@ -178,7 +181,7 @@
  optional_policy(`
  	apache_sigchld(mailman_cgi_t)
  	apache_use_fds(mailman_cgi_t)
-@@ -133,6 +155,15 @@ optional_policy(`
+@@ -133,6 +158,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -194,7 +197,7 @@
  	postfix_read_config(mailman_cgi_t)
  ')
  
-@@ -142,7 +173,9 @@ optional_policy(`
+@@ -142,7 +176,9 @@ optional_policy(`
  #
  
  allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
@@ -205,7 +208,7 @@
  
  allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
  allow mailman_mail_t mailman_archive_t:file manage_file_perms;
-@@ -167,8 +200,12 @@ manage_files_pattern(mailman_mail_t, mai
+@@ -167,8 +203,12 @@ manage_files_pattern(mailman_mail_t, mai
  manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
  files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
  
@@ -218,7 +221,7 @@
  corenet_tcp_connect_smtp_port(mailman_mail_t)
  corenet_sendrecv_spamd_client_packets(mailman_mail_t)
  corenet_sendrecv_innd_client_packets(mailman_mail_t)
-@@ -193,6 +230,7 @@ libs_read_lib_files(mailman_mail_t)
+@@ -193,6 +233,7 @@ libs_read_lib_files(mailman_mail_t)
  
  logging_search_logs(mailman_mail_t)
  
@@ -226,7 +229,7 @@
  miscfiles_read_localization(mailman_mail_t)
  
  mta_use_mailserver_fds(mailman_mail_t)
-@@ -200,14 +238,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
+@@ -200,14 +241,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
  mta_dontaudit_rw_queue(mailman_mail_t)
  
  optional_policy(`
@@ -253,7 +256,7 @@
  	postfix_search_spool(mailman_mail_t)
  	postfix_rw_inherited_master_pipes(mailman_mail_t)
  ')
-@@ -217,10 +267,13 @@ optional_policy(`
+@@ -217,15 +270,18 @@ optional_policy(`
  # Queue local policy
  #
  
@@ -269,10 +272,19 @@
  allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
  allow mailman_queue_t mailman_archive_t:file manage_file_perms;
  
-@@ -234,12 +287,15 @@ allow mailman_queue_t mailman_lock_t:fil
+ allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+-allow mailman_queue_t mailman_data_t:file manage_file_perms;
++allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
+ allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+ 
+ allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+@@ -234,15 +290,24 @@ allow mailman_queue_t mailman_lock_t:fil
  allow mailman_queue_t mailman_log_t:dir list_dir_perms;
  allow mailman_queue_t mailman_log_t:file manage_file_perms;
  
++fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
++allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
++
 +kernel_read_network_state(mailman_queue_t)
  kernel_read_system_state(mailman_queue_t)
  
@@ -282,10 +294,16 @@
  corenet_sendrecv_innd_client_packets(mailman_queue_t)
 +corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
 +corenet_tcp_bind_generic_node(mailman_queue_t)
++corenet_tcp_connect_generic_port(mailman_queue_t)
++corenet_tcp_connect_http_port(mailman_queue_t)
  corenet_tcp_connect_innd_port(mailman_queue_t)
  
  files_dontaudit_search_runtime(mailman_queue_t)
-@@ -251,14 +307,23 @@ seutil_dontaudit_search_config(mailman_q
++files_read_usr_files(mailman_queue_t)
+ files_search_locks(mailman_queue_t)
+ 
+ miscfiles_read_localization(mailman_queue_t)
+@@ -251,14 +316,24 @@ seutil_dontaudit_search_config(mailman_q
  
  userdom_search_user_home_dirs(mailman_queue_t)
  
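Review bot: `corenet_tcp_connect_generic_port(mailman_queue_t)` lets the queue runner connect to any port labelled with the generic port type, which is far broader than the `corenet_tcp_connect_http_port` added beside it; if the intent is mailman-core talking to the mailman3-web REST endpoint, a port-specific interface (or a tunable around the generic rule) keeps the confinement meaningful, and a `# for ...` comment should state what the connection is for. `corenet_tcp_connect_http_port` and `cron_search_spool` are the rules removed from 0027-services later in this debdiff, so those two are no longer added twice.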
@@ -297,6 +315,7 @@
  
  optional_policy(`
 +	cron_rw_tmp_files(mailman_queue_t)
++	cron_search_spool(mailman_queue_t)
  	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
 +	cron_use_fds(mailman_queue_t)
 +')
@@ -344,7 +363,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -1562,6 +1562,10 @@ optional_policy(`
+@@ -1587,6 +1587,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -367,3 +386,8 @@
  /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
  /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
  /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+@@ -28,3 +29,4 @@
+ /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+ 
+ /usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/share/mailman3-web/manage.py --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
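Review bot: the new file context `/usr/share/mailman3-web/manage.py --` uses an unescaped `.`, which matches any character; the other entries in this series escape literal dots (`/var/log/rspamd\.log.*`, `cleancache\.pl`), so this should be `/usr/share/mailman3-web/manage\.py`. The separator before `--` is a single space where neighbouring entries use tabs, which is cosmetic but worth aligning.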
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services	2021-03-05 12:44:18.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0027-services	2021-04-09 20:56:34.000000000 +1000
@@ -58,7 +58,15 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/apache.fc
 +++ refpolicy-2.20210203/policy/modules/services/apache.fc
-@@ -164,6 +164,7 @@ ifdef(`distro_suse',`
+@@ -67,6 +67,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
+ /usr/lib/systemd/system/apache[^/]*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+ /usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+ /usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
++/usr/lib/w3m/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ 
+ /usr/libexec/httpd-ssl-pass-dialog			--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+ 
+@@ -164,6 +165,7 @@ ifdef(`distro_suse',`
  /var/log/glpi(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/mlogc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
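Review bot: `/usr/lib/w3m/cgi-bin(/.*)?` is now labelled `httpd_sys_script_exec_t`, but w3m executes its local CGI helpers itself rather than through a web server; unless Apache is meant to serve these files, check that the user domains that run w3m are still allowed to execute that type, otherwise the relabel breaks w3m's local CGI features without confining anything. If Apache is the intended executor, a comment above the entry would save the next reader the same question.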
@@ -66,7 +74,7 @@
  /var/log/httpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/horde2(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -172,7 +173,7 @@ ifdef(`distro_suse',`
+@@ -172,7 +174,7 @@ ifdef(`distro_suse',`
  /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -87,6 +95,14 @@
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
  files_read_etc_runtime_files(httpd_t)
+@@ -703,6 +704,7 @@ optional_policy(`
+ 
+ tunable_policy(`httpd_read_user_content',`
+ 	userdom_read_user_home_content_files(httpd_t)
++	userdom_map_user_home_content_files(httpd_t)
+ ')
+ 
+ tunable_policy(`httpd_setrlimit',`
 Index: refpolicy-2.20210203/policy/modules/services/aptcacher.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/aptcacher.te
@@ -381,7 +397,15 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
 +++ refpolicy-2.20210203/policy/modules/services/dovecot.te
-@@ -258,6 +258,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
+@@ -211,6 +211,7 @@ optional_policy(`
+ 	mta_manage_mail_home_rw_content(dovecot_t)
+ 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
+ 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
++	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "mail")
+ ')
+ 
+ optional_policy(`
+@@ -258,6 +259,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
  
  kernel_dontaudit_getattr_proc(dovecot_auth_t)
  
@@ -674,7 +698,7 @@
  	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
  	allow $1 mail_home_rw_t:file map;
  	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-+	allow $1 mail_home_rw_t:dir watch;
++	allow $1 mail_home_rw_t:{ dir file } watch;
  ')
  
  ########################################
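Review bot: changing `allow $1 mail_home_rw_t:dir watch;` to `allow $1 mail_home_rw_t:{ dir file } watch;` inside the interface that grants manage on mail_home_rw_t widens the grant to every caller of that interface, not only dovecot_t; since callers already have manage on those files the added inotify access is low risk, but the interface's summary should mention watch so users of it know what they receive.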
@@ -833,7 +857,7 @@
  ')
  
  optional_policy(`
-@@ -616,13 +620,15 @@ optional_policy(`
+@@ -616,13 +620,17 @@ optional_policy(`
  allow smbcontrol_t self:process signal;
  allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
@@ -842,7 +866,9 @@
  
  allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
 -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
++allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
 +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
++allow smbcontrol_t samba_runtime_t:file map;
  allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
@@ -850,7 +876,7 @@
  
  samba_read_config(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -638,6 +644,7 @@ files_search_var_lib(smbcontrol_t)
+@@ -638,6 +646,7 @@ files_search_var_lib(smbcontrol_t)
  term_use_console(smbcontrol_t)
  
  init_use_fds(smbcontrol_t)
@@ -980,28 +1006,10 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/mount.if
 +++ refpolicy-2.20210203/policy/modules/system/mount.if
-@@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
+@@ -260,6 +260,24 @@ interface(`mount_watch_reads_runtime_fil
  
  ########################################
  ## <summary>
-+##	Watch mount runtime files.
-+## </summary>
-+## <param name="domain">
-+##     <summary>
-+##     Domain allowed access.
-+##     </summary>
-+## </param>
-+#
-+interface(`mount_watch_runtime_files',`
-+	gen_require(`
-+		type mount_runtime_t;
-+	')
-+
-+	allow $1 mount_runtime_t:file watch;
-+')
-+
-+########################################
-+## <summary>
 +##	Watch mount runtime files reads.
 +## </summary>
 +## <param name="domain">
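Review bot: dropping `mount_watch_runtime_files` from this patch is right if upstream now provides it, and the new hunk header shows the insertion point sits directly after an upstream interface named `mount_watch_reads_runtime_fil...`; the patch still adds an interface summarised `Watch mount runtime files reads.` at that same point, so confirm its name does not collide with the upstream one, because a duplicate `interface()` definition fails the policy build. The hunk's +24 line count matches one remaining 18-line interface plus its separator, so nothing else is left over from the removed block.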
@@ -1288,7 +1296,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/userdomain.if
 +++ refpolicy-2.20210203/policy/modules/system/userdomain.if
-@@ -4312,6 +4312,24 @@ interface(`userdom_search_user_home_cont
+@@ -4348,6 +4348,24 @@ interface(`userdom_search_user_home_cont
  
  ########################################
  ## <summary>
@@ -1313,26 +1321,6 @@
  ##	Send signull to unprivileged user domains.
  ## </summary>
  ## <param name="domain">
-Index: refpolicy-2.20210203/policy/modules/services/mailman.te
-===================================================================
---- refpolicy-2.20210203.orig/policy/modules/services/mailman.te
-+++ refpolicy-2.20210203/policy/modules/services/mailman.te
-@@ -296,6 +296,7 @@ corecmd_read_bin_files(mailman_queue_t)
- corenet_sendrecv_innd_client_packets(mailman_queue_t)
- corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
- corenet_tcp_bind_generic_node(mailman_queue_t)
-+corenet_tcp_connect_http_port(mailman_queue_t)
- corenet_tcp_connect_innd_port(mailman_queue_t)
- 
- files_dontaudit_search_runtime(mailman_queue_t)
-@@ -313,6 +314,7 @@ optional_policy(`
- 
- optional_policy(`
- 	cron_rw_tmp_files(mailman_queue_t)
-+	cron_search_spool(mailman_queue_t)
- 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
- 	cron_use_fds(mailman_queue_t)
- ')
 Index: refpolicy-2.20210203/policy/modules/services/milter.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/milter.te
@@ -1477,7 +1465,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -676,6 +676,7 @@ dev_setattr_video_dev(systemd_logind_t)
+@@ -699,6 +699,7 @@ dev_setattr_video_dev(systemd_logind_t)
  
  domain_obj_id_change_exemption(systemd_logind_t)
  
@@ -1591,3 +1579,157 @@
  ')
  
  optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/services/spamassassin.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/spamassassin.fc
++++ refpolicy-2.20210203/policy/modules/services/spamassassin.fc
+@@ -16,7 +16,7 @@ HOME_DIR/\.spamd(/.*)?			gen_context(sys
+ /usr/bin/spamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
+ /usr/bin/spampd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
+ /usr/bin/sa-update		--	gen_context(system_u:object_r:spamd_update_exec_t,s0)
+-/usr/bin/rspamd			-l	gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/rspamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
+ /usr/bin/rspamd-[^/]+	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+ /usr/bin/rspamc			-l	gen_context(system_u:object_r:spamc_exec_t,s0)
+ /usr/bin/rspamc-[^/]+	--	gen_context(system_u:object_r:spamc_exec_t,s0)
+@@ -41,6 +41,7 @@ HOME_DIR/\.spamd(/.*)?			gen_context(sys
+ 
+ /var/log/spamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
+ /var/log/rspamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
++/var/log/rspamd(/.*)?			gen_context(system_u:object_r:spamd_log_t,s0)
+ /var/log/mimedefang.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
+ 
+ /var/vmail/\.spamassassin(/.*)?		gen_context(system_u:object_r:spamassassin_home_t,s0)
+Index: refpolicy-2.20210203/policy/modules/services/courier.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/courier.fc
++++ refpolicy-2.20210203/policy/modules/services/courier.fc
+@@ -23,8 +23,8 @@
+ /usr/lib/courier/courier/courierpop.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib/courier/courier/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+-/usr/lib/courier/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/pop3d	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/imapd.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/pop3d.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib/courier/rootcerts(/.*)?	gen_context(system_u:object_r:courier_etc_t,s0)
+ /usr/lib/courier/sqwebmail/cleancache\.pl	--	gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
+ /usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+Index: refpolicy-2.20210203/policy/modules/services/courier.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/courier.te
++++ refpolicy-2.20210203/policy/modules/services/courier.te
+@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_
+ 
+ can_exec(courier_authdaemon_t, courier_exec_t)
+ 
++kernel_getattr_proc(courier_authdaemon_t)
++
+ corecmd_exec_shell(courier_authdaemon_t)
+ 
+ domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
+@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t
+ miscfiles_read_localization(courier_authdaemon_t)
+ 
+ selinux_getattr_fs(courier_authdaemon_t)
++seutil_search_default_contexts(courier_authdaemon_t)
+ 
+ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
+ 
+@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
+ # POP3/IMAP local policy
+ #
+ 
+-allow courier_pop_t self:capability { setgid setuid };
++allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };
++dontaudit courier_pop_t self:capability fsetid;
++allow courier_pop_t self:unix_stream_socket connectto;
++allow courier_pop_t self:process setrlimit;
++
+ allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+ allow courier_pop_t courier_authdaemon_t:process sigchld;
+ 
+ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+ 
+-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
++allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
++allow courier_pop_t courier_var_lib_t:file manage_file_perms;
+ 
++allow courier_pop_t courier_etc_t:file map;
++
++can_exec(courier_pop_t, courier_exec_t)
++can_exec(courier_pop_t, courier_tcpd_exec_t)
+ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
+ 
+ domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+ 
+ corecmd_exec_shell(courier_pop_t)
++corenet_tcp_bind_generic_node(courier_pop_t)
++corenet_tcp_bind_pop_port(courier_pop_t)
++
++files_search_var_lib(courier_pop_t)
+ 
++miscfiles_read_generic_certs(courier_pop_t)
+ miscfiles_read_localization(courier_pop_t)
+ 
+ mta_manage_mail_home_rw_content(courier_pop_t)
+Index: refpolicy-2.20210203/policy/modules/services/spamassassin.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/spamassassin.te
++++ refpolicy-2.20210203/policy/modules/services/spamassassin.te
+@@ -399,6 +399,8 @@ tunable_policy(`rspamd_spamd',`
+ 	allow spamd_t self:process setrlimit;
+ 	allow spamc_t self:process setrlimit;
+ 
++	allow spamd_t self:process execmem;
++
+ 	list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
+ 	mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
+ 	allow spamd_t spamd_etc_t:dir watch;
+Index: refpolicy-2.20210203/policy/modules/services/exim.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/exim.te
++++ refpolicy-2.20210203/policy/modules/services/exim.te
+@@ -73,7 +73,7 @@ ifdef(`distro_debian',`
+ # Local policy
+ #
+ 
+-allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
++allow exim_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_resource };
+ allow exim_t self:process { setrlimit setpgid };
+ allow exim_t self:fifo_file rw_fifo_file_perms;
+ allow exim_t self:unix_stream_socket { accept listen };
+@@ -190,6 +190,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	cron_read_pipes(exim_t)
++	cron_rw_inherited_tmp_files(exim_t)
+ 	cron_rw_system_job_pipes(exim_t)
+ 	cron_use_system_job_fds(exim_t)
+ ')
+Index: refpolicy-2.20210203/policy/modules/kernel/corenetwork.te.in
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/corenetwork.te.in
++++ refpolicy-2.20210203/policy/modules/kernel/corenetwork.te.in
+@@ -255,7 +255,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0
+ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
+ network_port(socks) # no defined portcon
+ network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
+-network_port(spamd, tcp,783,s0)
++network_port(spamd, tcp,783,s0, tcp,11333,s0)
+ network_port(speech, tcp,8036,s0)
+ network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+ network_port(ssdp, tcp,1900,s0, udp,1900,s0)
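Review bot: port 11333 is added to `network_port(spamd, tcp,783,s0, tcp,11333,s0)` without a comment, while nearby entries annotate non-obvious ports (`# snmp and htcp`). Since the changelog says this is for rspamd, a trailing `# rspamd` comment would explain why a second port now shares `spamd_port_t`; also confirm that no other `network_port()` line already claims tcp 11333, because a duplicate portcon fails the policy build.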
+Index: refpolicy-2.20210203/policy/modules/services/smartmon.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/smartmon.te
++++ refpolicy-2.20210203/policy/modules/services/smartmon.te
+@@ -39,7 +39,7 @@ ifdef(`enable_mls',`
+ #
+ 
+ allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
+-dontaudit fsdaemon_t self:capability sys_tty_config;
++dontaudit fsdaemon_t self:capability { net_admin sys_tty_config };
+ allow fsdaemon_t self:process { getcap setcap signal_perms };
+ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
+ allow fsdaemon_t self:unix_stream_socket { accept listen };
diff -Nru refpolicy-2.20210203/debian/patches/0028-misc refpolicy-2.20210203/debian/patches/0028-misc
--- refpolicy-2.20210203/debian/patches/0028-misc	2021-03-02 22:42:44.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0028-misc	2021-04-04 22:49:49.000000000 +1000
@@ -247,7 +247,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/init.if
 +++ refpolicy-2.20210203/policy/modules/system/init.if
-@@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',`
+@@ -3516,6 +3516,24 @@ interface(`init_reload_all_units',`
  	allow $1 { init_script_file_type systemdunit }:service reload;
  ')
  
@@ -276,7 +276,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/init.te
 +++ refpolicy-2.20210203/policy/modules/system/init.te
-@@ -244,7 +244,6 @@ ifdef(`init_systemd',`
+@@ -248,7 +248,6 @@ ifdef(`init_systemd',`
  	allow init_t self:udp_socket create_socket_perms;
  	allow init_t self:netlink_route_socket create_netlink_socket_perms;
  	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
@@ -284,7 +284,7 @@
  	allow init_t self:key { search setattr write };
  	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
  
-@@ -263,7 +262,7 @@ ifdef(`init_systemd',`
+@@ -267,7 +266,7 @@ ifdef(`init_systemd',`
  
  	# setexec and setkeycreate for systemd --user
  	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
@@ -293,7 +293,7 @@
  	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
  	allow init_t self:unix_dgram_socket lock;
  
-@@ -434,6 +433,7 @@ ifdef(`init_systemd',`
+@@ -438,6 +437,7 @@ ifdef(`init_systemd',`
  	miscfiles_watch_localization(init_t)
  
  	mount_watch_runtime_dirs(init_t)
@@ -319,9 +319,9 @@
  	udev_read_runtime_files(syslogd_t)
 +	userdom_list_user_tmp(syslogd_t)
 +	userdom_read_user_tmp_symlinks(syslogd_t)
- ')
  
- ifdef(`distro_gentoo',`
+ 	# journald traverses /run/user/UID (which is mode 0700) to read symlinks in /run/user/UID/systemd/units/
+ 	allow syslogd_t self:capability dac_read_search;
 Index: refpolicy-2.20210203/policy/modules/system/lvm.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
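Review bot: the new `allow syslogd_t self:capability dac_read_search;` is well commented (journald traversing the mode 0700 `/run/user/UID`), but it sits among the `userdom_*` calls in an indented block rather than with the other `self:capability` rules of the syslogd local policy. If that indentation means the rule is inside an `ifdef(`init_systemd',` block, the scoping is right since only journald needs it; otherwise move it next to the existing self capability rules so the grant is easy to find in a later audit.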
@@ -404,7 +404,16 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
 +++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
-@@ -368,11 +368,14 @@ fs_list_inotifyfs(restorecond_t)
+@@ -346,6 +346,8 @@ allow restorecond_t self:fifo_file rw_fi
+ allow restorecond_t restorecond_run_t:file manage_file_perms;
+ files_runtime_filetrans(restorecond_t, restorecond_run_t, file)
+ 
++allow restorecond_t selinux_config_t:file watch;
++
+ kernel_getattr_debugfs(restorecond_t)
+ kernel_read_system_state(restorecond_t)
+ kernel_rw_pipes(restorecond_t)
+@@ -368,11 +370,14 @@ fs_list_inotifyfs(restorecond_t)
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_getattr_pstorefs(restorecond_t)
  
@@ -419,7 +428,7 @@
  
  files_relabel_non_auth_files(restorecond_t )
  files_dontaudit_read_all_symlinks(restorecond_t)
-@@ -417,6 +420,8 @@ allow run_init_t self:netlink_audit_sock
+@@ -417,6 +422,8 @@ allow run_init_t self:netlink_audit_sock
  # the failed access to the current directory
  dontaudit run_init_t self:capability { dac_override dac_read_search };
  
@@ -428,7 +437,7 @@
  corecmd_exec_bin(run_init_t)
  corecmd_exec_shell(run_init_t)
  
-@@ -586,6 +591,7 @@ allow setfiles_t { policy_src_t policy_c
+@@ -586,6 +593,7 @@ allow setfiles_t { policy_src_t policy_c
  allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
  allow setfiles_t file_context_t:file map;
  
@@ -698,3 +707,114 @@
  allow netutils_t self:netlink_netfilter_socket create_socket_perms;
  allow netutils_t self:packet_socket { create_socket_perms map };
  allow netutils_t self:udp_socket create_socket_perms;
+Index: refpolicy-2.20210203/policy/modules/apps/wm.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/wm.if
++++ refpolicy-2.20210203/policy/modules/apps/wm.if
+@@ -101,6 +101,10 @@ template(`wm_role_template',`
+ 	optional_policy(`
+ 		pulseaudio_run($1_wm_t, $2)
+ 	')
++
++	optional_policy(`
++		xdg_watch_config_files($1_wm_t)
++	')
+ ')
+ 
+ ########################################
+Index: refpolicy-2.20210203/policy/modules/apps/wm.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/wm.te
++++ refpolicy-2.20210203/policy/modules/apps/wm.te
+@@ -39,6 +39,7 @@ files_tmp_filetrans(wm_domain, wm_tmp_t,
+ manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+ manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+ mmap_read_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
++allow wm_domain wm_tmpfs_t:file execmod;
+ manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+ fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+ 
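Review bot: `allow wm_domain wm_tmpfs_t:file execmod;` gives every domain carrying the `wm_domain` attribute the ability to execute a modified (text-relocated) tmpfs file mapping, with no comment on which program needs it. Because this weakens W^X for all window managers, not just the KDE case the changelog mentions, a comment naming the component and, if only one desktop needs it, a tunable or a per-domain rule would keep the other `wm_domain` members unaffected.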
+Index: refpolicy-2.20210203/policy/modules/system/xdg.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/xdg.if
++++ refpolicy-2.20210203/policy/modules/system/xdg.if
+@@ -389,6 +389,24 @@ interface(`xdg_watch_config_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Watch the xdg config home files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xdg_watch_config_files',`
++	gen_require(`
++		type xdg_config_t;
++	')
++
++	allow $1 xdg_config_t:file watch;
++')
++
++########################################
++## <summary>
+ ##	Watch all the xdg config home directories
+ ## </summary>
+ ## <param name="domain">
+Index: refpolicy-2.20210203/policy/modules/services/cron.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/cron.te
++++ refpolicy-2.20210203/policy/modules/services/cron.te
+@@ -507,6 +507,7 @@ files_read_usr_files(system_cronjob_t)
+ files_read_var_files(system_cronjob_t)
+ files_dontaudit_search_runtime(system_cronjob_t)
+ files_manage_generic_spool(system_cronjob_t)
++files_manage_var_lib_dirs(system_cronjob_t)
+ files_create_boot_flag(system_cronjob_t)
+ files_read_var_lib_symlinks(system_cronjob_t)
+ 
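Review bot: `files_manage_var_lib_dirs(system_cronjob_t)` lets every system cron job create, rename and delete any directory labelled `var_lib_t`, which is most of `/var/lib`. The neighbouring rules are read-only (`files_read_var_lib_symlinks`), so this is a large step up without a comment saying which job needs it; if the job writes to a single application directory, labelling that directory with the application's own type and granting manage on that type would be the least-privilege fix.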
+Index: refpolicy-2.20210203/policy/modules/apps/pulseaudio.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/pulseaudio.if
++++ refpolicy-2.20210203/policy/modules/apps/pulseaudio.if
+@@ -205,6 +205,24 @@ interface(`pulseaudio_stream_connect',`
+ 	stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_runtime_t }, { pulseaudio_tmp_t pulseaudio_runtime_t }, pulseaudio_t)
+ ')
+ 
++#####################################
++## <summary>
++##	Manage pulseaudio_tmp_t dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pulseaudio_manage_tmp_dirs',`
++	gen_require(`
++		type pulseaudio_tmp_t;
++	')
++
++	allow $1 pulseaudio_tmp_t:dir manage_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Send and receive messages from
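Review bot: the divider above `interface(`pulseaudio_manage_tmp_dirs',` is 37 characters (`#####################################`) while the surrounding blocks use the 40-character `########################################`, and the summary "Manage pulseaudio_tmp_t dirs" names the type instead of describing the access; refpolicy summaries read like "Create, read, write, and delete pulseaudio temporary directories." Both are style-only.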
+Index: refpolicy-2.20210203/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20210203/policy/modules/system/systemd.te
+@@ -1760,5 +1760,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	pulseaudio_manage_tmp_dirs(systemd_user_runtime_dir_t)
++')
++
++optional_policy(`
+ 	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
+ ')
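Review bot: `pulseaudio_manage_tmp_dirs(systemd_user_runtime_dir_t)` grants create, write and rename as well as delete. The adjacent call, `userdom_delete_all_user_runtime_named_sockets`, shows the intended scope is cleanup of `/run/user/UID` at logout, so a delete-only interface (`delete_dir_perms` on `pulseaudio_tmp_t`) would match what the runtime-dir helper actually does and avoid giving it write access to pulseaudio's directories.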
diff -Nru refpolicy-2.20210203/debian/patches/0029-sympa refpolicy-2.20210203/debian/patches/0029-sympa
--- refpolicy-2.20210203/debian/patches/0029-sympa	1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0029-sympa	2021-04-06 18:16:47.000000000 +1000
@@ -0,0 +1,252 @@
+Index: refpolicy-2.20210203/policy/modules/services/sympa.fc
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/sympa.fc
+@@ -0,0 +1,6 @@
++/usr/lib/sympa/bin/.*	--	gen_context(system_u:object_r:sympa_exec_t,s0)
++/var/lib/sympa(/.*)?		gen_context(system_u:object_r:sympa_var_t,s0)
++/var/spool/sympa(/.*)?		gen_context(system_u:object_r:sympa_var_t,s0)
++/run/sympa(/.*)?		gen_context(system_u:object_r:sympa_runtime_t,s0)
++/etc/mail/sympa(/.*)?		gen_context(system_u:object_r:sympa_etc_t,s0)
++/etc/sympa(/.*)?		gen_context(system_u:object_r:sympa_etc_t,s0)
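Review bot: `/var/spool/sympa(/.*)?` and `/var/lib/sympa(/.*)?` share the single `sympa_var_t` type. In refpolicy the spool tree normally gets its own `sympa_spool_t` declared with `files_spool_file()`, so that `files_search_spool(sympa_t)` in sympa.te composes with the type as expected, and so the MTA-side interfaces (`sympa_append_var_files`, `sympa_read_var_files`) can be scoped to the log or spool data they actually need rather than the whole state directory.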
+Index: refpolicy-2.20210203/policy/modules/services/sympa.te
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/sympa.te
+@@ -0,0 +1,64 @@
++policy_module(sympa,1.0.0)
++
++type sympa_t;
++type sympa_exec_t;
++init_daemon_domain(sympa_t, sympa_exec_t)
++
++type sympa_var_t;
++files_type(sympa_var_t)
++
++type sympa_runtime_t;
++files_runtime_file(sympa_runtime_t)
++
++type sympa_etc_t;
++files_config_file(sympa_etc_t)
++
++type sympa_tmp_t;
++files_tmp_file(sympa_tmp_t)
++
++allow sympa_t self:fifo_file rw_file_perms;
++allow sympa_t self:tcp_socket create_socket_perms;
++allow sympa_t self:unix_dgram_socket create_socket_perms;
++allow sympa_t sympa_var_t:dir manage_dir_perms;
++allow sympa_t sympa_var_t:file manage_file_perms;
++
++allow sympa_t sympa_runtime_t:dir manage_dir_perms;
++allow sympa_t sympa_runtime_t:file manage_file_perms;
++
++allow sympa_t sympa_etc_t:dir list_dir_perms;
++allow sympa_t sympa_etc_t:file read_file_perms;
++
++files_tmp_filetrans(sympa_t, sympa_tmp_t, { file })
++allow sympa_t sympa_tmp_t:file manage_file_perms;
++
++kernel_read_kernel_sysctls(sympa_t)
++
++auth_dontaudit_read_shadow(sympa_t)
++
++corecmd_exec_bin(sympa_t)
++corecmd_exec_shell(sympa_t)
++
++dev_read_urand(sympa_t)
++
++files_read_etc_files(sympa_t)
++files_read_usr_files(sympa_t)
++files_search_spool(sympa_t)
++files_search_var_lib(sympa_t)
++
++logging_send_syslog_msg(sympa_t)
++
++miscfiles_read_generic_certs(sympa_t)
++miscfiles_read_localization(sympa_t)
++
++sysnet_read_config(sympa_t)
++
++optional_policy(`
++	mta_read_config(sympa_t)
++	mta_send_mail(sympa_t)
++	mta_rw_delivery_fifos(sympa_t)
++')
++
++optional_policy(`
++	mysql_tcp_connect(sympa_t)
++	mysql_stream_connect(sympa_t)
++')
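Review bot: `allow sympa_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, the fifo-specific set the exim hunk above uses; using the file-class macro on a `fifo_file` rule is the kind of inconsistency the rest of the tree avoids. Two style points: `policy_module(sympa,1.0.0)` wants a space after the comma, and the file lacks the `# Declarations` / `# Local policy` section comments that the new rasdaemon.te in this same upload includes.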
+Index: refpolicy-2.20210203/policy/modules/services/sympa.if
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/sympa.if
+@@ -0,0 +1,93 @@
++## <summary></summary>
++
++########################################
++## <summary>
++##      Allow appending to sympa_var_t (for error log)
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sympa_append_var_files',`
++	gen_require(`
++		type sympa_var_t;
++	')
++
++	allow $1 sympa_var_t:file { append getattr };
++')
++
++########################################
++## <summary>
++##      Allow reading sympa_var_t files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sympa_read_var_files',`
++	gen_require(`
++		type sympa_var_t;
++	')
++
++	allow $1 sympa_var_t:dir list_dir_perms;
++	allow $1 sympa_var_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##      Transition to sympa_t when executing sympa_exec_t
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sympa_domtrans',`
++	gen_require(`
++		type sympa_exec_t, sympa_t;
++	')
++
++	domain_auto_transition_pattern($1, sympa_exec_t, sympa_t)
++')
++
++########################################
++## <summary>
++##      Use file handles inherited from sympa
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sympa_use_fd',`
++	gen_require(`
++		type sympa_t;
++	')
++
++	allow $1 sympa_t:fd use;
++')
++
++
++########################################
++## <summary>
++##      Dontaudit access to inherited sympa tcp sockets
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit
++##      </summary>
++## </param>
++#
++interface(`sympa_dontaudit_tcp_rw',`
++	gen_require(`
++		type sympa_t;
++	')
++
++	dontaudit $1 sympa_t:tcp_socket { read write };
++')
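Review bot: the module summary `## <summary></summary>` is empty; refpolicy uses this line for the module description (for example "Sympa mailing list manager"). Naming: `sympa_use_fd` should be `sympa_use_fds` and `sympa_dontaudit_tcp_rw` should be `sympa_dontaudit_rw_tcp_sockets`, matching `unconfined_use_fds` and `mta_dontaudit_rw_delivery_tcp...` visible in the mta.te and mta.if hunks of this patch. The XML doc comments are indented with spaces where the rest of the tree uses tabs, and there is a doubled blank line before the last interface.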
+Index: refpolicy-2.20210203/policy/modules/services/mta.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/mta.te
++++ refpolicy-2.20210203/policy/modules/services/mta.te
+@@ -310,6 +310,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	sympa_append_var_files(system_mail_t)
++	sympa_dontaudit_tcp_rw(system_mail_t)
++')
++
++optional_policy(`
+ 	unconfined_use_fds(system_mail_t)
+ ')
+ 
+@@ -403,6 +408,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	sympa_dontaudit_tcp_rw(mailserver_delivery)
++	sympa_domtrans(mailserver_delivery)
++')
++
++optional_policy(`
+ 	uucp_domtrans_uux(mailserver_delivery)
+ ')
+ 
+Index: refpolicy-2.20210203/policy/modules/services/mta.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/mta.if
++++ refpolicy-2.20210203/policy/modules/services/mta.if
+@@ -814,6 +814,26 @@ interface(`mta_dontaudit_rw_delivery_tcp
+ 
+ #######################################
+ ## <summary>
++##	read and write fifo files inherited from delivery domains
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to use fifo files
++##	</summary>
++## </param>
++#
++interface(`mta_rw_delivery_fifos',`
++	gen_require(`
++		attribute mailserver_delivery;
++	')
++
++	allow $1 mailserver_delivery:fd use;
++	allow $1 mailserver_delivery:fifo_file { getattr read write };
++')
++
++
++#######################################
++## <summary>
+ ##	Do not audit attempts to read
+ ##	mail spool symlinks.
+ ## </summary>
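Review bot: the summary "read and write fifo files inherited from delivery domains" should start with a capital letter like the neighbouring summaries, and `allow $1 mailserver_delivery:fifo_file { getattr read write };` could use the `rw_inherited_fifo_file_perms` set refpolicy defines for this inherited-fifo case, provided its extra bits (append, ioctl, lock) are acceptable for the callers. There is also a doubled blank line before the next divider.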
+Index: refpolicy-2.20210203/policy/modules/services/exim.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/exim.te
++++ refpolicy-2.20210203/policy/modules/services/exim.te
+@@ -249,3 +249,10 @@ optional_policy(`
+ 	spamassassin_exec(exim_t)
+ 	spamassassin_exec_client(exim_t)
+ ')
++
++optional_policy(`
++	# each of these should probably be for mailserver_delivery or mailserver_domain
++	sympa_append_var_files(exim_t)
++	sympa_read_var_files(exim_t)
++	sympa_use_fd(exim_t)
++')
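Review bot: the in-code TODO `# each of these should probably be for mailserver_delivery or mailserver_domain` is right, and the mta.te hunk in this same patch already adds `sympa_dontaudit_tcp_rw` and `sympa_domtrans` on `mailserver_delivery`; moving `sympa_append_var_files`, `sympa_read_var_files` and `sympa_use_fd` there as well would remove the exim-specific duplication and make the rules apply to the other MTAs too. If that is deliberately deferred past the freeze, the comment should say so.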
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-02-26 15:40:51.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-04-06 13:27:36.000000000 +1000
@@ -22,9 +22,9 @@
  	optional_policy(`
  		dbus_connect_spec_session_bus($1, $1_wm_t)
  		dbus_spec_session_bus_client($1, $1_wm_t)
-@@ -101,6 +107,17 @@ template(`wm_role_template',`
+@@ -105,6 +111,17 @@ template(`wm_role_template',`
  	optional_policy(`
- 		pulseaudio_run($1_wm_t, $2)
+ 		xdg_watch_config_files($1_wm_t)
  	')
 +
 +	optional_policy(`
@@ -208,7 +208,7 @@
  ##	Search users runtime directories.
  ## </summary>
  ## <param name="domain">
-@@ -3879,6 +3906,24 @@ interface(`userdom_manage_user_tmpfs_fil
+@@ -3915,6 +3942,24 @@ interface(`userdom_manage_user_tmpfs_fil
  ')
  
  ########################################
@@ -249,7 +249,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/xdg.if
 +++ refpolicy-2.20210203/policy/modules/system/xdg.if
-@@ -655,6 +655,24 @@ interface(`xdg_watch_data_dirs',`
+@@ -673,6 +673,24 @@ interface(`xdg_watch_data_dirs',`
  
  ########################################
  ## <summary>
@@ -274,7 +274,7 @@
  ##	Watch all the xdg data home directories
  ## </summary>
  ## <param name="domain">
-@@ -673,6 +691,24 @@ interface(`xdg_watch_all_data_dirs',`
+@@ -691,6 +709,24 @@ interface(`xdg_watch_all_data_dirs',`
  
  ########################################
  ## <summary>
@@ -299,7 +299,7 @@
  ##	Read the xdg data home files
  ## </summary>
  ## <param name="domain">
-@@ -878,6 +914,24 @@ interface(`xdg_relabel_data',`
+@@ -896,6 +932,24 @@ interface(`xdg_relabel_data',`
  ')
  
  ########################################
diff -Nru refpolicy-2.20210203/debian/patches/0110-gpg refpolicy-2.20210203/debian/patches/0110-gpg
--- refpolicy-2.20210203/debian/patches/0110-gpg	2021-02-26 15:43:08.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0110-gpg	2021-03-31 18:38:13.000000000 +1100
@@ -152,7 +152,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/dbus.if
 +++ refpolicy-2.20210203/policy/modules/services/dbus.if
-@@ -75,6 +75,9 @@ template(`dbus_role_template',`
+@@ -76,6 +76,9 @@ template(`dbus_role_template',`
  	domain_entry_file($1_dbusd_t, dbusd_exec_t)
  	ubac_constrained($1_dbusd_t)
  
@@ -162,7 +162,7 @@
  	role $2 types $1_dbusd_t;
  
  	##############################
-@@ -82,7 +85,7 @@ template(`dbus_role_template',`
+@@ -83,7 +86,7 @@ template(`dbus_role_template',`
  	# Local policy
  	#
  
@@ -171,7 +171,7 @@
  	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
  	allow $1_dbusd_t $3:dbus send_msg;
  	allow $3 $1_dbusd_t:fd use;
-@@ -229,7 +232,7 @@ interface(`dbus_all_session_bus_client',
+@@ -235,7 +238,7 @@ interface(`dbus_all_session_bus_client',
  	allow $1 { session_bus_type self }:dbus send_msg;
  	allow session_bus_type $1:dbus send_msg;
  
@@ -180,7 +180,7 @@
  	allow $1 session_bus_type:fd use;
  ')
  
-@@ -262,7 +265,7 @@ interface(`dbus_spec_session_bus_client'
+@@ -268,7 +271,7 @@ interface(`dbus_spec_session_bus_client'
  	allow $2 { $1_dbusd_t self }:dbus send_msg;
  	allow $1_dbusd_t $2:dbus send_msg;
  
diff -Nru refpolicy-2.20210203/debian/patches/0201-rasdaemon refpolicy-2.20210203/debian/patches/0201-rasdaemon
--- refpolicy-2.20210203/debian/patches/0201-rasdaemon	1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0201-rasdaemon	2021-03-08 13:09:39.000000000 +1100
@@ -0,0 +1,98 @@
+Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
++++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
+@@ -5302,6 +5302,25 @@ interface(`fs_getattr_tracefs_files',`
+ 
+ ########################################
+ ## <summary>
++##	Read/write trace filesystem files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_write_tracefs_files',`
++	gen_require(`
++		type tracefs_t;
++	')
++
++	allow $1 tracefs_t:dir list_dir_perms;
++	allow $1 tracefs_t:file rw_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Mount a XENFS filesystem.
+ ## </summary>
+ ## <param name="domain">
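Review bot: `fs_write_tracefs_files` grants `rw_file_perms` on `tracefs_t:file` plus `list_dir_perms` on the dirs, so the name understates the access; refpolicy would call this `fs_rw_tracefs_files`, which also matches the "Read/write" summary. The `<param>` block is indented with spaces while the `<summary>` above it uses tabs.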
+Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.fc
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/rasdaemon.fc
+@@ -0,0 +1,3 @@
++/usr/sbin/rasdaemon			--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
++/var/lib/rasdaemon(/.*)?			gen_context(system_u:object_r:rasdaemon_var_t,s0)
++
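Review bot: the new rasdaemon.fc ends with an empty added line (`+` with nothing after it); the other .fc files in the tree end at the last context entry, so drop the trailing blank.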
+Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.if
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/rasdaemon.if
+@@ -0,0 +1 @@
++## <summary></summary>
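Review bot: `## <summary></summary>` is empty here as in sympa.if; fill in the module description (for example "RAS logging daemon") so the generated interface documentation has a title for the module.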
+Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.te
+===================================================================
+--- /dev/null
++++ refpolicy-2.20210203/policy/modules/services/rasdaemon.te
+@@ -0,0 +1,49 @@
++policy_module(rasdaemon, 1.0.0)
++
++# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
++# tool.  It currently records memory errors, using the EDAC tracing events.
++# EDAC are drivers in the Linux kernel that handle detection of ECC errors
++# from memory controllers for most chipsets on x86 and ARM architectures.
++#
++# https://git.infradead.org/users/mchehab/rasdaemon.git
++
++########################################
++#
++# Declarations
++#
++
++type rasdaemon_t;
++type rasdaemon_exec_t;
++init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
++
++type rasdaemon_var_t;
++files_type(rasdaemon_var_t)
++
++########################################
++#
++# Local policy
++#
++
++allow rasdaemon_t self:unix_dgram_socket create_socket_perms;
++
++# confidentiality for tracefs and integrity for debugfs
++allow rasdaemon_t self:lockdown { confidentiality integrity };
++
++allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
++allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
++
++kernel_read_debugfs(rasdaemon_t)
++kernel_read_system_state(rasdaemon_t)
++kernel_read_vm_overcommit_sysctl(rasdaemon_t)
++kernel_search_fs_sysctls(rasdaemon_t)
++
++dev_list_sysfs(rasdaemon_t)
++dev_read_urand(rasdaemon_t)
++
++files_read_etc_symlinks(rasdaemon_t)
++files_search_var_lib(rasdaemon_t)
++fs_write_tracefs_files(rasdaemon_t)
++
++logging_send_syslog_msg(rasdaemon_t)
++miscfiles_read_localization(rasdaemon_t)
++
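Review bot: `allow rasdaemon_t self:lockdown { confidentiality integrity };` is the right class for a daemon that reads trace data under kernel lockdown, and the comment says which permission maps to which filesystem. One mismatch to resolve: the comment says "integrity for debugfs", yet the only debugfs interface is `kernel_read_debugfs(rasdaemon_t)`; if the integrity bit is actually for the writes done through `fs_write_tracefs_files(rasdaemon_t)` (enabling the EDAC trace events the header comment describes), adjust the comment, since that interface gives write access to every `tracefs_t` file and a later audit will want to know that is intentional. The file also ends with a blank line.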
diff -Nru refpolicy-2.20210203/debian/patches/1999-aliases refpolicy-2.20210203/debian/patches/1999-aliases
--- refpolicy-2.20210203/debian/patches/1999-aliases	2021-02-17 13:43:09.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/1999-aliases	2021-03-31 18:02:14.000000000 +1100
@@ -34,7 +34,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -129,6 +129,7 @@ type systemd_hwdb_t;
+@@ -131,6 +131,7 @@ type systemd_hwdb_t;
  files_type(systemd_hwdb_t)
  
  type systemd_journal_t;
diff -Nru refpolicy-2.20210203/debian/patches/2000-hacks refpolicy-2.20210203/debian/patches/2000-hacks
--- refpolicy-2.20210203/debian/patches/2000-hacks	2021-02-25 14:34:43.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/2000-hacks	2021-04-06 13:27:52.000000000 +1000
@@ -76,9 +76,9 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
 +++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -1721,3 +1721,7 @@ optional_policy(`
+@@ -1767,3 +1767,7 @@ optional_policy(`
  optional_policy(`
- 	gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t)
+ 	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
  ')
 +
 +optional_policy(`
@@ -88,7 +88,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/userdomain.if
 +++ refpolicy-2.20210203/policy/modules/system/userdomain.if
-@@ -4567,6 +4567,25 @@ interface(`userdom_dontaudit_write_user_
+@@ -4603,6 +4603,25 @@ interface(`userdom_dontaudit_write_user_
  
  ########################################
  ## <summary>
diff -Nru refpolicy-2.20210203/debian/patches/series refpolicy-2.20210203/debian/patches/series
--- refpolicy-2.20210203/debian/patches/series	2021-02-23 16:45:51.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/series	2021-04-04 22:50:49.000000000 +1000
@@ -10,11 +10,13 @@
 0026-mailman
 0027-services
 0028-misc
+0029-sympa
 0030-user-sddm
 0035-certbot
 0110-gpg
 0190-net_admin
 0191-GetDynamicUsers
 0200-matrixd
+0201-rasdaemon
 1999-aliases
 2000-hacks

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
