Bug#991201: unblock: refpolicy/2:2.20210203-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package refpolicy
[ Reason ]
Improvement to policy for certbot, dhcp, mon, fsadm, and java.
[ Impact ]
This allows certbot to work out of the box on the first run.
It correctly labels dhclient hook scripts and wide-dhcpv6-client hook scripts.
Changes to mon and fsadm policy support megaraid (AKA PERC) RAID controllers.
Made the Java policy work for JRE 17.
[ Tests ]
Tested all of this manually.
[ Risks ]
No real risk, just added new allow rules.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock refpolicy/2:2.20210203-7
diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog 2021-05-08 17:55:06.000000000 +1000
+++ refpolicy-2.20210203/debian/changelog 2021-06-14 09:47:05.000000000 +1000
@@ -1,3 +1,19 @@
+refpolicy (2:2.20210203-7) unstable; urgency=medium
+
+ * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
+ * Label /etc/wide-dhcpv6/dhcp6c-ifupdown /etc/wide-dhcpv6/dhcp6c-script
+ /etc/dhcp/dhclient-enter-hooks.d/* and /etc/dhcp/dhclient-exit-hooks.d/*
+ as bin_t.
+ * Allow mon_local_test_t to run smartctl in fsadm_t for megaraid and other
+ corner cases and allowed fsadm_t to read fsdaemon_var_lib_t. Dontaudit
+ fsadm_t inheriting file handles from mon_t.
+ * Allow fsadm_t to do a file type trans for creating
+ /dev/megaraid_sas_ioctl_node
+ * Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read
+ cgroup files. Needed for JRE 17
+
+ -- Russell Coker <russell@coker.com.au> Mon, 14 Jun 2021 09:47:05 +1000
+
refpolicy (2:2.20210203-6) unstable; urgency=medium
* Add policy for cockpit web admin tool
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services 2021-05-06 04:09:33.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0027-services 2021-06-14 09:47:05.000000000 +1000
@@ -217,26 +217,6 @@
dev_rw_xserver_misc(boinc_t)
domain_read_all_domains_state(boinc_t)
-Index: refpolicy-2.20210203/policy/modules/services/certbot.te
-===================================================================
---- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
-+++ refpolicy-2.20210203/policy/modules/services/certbot.te
-@@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t)
- # bind to http port for standalone mode
- corenet_tcp_bind_http_port(certbot_t)
-
-+dev_read_urand(certbot_t)
-+
- domain_use_interactive_fds(certbot_t)
-
- files_read_etc_files(certbot_t)
- files_read_usr_files(certbot_t)
-
-+# dontaudit for attempts to write python cache files
-+libs_dontaudit_write_lib_dirs(certbot_t)
- libs_exec_ldconfig(certbot_t)
- # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
- libs_exec_lib_files(certbot_t)
Index: refpolicy-2.20210203/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
@@ -561,7 +541,7 @@
files_read_usr_files(mon_local_test_t)
files_search_mnt(mon_local_test_t)
files_search_spool(mon_local_test_t)
-@@ -197,8 +203,11 @@ files_list_boot(mon_local_test_t)
+@@ -197,9 +203,13 @@ files_list_boot(mon_local_test_t)
fs_search_auto_mountpoints(mon_local_test_t)
fs_getattr_nfs(mon_local_test_t)
fs_getattr_xattr_fs(mon_local_test_t)
@@ -571,9 +551,11 @@
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
fs_search_nfs(mon_local_test_t)
++fstools_domtrans(mon_local_test_t)
storage_getattr_fixed_disk_dev(mon_local_test_t)
-@@ -211,12 +220,14 @@ application_exec_all(mon_local_test_t)
+ storage_getattr_removable_dev(mon_local_test_t)
+@@ -211,12 +221,14 @@ application_exec_all(mon_local_test_t)
auth_use_nsswitch(mon_local_test_t)
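Review bot: `fstools_domtrans(mon_local_test_t)` moves mon's local test scripts into fsadm_t, a domain that this same debdiff shows holding `storage_raw_read_fixed_disk` and `storage_raw_write_fixed_disk` (context lines in the fstools.te hunk), so any fsadm_exec_t program a test executes, not only smartctl, now runs with raw fixed-disk access. A comment at the rule would make that trade-off visible to the next reader: `# smartctl needs fsadm_t for megaraid controllers; this hands mon tests the full fsadm_t privilege set`. The rendering of this hunk has dropped some lines (the header announces 9 old and 11 new lines but fewer are visible), so the exact placement is inferred, and the nested mon.te hunk continues past this outer hunk.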
@@ -1765,3 +1747,130 @@
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process { setsched setexec setrlimit };
allow inetd_t self:fifo_file rw_fifo_file_perms;
+Index: refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
+@@ -43,6 +43,8 @@ ifdef(`distro_redhat',`
+ /etc/cron\.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/dhcp/dhclient-enter-hooks.d(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/etc/dhcp/dhclient-exit-hooks.d(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
+@@ -101,6 +103,9 @@ ifdef(`distro_redhat',`
+
+ /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/etc/wide-dhcpv6/dhcp6c-ifupdown -- gen_context(system_u:object_r:bin_t,s0)
++/etc/wide-dhcpv6/dhcp6c-script -- gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
+Index: refpolicy-2.20210203/policy/modules/kernel/storage.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.fc
++++ refpolicy-2.20210203/policy/modules/kernel/storage.fc
+@@ -29,6 +29,7 @@
+ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megaraid.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+Index: refpolicy-2.20210203/policy/modules/system/fstools.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
++++ refpolicy-2.20210203/policy/modules/system/fstools.te
+@@ -137,6 +137,8 @@ mls_file_write_all_levels(fsadm_t)
+
+ selinux_getattr_fs(fsadm_t)
+
++storage_dev_filetrans_fixed_disk_control(fsadm_t, "megaraid_sas_ioctl_node")
++storage_manage_fixed_disk(fsadm_t)
+ storage_raw_read_fixed_disk(fsadm_t)
+ storage_raw_write_fixed_disk(fsadm_t)
+ storage_raw_read_removable_device(fsadm_t)
+@@ -192,6 +194,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ fsdaemon_read_lib(fsadm_t)
++')
++
++optional_policy(`
+ livecd_rw_tmp_files(fsadm_t)
+ ')
+
+@@ -201,6 +207,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mon_dontaudit_use_fds(fsadm_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(fsadm_t)
+ ')
+
+Index: refpolicy-2.20210203/policy/modules/apps/java.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/java.te
++++ refpolicy-2.20210203/policy/modules/apps/java.te
+@@ -128,11 +128,17 @@ tunable_policy(`allow_java_execstack',`
+ auth_use_nsswitch(java_t)
+
+ corecmd_search_bin(java_t)
++corecmd_exec_bin(java_t)
+
+ dev_read_sysfs(java_t)
+
++fs_read_cgroup_files(java_t)
++fs_search_cgroup_dirs(java_t)
++
+ locallogin_use_fds(java_t)
+
++libs_exec_lib_files(java_t)
++
+ userdom_read_user_tmp_files(java_t)
+ userdom_use_user_terminals(java_t)
+
+Index: refpolicy-2.20210203/policy/modules/kernel/storage.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.if
++++ refpolicy-2.20210203/policy/modules/kernel/storage.if
+@@ -309,6 +309,30 @@ interface(`storage_dev_filetrans_fixed_d
+
+ ########################################
+ ## <summary>
++## Create char devices in /dev with the fixed disk type
++## via an automatic type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="filename" optional="true">
++## <summary>
++## Optional filename of the char device to be created
++## </summary>
++## </param>
++#
++interface(`storage_dev_filetrans_fixed_disk_control',`
++ gen_require(`
++ type fixed_disk_device_t;
++ ')
++
++ dev_filetrans($1, fixed_disk_device_t, chr_file, $2)
++')
++
++########################################
++## <summary>
+ ## Create block devices in on a tmpfs filesystem with the
+ ## fixed disk type via an automatic type transition.
+ ## </summary>
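Review bot: The two new dhclient hook lines in corecommands.fc leave the `.` in `hooks.d` unescaped, unlike `dhclient\.d` two lines above and `cron\.monthly`, so the pattern also matches any other single character in that position; write `/etc/dhcp/dhclient-enter-hooks\.d(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` and the same for the exit-hooks line. The `--` qualifier means only regular files get bin_t and the directory itself is not matched by this rule, which differs from the unqualified `dhclient\.d(/.*)?` line; worth confirming that is intended. In java.te, `corecmd_exec_bin(java_t)` lets java_t run any bin_t program without a domain change, which is broader than the lib_t access jspawnhelper itself needs; a comment naming the reason, as the changelog does, would help: `# jspawnhelper and the programs it spawns, needed for JRE 17`. In fstools.te, `storage_manage_fixed_disk(fsadm_t)` grants more than the single chr_file create that the new filetrans rule needs; if the policy offers a narrower create-only interface it would be the least-privilege choice.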
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm 2021-04-06 13:27:36.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm 2021-05-15 18:59:16.000000000 +1000
@@ -347,7 +347,7 @@
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20210203/policy/modules/apps/chromium.te
-@@ -271,6 +271,7 @@ optional_policy(`
+@@ -275,6 +275,7 @@ optional_policy(`
optional_policy(`
gnome_dbus_chat_all_gkeyringd(chromium_t)
diff -Nru refpolicy-2.20210203/debian/patches/0035-certbot refpolicy-2.20210203/debian/patches/0035-certbot
--- refpolicy-2.20210203/debian/patches/0035-certbot 2021-05-06 03:50:58.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0035-certbot 2021-05-15 22:18:05.000000000 +1000
@@ -53,15 +53,44 @@
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
+++ refpolicy-2.20210203/policy/modules/services/certbot.te
-@@ -46,6 +46,7 @@ allow certbot_t self:netlink_route_socke
- files_search_var_lib(certbot_t)
+@@ -43,9 +43,10 @@ allow certbot_t self:udp_socket all_udp_
+ allow certbot_t self:tcp_socket all_tcp_socket_perms;
+ allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
+
+-files_search_var_lib(certbot_t)
++files_var_lib_filetrans(certbot_t, certbot_lib_t, dir, "letsencrypt")
manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
+allow certbot_t certbot_lib_t:file relabelfrom;
manage_dirs_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
-@@ -114,5 +115,17 @@ optional_policy(`
+@@ -62,7 +63,7 @@ allow certbot_t certbot_tmp_t:file mmap_
+ allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
+ allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
+
+-logging_search_logs(certbot_t)
++logging_log_filetrans(certbot_t, certbot_log_t, dir, "letsencrypt")
+ allow certbot_t certbot_log_t:dir manage_dir_perms;
+ allow certbot_t certbot_log_t:file manage_file_perms;
+
+@@ -80,11 +81,15 @@ corenet_tcp_connect_dns_port(certbot_t)
+ # bind to http port for standalone mode
+ corenet_tcp_bind_http_port(certbot_t)
+
++dev_read_urand(certbot_t)
++
+ domain_use_interactive_fds(certbot_t)
+
+ files_read_etc_files(certbot_t)
+ files_read_usr_files(certbot_t)
+
++# dontaudit for attempts to write python cache files
++libs_dontaudit_write_lib_dirs(certbot_t)
+ libs_exec_ldconfig(certbot_t)
+ # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
+ libs_exec_lib_files(certbot_t)
+@@ -110,5 +115,17 @@ optional_policy(`
# for writing to webroot
apache_manage_sys_content(certbot_t)
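Review bot: The two `filetrans` rules for "letsencrypt" fire only when certbot itself creates the directory under the var_lib_t or log root; a /var/lib/letsencrypt or /var/log/letsencrypt that already exists from before this policy keeps its old label and `manage_dirs_pattern` on certbot_lib_t will not cover it until a relabel, so the changelog's "out of the box on the first run" holds for fresh installs and an upgrade note should say so. A why-comment at the rules would also help: `# certbot creates these directories itself on first run, so transition them on create`. Worth confirming that the matching certbot.fc entries for both paths exist so restorecon and the runtime transition agree; they are not in this hunk.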