
Bug#991201: unblock: refpolicy/2:2.20210203-7



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

[ Reason ]
Improvement to policy for certbot, dhcp, mon, fsadm, and java.

[ Impact ]
This allows certbot to work out of the box on the first run.
It correctly labels dhclient hook scripts and wide-dhcpv6-client hooks.
Changes to mon and fsadm policy support megaraid (AKA PERC) RAID controllers.
Made the Java policy work for JRE 17.

[ Tests ]
Tested all of this manually.

[ Risks ]
No real risk, just added new allow rules.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing


unblock refpolicy/2:2.20210203-7

diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog	2021-05-08 17:55:06.000000000 +1000
+++ refpolicy-2.20210203/debian/changelog	2021-06-14 09:47:05.000000000 +1000
@@ -1,3 +1,19 @@
+refpolicy (2:2.20210203-7) unstable; urgency=medium
+
+  * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
+  * Label /etc/wide-dhcpv6/dhcp6c-ifupdown /etc/wide-dhcpv6/dhcp6c-script
+    /etc/dhcp/dhclient-enter-hooks.d/* and /etc/dhcp/dhclient-exit-hooks.d/*
+    as bin_t.
+  * Allow mon_local_test_t to run smartctl in fsadm_t for megaraid and other
+    corner cases and allowed fsadm_t to read fsdaemon_var_lib_t.  Dontaudit
+    fsadm_t inheriting file handles from mon_t.
+  * Allow fsadm_t to do a file type trans for creating
+    /dev/megaraid_sas_ioctl_node
+  * Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read
+    cgroup files.  Needed for JRE 17
+
+ -- Russell Coker <russell@coker.com.au>  Mon, 14 Jun 2021 09:47:05 +1000
+
 refpolicy (2:2.20210203-6) unstable; urgency=medium
 
   * Add policy for cockpit web admin tool
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services	2021-05-06 04:09:33.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0027-services	2021-06-14 09:47:05.000000000 +1000
@@ -217,26 +217,6 @@
  dev_rw_xserver_misc(boinc_t)
  
  domain_read_all_domains_state(boinc_t)
-Index: refpolicy-2.20210203/policy/modules/services/certbot.te
-===================================================================
---- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
-+++ refpolicy-2.20210203/policy/modules/services/certbot.te
-@@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t)
- # bind to http port for standalone mode
- corenet_tcp_bind_http_port(certbot_t)
- 
-+dev_read_urand(certbot_t)
-+
- domain_use_interactive_fds(certbot_t)
- 
- files_read_etc_files(certbot_t)
- files_read_usr_files(certbot_t)
- 
-+# dontaudit for attempts to write python cache files
-+libs_dontaudit_write_lib_dirs(certbot_t)
- libs_exec_ldconfig(certbot_t)
- # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
- libs_exec_lib_files(certbot_t)
 Index: refpolicy-2.20210203/policy/modules/services/clamav.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
@@ -561,7 +541,7 @@
  files_read_usr_files(mon_local_test_t)
  files_search_mnt(mon_local_test_t)
  files_search_spool(mon_local_test_t)
-@@ -197,8 +203,11 @@ files_list_boot(mon_local_test_t)
+@@ -197,9 +203,13 @@ files_list_boot(mon_local_test_t)
  fs_search_auto_mountpoints(mon_local_test_t)
  fs_getattr_nfs(mon_local_test_t)
  fs_getattr_xattr_fs(mon_local_test_t)
@@ -571,9 +551,11 @@
 +fs_read_cgroup_files(mon_local_test_t)
 +fs_search_cgroup_dirs(mon_local_test_t)
  fs_search_nfs(mon_local_test_t)
++fstools_domtrans(mon_local_test_t)
  
  storage_getattr_fixed_disk_dev(mon_local_test_t)
-@@ -211,12 +220,14 @@ application_exec_all(mon_local_test_t)
+ storage_getattr_removable_dev(mon_local_test_t)
+@@ -211,12 +221,14 @@ application_exec_all(mon_local_test_t)
  
  auth_use_nsswitch(mon_local_test_t)
  
@@ -1765,3 +1747,130 @@
  dontaudit inetd_t self:capability sys_tty_config;
  allow inetd_t self:process { setsched setexec setrlimit };
  allow inetd_t self:fifo_file rw_fifo_file_perms;
+Index: refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
+@@ -43,6 +43,8 @@ ifdef(`distro_redhat',`
+ /etc/cron\.monthly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/etc/dhcp/dhclient-enter-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
++/etc/dhcp/dhclient-exit-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
+@@ -101,6 +103,9 @@ ifdef(`distro_redhat',`
+ 
+ /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/wide-dhcpv6/dhcp6c-ifupdown --	gen_context(system_u:object_r:bin_t,s0)
++/etc/wide-dhcpv6/dhcp6c-script	--	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
+Index: refpolicy-2.20210203/policy/modules/kernel/storage.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.fc
++++ refpolicy-2.20210203/policy/modules/kernel/storage.fc
+@@ -29,6 +29,7 @@
+ /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megaraid.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+Index: refpolicy-2.20210203/policy/modules/system/fstools.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
++++ refpolicy-2.20210203/policy/modules/system/fstools.te
+@@ -137,6 +137,8 @@ mls_file_write_all_levels(fsadm_t)
+ 
+ selinux_getattr_fs(fsadm_t)
+ 
++storage_dev_filetrans_fixed_disk_control(fsadm_t, "megaraid_sas_ioctl_node")
++storage_manage_fixed_disk(fsadm_t)
+ storage_raw_read_fixed_disk(fsadm_t)
+ storage_raw_write_fixed_disk(fsadm_t)
+ storage_raw_read_removable_device(fsadm_t)
+@@ -192,6 +194,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	fsdaemon_read_lib(fsadm_t)
++')
++
++optional_policy(`
+ 	livecd_rw_tmp_files(fsadm_t)
+ ')
+ 
+@@ -201,6 +207,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mon_dontaudit_use_fds(fsadm_t)
++')
++
++optional_policy(`
+ 	nis_use_ypbind(fsadm_t)
+ ')
+ 
+Index: refpolicy-2.20210203/policy/modules/apps/java.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/java.te
++++ refpolicy-2.20210203/policy/modules/apps/java.te
+@@ -128,11 +128,17 @@ tunable_policy(`allow_java_execstack',`
+ auth_use_nsswitch(java_t)
+ 
+ corecmd_search_bin(java_t)
++corecmd_exec_bin(java_t)
+ 
+ dev_read_sysfs(java_t)
+ 
++fs_read_cgroup_files(java_t)
++fs_search_cgroup_dirs(java_t)
++
+ locallogin_use_fds(java_t)
+ 
++libs_exec_lib_files(java_t)
++
+ userdom_read_user_tmp_files(java_t)
+ userdom_use_user_terminals(java_t)
+ 
+Index: refpolicy-2.20210203/policy/modules/kernel/storage.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.if
++++ refpolicy-2.20210203/policy/modules/kernel/storage.if
+@@ -309,6 +309,30 @@ interface(`storage_dev_filetrans_fixed_d
+ 
+ ########################################
+ ## <summary>
++##	Create char devices in /dev with the fixed disk type
++##	via an automatic type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="filename" optional="true">
++##	<summary>
++##	Optional filename of the char device to be created
++##	</summary>
++## </param>
++#
++interface(`storage_dev_filetrans_fixed_disk_control',`
++	gen_require(`
++		type fixed_disk_device_t;
++	')
++
++	dev_filetrans($1, fixed_disk_device_t, chr_file, $2)
++')
++
++########################################
++## <summary>
+ ##	Create block devices in on a tmpfs filesystem with the
+ ##	fixed disk type via an automatic type transition.
+ ## </summary>
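Review bot: The two new corecommands.fc entries `/etc/dhcp/dhclient-enter-hooks.d(/.*)?` and `/etc/dhcp/dhclient-exit-hooks.d(/.*)?` leave the `.` before `d` unescaped, unlike the neighbouring `dhclient\.d` and `cron\.monthly` entries, so the pattern also matches names like `dhclient-enter-hooksXd`; write them as `/etc/dhcp/dhclient-enter-hooks\.d(/.*)? --` and `/etc/dhcp/dhclient-exit-hooks\.d(/.*)? --`. In the java.te part of this hunk, `corecmd_exec_bin(java_t)` and `libs_exec_lib_files(java_t)` are broad grants (every bin_t and every lib_t file) that the changelog attributes to a single helper, yet java.te records no reason; a line such as `# for jspawnhelper (JRE 17)` above them, in the style of the `# for /usr/lib/gcc/...` comment used in certbot.te in this same debdiff, would document why the wide rule was chosen.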
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-04-06 13:27:36.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm	2021-05-15 18:59:16.000000000 +1000
@@ -347,7 +347,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
 +++ refpolicy-2.20210203/policy/modules/apps/chromium.te
-@@ -271,6 +271,7 @@ optional_policy(`
+@@ -275,6 +275,7 @@ optional_policy(`
  
  	optional_policy(`
  		gnome_dbus_chat_all_gkeyringd(chromium_t)
diff -Nru refpolicy-2.20210203/debian/patches/0035-certbot refpolicy-2.20210203/debian/patches/0035-certbot
--- refpolicy-2.20210203/debian/patches/0035-certbot	2021-05-06 03:50:58.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0035-certbot	2021-05-15 22:18:05.000000000 +1000
@@ -53,15 +53,44 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
 +++ refpolicy-2.20210203/policy/modules/services/certbot.te
-@@ -46,6 +46,7 @@ allow certbot_t self:netlink_route_socke
- files_search_var_lib(certbot_t)
+@@ -43,9 +43,10 @@ allow certbot_t self:udp_socket all_udp_
+ allow certbot_t self:tcp_socket all_tcp_socket_perms;
+ allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
+ 
+-files_search_var_lib(certbot_t)
++files_var_lib_filetrans(certbot_t, certbot_lib_t, dir, "letsencrypt")
  manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
  manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 +allow certbot_t certbot_lib_t:file relabelfrom;
  
  manage_dirs_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
  manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
-@@ -114,5 +115,17 @@ optional_policy(`
+@@ -62,7 +63,7 @@ allow certbot_t certbot_tmp_t:file mmap_
+ allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
+ allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
+ 
+-logging_search_logs(certbot_t)
++logging_log_filetrans(certbot_t, certbot_log_t, dir, "letsencrypt")
+ allow certbot_t certbot_log_t:dir manage_dir_perms;
+ allow certbot_t certbot_log_t:file manage_file_perms;
+ 
+@@ -80,11 +81,15 @@ corenet_tcp_connect_dns_port(certbot_t)
+ # bind to http port for standalone mode
+ corenet_tcp_bind_http_port(certbot_t)
+ 
++dev_read_urand(certbot_t)
++
+ domain_use_interactive_fds(certbot_t)
+ 
+ files_read_etc_files(certbot_t)
+ files_read_usr_files(certbot_t)
+ 
++# dontaudit for attempts to write python cache files
++libs_dontaudit_write_lib_dirs(certbot_t)
+ libs_exec_ldconfig(certbot_t)
+ # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
+ libs_exec_lib_files(certbot_t)
+@@ -110,5 +115,17 @@ optional_policy(`
  	# for writing to webroot
  	apache_manage_sys_content(certbot_t)
  

