[PATCH] missing from previous

From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] missing from previous
Date: Sun, 6 Jan 2019 13:42:35 +1100	[thread overview]
Message-ID: <20190106024235.GA17569@xev> (raw)

Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.

Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================

--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	allow $1 apt_var_cache_t:file read_file_perms;
+	allow $1 apt_var_cache_t:file mmap_read_file_perms;
 ')
 
 ########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir manage_dir_perms;
-	allow $1 apt_var_cache_t:file manage_file_perms;
+	allow $1 apt_var_cache_t:file { manage_file_perms map };
 ')
 
 ########################################
Index: refpolicy-2.20180701/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20180701/policy/modules/system/systemd.if
@@ -307,6 +307,7 @@ interface(`systemd_use_passwd_agent',`
 	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 
 	allow systemd_passwd_agent_t $1:process signull;
+	ps_process_pattern(systemd_passwd_agent_t, $1)
 	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
 ')
 
@@ -828,3 +829,22 @@ interface(`systemd_getattr_updated_runti
 
 	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
 ')
+
+#######################################
+## <summary>
+##  Allow domain to list dirs under /run/systemd/netif
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain permitted the access
+## </summary>
+## </param>
+#
+interface(`systemd_list_netif',`
+	gen_require(`
+		type systemd_networkd_var_run_t;
+	')
+
+	init_list_pids($1)
+	allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
+')
Index: refpolicy-2.20180701/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20180701/policy/modules/services/ntp.te
@@ -152,7 +152,7 @@ ifdef(`init_systemd',`
 	init_list_var_lib_dirs(ntpd_t)
 
 	# for /run/systemd/netif/links
-	init_list_pids(ntpd_t)
+	systemd_list_netif(ntpd_t)
 
 	optional_policy(`
 		unconfined_dbus_send(ntpd_t)
Index: refpolicy-2.20180701/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180701/policy/modules/system/logging.te
@@ -552,6 +552,8 @@ ifdef(`init_systemd',`
 	init_dgram_send(syslogd_t)
 	init_read_pid_pipes(syslogd_t)
 	init_read_state(syslogd_t)
+	# for /run/systemd/units/invocation:* links
+	init_read_unit_links(syslogd_t)
 
 	systemd_manage_journal_files(syslogd_t)
 
