[PATCH] misc apps and admin patches

[PATCH] misc apps and admin patches

[Russell Coker]

Patches for apt unattended upgrades and dbus, logrotate certs and samba,
games_t, mplayer/mencoder, and sysadm_t dbus.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20210120/policy/modules/admin/apt.fc
@@ -5,6 +5,8 @@
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
@@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
-
+/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
Index: refpolicy-2.20210120/policy/modules/admin/apt.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
+++ refpolicy-2.20210120/policy/modules/admin/apt.te
@@ -155,6 +155,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(apt_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(apt_t)
 ')
 
@@ -169,5 +173,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(apt_t)
+')
+
+optional_policy(`
 	unconfined_domain(apt_t)
 ')
Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
@@ -186,6 +186,9 @@ ifdef(`distro_debian',`
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
+
+	apt_use_fds(bootloader_t)
+	apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`
Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
@@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
 logging_exec_all_logs(logrotate_t)
 
+miscfiles_read_generic_certs(logrotate_t)
 miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
@@ -242,6 +243,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_domtrans_smbcontrol(logrotate_t)
 	samba_exec_log(logrotate_t)
 ')
 
Index: refpolicy-2.20210120/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210120/policy/modules/apps/games.te
@@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
 
 can_exec(games_t, games_exec_t)
 
+kernel_read_kernel_sysctls(games_t)
 kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
+corecmd_exec_shell(games_t)
 
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
 
 logging_dontaudit_search_logs(games_t)
 
+miscfiles_read_generic_certs(games_t)
 miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
@@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
 ')
 
 optional_policy(`
+	alsa_read_config(games_t)
+')
+
+optional_policy(`
 	dbus_all_session_bus_client(games_t)
 	dbus_connect_all_session_bus(games_t)
+	dbus_read_lib_files(games_t)
+	dbus_system_bus_client(games_t)
 ')
 
 optional_policy(`
@@ -175,6 +184,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xdg_read_config_files(games_t)
+	xdg_read_data_files(games_t)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)
 	xserver_read_xdm_lib_files(games_t)
Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
+++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
@@ -38,7 +38,7 @@ interface(`mplayer_role',`
 	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
 	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
 
-	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
+	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
 	ps_process_pattern($2, { mplayer_t mencoder_t })
 
 	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
+++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
@@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(mencoder_t)
 ')
 
+tunable_policy(`xserver_allow_dri',`
+	dev_rw_dri(mplayer_t)
+')
+
 ########################################
 #
 # Mplayer local policy
 #
 
-allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:process { signal_perms getsched setsched };
 allow mplayer_t self:fifo_file rw_fifo_file_perms;
 allow mplayer_t self:sem create_sem_perms;
 allow mplayer_t self:udp_socket create_socket_perms;
@@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
 kernel_dontaudit_list_unlabeled(mplayer_t)
 kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
 kernel_dontaudit_read_unlabeled_files(mplayer_t)
+kernel_read_crypto_sysctls(mplayer_t)
 kernel_read_system_state(mplayer_t)
 kernel_read_kernel_sysctls(mplayer_t)
 
Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
@@ -530,6 +530,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(sysadm_t)
+')
+
+optional_policy(`
 	inn_admin(sysadm_t, sysadm_r)
 ')
 

Re: [PATCH] misc apps and admin patches

[Dominick Grift]

Russell Coker <russell@coker.com.au> writes:

> Patches for apt unattended upgrades and dbus, logrotate certs and samba,
> games_t, mplayer/mencoder, and sysadm_t dbus.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210120/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
>  /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>  
>  ifndef(`distro_redhat',`
>  /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
>  /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>  
>  /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
>  /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210120/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210120/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
>  	nis_use_ypbind(apt_t)
>  ')
>  
> @@ -169,5 +173,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
>  	unconfined_domain(apt_t)
>  ')
> Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>  
>  	dpkg_read_db(bootloader_t)
>  	dpkg_rw_pipes(bootloader_t)
> +
> +	apt_use_fds(bootloader_t)
> +	apt_use_ptys(bootloader_t)
>  ')
>  
>  ifdef(`distro_redhat',`
> Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
>  logging_send_audit_msgs(logrotate_t)
>  logging_exec_all_logs(logrotate_t)
>  
> +miscfiles_read_generic_certs(logrotate_t)
>  miscfiles_read_localization(logrotate_t)
>  
>  seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	samba_domtrans_smbcontrol(logrotate_t)
>  	samba_exec_log(logrotate_t)
>  ')
>  
> Index: refpolicy-2.20210120/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210120/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>  
>  can_exec(games_t, games_exec_t)
>  
> +kernel_read_kernel_sysctls(games_t)
>  kernel_read_system_state(games_t)
>  
>  corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>  
>  corenet_all_recvfrom_netlabel(games_t)
>  corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>  
>  logging_dontaudit_search_logs(games_t)
>  
> +miscfiles_read_generic_certs(games_t)
>  miscfiles_read_man_pages(games_t)
>  miscfiles_read_localization(games_t)
>  
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
>  ')
>  
>  optional_policy(`
> +	alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
>  	dbus_all_session_bus_client(games_t)
>  	dbus_connect_all_session_bus(games_t)
> +	dbus_read_lib_files(games_t)
> +	dbus_system_bus_client(games_t)
>  ')
>  
>  optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	xdg_read_config_files(games_t)
> +	xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
>  	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
>  	xserver_create_xdm_tmp_sockets(games_t)
>  	xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
>  	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
>  	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>  
> -	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> +	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
>  	ps_process_pattern($2, { mplayer_t mencoder_t })
>  
>  	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
>  	fs_manage_cifs_symlinks(mencoder_t)
>  ')
>  
> +tunable_policy(`xserver_allow_dri',`
> +	dev_rw_dri(mplayer_t)
> +')
> +
>  ########################################
>  #
>  # Mplayer local policy
>  #
>  
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
>  allow mplayer_t self:fifo_file rw_fifo_file_perms;
>  allow mplayer_t self:sem create_sem_perms;
>  allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
>  kernel_dontaudit_list_unlabeled(mplayer_t)
>  kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
>  kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
>  kernel_read_system_state(mplayer_t)
>  kernel_read_kernel_sysctls(mplayer_t)
>  
> Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
> @@ -530,6 +530,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	init_dbus_chat(sysadm_t)

Can you explain why you added this?

> +')
> +
> +optional_policy(`
>  	inn_admin(sysadm_t, sysadm_r)
>  ')
>  
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

Re: [PATCH] misc apps and admin patches

[Russell Coker]

On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
> > optional_policy(`
> > +       init_dbus_chat(sysadm_t)
> 
> Can you explain why you added this?

Apart from the obvious that some program wanted it, no.  I'll remove that bit 
and add it again with a note if it's necessary.  Did you like the rest of that 
patch?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Re: [PATCH] misc apps and admin patches

[Dominick Grift]

Russell Coker <russell@coker.com.au> writes:

> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>> > optional_policy(`
>> > +       init_dbus_chat(sysadm_t)
>> 
>> Can you explain why you added this?
>
> Apart from the obvious that some program wanted it, no.  I'll remove that bit 
> and add it again with a note if it's necessary.  Did you like the rest of that 
> patch?

Yes, if i didnt add any more comments then i liked the remainder of the
patch. I might have overlooked things though because that was quite a
load you dumped there.


-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

Re: [PATCH] misc apps and admin patches

[Dominick Grift]

Russell Coker <russell@coker.com.au> writes:

> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>> > optional_policy(`
>> > +       init_dbus_chat(sysadm_t)
>> 
>> Can you explain why you added this?
>
> Apart from the obvious that some program wanted it, no.  I'll remove that bit 
> and add it again with a note if it's necessary.  Did you like the rest of that 
> patch?

Yes and thats my beef with this. "some program wanted it". sysadm_t is a
shell domain. Any programs that need this should, in my view, ideally be
targeted. If you dont want that then use unconfined_t instead and be
done.

I dont want sysadm_t to become a "drunken unconfined_t".

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

Re: [PATCH] misc apps and admin patches

[Dominick Grift]

Dominick Grift <dominick.grift@defensec.nl> writes:

> Russell Coker <russell@coker.com.au> writes:
>
>> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>>> > optional_policy(`
>>> > +       init_dbus_chat(sysadm_t)
>>> 
>>> Can you explain why you added this?
>>
>> Apart from the obvious that some program wanted it, no.  I'll remove that bit 
>> and add it again with a note if it's necessary.  Did you like the rest of that 
>> patch?
>
> Yes and thats my beef with this. "some program wanted it". sysadm_t is a
> shell domain. Any programs that need this should, in my view, ideally be
> targeted. If you dont want that then use unconfined_t instead and be
> done.
>
> I dont want sysadm_t to become a "drunken unconfined_t".

But also if this was added to support resolving dynamic users with
systemd then this is no longer needed because resolving of dynamic users
with systemd is no longer done with dbus. It is using varlink for that
now.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

Re: [PATCH] misc apps and admin patches

[Russell Coker]

On Thursday, 21 January 2021 2:06:25 AM AEDT Dominick Grift wrote:
> >> Can you explain why you added this?
> > 
> > Apart from the obvious that some program wanted it, no.  I'll remove that
> > bit and add it again with a note if it's necessary.  Did you like the
> > rest of that patch?
> 
> Yes and thats my beef with this. "some program wanted it". sysadm_t is a
> shell domain. Any programs that need this should, in my view, ideally be
> targeted. If you dont want that then use unconfined_t instead and be
> done.
> 
> I dont want sysadm_t to become a "drunken unconfined_t".

Fair point.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Re: [PATCH] misc apps and admin patches

[Chris PeBenito]

On 2/2/21 9:55 AM, Russell Coker wrote:
> Send again without the section Dominick didn't like.  I think it's ready for inclusion.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210126/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210126/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
>   /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>   
>   ifndef(`distro_redhat',`
>   /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
>   /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>   
>   /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
>   /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210126/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210126/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
>   	nis_use_ypbind(apt_t)
>   ')
>   
> @@ -169,5 +173,9 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
>   	unconfined_domain(apt_t)
>   ')
> Index: refpolicy-2.20210126/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210126/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>   
>   	dpkg_read_db(bootloader_t)
>   	dpkg_rw_pipes(bootloader_t)
> +
> +	apt_use_fds(bootloader_t)
> +	apt_use_ptys(bootloader_t)
>   ')
>   
>   ifdef(`distro_redhat',`
> Index: refpolicy-2.20210126/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210126/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
>   logging_send_audit_msgs(logrotate_t)
>   logging_exec_all_logs(logrotate_t)
>   
> +miscfiles_read_generic_certs(logrotate_t)
>   miscfiles_read_localization(logrotate_t)
>   
>   seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	samba_domtrans_smbcontrol(logrotate_t)
>   	samba_exec_log(logrotate_t)
>   ')
>   
> Index: refpolicy-2.20210126/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210126/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>   
>   can_exec(games_t, games_exec_t)
>   
> +kernel_read_kernel_sysctls(games_t)
>   kernel_read_system_state(games_t)
>   
>   corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>   
>   corenet_all_recvfrom_netlabel(games_t)
>   corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>   
>   logging_dontaudit_search_logs(games_t)
>   
> +miscfiles_read_generic_certs(games_t)
>   miscfiles_read_man_pages(games_t)
>   miscfiles_read_localization(games_t)
>   
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
>   ')
>   
>   optional_policy(`
> +	alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
>   	dbus_all_session_bus_client(games_t)
>   	dbus_connect_all_session_bus(games_t)
> +	dbus_read_lib_files(games_t)
> +	dbus_system_bus_client(games_t)
>   ')
>   
>   optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	xdg_read_config_files(games_t)
> +	xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
>   	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
>   	xserver_create_xdm_tmp_sockets(games_t)
>   	xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210126/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210126/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
>   	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
>   	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>   
> -	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> +	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
>   	ps_process_pattern($2, { mplayer_t mencoder_t })
>   
>   	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210126/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210126/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
>   	fs_manage_cifs_symlinks(mencoder_t)
>   ')
>   
> +tunable_policy(`xserver_allow_dri',`
> +	dev_rw_dri(mplayer_t)
> +')
> +
>   ########################################
>   #
>   # Mplayer local policy
>   #
>   
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
>   allow mplayer_t self:fifo_file rw_fifo_file_perms;
>   allow mplayer_t self:sem create_sem_perms;
>   allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
>   kernel_dontaudit_list_unlabeled(mplayer_t)
>   kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
>   kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
>   kernel_read_system_state(mplayer_t)
>   kernel_read_kernel_sysctls(mplayer_t)

Merged.  Some lines were moved.

-- 
Chris PeBenito

[PATCH] misc apps and admin patches

[Russell Coker]

Send again without the section Dominick didn't like.  I think it's ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210126/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20210126/policy/modules/admin/apt.fc
@@ -5,6 +5,8 @@
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
@@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
-
+/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
Index: refpolicy-2.20210126/policy/modules/admin/apt.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/apt.te
+++ refpolicy-2.20210126/policy/modules/admin/apt.te
@@ -155,6 +155,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(apt_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(apt_t)
 ')
 
@@ -169,5 +173,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(apt_t)
+')
+
+optional_policy(`
 	unconfined_domain(apt_t)
 ')
Index: refpolicy-2.20210126/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210126/policy/modules/admin/bootloader.te
@@ -186,6 +186,9 @@ ifdef(`distro_debian',`
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
+
+	apt_use_fds(bootloader_t)
+	apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`
Index: refpolicy-2.20210126/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210126/policy/modules/admin/logrotate.te
@@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
 logging_exec_all_logs(logrotate_t)
 
+miscfiles_read_generic_certs(logrotate_t)
 miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
@@ -242,6 +243,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_domtrans_smbcontrol(logrotate_t)
 	samba_exec_log(logrotate_t)
 ')
 
Index: refpolicy-2.20210126/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210126/policy/modules/apps/games.te
@@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
 
 can_exec(games_t, games_exec_t)
 
+kernel_read_kernel_sysctls(games_t)
 kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
+corecmd_exec_shell(games_t)
 
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
 
 logging_dontaudit_search_logs(games_t)
 
+miscfiles_read_generic_certs(games_t)
 miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
@@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
 ')
 
 optional_policy(`
+	alsa_read_config(games_t)
+')
+
+optional_policy(`
 	dbus_all_session_bus_client(games_t)
 	dbus_connect_all_session_bus(games_t)
+	dbus_read_lib_files(games_t)
+	dbus_system_bus_client(games_t)
 ')
 
 optional_policy(`
@@ -175,6 +184,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xdg_read_config_files(games_t)
+	xdg_read_data_files(games_t)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)
 	xserver_read_xdm_lib_files(games_t)
Index: refpolicy-2.20210126/policy/modules/apps/mplayer.if
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.if
+++ refpolicy-2.20210126/policy/modules/apps/mplayer.if
@@ -38,7 +38,7 @@ interface(`mplayer_role',`
 	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
 	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
 
-	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
+	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
 	ps_process_pattern($2, { mplayer_t mencoder_t })
 
 	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
Index: refpolicy-2.20210126/policy/modules/apps/mplayer.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.te
+++ refpolicy-2.20210126/policy/modules/apps/mplayer.te
@@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(mencoder_t)
 ')
 
+tunable_policy(`xserver_allow_dri',`
+	dev_rw_dri(mplayer_t)
+')
+
 ########################################
 #
 # Mplayer local policy
 #
 
-allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:process { signal_perms getsched setsched };
 allow mplayer_t self:fifo_file rw_fifo_file_perms;
 allow mplayer_t self:sem create_sem_perms;
 allow mplayer_t self:udp_socket create_socket_perms;
@@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
 kernel_dontaudit_list_unlabeled(mplayer_t)
 kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
 kernel_dontaudit_read_unlabeled_files(mplayer_t)
+kernel_read_crypto_sysctls(mplayer_t)
 kernel_read_system_state(mplayer_t)
 kernel_read_kernel_sysctls(mplayer_t)