From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7C6C6C4332B
	for <selinux-refpolicy@archiver.kernel.org>; Wed, 20 Jan 2021 11:12:16 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 468C223159
	for <selinux-refpolicy@archiver.kernel.org>; Wed, 20 Jan 2021 11:12:16 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730559AbhATLKA (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Wed, 20 Jan 2021 06:10:00 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:41370 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732259AbhATKSG (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 20 Jan 2021 05:18:06 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id D5F5C16AF5
        for <selinux-refpolicy@vger.kernel.org>; Wed, 20 Jan 2021 21:17:21 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1611137842;
        bh=AqCL8OUwBzVwWmG1IIL2HT34YdsAa6oCIAJG9JHWfDE=; l=3729;
        h=Date:From:To:Subject:From;
        b=OkFHa9gDSqKJWO6BO1ghSXFyuvhmlI9OX/ASWsTV/NqSMTQ+M6EbSdHX0cVf53y8Y
         H0JXgbzefY+bOkqmInJ1/DEsgFzyVmC7em1D6lJ1AYmfRL+4BmJiOkNUhG4d5UFj04
         bWfyJTYJoV8I6PgvL8m58rq5wz5gWpTfci63k4sY=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id BB37C131FD18; Wed, 20 Jan 2021 21:17:17 +1100 (AEDT)
Date:   Wed, 20 Jan 2021 21:17:17 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] latest memlockd patch
Message-ID: <YAgDLZznabfyzIaJ@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Includes the ifndef(`distro_debian' section that was requested.  Should be
ready for merging now.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20201205/policy/modules/services/memlockd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20201205/policy/modules/services/memlockd.fc
@@ -0,0 +1 @@
+/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
Index: refpolicy-2.20201205/policy/modules/services/memlockd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20201205/policy/modules/services/memlockd.if
@@ -0,0 +1,2 @@
+## <summary>memory lock daemon, keeps important files in RAM.</summary>
+
Index: refpolicy-2.20201205/policy/modules/services/memlockd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20201205/policy/modules/services/memlockd.te
@@ -0,0 +1,39 @@
+policy_module(memlockd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memlockd_t;
+type memlockd_exec_t;
+init_daemon_domain(memlockd_t, memlockd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow memlockd_t self:capability { setgid setuid ipc_lock };
+ifndef(`distro_debian', `
+allow memlockd_t self:capability dac_read_search;
+')
+allow memlockd_t self:fifo_file rw_file_perms;
+
+# cache /etc/shadow too
+auth_read_shadow(memlockd_t)
+auth_map_shadow(memlockd_t)
+
+corecmd_exec_all_executables(memlockd_t)
+corecmd_exec_bin(memlockd_t)
+corecmd_exec_shell(memlockd_t)
+corecmd_read_all_executables(memlockd_t)
+corecmd_search_bin(memlockd_t)
+files_read_etc_files(memlockd_t)
+libs_exec_ld_so(memlockd_t)
+files_map_etc_files(memlockd_t)
+
+logging_send_syslog_msg(memlockd_t)
+miscfiles_read_localization(memlockd_t)
+
+sysnet_mmap_read_config(memlockd_t)
Index: refpolicy-2.20201205/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20201205/policy/modules/system/sysnetwork.if
@@ -393,6 +393,31 @@ interface(`sysnet_mmap_config_files',`
 
 #######################################
 ## <summary>
+##	map network config files.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to mmap the
+##	general network configuration files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_mmap_read_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file mmap_read_file_perms;
+')
+
+#######################################
+## <summary>
 ##	Do not audit attempts to read network config files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20201205/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20201205/policy/modules/system/authlogin.if
@@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
 
 ########################################
 ## <summary>
+##	Map the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_map_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+	allow $1 shadow_t:file map;
+')
+
+########################################
+## <summary>
 ##	Pass shadow assertion for reading.
 ## </summary>
 ## <desc>