[PATCH] misc services patches with changes Dominick wanted

[PATCH] misc services patches with changes Dominick wanted

[Russell Coker]

This patch has some changes Dominick wanted and some parts that he disliked
removed.  The one place where I didn't make his change I gave less access than
he recommended.

I think this is ready for merging.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210120/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210120/policy/modules/services/apache.fc
@@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 
 ifdef(`distro_suse',`
 /usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -144,7 +146,7 @@ ifdef(`distro_suse',`
 /var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_runtime_t,s0)
 /var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)?					gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 /var/lib/stickshift/\.httpd\.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -170,6 +172,7 @@ ifdef(`distro_suse',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log					--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
@@ -178,6 +181,7 @@ ifdef(`distro_suse',`
 /run/httpd.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/mod_.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)?							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/wsgi.*						-s	gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
 
Index: refpolicy-2.20210120/policy/modules/services/apache.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.if
+++ refpolicy-2.20210120/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`
 
 	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
 	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -97,6 +98,8 @@ template(`apache_content_template',`
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+		allow httpd_t httpd_$1_content_t:file map;
+		allow httpd_t httpd_$1_rw_content_t:file map;
 	')
 ')
 
@@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
 	apache_search_sys_content($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	allow $1 httpd_sys_rw_content_t:file map;
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
@@ -1132,6 +1136,24 @@ interface(`apache_append_squirrelmail_da
 ')
 
 ########################################
+## <summary>
+##	delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+	gen_require(`
+		type squirrelmail_spool_t;
+	')
+
+	delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
+')
+
+########################################
 ## <summary>
 ##	Search httpd system content.
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210120/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
 allow httpd_t httpd_htaccess_type:file read_file_perms;
 
 allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
 allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
 kernel_read_vm_sysctls(httpd_t)
 kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
 
 fs_read_anon_inodefs_files(httpd_t)
 fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
 
 files_dontaudit_getattr_all_runtime_files(httpd_t)
 files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
 	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
 
 	allow httpd_t httpdcontent:dir list_dir_perms;
-	allow httpd_t httpdcontent:file read_file_perms;
+	allow httpd_t httpdcontent:file { map read_file_perms };
 	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
 
 	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+	allow httpd_t httpdcontent:file map;
 	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -903,6 +913,7 @@ optional_policy(`
 #
 
 read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@
 
 /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
 
-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
+/run/apt-cacher(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 
+/var/cache/apt-cacher(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 /var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 
 /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
 
+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
 /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.if
@@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+######################################
+## <summary>
+##     read aptcacher config
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to read it.
+##     </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_
 
 auth_use_nsswitch(aptcacher_t)
 
+files_read_etc_files(aptcacher_t)
+
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
 
Index: refpolicy-2.20210120/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210120/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
 files_read_usr_files(named_t)
+files_map_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
Index: refpolicy-2.20210120/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210120/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
 allow colord_t self:tcp_socket { accept listen };
 allow colord_t self:shm create_shm_perms;
 
+can_exec(colord_t, colord_exec_t)
+
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -128,6 +130,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	snmp_read_snmp_var_lib_files(colord_t)
+')
+
+optional_policy(`
 	sysnet_exec_ifconfig(colord_t)
 ')
 
@@ -136,6 +142,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_send(colord_t)
+')
+
+optional_policy(`
 	xserver_read_xdm_lib_files(colord_t)
 	xserver_use_xdm_fds(colord_t)
 ')
Index: refpolicy-2.20210120/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210120/policy/modules/services/cron.te
@@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
 init_get_generic_units_status(system_cronjob_t)
 init_get_system_status(system_cronjob_t)
 
+backup_manage_store_files(system_cronjob_t)
+
 auth_manage_var_auth(crond_t)
 auth_use_pam(crond_t)
 
@@ -340,6 +342,11 @@ ifdef(`distro_debian',`
 	')
 
 	optional_policy(`
+		aptcacher_read_config(system_cronjob_t)
+		corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+	')
+
+	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
 ')
@@ -435,6 +442,7 @@ optional_policy(`
 	init_dbus_chat(crond_t)
 	init_dbus_chat(system_cronjob_t)
 	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_read_journal_files(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
@@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
 corenet_tcp_sendrecv_generic_node(system_cronjob_t)
 corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)
 
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
@@ -587,6 +596,7 @@ optional_policy(`
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
 	apache_delete_lib_files(system_cronjob_t)
+	apache_delete_squirrelmail_spool(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -659,6 +669,8 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
+	spamassassin_status(system_cronjob_t)
+	spamassassin_reload(system_cronjob_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210120/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`
 
 allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
 allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
 allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
 allow cupsd_t self:tcp_socket { accept listen };
@@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
 
 libs_read_lib_files(cupsd_t)
 libs_exec_lib_files(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)
 
 logging_send_audit_msgs(cupsd_t)
 logging_send_syslog_msg(cupsd_t)
Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210120/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
 fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
 
+mount_rw_runtime_files(devicekit_disk_t)
+
 mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
 
Index: refpolicy-2.20210120/policy/modules/services/entropyd.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te
+++ refpolicy-2.20210120/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 
Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)
Index: refpolicy-2.20210120/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20210120/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
 # usr for lua modules
 files_read_usr_files(jabberd_t)
 
+files_search_var_lib(jabberd_t)
+
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_generic_tls_privkey(jabberd_t)
 miscfiles_read_all_certs(jabberd_t)
 
 sysnet_read_config(jabberd_t)
Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
+++ refpolicy-2.20210120/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
 allow l2tpd_t self:tcp_socket { accept listen };
 allow l2tpd_t self:unix_dgram_socket sendto;
 allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;
 
 read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
 
Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -150,6 +150,10 @@ optional_policy(`
 	bind_read_zone(mon_net_test_t)
 ')
 
+optional_policy(`
+	mysql_stream_connect(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -159,7 +163,8 @@ optional_policy(`
 # try not to use dontaudit rules for this
 #
 
-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
 
Index: refpolicy-2.20210120/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210120/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system
 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 /usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210120/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)
 
 corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
 fs_rw_hugetlbfs_files(mysqld_t)
 
 files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
 
 logging_send_syslog_msg(mysqld_t)
 
+miscfiles_read_generic_certs(mysqld_t)
 miscfiles_read_localization(mysqld_t)
 
 userdom_search_user_home_dirs(mysqld_t)
Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210120/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
+init_read_state(openvpn_t)
+
 miscfiles_read_localization(openvpn_t)
 miscfiles_read_all_certs(openvpn_t)
 
@@ -163,6 +165,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_script_rw_inherited_pipes(openvpn_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
 
@@ -174,3 +180,7 @@ optional_policy(`
 optional_policy(`
 	systemd_use_passwd_agent(openvpn_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(openvpn_t)
+')
Index: refpolicy-2.20210120/policy/modules/services/postgrey.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te
+++ refpolicy-2.20210120/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210120/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
 kernel_setsched(nfsd_t)
 kernel_request_load_module(nfsd_t)
 # kernel_mounton_proc(nfsd_t)
Index: refpolicy-2.20210120/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/samba.te
+++ refpolicy-2.20210120/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
 
 allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
 allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
 allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
 manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
 
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
 stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
 
 stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -480,6 +487,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(smbd_t)
+')
+
+optional_policy(`
 	kerberos_read_keytab(smbd_t)
 	kerberos_use(smbd_t)
 ')
@@ -520,6 +531,7 @@ allow nmbd_t self:unix_stream_socket { a
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -532,7 +544,7 @@ create_files_pattern(nmbd_t, samba_log_t
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -613,6 +625,8 @@ allow smbcontrol_t self:process { signal
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
 read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
Index: refpolicy-2.20210120/policy/modules/services/smartmon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te
+++ refpolicy-2.20210120/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20210120/policy/modules/services/squid.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/squid.te
+++ refpolicy-2.20210120/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
 allow squid_t self:unix_dgram_socket sendto;
 allow squid_t self:unix_stream_socket { accept connectto listen };
 allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket create_socket_perms;
 
 manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
 manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
 manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/tor.te
+++ refpolicy-2.20210120/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
 kernel_read_kernel_sysctls(tor_t)
 kernel_read_net_sysctls(tor_t)
 kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)
 
 corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_generic_if(tor_t)
Index: refpolicy-2.20210120/policy/modules/services/watchdog.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te
+++ refpolicy-2.20210120/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
+mcs_killall(watchdog_t)
+
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)
Index: refpolicy-2.20210120/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210120/policy/modules/services/xserver.if
@@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache'
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $1 mesa_shader_cache_t:file map;
 	xdg_search_cache_dirs($1)
 ')
 

Re: [PATCH] misc services patches with changes Dominick wanted

[Chris PeBenito]

On 1/21/21 8:46 AM, Russell Coker wrote:
> This patch has some changes Dominick wanted and some parts that he disliked
> removed.  The one place where I didn't make his change I gave less access than
> he recommended.
> 
> I think this is ready for merging.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>

I think I'm ok with the changes, though I have a couple questions/comments:


> Index: refpolicy-2.20210120/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210120/policy/modules/services/apache.fc
> @@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
>   /usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
>   /usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>   /usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php.*-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)

I can fix this when merging, but please keep the fc entries in order.


> @@ -71,6 +71,7 @@ template(`apache_content_template',`
>   
>   	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>   	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> +	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
>   	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>   	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>   	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

There's a lot of mmapping being added.  Can you provide any additional context 
on this?  Is this induced by some config option? Is this apache only?


> @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
>   	files_search_runtime($1)
>   	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
>   ')
> +
> +######################################
> +## <summary>
> +##     read aptcacher config
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed to read it.
> +##     </summary>
> +## </param>
> +#
> +interface(`aptcacher_read_config',`
> +	gen_require(`
> +		type aptcacher_etc_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 aptcacher_etc_t:dir list_dir_perms;
> +	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> +')

Is this the only useful way to read these files?  There's no valid non-mmap 
access?  If regular read can be useful, then this should be 
aptcatch_mmap_read_config().



> @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
>   
>   libs_read_lib_files(cupsd_t)
>   libs_exec_lib_files(cupsd_t)
> +libs_legacy_use_ld_so(cupsd_t)

This seems broken and should probably be in a debian distro block.



-- 
Chris PeBenito

Re: [PATCH] misc services patches with changes Dominick wanted

[Russell Coker]

On Tuesday, 26 January 2021 1:22:22 AM AEDT Chris PeBenito wrote:
> >   gs_exec_t,s0)
> >   /usr/sbin/suexec					--	
gen_context(system_u:object_r:httpd_suexec_exec
> >   _t,s0)
> >   /usr/sbin/wigwam					--	
gen_context(system_u:object_r:httpd_exec_t,s0)> 
> > +/usr/sbin/php.*-fpm					--	
gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php-fpm[^/]+					--	
gen_context(system_u:object_r:httpd_exec_t,
> > s0)
> I can fix this when merging, but please keep the fc entries in order.

OK, I'll do that in the next version.

> > @@ -71,6 +71,7 @@ template(`apache_content_template',`
> > 
> >   	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t) manage_files_pattern(httpd_$1_script_t,
> >   	httpd_$1_rw_content_t, httpd_$1_rw_content_t)> 
> > +	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> > 
> >   	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t,
> >   	httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> >   	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t)
> There's a lot of mmapping being added.  Can you provide any additional
> context on this?  Is this induced by some config option? Is this apache
> only?

It's for Apache, it maps all files it sends with no special configuration.

> > @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> > 
> >   	files_search_runtime($1)
> >   	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t,
> >   	aptcacher_t)>   
> >   ')
> > 
> > +
> > +######################################
> > +## <summary>
> > +##     read aptcacher config
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed to read it.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`aptcacher_read_config',`
> > +	gen_require(`
> > +		type aptcacher_etc_t;
> > +	')
> > +
> > +	files_search_etc($1)
> > +	allow $1 aptcacher_etc_t:dir list_dir_perms;
> > +	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> > +')
> 
> Is this the only useful way to read these files?  There's no valid non-mmap
> access?  If regular read can be useful, then this should be
> aptcatch_mmap_read_config().

OK.

> > @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
> > 
> >   libs_read_lib_files(cupsd_t)
> >   libs_exec_lib_files(cupsd_t)
> > 
> > +libs_legacy_use_ld_so(cupsd_t)
> 
> This seems broken and should probably be in a debian distro block.

OK, I'll remove that and do more testing.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/