I've attached the patches. These all come from the package currently in Testing.
-- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
Index: refpolicy-2.20161023.1/policy/modules/system/init.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/system/init.te +++ refpolicy-2.20161023.1/policy/modules/system/init.te @@ -292,6 +292,7 @@ ifdef(`init_systemd',` fs_manage_hugetlbfs_dirs(init_t) fs_getattr_tmpfs(init_t) fs_read_tmpfs_files(init_t) + fs_read_tmpfs_symlinks(init_t) fs_read_cgroup_files(init_t) fs_dontaudit_getattr_xattr_fs(init_t) # for privatetmp functions Index: refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/contrib/entropyd.te +++ refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te @@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t) fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) +fs_search_tmpfs(entropyd_t) domain_use_interactive_fds(entropyd_t) @@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',` dev_write_sound(entropyd_t) ') +ifdef(`init_systemd',` + init_bounded(entropyd_t, entropyd_exec_t) +') + optional_policy(` tunable_policy(`entropyd_use_audio',` alsa_read_lib(entropyd_t) Index: refpolicy-2.20161023.1/policy/modules/contrib/tor.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/contrib/tor.te +++ refpolicy-2.20161023.1/policy/modules/contrib/tor.te @@ -115,6 +115,10 @@ tunable_policy(`tor_bind_all_unreserved_ corenet_tcp_bind_all_unreserved_ports(tor_t) ') +ifdef(`init_systemd',` + init_bounded(tor_t, tor_exec_t) +') + optional_policy(` seutil_sigchld_newrole(tor_t) ') Index: refpolicy-2.20161023.1/policy/modules/system/init.if =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/system/init.if +++ refpolicy-2.20161023.1/policy/modules/system/init.if 
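Review bot: The `init_bounded()` calls added to entropyd.te and tor.te (and to mysql.te later in the series) carry no comment saying why these daemons must be bounded or what that costs. A bounded type can only exercise permissions its parent also holds, so in tor.te the tunable-gated `corenet_tcp_bind_all_unreserved_ports(tor_t)` visible just above the new block only takes effect if init_t has the same access. I would put a comment at each call site, for example `# bounded by init_t: every permission granted to this domain must also be held by init_t`, and add the reason for bounding once it is confirmed (it looks like this is for units started with NoNewPrivileges, but the patch does not say).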
@@ -365,6 +365,31 @@ interface(`init_ranged_daemon_domain',` ') ') +######################################## +## <summary> +## Make a domain be bounded by init_t +## NB init_t needs to have all the permissions of the domain in question +## </summary> +## <param name="domain"> +## <summary> +## Bounded domain +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +# +interface(`init_bounded',` + gen_require(` + type init_t; + ') + + typebounds init_t $1; + allow init_t $2:file entrypoint; +') + ######################################### ## <summary> ## Abstract socket service activation (systemd). Index: refpolicy-2.20161023.1/policy/modules/contrib/mysql.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/contrib/mysql.te +++ refpolicy-2.20161023.1/policy/modules/contrib/mysql.te @@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t) fs_getattr_all_fs(mysqld_t) fs_search_auto_mountpoints(mysqld_t) +fs_search_tmpfs(mysqld_t) fs_rw_hugetlbfs_files(mysqld_t) files_read_etc_runtime_files(mysqld_t) @@ -149,6 +150,10 @@ optional_policy(` daemontools_service_domain(mysqld_t, mysqld_exec_t) ') +ifdef(`init_systemd',` + init_bounded(mysqld_t, mysqld_exec_t) +') + optional_policy(` seutil_sigchld_newrole(mysqld_t) ')
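Review bot: The summary of `init_bounded` does not mention that the interface also grants init_t `entrypoint` on the daemon's executable type, and the NB line states the requirement without saying what happens when it is not met. I would extend the summary with `## Also allows init_t entrypoint on the entry point type, which the bounds check requires.` and `## Permissions of the bounded domain that init_t lacks are denied at runtime.` The first `<param>` could read `Domain to be bounded by init_t.` For review purposes the consequence is that later additions to mysqld_t, tor_t or entropyd_t either stay ineffective or have to be mirrored into init_t, which widens the most privileged domain on the system.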
Index: refpolicy-2.20161023.1/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/system/systemd.te +++ refpolicy-2.20161023.1/policy/modules/system/systemd.te @@ -742,6 +742,10 @@ files_relabelto_etc_dirs(systemd_tmpfile files_relabel_all_lock_dirs(systemd_tmpfiles_t) files_relabel_all_pid_dirs(systemd_tmpfiles_t) files_relabel_all_tmp_dirs(systemd_tmpfiles_t) + +# for /var/lib/sudo +auth_delete_pam_pid(systemd_tmpfiles_t) + # for /etc/mtab files_manage_etc_symlinks(systemd_tmpfiles_t)
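Review bot: The comment `# for /var/lib/sudo` is narrower than what `auth_delete_pam_pid(systemd_tmpfiles_t)` appears to grant. Judging by its name, the interface covers deletion of PAM pid files in general rather than only the sudo timestamp directory, so systemd_tmpfiles_t gains delete access wherever that type is used. I would reword the comment to say so, e.g. `# for /var/lib/sudo, whose timestamp files carry the PAM pid file type`, after confirming the labelling against the authlogin file contexts.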
Index: refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/contrib/dnsmasq.te +++ refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te @@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) +allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms; +allow dnsmasq_t dnsmasq_etc_t:file read_file_perms; manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
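Review bot: Replacing `read_files_pattern` with two raw `allow` rules hides the actual change, which is that dnsmasq_t can now list dnsmasq_etc_t directories rather than only search them. Keeping the original macro and adding `list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` would match the `manage_files_pattern` call on the next line and make the added access stand out. A short why-comment would also help; the need is presumably directory-based configuration includes, but the patch does not say.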
Index: refpolicy-2.20161023.1/policy/modules/contrib/brctl.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/contrib/brctl.te +++ refpolicy-2.20161023.1/policy/modules/contrib/brctl.te @@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t) corenet_rw_tun_tap_dev(brctl_t) +dev_create_sysfs_files(brctl_t) dev_rw_sysfs(brctl_t) dev_write_sysfs_dirs(brctl_t) Index: refpolicy-2.20161023.1/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20161023.1/policy/modules/kernel/devices.if @@ -4097,6 +4097,24 @@ interface(`dev_dontaudit_getattr_sysfs', ######################################## ## <summary> +## Add a sysfs file +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_sysfs_files',` + gen_require(` + type sysfs_t; + ') + + create_files_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> ## Search the sysfs directories. ## </summary> ## <param name="domain"> Index: refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc @@ -129,6 +129,7 @@ ifdef(`distro_debian',` # /lib # +/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
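Review bot: Neither the new `dev_create_sysfs_files` interface nor its only caller in brctl.te explains why a userspace domain needs `create` on sysfs_t files, which is unusual since sysfs entries are normally instantiated by the kernel. The summary `Add a sysfs file` would read better as `Create sysfs files.`, in line with the neighbouring `Search the sysfs directories.` I would also add a comment above `dev_create_sysfs_files(brctl_t)` naming the operation that triggered the denial, so the grant can be re-evaluated later.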
Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.fc +++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc @@ -10,3 +10,4 @@ /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0) Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.te +++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.te @@ -68,6 +68,9 @@ kernel_read_kernel_sysctls(bootloader_t) # for grub-probe kernel_request_load_module(bootloader_t) +# for grub-mount +kernel_search_debugfs(bootloader_t) + storage_raw_read_fixed_disk(bootloader_t) storage_raw_write_fixed_disk(bootloader_t) storage_raw_read_removable_device(bootloader_t) @@ -85,6 +88,7 @@ dev_rw_nvram(bootloader_t) fs_getattr_xattr_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) fs_read_tmpfs_symlinks(bootloader_t) +fs_unmount_xattr_fs(bootloader_t) #Needed for ia64 fs_manage_dos_files(bootloader_t) @@ -138,6 +142,7 @@ userdom_dontaudit_search_user_home_dirs( ifdef(`distro_debian',` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; + allow bootloader_t bootloader_tmp_t:dir mounton; fs_list_tmpfs(bootloader_t) files_relabel_kernel_modules(bootloader_t) 
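Review bot: Labelling `/var/lib/os-prober(/.*)?` as bootloader_tmp_t and then adding `allow bootloader_t bootloader_tmp_t:dir mounton;` lets bootloader_t mount on every directory of that type, not only the os-prober mount point. If bootloader_tmp_t is also used for the domain's ordinary temporary directories, a dedicated type for the persistent /var/lib path would keep `mounton` scoped to where it is needed. At minimum the new rule deserves a comment such as `# os-prober mounts probed partitions under /var/lib/os-prober` (the purpose is inferred from the file context entry). The `ifdef(distro_debian)` block continues beyond this hunk.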
@@ -148,15 +153,30 @@ ifdef(`distro_debian',` # for /usr/share/initrd-tools/scripts files_exec_usr_files(bootloader_t) + files_search_mnt(bootloader_t) + fs_mount_fusefs(bootloader_t) + fs_mounton_fusefs(bootloader_t) + fs_read_fusefs_symlinks(bootloader_t) + fs_read_fusefs_files(bootloader_t) + fs_stat_fusefs(bootloader_t) + fs_unmount_fusefs(bootloader_t) + fstools_manage_entry_files(bootloader_t) fstools_relabelto_entry_files(bootloader_t) + fstools_manage_runfile(bootloader_t) libs_relabelto_lib_files(bootloader_t) + mount_rw_runfiles(bootloader_t) + # for apt-cache dpkg_read_db(bootloader_t) + dpkg_rw_pipes(bootloader_t) apt_read_db(bootloader_t) apt_read_cache(bootloader_t) + + storage_rw_fuse(bootloader_t) + udev_read_pid_files(bootloader_t) ') ifdef(`distro_redhat',` @@ -214,5 +234,9 @@ optional_policy(` ') optional_policy(` + raid_manage_mdadm_pid(bootloader_t) +') + +optional_policy(` rpm_rw_pipes(bootloader_t) ') Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.if =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.if +++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.if @@ -141,3 +141,21 @@ interface(`bootloader_create_runtime_fil allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ') + +######################################## +## <summary> +## allow bootloader to send sigchld to domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bootloader_send_sigchld',` + gen_require(` + type bootloader_t; + ') + + allow bootloader_t $1:process sigchld; +') Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.te +++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te 
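Review bot: The FUSE block added inside `ifdef(distro_debian)` (`fs_mount_fusefs` through `fs_unmount_fusefs`, plus `storage_rw_fuse`) has no why-comment, while its neighbours are annotated with `# for /usr/share/initrd-tools/scripts` and `# for apt-cache`. These rules let bootloader_t mount and read FUSE filesystems, which is a notable widening for a domain that already has raw disk access. I would add something like `# for os-prober, which uses grub-mount (FUSE) to inspect other partitions`; that purpose is inferred from the `# for grub-mount` comment and the os-prober file context earlier in the series. `dpkg_rw_pipes(bootloader_t)` also lands under `# for apt-cache`, which may not describe it. The enclosing ifdef starts before this hunk.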
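Review bot: In `bootloader_send_sigchld` the parameter description `Domain allowed access.` is the wrong way round, because the rule is `allow bootloader_t $1:process sigchld;`, so `$1` is the target of the signal and bootloader_t is the domain being granted access. I would change the summary to `Allow bootloader_t to send SIGCHLD to the specified domain.` and the param text to `Domain that receives the signal.` The caller in dpkg.te passes dpkg_t while the adjacent `bootloader_run` is given dpkg_script_t; if that is intentional, a comment at the call site would confirm it.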
@@ -337,6 +337,7 @@ optional_policy(` optional_policy(` bootloader_run(dpkg_script_t, dpkg_roles) + bootloader_send_sigchld(dpkg_t) ') optional_policy(` Index: refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if @@ -1988,6 +1988,24 @@ interface(`fs_read_eventpollfs',` ######################################## ## <summary> +## stat a FUSE filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_stat_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:filesystem getattr; +') + +######################################## +## <summary> ## Mount a FUSE filesystem. ## </summary> ## <param name="domain"> Index: refpolicy-2.20161023.1/policy/modules/contrib/raid.if =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/contrib/raid.if +++ refpolicy-2.20161023.1/policy/modules/contrib/raid.if @@ -63,6 +63,7 @@ interface(`raid_manage_mdadm_pid',` ') files_search_pids($1) + allow $1 mdadm_var_run_t:dir search; allow $1 mdadm_var_run_t:file manage_file_perms; ') Index: refpolicy-2.20161023.1/policy/modules/system/fstools.if =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/system/fstools.if +++ refpolicy-2.20161023.1/policy/modules/system/fstools.if 
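Review bot: The name `fs_stat_fusefs` breaks the naming used by the sibling interfaces visible elsewhere in this series (`fs_getattr_tmpfs`, `fs_getattr_xattr_fs`, `fs_getattr_all_fs`), all of which grant the same `filesystem getattr` permission. I would rename it to `fs_getattr_fusefs` with the summary `Get the attributes of a FUSE filesystem.` and update the call in bootloader.te to match. Following the existing pattern keeps the interface discoverable for policy authors looking for the getattr family.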
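Review bot: The rule added to `raid_manage_mdadm_pid` uses the bare permission `search` where refpolicy normally uses the permission set, i.e. `allow $1 mdadm_var_run_t:dir search_dir_perms;`. The same applies to `allow $1 mount_var_run_t:dir search;` in the new `mount_rw_runfiles` interface in mount.if. With bare `search` the caller cannot `getattr` the directory, which tends to surface later as a separate denial. The interface body starts above this hunk.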
@@ -190,3 +190,22 @@ interface(`fstools_write_log',` allow $1 fsadm_log_t:file write_file_perms; ') + +######################################## +## <summary> +## rw fsadm_run_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_manage_runfile',` + gen_require(` + type fsadm_run_t; + ') + + allow $1 fsadm_run_t:dir rw_dir_perms; + allow $1 fsadm_run_t:file manage_file_perms; +') Index: refpolicy-2.20161023.1/policy/modules/system/mount.if =================================================================== --- refpolicy-2.20161023.1.orig/policy/modules/system/mount.if +++ refpolicy-2.20161023.1/policy/modules/system/mount.if @@ -227,3 +227,22 @@ interface(`stat_mount_var_run',` allow $1 mount_var_run_t:file getattr; ') + +######################################## +## <summary> +## rw mount_var_run_t files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_rw_runfiles',` + gen_require(` + type mount_var_run_t; + ') + + allow $1 mount_var_run_t:dir search; + allow $1 mount_var_run_t:file rw_file_perms; +')
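Review bot: The summary `rw fsadm_run_t` understates what `fstools_manage_runfile` grants, since the body gives `manage_file_perms` on fsadm_run_t files, which includes creating and deleting them. I would change it to `Create, read, write, and delete fsadm_run_t files.` so that a reader of the generated interface documentation sees the real scope. `rw mount_var_run_t files` on `mount_rw_runfiles` matches its body, but could be written out as `Read and write mount_var_run_t files.` for consistency with the other summaries.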