On Saturday, 2 December 2017 11:05:24 AM AEDT Adam D. Barratt wrote: > IFF it's versioned as 2:2.20161023.1-9+deb9u1, uses "stretch" as the > changelog distribution, is otherwise identical to the diff presented in > this bug log and is built and tested on a stretch system, then OK.
I've attached a debdiff that only differs in file timestamps, the version change you requested, and the changelog timestamp. I have tested it on my main mail server, one of my main web servers, one of my minor mail servers, and a shell server. It passed all tests and did everything as well as expected with no regressions. Please consider it for inclusion. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
diff -Nru refpolicy-2.20161023.1/debian/changelog refpolicy-2.20161023.1/debian/changelog
--- refpolicy-2.20161023.1/debian/changelog 2017-01-26 00:52:00.000000000 +1100
+++ refpolicy-2.20161023.1/debian/changelog 2017-12-09 13:12:05.000000000 +1100
@@ -1,3 +1,28 @@
+refpolicy (2:2.20161023.1-9+deb9u1) stretch; urgency=medium
+
+ * Add patch for typebounds. This patch was rejected upstream, to quote
+ Chris PeBenito:
+ NAK. This has already been fixed with the upcoming nnp_transition
+ nosuid_transition permissions in refpolicy. I'm afraid distros will
+ have to carry policy patches until they can roll out kernels that
+ support these permissions.
+ https://marc.info/?l=selinux&m=150151037511601&w=2
+ Closes: #874201
+ * Make it build-depend on the Stretch versions of tools.
+ Closes: #875546
+ * Allow systemd-tmpfiles to delete /var/lib/sudo files.
+ Closes: #875668
+ * Allow brctl to create files in sysfs and correctly label
+ /usr/lib/bridge-utils/.*\.sh
+ Closes: #875669
+ * Give bootloader_t all the access it needs to create initramfs images in
+ different situations and communicate with dpkg_t.
+ Closes: #875676
+ * Allow dnsmasq_t to read it's config dir
+ Closes: #875681
+
+ -- Russell Coker <russ...@coker.com.au> Sat, 09 Dec 2017 13:12:05 +1100
+
 refpolicy (2:2.20161023.1-9) unstable; urgency=medium

 * Dontaudit dkim_milter_t binding to labeled udp ports
diff -Nru refpolicy-2.20161023.1/debian/control refpolicy-2.20161023.1/debian/control
--- refpolicy-2.20161023.1/debian/control 2017-01-04 00:10:28.000000000 +1100
+++ refpolicy-2.20161023.1/debian/control 2017-12-09 13:11:58.000000000 +1100
@@ -9,12 +9,12 @@ Standards-Version: 3.9.8 Build-Depends: debhelper (>= 9) Build-Depends-Indep: bzip2, - checkpolicy (>= 2.5), + checkpolicy (>= 2.5), checkpolicy (<< 2.7~rc2-1), gawk, - libsepol1 (>= 2.5), + libsepol1 (>= 2.5), libsepol1 (<<2.7~rc2-1), m4, - policycoreutils (>= 2.5), - policycoreutils-python-utils (>= 2.5), + policycoreutils (>= 2.5), policycoreutils (<<2.7~rc2-1), + policycoreutils-python-utils (>= 2.5), policycoreutils-python-utils (<<2.7~rc2-1), python, # Needed for the --sort=name option, can probably be removed when this version # hits stable. diff -Nru refpolicy-2.20161023.1/debian/patches/0200-stretch-updates refpolicy-2.20161023.1/debian/patches/0200-stretch-updates --- refpolicy-2.20161023.1/debian/patches/0200-stretch-updates 1970-01-01 10:00:00.000000000 +1000 +++ refpolicy-2.20161023.1/debian/patches/0200-stretch-updates 2017-12-09 13:11:58.000000000 +1100 
@@ -0,0 +1,243 @@
+Index: refpolicy-2.20161023.1/policy/modules/contrib/pulseaudio.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/pulseaudio.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/pulseaudio.te
+@@ -212,6 +212,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # when pulseaudio is run from a user session on systems it uses files
++ # under /run/systemd/users
++ systemd_read_logind_pids(pulseaudio_t)
++')
++
++optional_policy(`
+ udev_read_pid_files(pulseaudio_t)
+ udev_read_state(pulseaudio_t)
+ udev_read_db(pulseaudio_t)
+Index: refpolicy-2.20161023.1/policy/modules/system/userdomain.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/userdomain.if
++++ refpolicy-2.20161023.1/policy/modules/system/userdomain.if
+@@ -66,7 +66,9 @@ template(`userdom_base_user_template',`
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit $1_t user_tty_device_t:chr_file ioctl;
+
++ kernel_read_crypto_sysctls($1_t)
+ kernel_read_kernel_sysctls($1_t)
++ kernel_read_vm_overcommit_sysctl($1_t)
+ kernel_read_vm_sysctls($1_t)
+ kernel_dontaudit_list_unlabeled($1_t)
+ kernel_dontaudit_getattr_unlabeled_files($1_t)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/courier.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/courier.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/courier.te
+@@ -188,6 +188,8 @@ miscfiles_read_localization(courier_tcpd
+
+ kernel_read_kernel_sysctls(courier_sqwebmail_t)
+
++dev_read_urand(courier_sqwebmail_t)
++
+ optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ')
+Index: refpolicy-2.20161023.1/policy/modules/contrib/apache.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/apache.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/apache.fc
+@@ -86,6 +86,7 @@ ifdef(`distro_suse',`
+ /usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/cron.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/cron.if
++++ refpolicy-2.20161023.1/policy/modules/contrib/cron.if
+@@ -770,10 +770,31 @@ interface(`cron_read_system_job_tmp_file
+ ')
+
+ files_search_tmp($1)
++ allow $1 system_cronjob_tmp_t:dir search_dir_perms;
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+ ')
+
+ ########################################
++## <summary>
++## Read/write system cron job temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cron_rw_system_job_tmp_files',`
++ gen_require(`
++ type system_cronjob_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 system_cronjob_tmp_t:dir search_dir_perms;
++ allow $1 system_cronjob_tmp_t:file rw_file_perms;
++')
++
++########################################
+ ## <summary>
+ ## Do not audit attempts to append temporary
+ ## system cron job files.
+Index: refpolicy-2.20161023.1/policy/modules/contrib/gpg.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/gpg.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/gpg.te
+@@ -98,6 +98,7 @@ gpg_stream_connect_agent(gpg_t)
+ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+ domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
++kernel_read_crypto_sysctls(gpg_t)
+ kernel_read_sysctl(gpg_t)
+
+ corecmd_exec_shell(gpg_t)
+@@ -171,6 +172,7 @@ optional_policy(`
+ optional_policy(`
+ cron_system_entry(gpg_t, gpg_exec_t)
+ cron_read_system_job_tmp_files(gpg_t)
++ cron_rw_system_job_tmp_files(gpg_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.fc
+@@ -4,6 +4,7 @@
+ /usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+ /usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
++/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+ /var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+ /var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/cron.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/cron.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/cron.te
+@@ -337,6 +337,7 @@ ifdef(`distro_debian',`
+ optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
++ dpkg_manage_db(system_cronjob_t)
+ ')
+ ')
+
+@@ -477,6 +478,7 @@ manage_files_pattern(system_cronjob_t, c
+ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+ files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
++allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
+
+ manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/apt.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/apt.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/apt.fc
+@@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
+
+ /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+ /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
++/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+ /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dkim.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dkim.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/dkim.fc
+@@ -1,4 +1,5 @@
+ /etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
++/etc/dkimkeys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+ /etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
+
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dkim.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dkim.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dkim.te
+@@ -35,6 +35,7 @@ dev_read_sysfs(dkim_milter_t)
+
+ dev_read_urand(dkim_milter_t)
+
++files_read_usr_files(dkim_milter_t)
+ files_search_spool(dkim_milter_t)
+
+ mta_read_config(dkim_milter_t)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/mailman.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/mailman.fc
++++ refpolicy-2.20161023.1/policy/modules/contrib/mailman.fc
+@@ -1,6 +1,7 @@
+ /etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+ /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
++/etc/mailman/postfix-to-mailman\.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+ /usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+ /usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.if
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.if
+@@ -242,3 +242,23 @@ interface(`dpkg_lock_db',`
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ allow $1 dpkg_lock_t:file manage_file_perms;
+ ')
++
++########################################
++## <summary>
++## manage dpkg_tmp_t files and dirs
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dpkg_manage_tmp_files',`
++ gen_require(`
++ type dpkg_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 dpkg_tmp_t:dir manage_dir_perms;
++ allow $1 dpkg_tmp_t:file manage_file_perms;
++')
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+@@ -68,6 +68,8 @@ allow dpkg_t self:msgq create_msgq_perms
+ allow dpkg_t self:msg { send receive };
+
+ allow dpkg_t dpkg_lock_t:file manage_file_perms;
++corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
++corecmd_bin_entry_type(dpkg_script_t)
+
+ manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+ manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+Index: refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+@@ -129,6 +129,7 @@ ifdef(`distro_debian',`
+ # /lib
+ #
+
++/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
diff -Nru refpolicy-2.20161023.1/debian/patches/0210-bounds-874201 refpolicy-2.20161023.1/debian/patches/0210-bounds-874201
--- refpolicy-2.20161023.1/debian/patches/0210-bounds-874201 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0210-bounds-874201 2017-12-09 13:11:58.000000000 +1100
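Review bot: `0200-stretch-updates` is added under debian/patches but nothing references it: the `debian/patches/series` hunk at the end of this debdiff adds only 0210, 0220, 0230, 0250 and 0260, and the changelog entry has no item for it, so as far as the visible part of `series` shows, none of its 243 lines reach the built policy. Its `corecommands.fc` section labelling `/usr/lib/bridge-utils/.*\.sh` is also repeated in `0230-brctl-sysfs-875669`, so adding a `0200-stretch-updates` line to `series` as-is would likely not apply cleanly. Either drop the file from the upload, or list it in `series` without the duplicated section and describe it in the changelog. If it is kept, `corecmd_bin_entry_type(dpkg_script_t)` in its `dpkg.te` section should carry a comment giving the reason, since it appears to make every `bin_t` file an entry point into `dpkg_script_t`, and `cron_read_system_job_tmp_files(gpg_t)` in the `gpg.te` section becomes redundant next to the added `cron_rw_system_job_tmp_files(gpg_t)`.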
@@ -0,0 +1,109 @@
+Index: refpolicy-2.20161023.1/policy/modules/system/init.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/init.te
++++ refpolicy-2.20161023.1/policy/modules/system/init.te
+@@ -292,6 +292,7 @@ ifdef(`init_systemd',`
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_getattr_tmpfs(init_t)
+ fs_read_tmpfs_files(init_t)
++ fs_read_tmpfs_symlinks(init_t)
+ fs_read_cgroup_files(init_t)
+ fs_dontaudit_getattr_xattr_fs(init_t)
+ # for privatetmp functions
+Index: refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/entropyd.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/entropyd.te
+@@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t)
+
+ fs_getattr_all_fs(entropyd_t)
+ fs_search_auto_mountpoints(entropyd_t)
++fs_search_tmpfs(entropyd_t)
+
+ domain_use_interactive_fds(entropyd_t)
+
+@@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',`
+ dev_write_sound(entropyd_t)
+ ')
+
++ifdef(`init_systemd',`
++ init_bounded(entropyd_t, entropyd_exec_t)
++')
++
+ optional_policy(`
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+Index: refpolicy-2.20161023.1/policy/modules/contrib/tor.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/tor.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/tor.te
+@@ -115,6 +115,10 @@ tunable_policy(`tor_bind_all_unreserved_
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+ ')
+
++ifdef(`init_systemd',`
++ init_bounded(tor_t, tor_exec_t)
++')
++
+ optional_policy(`
+ seutil_sigchld_newrole(tor_t)
+ ')
+Index: refpolicy-2.20161023.1/policy/modules/system/init.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/init.if
++++ refpolicy-2.20161023.1/policy/modules/system/init.if
+@@ -365,6 +365,31 @@ interface(`init_ranged_daemon_domain',`
+ ')
+ ')
+
++########################################
++## <summary>
++## Make a domain be bounded by init_t
++## NB init_t needs to have all the permissions of the domain in question
++## </summary>
++## <param name="domain">
++## <summary>
++## Bounded domain
++## </summary>
++## </param>
++## <param name="entry_point">
++## <summary>
++## Type of the program to be used as an entry point to this domain.
++## </summary>
++## </param>
++#
++interface(`init_bounded',`
++ gen_require(`
++ type init_t;
++ ')
++
++ typebounds init_t $1;
++ allow init_t $2:file entrypoint;
++')
++
+ #########################################
+ ## <summary>
+ ## Abstract socket service activation (systemd).
+Index: refpolicy-2.20161023.1/policy/modules/contrib/mysql.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/mysql.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/mysql.te
+@@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t)
+
+ fs_getattr_all_fs(mysqld_t)
+ fs_search_auto_mountpoints(mysqld_t)
++fs_search_tmpfs(mysqld_t)
+ fs_rw_hugetlbfs_files(mysqld_t)
+
+ files_read_etc_runtime_files(mysqld_t)
+@@ -149,6 +150,10 @@ optional_policy(`
+ daemontools_service_domain(mysqld_t, mysqld_exec_t)
+ ')
+
++ifdef(`init_systemd',`
++ init_bounded(mysqld_t, mysqld_exec_t)
++')
++
+ optional_policy(`
+ seutil_sigchld_newrole(mysqld_t)
+ ')
diff -Nru refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668 refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668
--- refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0220-delete-lib-sudo-875668 2017-12-09 13:11:58.000000000 +1100
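Review bot: `init_bounded` in the `init.if` section states its precondition only as `NB init_t needs to have all the permissions of the domain in question`, and neither says what happens when that does not hold nor why `allow init_t $2:file entrypoint;` is there. With `typebounds init_t $1;` a permission the bounded domain has but `init_t` lacks is not effective for it, so `tor_t`, `mysqld_t` and `entropyd_t` can lose access they rely on without any change to their own modules; the only `init_t` addition visible in this patch is `fs_read_tmpfs_symlinks(init_t)`. I would extend the summary to say this is a stop-gap for kernels without the `nnp_transition`/`nosuid_transition` permissions (as the changelog entry explains) and put `# init_t needs entrypoint on $2 so the bounded domain's own entrypoint permission stays within its bounds` above the allow rule, if that is indeed its purpose. Recording in the bug that the three services were started in enforcing mode and the logs checked for bounds-related denials would close the gap the NB leaves open.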
@@ -0,0 +1,15 @@
+Index: refpolicy-2.20161023.1/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20161023.1/policy/modules/system/systemd.te
+@@ -742,6 +742,10 @@ files_relabelto_etc_dirs(systemd_tmpfile
+ files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+ files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+ files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
++
++# for /var/lib/sudo
++auth_delete_pam_pid(systemd_tmpfiles_t)
++
+ # for /etc/mtab
+ files_manage_etc_symlinks(systemd_tmpfiles_t)
+
diff -Nru refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669 refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669
--- refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0230-brctl-sysfs-875669 2017-12-09 13:11:58.000000000 +1100
@@ -0,0 +1,53 @@
+Index: refpolicy-2.20161023.1/policy/modules/contrib/brctl.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/brctl.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/brctl.te
+@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
+
+ corenet_rw_tun_tap_dev(brctl_t)
+
++dev_create_sysfs_files(brctl_t)
+ dev_rw_sysfs(brctl_t)
+ dev_write_sysfs_dirs(brctl_t)
+
+Index: refpolicy-2.20161023.1/policy/modules/kernel/devices.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/devices.if
++++ refpolicy-2.20161023.1/policy/modules/kernel/devices.if
+@@ -4097,6 +4097,24 @@ interface(`dev_dontaudit_getattr_sysfs',
+
+ ########################################
+ ## <summary>
++## Add a sysfs file
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_create_sysfs_files',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ create_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
+ ## Search the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+Index: refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy-2.20161023.1/policy/modules/kernel/corecommands.fc
+@@ -129,6 +129,7 @@ ifdef(`distro_debian',`
+ # /lib
+ #
+
++/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
diff -Nru refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676 refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676
--- refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0250-bootloader-875676 2017-12-09 13:11:58.000000000 +1100
@@ -0,0 +1,213 @@
+Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.fc
++++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.fc
+@@ -10,3 +10,4 @@
+ /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_tmp_t,s0)
+Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.te
++++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.te
+@@ -68,6 +68,9 @@ kernel_read_kernel_sysctls(bootloader_t)
+ # for grub-probe
+ kernel_request_load_module(bootloader_t)
+
++# for grub-mount
++kernel_search_debugfs(bootloader_t)
++
+ storage_raw_read_fixed_disk(bootloader_t)
+ storage_raw_write_fixed_disk(bootloader_t)
+ storage_raw_read_removable_device(bootloader_t)
+@@ -85,6 +88,7 @@ dev_rw_nvram(bootloader_t)
+ fs_getattr_xattr_fs(bootloader_t)
+ fs_getattr_tmpfs(bootloader_t)
+ fs_read_tmpfs_symlinks(bootloader_t)
++fs_unmount_xattr_fs(bootloader_t)
+ #Needed for ia64
+ fs_manage_dos_files(bootloader_t)
+
+@@ -138,6 +142,7 @@ userdom_dontaudit_search_user_home_dirs(
+
+ ifdef(`distro_debian',`
+ allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
++ allow bootloader_t bootloader_tmp_t:dir mounton;
+ fs_list_tmpfs(bootloader_t)
+
+ files_relabel_kernel_modules(bootloader_t)
+@@ -148,15 +153,30 @@ ifdef(`distro_debian',`
+ # for /usr/share/initrd-tools/scripts
+ files_exec_usr_files(bootloader_t)
+
++ files_search_mnt(bootloader_t)
++ fs_mount_fusefs(bootloader_t)
++ fs_mounton_fusefs(bootloader_t)
++ fs_read_fusefs_symlinks(bootloader_t)
++ fs_read_fusefs_files(bootloader_t)
++ fs_stat_fusefs(bootloader_t)
++ fs_unmount_fusefs(bootloader_t)
++
+ fstools_manage_entry_files(bootloader_t)
+ fstools_relabelto_entry_files(bootloader_t)
++ fstools_manage_runfile(bootloader_t)
+
+ libs_relabelto_lib_files(bootloader_t)
+
++ mount_rw_runfiles(bootloader_t)
++
+ # for apt-cache
+ dpkg_read_db(bootloader_t)
++ dpkg_rw_pipes(bootloader_t)
+ apt_read_db(bootloader_t)
+ apt_read_cache(bootloader_t)
++
++ storage_rw_fuse(bootloader_t)
++ udev_read_pid_files(bootloader_t)
+ ')
+
+ ifdef(`distro_redhat',`
+@@ -214,5 +234,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ raid_manage_mdadm_pid(bootloader_t)
++')
++
++optional_policy(`
+ rpm_rw_pipes(bootloader_t)
+ ')
+Index: refpolicy-2.20161023.1/policy/modules/admin/bootloader.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/admin/bootloader.if
++++ refpolicy-2.20161023.1/policy/modules/admin/bootloader.if
+@@ -141,3 +141,21 @@ interface(`bootloader_create_runtime_fil
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1, boot_runtime_t, file)
+ ')
++
++########################################
++## <summary>
++## allow bootloader to send sigchld to domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bootloader_send_sigchld',`
++ gen_require(`
++ type bootloader_t;
++ ')
++
++ allow bootloader_t $1:process sigchld;
++')
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dpkg.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dpkg.te
+@@ -337,6 +337,7 @@ optional_policy(`
+
+ optional_policy(`
+ bootloader_run(dpkg_script_t, dpkg_roles)
++ bootloader_send_sigchld(dpkg_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/kernel/filesystem.if
++++ refpolicy-2.20161023.1/policy/modules/kernel/filesystem.if
+@@ -1988,6 +1988,24 @@ interface(`fs_read_eventpollfs',`
+
+ ########################################
+ ## <summary>
++## stat a FUSE filesystem
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_stat_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
+ ## Mount a FUSE filesystem.
+ ## </summary>
+ ## <param name="domain">
+Index: refpolicy-2.20161023.1/policy/modules/contrib/raid.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/raid.if
++++ refpolicy-2.20161023.1/policy/modules/contrib/raid.if
+@@ -63,6 +63,7 @@ interface(`raid_manage_mdadm_pid',`
+ ')
+
+ files_search_pids($1)
++ allow $1 mdadm_var_run_t:dir search;
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+ ')
+
+Index: refpolicy-2.20161023.1/policy/modules/system/fstools.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/fstools.if
++++ refpolicy-2.20161023.1/policy/modules/system/fstools.if
+@@ -190,3 +190,22 @@ interface(`fstools_write_log',`
+
+ allow $1 fsadm_log_t:file write_file_perms;
+ ')
++
++########################################
++## <summary>
++## rw fsadm_run_t
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fstools_manage_runfile',`
++ gen_require(`
++ type fsadm_run_t;
++ ')
++
++ allow $1 fsadm_run_t:dir rw_dir_perms;
++ allow $1 fsadm_run_t:file manage_file_perms;
++')
+Index: refpolicy-2.20161023.1/policy/modules/system/mount.if
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/system/mount.if
++++ refpolicy-2.20161023.1/policy/modules/system/mount.if
+@@ -227,3 +227,22 @@ interface(`stat_mount_var_run',`
+
+ allow $1 mount_var_run_t:file getattr;
+ ')
++
++########################################
++## <summary>
++## rw mount_var_run_t files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mount_rw_runfiles',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:dir search;
++ allow $1 mount_var_run_t:file rw_file_perms;
++')
diff -Nru refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681 refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681
--- refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681 1970-01-01 10:00:00.000000000 +1000
+++ refpolicy-2.20161023.1/debian/patches/0260-dnsmasq-875681 2017-12-09 13:11:58.000000000 +1100
@@ -0,0 +1,14 @@
+Index: refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te
+===================================================================
+--- refpolicy-2.20161023.1.orig/policy/modules/contrib/dnsmasq.te
++++ refpolicy-2.20161023.1/policy/modules/contrib/dnsmasq.te
+@@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept
+ allow dnsmasq_t self:packet_socket create_socket_perms;
+ allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+-read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
++allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
++allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
+
+ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
diff -Nru refpolicy-2.20161023.1/debian/patches/series refpolicy-2.20161023.1/debian/patches/series
--- refpolicy-2.20161023.1/debian/patches/series 2017-01-26 00:52:00.000000000 +1100
+++ refpolicy-2.20161023.1/debian/patches/series 2017-12-09 13:11:58.000000000 +1100
@@ -11,4 +11,9 @@
 0150-monit
 0160-usrmerge
 0170-usrmerge2
+0210-bounds-874201
+0220-delete-lib-sudo-875668
+0230-brctl-sysfs-875669
+0250-bootloader-875676
+0260-dnsmasq-875681
 9140-boinc
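Review bot: Two interface summaries added by `0250-bootloader-875676` do not match what the interfaces grant or how their neighbours are named: `fstools_manage_runfile` is documented as `rw fsadm_run_t` but allows `manage_file_perms` on the files, and `fs_stat_fusefs` departs from the `fs_getattr_*` naming visible in the same patch (`fs_getattr_tmpfs`, `fs_getattr_xattr_fs`) for a plain `filesystem getattr` rule. I would change the first summary to `Create, read, write, and delete fsadm_run_t files.` and consider `fs_getattr_fusefs` for the second, unless that name is already taken in this policy version. The FUSE and mount permissions added to `bootloader_t` in the distro_debian block (`fs_mount_fusefs`, `fs_mounton_fusefs`, `storage_rw_fuse`, `bootloader_tmp_t:dir mounton`) carry no comment; a line such as `# for os-prober/grub-mount probing other partitions`, if that is the reason, would let a later reader judge whether a domain that can already write raw disks still needs them.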