Description: Make strict configuration work
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-09-13

Index: refpolicy/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy.orig/policy/modules/roles/sysadm.te
+++ refpolicy/policy/modules/roles/sysadm.te
@@ -35,6 +35,8 @@ ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
 
+selinux_read_policy(sysadm_t)
+
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
@@ -66,6 +68,10 @@ tunable_policy(`allow_ptrace',`
 ')
 
 optional_policy(`
+	system_mail_role(sysadm_r)
+')
+
+optional_policy(`
 	amanda_run_recover(sysadm_t, sysadm_r)
 ')
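Review bot: `system_mail_role(sysadm_r)` does not follow the refpolicy rule that an interface is named after its module, so it reads as if it belonged to a `system_mail` module rather than mta; the sibling interface in the same file is `mta_role`. The definition added in the mta.if hunk of this patch (`interface(`system_mail_role',`) would conventionally be `mta_system_mail_role`, and this call site would change with it. A one-line comment here saying why sysadm_r needs system_mail_t in its role set (sendmail run by root from the admin shell, presumably) would also help, since `mta_role` already covers the user mail domain.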
 
Index: refpolicy/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
@@ -266,6 +266,15 @@ dev_delete_generic_chr_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 
+ifdef(`distro_debian',`
+	# for systemd access to /run before transition
+	fs_search_tmpfs(kernel_t)
+	# also for systemd before transition
+	selinux_compute_create_context(kernel_t)
+	kernel_read_unlabeled_state(kernel_t)
+')
+
+
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
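Review bot: The new block leaves two consecutive blank lines before the `# Mount root file system` comment; refpolicy keeps a single separator, so one of them should go. The two comments say "for systemd before transition" but grant the permissions to kernel_t under `distro_debian` regardless of which init is in use; if the grants are really only needed on systemd systems, stating that in the comment (`# systemd runs as kernel_t until the init transition; needed on Debian`) makes it clear why the condition is the distro rather than the init system. `kernel_read_unlabeled_state(kernel_t)` in particular is broader than the /run access the first comment describes and deserves its own one-line justification.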
Index: refpolicy/policy/modules/system/udev.if
===================================================================
--- refpolicy.orig/policy/modules/system/udev.if
+++ refpolicy/policy/modules/system/udev.if
@@ -314,6 +314,7 @@ interface(`udev_relabelto_db',`
 
 	files_search_pids($1)
 	allow $1 udev_var_run_t:file relabelto_file_perms;
+	allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
 ')
 
 ########################################
Index: refpolicy/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/filesystem.if
+++ refpolicy/policy/modules/kernel/filesystem.if
@@ -730,6 +730,24 @@ interface(`fs_search_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel pstore directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabel_pstore_dirs',`
+        gen_require(`
+                type pstore_t;
+        ')
+
+        relabel_dirs_pattern($1, pstore_t, pstore_t)
+')
+
+########################################
+## <summary>
 ##     Relabel cgroup directories.
 ## </summary>
 ## <param name="domain">
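Review bot: The body of `fs_relabel_pstore_dirs` is indented with spaces while the rest of filesystem.if uses tabs (compare the `gen_require` block of `fs_create_cgroup_links` later in this patch); the five indented lines should be converted to tabs so the file stays consistent. The interface is also inserted between `fs_search_cgroup_dirs` and `fs_relabel_cgroup_dirs`, splitting the cgroup group; placing it next to the other pstore interfaces, if the file has them, would keep the grouping readable. The rule itself, `relabel_dirs_pattern($1, pstore_t, pstore_t)`, matches the pattern used by the neighbouring relabel interfaces.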
@@ -838,7 +856,6 @@ interface(`fs_read_cgroup_files',`
 interface(`fs_read_cgroup_links',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
 	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
@@ -847,6 +864,26 @@ interface(`fs_read_cgroup_links',`
 
 ########################################
 ## <summary>
+##	Create cgroup lnk_files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_links',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
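Review bot: The summary of `fs_create_cgroup_links` says "Create cgroup lnk_files" but the body also grants `rw_lnk_files_pattern`, so callers get more than the name and docs suggest; either drop the rw pattern if create is all init needs, or make the summary honest: `##	Create, read and write cgroup symbolic links.`. The trailing `dev_search_sysfs($1)` looks consistent with how the other cgroup interfaces reach /sys/fs/cgroup, but since their bodies are outside this hunk that is worth confirming.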
@@ -4336,6 +4373,24 @@ interface(`fs_read_tmpfs_symlinks',`
 ')
 
 ########################################
+## <summary>
+##	Relabelfrom tmpfs link files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
 ## <summary>
 ##	Read and write character nodes on tmpfs filesystems.
 ## </summary>
Index: refpolicy/policy/modules/system/init.te
===================================================================
--- refpolicy.orig/policy/modules/system/init.te
+++ refpolicy/policy/modules/system/init.te
@@ -147,13 +147,18 @@ kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
 
+domain_read_all_domains_state(init_t)
+
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+fs_relabel_pstore_dirs(init_t)
+dev_read_urand(init_t)
 logging_create_devlog_dev(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
+dev_relabel_generic_symlinks(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
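Review bot: `domain_read_all_domains_state(init_t)` is added unconditionally, so every init implementation gains read access to the /proc state of every domain, while the rest of this patch puts systemd-specific grants under `tunable_policy(`init_systemd',`; if this is for systemd (as the other new lines in init.te suggest), it belongs in that block. The same question applies to `fs_relabel_pstore_dirs(init_t)` and `dev_relabel_generic_symlinks(init_t)`, which have no comment saying which init needs them; a short `# systemd: ...` comment on each would let a later reader narrow them. `dev_read_urand(init_t)` is harmless but also uncommented.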
@@ -166,6 +171,8 @@ files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
+files_list_usr(init_t)
+
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
@@ -200,11 +207,20 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+fs_relabelfrom_tmpfs_symlinks(init_t)
+
 ifdef(`distro_debian',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
 
 	allow init_t initrc_var_run_t:file manage_file_perms;
 	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+	sysnet_write_config(initrc_t)
+	sysnet_create_config(initrc_t)
+	sysnet_manage_config(initrc_t)
+
+	optional_policy(`
+		postfix_read_config(initrc_t)
+	')
 ')
 
 ifdef(`distro_gentoo',`
@@ -224,6 +240,12 @@ tunable_policy(`init_upstart || init_sys
 ')
 
 optional_policy(`
+	modutils_read_module_config(init_t)
+	modutils_read_module_deps(init_t)
+	modutils_read_module_objects(init_t)
+')
+
+optional_policy(`
 	auth_rw_login_records(init_t)
 ')
 
@@ -243,6 +265,8 @@ optional_policy(`
 	udev_read_db(init_t)
 	udev_relabelto_db(init_t)
 	udev_create_kobject_uevent_socket(init_t)
+	# for systemd to read udev status
+	udev_read_pid_files(init_t)
 ')
 
 #optional_policy(`
@@ -1134,15 +1158,19 @@ optional_policy(`
 	clock_read_adjtime(init_t)
 ')
 
+# for systemd
+kernel_load_module(init_t)
+
 tunable_policy(`init_systemd',`
 	allow init_t self:system { status reboot halt };
 
 	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow init_t self:process { setsockcreate setfscreate setrlimit };
-	allow init_t self:process { getcap setcap };
+	allow init_t self:process { getcap setcap setsched };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+	allow init_t self:netlink_selinux_socket create_socket_perms;
 	# Until systemd is fixed
 	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 	allow init_t self:udp_socket create_socket_perms;
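Review bot: `kernel_load_module(init_t)` is commented `# for systemd` but sits outside the `tunable_policy(`init_systemd',` block that starts two lines below, so sysvinit and upstart systems also get module-loading rights; moving the call inside the block matches the comment and the way the rest of this hunk is scoped. The same applies to the `modutils_read_module_*` calls added in the earlier init.te hunk, which are in a plain `optional_policy` with no comment. `setsched` and the new `netlink_selinux_socket` rule are correctly inside the tunable but would benefit from the same one-line why-comments the neighbouring rules carry.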
@@ -1174,6 +1202,7 @@ tunable_policy(`init_systemd',`
 	# systemd writes to /dev/watchdog on shutdown
 	dev_write_watchdog(init_t)
 
+	files_read_all_pids(init_t)
 	files_search_all(init_t)
 	files_mounton_all_mountpoints(init_t)
 	files_unmount_all_file_type_fs(init_t)
@@ -1197,6 +1226,7 @@ tunable_policy(`init_systemd',`
 	fs_getattr_all_fs(init_t)
 	fs_manage_cgroup_dirs(init_t)
 	fs_manage_cgroup_files(init_t)
+	fs_create_cgroup_links(init_t)
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_manage_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_dirs(init_t)
@@ -1228,13 +1258,16 @@ tunable_policy(`init_systemd',`
 	systemd_manage_all_unit_files(init_t)
 	systemd_logger_stream_connect(init_t)
 	systemd_manage_lnk_file_passwd_run(init_t)
+	systemd_manage_passwd_run(init_t)
 
 	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-
+	allow init_t init_var_run_t:sock_file manage_sock_file_perms;
+	selinux_compute_access_vector(init_t)
 	allow initrc_t init_script_file_type:service { stop start status reload };
-
-
+	auth_manage_var_auth(init_t)
+	init_rw_stream_sockets(initrc_t)
 ')
+
 auth_use_nsswitch(init_t)
 auth_rw_login_records(init_t)
 
Index: refpolicy/policy/modules/contrib/mta.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.if
+++ refpolicy/policy/modules/contrib/mta.if
@@ -121,6 +121,23 @@ interface(`mta_role',`
 
 ########################################
 ## <summary>
+##	Enable system_mail_t to run in the specified role
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`system_mail_role',`
+	gen_require(`
+		type system_mail_t;
+	')
+	role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
 ##	Make the specified domain usable for a mail server.
 ## </summary>
 ## <param name="type">
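Review bot: The new interface lacks the blank line between the closing `')` of `gen_require` and the first rule that every other interface on this page has (see `modutils_read_module_objects` and `fs_create_cgroup_links`); insert one before `role $1 types system_mail_t;`. The summary "Enable system_mail_t to run in the specified role" could follow the file's phrasing, e.g. `##	Allow the specified role to run the system mail domain.`. The module-prefix question for the name itself is raised at the sysadm.te call site.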
Index: refpolicy/policy/modules/system/modutils.if
===================================================================
--- refpolicy.orig/policy/modules/system/modutils.if
+++ refpolicy/policy/modules/system/modutils.if
@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
 
 ########################################
 ## <summary>
+##	Read the kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_module_objects',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	files_list_kernel_modules($1)
+	allow $1 modules_object_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
Index: refpolicy/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dpkg.te
+++ refpolicy/policy/modules/contrib/dpkg.te
@@ -72,6 +72,7 @@ allow dpkg_t dpkg_lock_t:file manage_fil
 manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+can_exec(dpkg_t, dpkg_tmp_t)
 
 manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
 manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
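Review bot: `can_exec(dpkg_t, dpkg_tmp_t)` lets dpkg execute files it created in its own tmp type, which is a deliberate relaxation of the usual no-exec-from-tmp rule and should carry the same kind of justification the next hunk gives for `kernel_request_load_module` (`# for dpkg-preconfigure`); something like `# dpkg runs maintainer scripts unpacked into its tmp dir` if that is the case. If the only executables involved are the unpacked maintainer scripts, note that dpkg_script_t is the domain intended for them, so the reader can tell this is not bypassing that transition.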
@@ -87,6 +88,9 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
 kernel_read_system_state(dpkg_t)
 kernel_read_kernel_sysctls(dpkg_t)
 
+# for dpkg-preconfigure
+kernel_request_load_module(dpkg_t)
+
 corecmd_exec_all_executables(dpkg_t)
 
 corenet_all_recvfrom_unlabeled(dpkg_t)
@@ -208,8 +212,8 @@ optional_policy(`
 # Script Local policy
 #
 
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid net_admin ipc_lock sys_chroot sys_ptrace sys_nice mknod audit_write };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
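Review bot: The capability line gains `net_admin`, `sys_ptrace` and `audit_write` for dpkg_script_t, and the process rule drops `setfscreate` from the exclusion set (so it is now allowed), with no comment saying which maintainer scripts need each; given that every package's postinst runs in this domain, each addition should have a why-comment like the one on `kernel_request_load_module` in the previous hunk. `audit_write` pairs with the `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` rule added in the following hunk, so a single comment can cover both. `sys_ptrace` in particular is worth a second look, since the process rule still excludes `ptrace` itself and a comment would make the intended use (reading other processes' /proc state, presumably) explicit.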
@@ -220,6 +224,8 @@ allow dpkg_script_t self:shm create_shm_
 allow dpkg_script_t self:sem create_sem_perms;
 allow dpkg_script_t self:msgq create_msgq_perms;
 allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;
 
 allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
 
@@ -237,6 +243,7 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
 restart_all_daemons(dpkg_script_t)
 kernel_read_kernel_sysctls(dpkg_script_t)
 kernel_read_system_state(dpkg_script_t)
+auth_manage_shadow(dpkg_script_t)
 
 corecmd_exec_all_executables(dpkg_script_t)
 
@@ -274,13 +281,13 @@ selinux_compute_access_vector(dpkg_scrip
 selinux_compute_create_context(dpkg_script_t)
 selinux_compute_relabel_context(dpkg_script_t)
 selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
 
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
 
 term_use_all_terms(dpkg_script_t)
 
-auth_dontaudit_getattr_shadow(dpkg_script_t)
 files_manage_non_auth_files(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
Index: refpolicy/policy/modules/system/userdomain.te
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.te
+++ refpolicy/policy/modules/system/userdomain.te
@@ -53,6 +53,10 @@ attribute admindomain;
 # all user domains
 attribute userdomain;
 
+ifdef(`distro_debian', `
+        dpkg_read_db(userdomain)
+')
+
 # unprivileged user domains
 attribute unpriv_userdomain;
 
Index: refpolicy/policy/modules/services/ssh.if
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.if
+++ refpolicy/policy/modules/services/ssh.if
@@ -349,6 +349,8 @@ template(`ssh_role_template',`
 	allow $1_ssh_agent_t self:process setrlimit;
 	allow $1_ssh_agent_t self:capability setgid;
 
+	allow $1_ssh_agent_t self:fifo_file rw_file_perms;
+
 	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
 
 	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
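Review bot: The new rule uses `rw_file_perms` on the `fifo_file` class, but refpolicy has a class-specific set for this (`rw_fifo_file_perms`, used on `dpkg_script_t self:fifo_file` elsewhere in this patch); change the line to `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;` so the permission set matches the class. The template continues outside this hunk.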
@@ -432,6 +434,7 @@ template(`ssh_role_template',`
 	optional_policy(`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
+		xdm_sigchld($1_ssh_agent_t)
 	')
 ')
 
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.if
+++ refpolicy/policy/modules/system/userdomain.if
@@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_vm_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -78,6 +79,12 @@ template(`userdom_base_user_template',`
 	dev_dontaudit_getattr_all_blk_files($1_t)
 	dev_dontaudit_getattr_all_chr_files($1_t)
 
+	# for X session unlock
+	allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+	# for KDE
+	allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
+
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc. Do not audit these denials.
 	domain_dontaudit_read_all_domains_state($1_t)
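Review bot: `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` is placed in the base user template, so every user domain, including unprivileged ones, can relay audit messages; the comment "for X session unlock" names the use case but not the program, and a comment naming it (`# <unlock helper> sends USER_AUTH audit records via PAM` or similar) would let this be narrowed later if the helper gets its own domain. The KDE `netlink_kobject_uevent_socket` rule is fine but would likewise read better with the component named.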
@@ -108,6 +115,14 @@ template(`userdom_base_user_template',`
 
 	sysnet_read_config($1_t)
 
+	# kdeinit wants systemd status
+	init_status($1_t)
+
+	optional_policy(`
+		apt_read_cache($1_t)
+		apt_read_db($1_t)
+	')
+
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
Index: refpolicy/policy/modules/contrib/gnome.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/gnome.if
+++ refpolicy/policy/modules/contrib/gnome.if
@@ -76,6 +76,8 @@ template(`gnome_role_template',`
 
 	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+	allow $3 gconfd_t:dbus send_msg;
+	allow gconfd_t $3:dbus send_msg;
 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
 
Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te
+++ refpolicy/policy/modules/system/selinuxutil.te
@@ -198,6 +198,7 @@ seutil_libselinux_linked(load_policy_t)
 
 userdom_use_user_terminals(load_policy_t)
 userdom_use_all_users_fds(load_policy_t)
+dev_read_urand(load_policy_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
Index: refpolicy/policy/modules/services/xserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.te
+++ refpolicy/policy/modules/services/xserver.te
@@ -260,6 +260,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")
 
 kernel_request_load_module(xauth_t)
 
Index: refpolicy/policy/modules/contrib/cron.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.te
+++ refpolicy/policy/modules/contrib/cron.te
@@ -733,6 +733,7 @@ optional_policy(`
 type unconfined_cronjob_t;
 domain_type(unconfined_cronjob_t)
 domain_cron_exemption_target(unconfined_cronjob_t)
+role system_r types unconfined_cronjob_t;
 
 dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
 
Index: refpolicy/policy/modules/system/libraries.fc
===================================================================
--- refpolicy.orig/policy/modules/system/libraries.fc
+++ refpolicy/policy/modules/system/libraries.fc
@@ -98,7 +98,11 @@ ifdef(`distro_redhat',`
 #
 # /sbin
 #
+ifdef(`distro_debian',`
+/sbin/ldconfig.real				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
+',`
 /sbin/ldconfig				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
+')
 
 #
 # /usr
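Review bot: In the Debian branch only `/sbin/ldconfig.real` is labelled ldconfig_exec_t, so `/sbin/ldconfig` itself falls back to whatever the generic /sbin entry gives it; if that path is a wrapper script on Debian that execs ldconfig.real, the domain transition now happens at the second exec and a comment should say so (`# Debian: /sbin/ldconfig is a wrapper; the real binary carries the label`). If it is not a wrapper, both paths should be labelled rather than swapping one for the other.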
Index: refpolicy/policy/modules/contrib/apt.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apt.te
+++ refpolicy/policy/modules/contrib/apt.te
@@ -76,6 +76,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
 
 allow apt_t apt_var_log_t:file manage_file_perms;
 logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_var_log_t:dir list_dir_perms;
 
 can_exec(apt_t, apt_exec_t)
 
