Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package refpolicy
[ Reason ]
This new version has lots of changes that will make the experience more
pleasant for users. It specifically allows some of the recent features
in systemd, chromium/chrome, and KDE. It allows gpg with pinentry to be
run from user_t (the confined user). It allows some extra access that
mailman3 requires. It also allows newaliases to run with Postfix.
[ Impact ]
If this isn't in Bullseye then the SE Linux experience for users will be
a little more annoying. Things won't work out of the box as expected
without it and local customisations to resolve the issues won't be of as
high quality as the ones I developed. Also without this version there
will be audit messages that will be confusing and annoying.
[ Tests ]
The programs subject to the policy in question were run repeatedly with
the new policy, VMs running them were rebooted, and the results were
inspected to see if they operated correctly and didn't give unwanted
audit messages.
[ Risks ]
Most changes are granting new access, not access that is unexpected given
the context, and not access that is likely to be part of a vulnerability
chain. These have a low possibility of causing any problem.
The change for the newaliases command is more complex, but being unable
to run newaliases is a serious issue so it's worth doing. The worst
case might be some domain being unable to send mail from a script. But
in all the test cases it worked.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock refpolicy/2:2.20210203-4
diff -Nru refpolicy-2.20210203/debian/changelog
refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog 2021-02-23 16:57:40.000000000
+1100
+++ refpolicy-2.20210203/debian/changelog 2021-03-05 21:11:58.000000000
+1100
@@ -1,3 +1,35 @@
+refpolicy (2:2.20210203-4) unstable; urgency=medium
+
+ * Allow ntpd_t to get the status of generic systemd units
+ * Allow kernel_t self:perf_event cpu.
+ * Allow chromium to watch network manager runtime dirs (for resolv.conf)
+ Allow chromium to run naclhelper with nnp_transition
+ Allow chromium to watch root dirs
+ Allow chromium to read/write unix sockets from the calling domain
+ * Make Postgresql use postgresql_tmpfs_t for tmpfs files and make
+ mon_local_test_t and systemd_logind_t not have getattr access to tmpfs
+ files audited.
+ * Allow systemd_user_runtime_dir_t to unlink device nodes of type
+ user_tmp_t, they probably should not exist, so it's in the hacks patch.
+ * Allow the acngtool to read random and urandom devices and search fs sysctls
+ * Add wm_write_xdg_data tunable to allow user_wm_t etc to write xdg data.
+ * Allow chromium to watch gnome_xdg_config_t dirs
+ * Label pinentry programs as gpg_agent_exec_t and allow gpg_agent_t to exec
+ them
+ * Create new admin_mail_t domain so that newaliases can work with Postfix
+ * Added a transition rule so that vipw/vigr gives the right context for
+ /etc/passwd and /etc/group
+ * Allow acngtool_t to read /proc/sys/kernel/random/uuid
+ * Allow unconfined domains lockdown confidentiality and integrity access
+ * Allow netutils_t netlink_generic_socket access for tcpdump
+ * Allow smbcontrol to create a sock_file in a samba run dir
+ * Allow mailman_queue_t to bind to all unreserved TCP ports
+ * Allow systemd_coredump_t to mmap all executables and to have cap_userns
+ sys_ptrace access. dontaudit systemd_coredump_t capability net_admin
+ * Allow mailman_queue_t to connect to port 443
+
+ -- Russell Coker <russ...@coker.com.au> Fri, 05 Mar 2021 21:11:58 +1100
+
refpolicy (2:2.20210203-3) unstable; urgency=medium
* Add policy for blkmapd which is part of nfs service (included in upstream)
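Review bot: the three chromium lines under the "watch network manager runtime dirs" bullet (naclhelper nnp_transition, watch root dirs, read/write unix sockets from the calling domain) are written as continuation lines of one bullet rather than as separate `*` entries; either make them their own bullets or join them with commas so the entry reads as one item. Two entries also widen privileged access without stating why, and a short reason in the changelog would help the release team judge them: `Allow unconfined domains lockdown confidentiality and integrity access` and `Allow systemd_coredump_t ... cap_userns sys_ptrace access` (the latter lets the coredump handler ptrace processes inside user namespaces, which the plain `sys_ptrace` capability it already had does not cover).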
diff -Nru refpolicy-2.20210203/debian/patches/0002-strict
refpolicy-2.20210203/debian/patches/0002-strict
--- refpolicy-2.20210203/debian/patches/0002-strict 2021-02-17
13:40:42.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0002-strict 2021-02-25
11:47:38.000000000 +1100
@@ -245,3 +245,15 @@
tunable_policy(`pulseaudio_execmem',`
allow pulseaudio_t self:process execmem;
+Index: refpolicy-2.20210203/policy/modules/services/ntp.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ntp.te
++++ refpolicy-2.20210203/policy/modules/services/ntp.te
+@@ -130,6 +130,7 @@ term_use_ptmx(ntpd_t)
+ auth_use_nsswitch(ntpd_t)
+
+ init_exec_script_files(ntpd_t)
++init_get_generic_units_status(ntpd_t)
+
+ logging_send_syslog_msg(ntpd_t)
+
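Review bot: `init_get_generic_units_status(ntpd_t)` is a read-only query of systemd unit status and matches the changelog entry, so the grant itself is fine; the thing to check is placement. The new `Index:` stanza for ntp.te is appended to the end of 0002-strict directly after the `tunable_policy(`pulseaudio_execmem',`` block shown as context, and only two of the hunk's three context lines are visible here, so confirm that the block's closing `')` still precedes the new stanza and the quilt patch applies cleanly.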
diff -Nru refpolicy-2.20210203/debian/patches/0025-systemd
refpolicy-2.20210203/debian/patches/0025-systemd
--- refpolicy-2.20210203/debian/patches/0025-systemd 2021-02-17
13:51:17.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0025-systemd 2021-03-05
12:56:18.000000000 +1100
@@ -206,15 +206,17 @@
systemd_log_parse_environment(systemd_backlight_t)
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
-@@ -370,6 +376,7 @@ ifdef(`enable_mls',`
+@@ -370,28 +376,37 @@ ifdef(`enable_mls',`
#
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt
setopt };
+allow systemd_coredump_t self:unix_stream_socket connectto;
allow systemd_coredump_t self:capability { dac_override dac_read_search
setgid setuid setpcap sys_ptrace };
++dontaudit systemd_coredump_t self:capability net_admin;
allow systemd_coredump_t self:process { getcap setcap setfscreate };
++allow systemd_coredump_t self:cap_userns sys_ptrace;
-@@ -377,6 +384,7 @@ manage_files_pattern(systemd_coredump_t,
+ manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t,
systemd_coredump_var_lib_t)
allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
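Review bot: the two new rules in this region deserve an in-policy comment because they change more than the old inner hunk header (`-@@ -370,6 +376,7 @@`) did. `dontaudit systemd_coredump_t self:capability net_admin;` silences rather than grants, which is the right choice if the handler works without the capability, but a comment naming the operation that triggers the denial would save the next maintainer from re-investigating it. `allow systemd_coredump_t self:cap_userns sys_ptrace;` lets the handler ptrace processes running in non-init user namespaces (the existing `sys_ptrace` in `self:capability` only covers the init namespace); a core-dump collector does need to read the crashing process, but this is a ptrace grant on a privileged system domain and the changelog lists it without a reason.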
@@ -222,7 +224,11 @@
kernel_read_kernel_sysctls(systemd_coredump_t)
kernel_read_system_state(systemd_coredump_t)
kernel_rw_pipes(systemd_coredump_t)
-@@ -387,11 +395,16 @@ corecmd_read_all_executables(systemd_cor
+ kernel_use_fds(systemd_coredump_t)
+
+ corecmd_exec_bin(systemd_coredump_t)
+-corecmd_read_all_executables(systemd_coredump_t)
++corecmd_mmap_all_executables(systemd_coredump_t)
dev_write_kmsg(systemd_coredump_t)
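Review bot: replacing `corecmd_read_all_executables(systemd_coredump_t)` with `corecmd_mmap_all_executables(systemd_coredump_t)` adds `map` on every executable type on the system, which is what a core-dump handler needs to pull build-ids and symbol data out of the crashed binary; since the read interface is removed rather than kept alongside, check that the mmap interface still covers the read permissions the handler relied on before, otherwise keep both lines.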
@@ -239,7 +245,7 @@
fs_search_tmpfs(systemd_coredump_t)
selinux_getattr_fs(systemd_coredump_t)
-@@ -405,6 +418,7 @@ logging_send_syslog_msg(systemd_coredump
+@@ -405,6 +420,7 @@ logging_send_syslog_msg(systemd_coredump
seutil_search_default_contexts(systemd_coredump_t)
@@ -247,7 +253,7 @@
#######################################
#
# Systemd generator local policy
-@@ -414,14 +428,29 @@ allow systemd_generator_t self:fifo_file
+@@ -414,14 +430,29 @@ allow systemd_generator_t self:fifo_file
allow systemd_generator_t self:capability dac_override;
allow systemd_generator_t self:process setfscreate;
@@ -278,7 +284,7 @@
files_read_etc_files(systemd_generator_t)
files_search_runtime(systemd_generator_t)
files_list_boot(systemd_generator_t)
-@@ -429,9 +458,14 @@ files_read_boot_files(systemd_generator_
+@@ -429,9 +460,14 @@ files_read_boot_files(systemd_generator_
files_read_config_files(systemd_generator_t)
files_search_all_mountpoints(systemd_generator_t)
files_list_usr(systemd_generator_t)
@@ -294,7 +300,7 @@
init_create_runtime_files(systemd_generator_t)
init_read_all_script_files(systemd_generator_t)
-@@ -448,9 +482,10 @@ init_list_unit_dirs(systemd_generator_t)
+@@ -448,9 +484,10 @@ init_list_unit_dirs(systemd_generator_t)
init_read_generic_units_symlinks(systemd_generator_t)
init_read_script_files(systemd_generator_t)
@@ -308,7 +314,7 @@
storage_raw_read_fixed_disk(systemd_generator_t)
-@@ -462,6 +497,8 @@ ifdef(`distro_gentoo',`
+@@ -462,6 +499,8 @@ ifdef(`distro_gentoo',`
corecmd_shell_entry_type(systemd_generator_t)
')
@@ -317,7 +323,7 @@
optional_policy(`
fstools_exec(systemd_generator_t)
')
-@@ -473,6 +510,21 @@ optional_policy(`
+@@ -473,6 +512,21 @@ optional_policy(`
miscfiles_read_localization(systemd_generator_t)
')
@@ -339,7 +345,7 @@
#######################################
#
# Hostnamed policy
-@@ -505,6 +557,10 @@ optional_policy(`
+@@ -505,6 +559,10 @@ optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
@@ -350,7 +356,7 @@
#########################################
#
# hw local policy
-@@ -573,6 +629,7 @@ logging_send_syslog_msg(systemd_log_pars
+@@ -573,6 +631,7 @@ logging_send_syslog_msg(systemd_log_pars
#
allow systemd_logind_t self:capability { chown dac_override dac_read_search
fowner sys_admin sys_tty_config };
@@ -358,7 +364,7 @@
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
-@@ -618,11 +675,13 @@ dev_setattr_video_dev(systemd_logind_t)
+@@ -618,11 +677,13 @@ dev_setattr_video_dev(systemd_logind_t)
domain_obj_id_change_exemption(systemd_logind_t)
@@ -372,7 +378,7 @@
fs_list_tmpfs(systemd_logind_t)
fs_mount_tmpfs(systemd_logind_t)
fs_read_cgroup_files(systemd_logind_t)
-@@ -653,6 +712,7 @@ init_start_all_units(systemd_logind_t)
+@@ -653,6 +714,7 @@ init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)
@@ -380,7 +386,7 @@
init_watch_utmp(systemd_logind_t)
# for /run/systemd/transient/*
-@@ -717,6 +777,11 @@ optional_policy(`
+@@ -717,6 +779,11 @@ optional_policy(`
')
optional_policy(`
@@ -392,7 +398,7 @@
devicekit_dbus_chat_disk(systemd_logind_t)
devicekit_dbus_chat_power(systemd_logind_t)
')
-@@ -759,6 +824,9 @@ allow systemd_machined_t systemd_machine
+@@ -759,6 +826,9 @@ allow systemd_machined_t systemd_machine
manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t,
systemd_machined_runtime_t)
allow systemd_machined_t systemd_machined_runtime_t:lnk_file
manage_lnk_file_perms;
@@ -402,7 +408,7 @@
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)
-@@ -875,6 +943,10 @@ sysnet_read_config(systemd_networkd_t)
+@@ -875,6 +945,10 @@ sysnet_read_config(systemd_networkd_t)
systemd_log_parse_environment(systemd_networkd_t)
optional_policy(`
@@ -413,7 +419,7 @@
dbus_system_bus_client(systemd_networkd_t)
dbus_connect_system_bus(systemd_networkd_t)
dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
-@@ -915,7 +987,7 @@ miscfiles_read_localization(systemd_noti
+@@ -915,7 +989,7 @@ miscfiles_read_localization(systemd_noti
# Nspawn local policy
#
@@ -422,7 +428,7 @@
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid
mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
-@@ -941,14 +1013,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
+@@ -941,14 +1015,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
# for /run/systemd/nspawn/incoming in chroot
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
@@ -452,7 +458,7 @@
corecmd_exec_shell(systemd_nspawn_t)
corecmd_search_bin(systemd_nspawn_t)
-@@ -965,6 +1052,7 @@ dev_read_sysfs(systemd_nspawn_t)
+@@ -965,6 +1054,7 @@ dev_read_sysfs(systemd_nspawn_t)
dev_read_rand(systemd_nspawn_t)
dev_read_urand(systemd_nspawn_t)
@@ -460,7 +466,7 @@
files_getattr_tmp_dirs(systemd_nspawn_t)
files_manage_etc_files(systemd_nspawn_t)
files_manage_mnt_dirs(systemd_nspawn_t)
-@@ -976,11 +1064,17 @@ files_setattr_runtime_dirs(systemd_nspaw
+@@ -976,11 +1066,17 @@ files_setattr_runtime_dirs(systemd_nspaw
fs_getattr_cgroup(systemd_nspawn_t)
fs_getattr_tmpfs(systemd_nspawn_t)
@@ -479,7 +485,7 @@
term_getattr_generic_ptys(systemd_nspawn_t)
term_getattr_pty_fs(systemd_nspawn_t)
-@@ -988,6 +1082,7 @@ term_mount_devpts(systemd_nspawn_t)
+@@ -988,6 +1084,7 @@ term_mount_devpts(systemd_nspawn_t)
term_search_ptys(systemd_nspawn_t)
term_setattr_generic_ptys(systemd_nspawn_t)
term_use_ptmx(systemd_nspawn_t)
@@ -487,7 +493,7 @@
init_domtrans_script(systemd_nspawn_t)
init_getrlimit(systemd_nspawn_t)
-@@ -998,8 +1093,12 @@ init_write_runtime_socket(systemd_nspawn
+@@ -998,8 +1095,12 @@ init_write_runtime_socket(systemd_nspawn
init_spec_domtrans_script(systemd_nspawn_t)
miscfiles_manage_localization(systemd_nspawn_t)
@@ -500,7 +506,7 @@
# for writing inside chroot
sysnet_manage_config(systemd_nspawn_t)
-@@ -1022,11 +1121,13 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1022,11 +1123,13 @@ tunable_policy(`systemd_nspawn_labeled_n
allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file
manage_fifo_file_perms;
fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t,
sock_file)
allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file
manage_sock_file_perms;
@@ -514,7 +520,7 @@
fs_manage_tmpfs_symlinks(systemd_nspawn_t)
fs_mount_cgroup(systemd_nspawn_t)
fs_mounton_cgroup(systemd_nspawn_t)
-@@ -1044,8 +1145,11 @@ tunable_policy(`systemd_nspawn_labeled_n
+@@ -1044,8 +1147,11 @@ tunable_policy(`systemd_nspawn_labeled_n
init_domtrans(systemd_nspawn_t)
@@ -526,7 +532,7 @@
seutil_search_default_contexts(systemd_nspawn_t)
')
-@@ -1072,7 +1176,7 @@ allow systemd_passwd_agent_t self:capabi
+@@ -1072,7 +1178,7 @@ allow systemd_passwd_agent_t self:capabi
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal
};
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
@@ -535,7 +541,7 @@
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t,
systemd_passwd_runtime_t)
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t,
systemd_passwd_runtime_t)
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t,
systemd_passwd_runtime_t)
-@@ -1082,6 +1186,7 @@ init_runtime_filetrans(systemd_passwd_ag
+@@ -1082,6 +1188,7 @@ init_runtime_filetrans(systemd_passwd_ag
can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
kernel_read_system_state(systemd_passwd_agent_t)
@@ -543,7 +549,7 @@
kernel_stream_connect(systemd_passwd_agent_t)
dev_create_generic_dirs(systemd_passwd_agent_t)
-@@ -1108,6 +1213,7 @@ init_create_runtime_dirs(systemd_passwd_
+@@ -1108,6 +1215,7 @@ init_create_runtime_dirs(systemd_passwd_
init_read_runtime_pipes(systemd_passwd_agent_t)
init_read_state(systemd_passwd_agent_t)
init_read_utmp(systemd_passwd_agent_t)
@@ -551,7 +557,7 @@
init_stream_connect(systemd_passwd_agent_t)
logging_send_syslog_msg(systemd_passwd_agent_t)
-@@ -1369,6 +1475,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+@@ -1369,6 +1477,7 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
fs_list_tmpfs(systemd_tmpfiles_t)
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
@@ -559,7 +565,7 @@
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_use_status_page(systemd_tmpfiles_t)
-@@ -1440,6 +1547,10 @@ tunable_policy(`systemd_tmpfilesd_factor
+@@ -1440,6 +1549,10 @@ tunable_policy(`systemd_tmpfilesd_factor
')
optional_policy(`
@@ -570,7 +576,7 @@
dbus_manage_lib_files(systemd_tmpfiles_t)
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
-@@ -1555,11 +1666,15 @@ seutil_libselinux_linked(systemd_user_se
+@@ -1555,11 +1668,15 @@ seutil_libselinux_linked(systemd_user_se
# systemd-user-runtime-dir local policy
#
@@ -587,7 +593,7 @@
files_read_etc_files(systemd_user_runtime_dir_t)
fs_mount_tmpfs(systemd_user_runtime_dir_t)
-@@ -1579,7 +1694,10 @@ seutil_read_file_contexts(systemd_user_r
+@@ -1579,7 +1696,10 @@ seutil_read_file_contexts(systemd_user_r
seutil_libselinux_linked(systemd_user_runtime_dir_t)
userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
@@ -598,7 +604,7 @@
userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t,
dir)
userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
-@@ -1589,3 +1707,11 @@ userdom_relabelto_user_runtime_dirs(syst
+@@ -1589,3 +1709,11 @@ userdom_relabelto_user_runtime_dirs(syst
optional_policy(`
dbus_system_bus_client(systemd_user_runtime_dir_t)
')
diff -Nru refpolicy-2.20210203/debian/patches/0026-mailman
refpolicy-2.20210203/debian/patches/0026-mailman
--- refpolicy-2.20210203/debian/patches/0026-mailman 2021-02-17
13:45:24.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0026-mailman 2021-03-03
18:09:00.000000000 +1100
@@ -269,7 +269,7 @@
allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
allow mailman_queue_t mailman_archive_t:file manage_file_perms;
-@@ -234,12 +287,14 @@ allow mailman_queue_t mailman_lock_t:fil
+@@ -234,12 +287,15 @@ allow mailman_queue_t mailman_lock_t:fil
allow mailman_queue_t mailman_log_t:dir list_dir_perms;
allow mailman_queue_t mailman_log_t:file manage_file_perms;
@@ -280,11 +280,12 @@
corecmd_read_bin_files(mailman_queue_t)
corenet_sendrecv_innd_client_packets(mailman_queue_t)
++corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
+corenet_tcp_bind_generic_node(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)
files_dontaudit_search_runtime(mailman_queue_t)
-@@ -251,14 +306,23 @@ seutil_dontaudit_search_config(mailman_q
+@@ -251,14 +307,23 @@ seutil_dontaudit_search_config(mailman_q
userdom_search_user_home_dirs(mailman_queue_t)
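Review bot: `corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)` lets the queue runner bind any TCP port above 1024, the broadest form of this grant. If mailman3's runner listens on a fixed port, a dedicated corenet port type would confine it more tightly; if the bind is for an ephemeral port (the usual reason this interface is used) a one-line comment in the policy saying so would stop the next reader from asking the same question.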
@@ -343,7 +344,7 @@
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
-@@ -1559,6 +1559,10 @@ optional_policy(`
+@@ -1562,6 +1562,10 @@ optional_policy(`
')
optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0027-services
refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services 2021-02-23
16:57:40.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0027-services 2021-03-05
12:44:18.000000000 +1100
@@ -112,6 +112,19 @@
# Uses sd_notify() to inform systemd it has properly started
init_dgram_send(aptcacher_t)
+@@ -99,8 +105,12 @@ allow acngtool_t self:unix_stream_socket
+ allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
+ allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
+
++kernel_read_kernel_sysctls(acngtool_t)
++
+ aptcacher_stream_connect(acngtool_t)
+
++dev_read_rand(acngtool_t)
++dev_read_urand(acngtool_t)
+ corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+ auth_use_nsswitch(acngtool_t)
Index: refpolicy-2.20210203/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/bind.te
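Review bot: `kernel_read_kernel_sysctls(acngtool_t)` grants read on the whole `/proc/sys/kernel` tree, while the changelog entry names only `/proc/sys/kernel/random/uuid`; unless refpolicy labels that one file with its own type, the whole-tree interface is the only way to allow it, but the changelog wording understates the grant and should say "kernel sysctls (for /proc/sys/kernel/random/uuid)". The `dev_read_rand`/`dev_read_urand` pair is the expected way to allow reading the random devices and is fine as is.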
@@ -516,7 +529,15 @@
can_exec(mon_local_test_t, mon_local_test_exec_t)
-@@ -197,8 +202,11 @@ files_list_boot(mon_local_test_t)
+@@ -189,6 +194,7 @@ dev_read_sysfs(mon_local_test_t)
+
+ domain_read_all_domains_state(mon_local_test_t)
+
++files_dontaudit_tmpfs_file_getattr(mon_local_test_t)
+ files_read_usr_files(mon_local_test_t)
+ files_search_mnt(mon_local_test_t)
+ files_search_spool(mon_local_test_t)
+@@ -197,8 +203,11 @@ files_list_boot(mon_local_test_t)
fs_search_auto_mountpoints(mon_local_test_t)
fs_getattr_nfs(mon_local_test_t)
fs_getattr_xattr_fs(mon_local_test_t)
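Review bot: `files_dontaudit_tmpfs_file_getattr(mon_local_test_t)` calls an interface that only exists once the files.if stanza later in this same patch is applied (`interface(`files_dontaudit_tmpfs_file_getattr',``), so the two hunks must land together; the rule itself suppresses audit records for `getattr` on `tmpfsfile` files and grants nothing, so the only functional check is that the monitoring tests keep passing without the stat, which the Tests section reports.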
@@ -528,7 +549,7 @@
fs_search_nfs(mon_local_test_t)
storage_getattr_fixed_disk_dev(mon_local_test_t)
-@@ -211,12 +219,14 @@ application_exec_all(mon_local_test_t)
+@@ -211,12 +220,14 @@ application_exec_all(mon_local_test_t)
auth_use_nsswitch(mon_local_test_t)
@@ -547,7 +568,109 @@
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mta.if
+++ refpolicy-2.20210203/policy/modules/services/mta.if
-@@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
+@@ -74,26 +74,20 @@ template(`mta_base_mail_template',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mta_role',`
++interface(`mta_base_role',`
+ gen_require(`
+ attribute mta_user_agent;
+- attribute_role user_mail_roles;
+- type user_mail_t, sendmail_exec_t, mail_home_t;
++ type user_mail_t, mail_home_t;
+ type user_mail_tmp_t, mail_home_rw_t;
+ ')
+
+- roleattribute $1 user_mail_roles;
+-
+ # this is something i need to fix
+ # i dont know if and why it is needed
+ # will role attribute work?
+ role $1 types mta_user_agent;
+
+- domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+- allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+-
+- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
+- ps_process_pattern($2, { user_mail_t mta_user_agent })
++ allow $2 mta_user_agent:process { ptrace signal_perms };
++ ps_process_pattern($2, mta_user_agent)
+
+ allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
+@@ -121,6 +115,70 @@ interface(`mta_role',`
+
+ ########################################
+ ## <summary>
++## User Role access for mta.
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## User domain for the role.
++## </summary>
++## </param>
++#
++interface(`mta_user_role',`
++ gen_require(`
++ attribute_role user_mail_roles;
++ type user_mail_t, sendmail_exec_t, mail_home_t;
++ type user_mail_tmp_t, mail_home_rw_t;
++ ')
++ mta_base_role($1, $2)
++
++ roleattribute $1 user_mail_roles;
++
++ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
++ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
++
++ allow $2 user_mail_t:process { ptrace signal_perms };
++ ps_process_pattern($2, user_mail_t)
++')
++
++########################################
++## <summary>
++## Admin Role access for mta.
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## User domain for the role.
++## </summary>
++## </param>
++#
++interface(`mta_admin_role',`
++ gen_require(`
++ attribute_role admin_mail_roles;
++ type admin_mail_t, sendmail_exec_t, mail_home_t;
++ type user_mail_tmp_t, mail_home_rw_t;
++ ')
++ mta_base_role($1, $2)
++
++ roleattribute $1 admin_mail_roles;
++
++ domtrans_pattern($2, sendmail_exec_t, admin_mail_t)
++ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
++
++ allow $2 admin_mail_t:process { ptrace signal_perms };
++ ps_process_pattern($2, admin_mail_t)
++')
++
++########################################
++## <summary>
+ ## Make the specified domain usable for a mail server.
+ ## </summary>
+ ## <param name="type">
+@@ -253,6 +311,7 @@ interface(`mta_manage_mail_home_rw_conte
manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
allow $1 mail_home_rw_t:file map;
manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
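Review bot: the two new interfaces carry unused requires and a copy-pasted doc string. `mta_user_role` requires `mail_home_t`, `user_mail_tmp_t` and `mail_home_rw_t` but its body only uses `user_mail_roles`, `sendmail_exec_t` and `user_mail_t`; `mta_admin_role` likewise requires `mail_home_t`, `user_mail_tmp_t` and `mail_home_rw_t` without using them (those types are consumed by `mta_base_role`, which both call first). Conversely `mta_base_role` still requires `user_mail_t` after the `domtrans_pattern` and `ps_process_pattern` lines that used it were moved out; if nothing in the rest of its body references it, drop it too. The `<param name="domain">` summary of `mta_admin_role` reads "User domain for the role." and should say admin domain. The security-relevant effect of the split is that the admin variant transitions `$2` into `admin_mail_t` on `sendmail_exec_t` instead of `user_mail_t`, so every role switched to it (sysadm_r and unconfined_r in the mta.te hunk of this patch) inherits whatever `admin_mail_t` is granted there.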
@@ -710,7 +833,7 @@
')
optional_policy(`
-@@ -616,10 +620,11 @@ optional_policy(`
+@@ -616,13 +620,15 @@ optional_policy(`
allow smbcontrol_t self:process signal;
allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
@@ -723,7 +846,11 @@
allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -638,6 +643,7 @@ files_search_var_lib(smbcontrol_t)
++allow smbcontrol_t samba_var_t:sock_file manage_file_perms;
+
+ samba_read_config(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+@@ -638,6 +644,7 @@ files_search_var_lib(smbcontrol_t)
term_use_console(smbcontrol_t)
init_use_fds(smbcontrol_t)
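Review bot: `allow smbcontrol_t samba_var_t:sock_file manage_file_perms;` uses the file permission set on the `sock_file` class; refpolicy convention is `manage_sock_file_perms`, or `manage_sock_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)`, which also makes the intent clearer. The changelog entry says the socket is created "in a samba run dir", but the rule targets `samba_var_t`, not `samba_runtime_t` (the context line just above shows `samba_runtime_t:dir rw_dir_perms`); if the socket really lands under the var tree the changelog should say so, and if it lands in the run dir the type in the rule is wrong.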
@@ -900,7 +1027,32 @@
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20210203/policy/modules/kernel/files.if
-@@ -1418,6 +1418,25 @@ interface(`files_unmount_all_file_type_f
+@@ -480,6 +480,24 @@ interface(`files_tmpfs_file',`
+
+ ########################################
+ ## <summary>
++## dontaudit getattr on tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not have stat on tmpfs files audited
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_tmpfs_file_getattr',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ dontaudit $1 tmpfsfile:file getattr;
++')
++
++########################################
++## <summary>
+ ## Get the attributes of all directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -1418,6 +1436,25 @@ interface(`files_unmount_all_file_type_f
########################################
## <summary>
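Review bot: naming: the files.if convention visible elsewhere in this debdiff is verb-then-object (`files_dontaudit_getattr_all_dirs`, used as context in the chromium.te stanza of 0028-misc), so the new interface would be more consistently called `files_dontaudit_getattr_tmpfs_files`; both callers (`mon_local_test_t` and `systemd_logind_t`) are introduced in this same debdiff, so renaming now is cheap. The body, `dontaudit $1 tmpfsfile:file getattr;` against the `tmpfsfile` attribute, is the standard pattern and grants nothing.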
@@ -926,7 +1078,7 @@
## Read all non-authentication related
## directories.
## </summary>
-@@ -3881,6 +3900,24 @@ interface(`files_home_filetrans',`
+@@ -3881,6 +3918,24 @@ interface(`files_home_filetrans',`
########################################
## <summary>
@@ -951,7 +1103,7 @@
## Get the attributes of lost+found directories.
## </summary>
## <param name="domain">
-@@ -5989,6 +6026,24 @@ interface(`files_read_var_lib_files',`
+@@ -5989,6 +6044,24 @@ interface(`files_read_var_lib_files',`
')
########################################
@@ -1165,7 +1317,15 @@
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20210203/policy/modules/services/mailman.te
-@@ -312,6 +312,7 @@ optional_policy(`
+@@ -296,6 +296,7 @@ corecmd_read_bin_files(mailman_queue_t)
+ corenet_sendrecv_innd_client_packets(mailman_queue_t)
+ corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
+ corenet_tcp_bind_generic_node(mailman_queue_t)
++corenet_tcp_connect_http_port(mailman_queue_t)
+ corenet_tcp_connect_innd_port(mailman_queue_t)
+
+ files_dontaudit_search_runtime(mailman_queue_t)
+@@ -313,6 +314,7 @@ optional_policy(`
optional_policy(`
cron_rw_tmp_files(mailman_queue_t)
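Review bot: `corenet_tcp_connect_http_port(mailman_queue_t)` is keyed on the `http_port_t` port type, which in refpolicy covers 80 and 443 among others, so the grant is wider than the changelog's "connect to port 443". That is the normal granularity for refpolicy, and outbound HTTPS from a list runner is plausible, but the changelog line should name the HTTP port type rather than a single port number so the grant is not under-described.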
@@ -1287,3 +1447,147 @@
miscfiles_read_localization(redis_t)
sysnet_dns_name_resolve(redis_t)
+Index: refpolicy-2.20210203/policy/modules/services/postgresql.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/postgresql.te
++++ refpolicy-2.20210203/policy/modules/services/postgresql.te
+@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runt
+ type postgresql_tmp_t;
+ files_tmp_file(postgresql_tmp_t)
+
++type postgresql_tmpfs_t;
++files_tmpfs_file(postgresql_tmpfs_t)
++
+ type postgresql_unit_t;
+ init_unit_file(postgresql_unit_t)
+
+@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, p
+ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file
sock_file fifo_file })
++fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file
fifo_file })
++fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
++allow postgresql_t postgresql_tmpfs_t:file map;
++manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
+
+ manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+ manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+Index: refpolicy-2.20210203/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20210203/policy/modules/system/systemd.te
+@@ -676,6 +676,7 @@ dev_setattr_video_dev(systemd_logind_t)
+
+ domain_obj_id_change_exemption(systemd_logind_t)
+
++files_dontaudit_tmpfs_file_getattr(systemd_logind_t)
+ files_search_boot(systemd_logind_t)
+ files_search_runtime(systemd_logind_t)
+
+Index: refpolicy-2.20210203/policy/modules/roles/staff.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/roles/staff.te
++++ refpolicy-2.20210203/policy/modules/roles/staff.te
+@@ -154,7 +154,7 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(staff_r, staff_t)
++ mta_user_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
++++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
+@@ -706,7 +706,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mta_role(sysadm_r, sysadm_t)
++ mta_admin_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
++++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
+@@ -126,7 +126,7 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(user_r, user_t)
++ mta_user_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/services/mta.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/mta.te
++++ refpolicy-2.20210203/policy/modules/services/mta.te
+@@ -15,6 +15,7 @@ attribute mailserver_sender;
+ attribute user_mail_domain;
+
+ attribute_role user_mail_roles;
++attribute_role admin_mail_roles;
+
+ type etc_aliases_t;
+ files_type(etc_aliases_t)
+@@ -44,6 +45,10 @@ mta_base_mail_template(user)
+ userdom_user_application_type(user_mail_t)
+ role user_mail_roles types user_mail_t;
+
++mta_base_mail_template(admin)
++userdom_user_application_type(admin_mail_t)
++role admin_mail_roles types admin_mail_t;
++
+ userdom_user_tmp_file(user_mail_tmp_t)
+
+ ########################################
+@@ -424,3 +429,30 @@ optional_policy(`
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+ ')
++
++########################################
++#
++# Admin local policy
++#
++
++manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t)
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file,
".esmtp_queue")
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward")
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc")
++userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file,
"dead.letter")
++
++dev_read_sysfs(admin_mail_t)
++
++userdom_use_user_terminals(admin_mail_t)
++
++files_etc_filetrans(admin_mail_t, etc_aliases_t, file)
++allow admin_mail_t etc_aliases_t:file manage_file_perms;
++
++optional_policy(`
++ allow admin_mail_t self:capability dac_override;
++
++ userdom_rw_user_tmp_files(admin_mail_t)
++
++ postfix_read_config(admin_mail_t)
++ postfix_list_spool(admin_mail_t)
++')
+Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
++++ refpolicy-2.20210203/policy/modules/system/unconfined.te
+@@ -141,7 +141,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mta_role(unconfined_r, unconfined_t)
++ mta_admin_role(unconfined_r, unconfined_t)
+ ')
+
+ optional_policy(`
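Review bot: in the new `admin_mail_t` block in mta.te, the closing `optional_policy(`` wraps `allow admin_mail_t self:capability dac_override;` and `userdom_rw_user_tmp_files(admin_mail_t)` together with the two `postfix_*` calls; only the postfix calls depend on an optional module, so unless this deliberately mirrors the existing `user_mail_t` block (only its last two lines are visible here), the capability and tmp rules belong outside the block, otherwise they silently disappear on a build without the postfix module. This hunk is also where the newaliases change from the Risks section actually lands: `files_etc_filetrans(admin_mail_t, etc_aliases_t, file)` plus `manage_file_perms` on `etc_aliases_t` give the domain reached from sysadm_r and unconfined_r via `mta_admin_role` write access to the aliases database, which is what newaliases needs and what `user_mail_t` (staff_r and user_r, now on `mta_user_role`) correctly does not get; a comment above `files_etc_filetrans` saying "for newaliases" would tie the rule to its purpose. The postgresql part is self-consistent: `file` is removed from the `postgresql_tmp_t` tmpfs filetrans and re-added under the new `postgresql_tmpfs_t`, with `map` and a `manage_files_pattern` for the new type.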
diff -Nru refpolicy-2.20210203/debian/patches/0028-misc
refpolicy-2.20210203/debian/patches/0028-misc
--- refpolicy-2.20210203/debian/patches/0028-misc 2021-02-17
13:41:16.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0028-misc 2021-03-02
22:42:44.000000000 +1100
@@ -538,3 +538,163 @@
/var/cache/PackageKit(/.*)?
gen_context(system_u:object_r:apt_var_cache_t,s0)
/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
')
+Index: refpolicy-2.20210203/policy/modules/kernel/kernel.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/kernel.te
++++ refpolicy-2.20210203/policy/modules/kernel/kernel.te
+@@ -232,6 +232,7 @@ allow kernel_t self:unix_stream_socket c
+ allow kernel_t self:fifo_file rw_fifo_file_perms;
+ allow kernel_t self:sock_file read_sock_file_perms;
+ allow kernel_t self:fd use;
++allow kernel_t self:perf_event cpu;
+
+ allow kernel_t debugfs_t:dir search_dir_perms;
+
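Review bot: "allow kernel_t self:perf_event cpu;" has no comment saying what in the kernel domain opens a CPU-scoped perf event; a short note giving the denial and the kernel version it appeared on would help whoever later tries to tighten kernel_t, and it is worth confirming that the perf_event class is declared in this policy's flask definitions before a rule on it is added to the base module.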
+Index: refpolicy-2.20210203/policy/modules/apps/chromium.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.if
++++ refpolicy-2.20210203/policy/modules/apps/chromium.if
+@@ -41,6 +41,7 @@ interface(`chromium_role',`
+ allow $2 chromium_sandbox_t:process signal_perms;
+ allow $2 chromium_naclhelper_t:process signal_perms;
+ allow chromium_t $2:process { signull signal };
++ allow chromium_t $2:unix_stream_socket { read write };
+
+ allow $2 chromium_t:unix_stream_socket connectto;
+
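Review bot: "allow chromium_t $2:unix_stream_socket { read write };" grants the browser read and write on stream sockets of the calling user domain ($2), the reverse direction of the existing "allow $2 chromium_t:unix_stream_socket connectto;"; read/write without connectto is typically for a socket inherited across the exec, so a comment saying which launcher passes it would make the intent clear, and the interface <summary> should mention the new access so the generated docs stay accurate.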
+Index: refpolicy-2.20210203/policy/modules/apps/chromium.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
++++ refpolicy-2.20210203/policy/modules/apps/chromium.te
+@@ -114,6 +114,7 @@ allow chromium_t chromium_sandbox_t:unix
+ allow chromium_t chromium_sandbox_t:file read_file_perms;
+
+ allow chromium_t chromium_naclhelper_t:process { share };
++allow chromium_t chromium_naclhelper_t:process2 nnp_transition;
+
+ # tmp has a wide class access (used for plugins)
+ manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
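Review bot: "allow chromium_t chromium_naclhelper_t:process2 nnp_transition;" lets the domain transition into chromium_naclhelper_t proceed when the process has no_new_privs set, which is the narrow fix rather than weakening the transition; like the "share" rule directly above it, it deserves a one-line comment, and it is worth checking whether chromium_sandbox_t, whose rules appear at the top of this hunk, hits the same no_new_privs case.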
+@@ -183,6 +184,7 @@ files_read_usr_files(chromium_t)
+ files_map_usr_files(chromium_t)
+ files_read_etc_files(chromium_t)
+ files_watch_etc_dirs(chromium_t)
++files_watch_root_dirs(chromium_t)
+ # During find for /etc/whatever-release we get lots of output otherwise
+ files_dontaudit_getattr_all_dirs(chromium_t)
+
+@@ -290,6 +292,7 @@ optional_policy(`
+
+ optional_policy(`
+ networkmanager_dbus_chat(chromium_t)
++ networkmanager_watch_runtime_dirs(chromium_t)
+ ')
+
+ optional_policy(`
+Index: refpolicy-2.20210203/policy/modules/services/networkmanager.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.if
++++ refpolicy-2.20210203/policy/modules/services/networkmanager.if
+@@ -305,6 +305,24 @@ interface(`networkmanager_read_runtime_f
+ read_files_pattern($1, NetworkManager_runtime_t,
NetworkManager_runtime_t)
+ ')
+
++########################################
++## <summary>
++## watch networkmanager runtime files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_watch_runtime_dirs',`
++ gen_require(`
++ type NetworkManager_runtime_t;
++ ')
++
++ allow $1 NetworkManager_runtime_t:dir watch;
++')
++
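Review bot: the <summary> of the new interface says "watch networkmanager runtime files." but the rule it wraps is "allow $1 NetworkManager_runtime_t:dir watch;" and the interface is named networkmanager_watch_runtime_dirs; change the summary to say directories so the generated documentation matches the access actually granted.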
+ ####################################
+ ## <summary>
+ ## Connect to networkmanager over
+Index: refpolicy-2.20210203/policy/modules/admin/usermanage.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/usermanage.te
++++ refpolicy-2.20210203/policy/modules/admin/usermanage.te
+@@ -438,6 +438,9 @@ files_read_etc_runtime_files(sysadm_pass
+ # for nscd lookups
+ files_dontaudit_search_runtime(sysadm_passwd_t)
+
++files_etc_filetrans_etc(sysadm_passwd_t, file, "passwd.edit")
++files_etc_filetrans_etc(sysadm_passwd_t, file, "group.edit")
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(sysadm_passwd_t)
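Review bot: the two files_etc_filetrans_etc(sysadm_passwd_t, file, ...) calls say nothing about which program creates passwd.edit and group.edit or which broader transition they override; this file already uses a comment for that ("# for nscd lookups" two lines up), so add one line naming the tool, since a named transition to etc_t only matters if an unnamed transition for sysadm_passwd_t in /etc would otherwise give these files a different type.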
+Index: refpolicy-2.20210203/policy/modules/kernel/files.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
++++ refpolicy-2.20210203/policy/modules/kernel/files.if
+@@ -3413,6 +3413,35 @@ interface(`files_etc_filetrans',`
+
+ ########################################
+ ## <summary>
++## Create objects in /etc with type etc_t with specified
++## name to overide default transition
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="class">
++## <summary>
++## Object classes to be created.
++## </summary>
++## </param>
++## <param name="name">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`files_etc_filetrans_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ filetrans_pattern($1, etc_t, etc_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ## Create a boot flag.
+ ## </summary>
+ ## <desc>
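Review bot: the <summary> of files_etc_filetrans_etc has a typo, "overide" for "override", which will appear verbatim in the generated interface documentation; fix it while the patch is being refreshed. The body, "filetrans_pattern($1, etc_t, etc_t, $2, $3)", also grants $1 rw_dir_perms on etc_t directories as a side effect of the pattern, which is worth a sentence in the doc block so callers know they receive more than a naming rule.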
+Index: refpolicy-2.20210203/policy/modules/system/unconfined.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.if
++++ refpolicy-2.20210203/policy/modules/system/unconfined.if
+@@ -44,6 +44,8 @@ interface(`unconfined_domain_noaudit',`
+ # Transition to myself, to make get_ordered_context_list happy.
+ allow $1 self:process transition;
+
++ allow $1 self:lockdown { integrity confidentiality };
++
+ # Write access is for setting attributes under /proc/self/attr.
+ allow $1 self:file rw_file_perms;
+
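Review bot: "allow $1 self:lockdown { integrity confidentiality };" hands every unconfined domain both lockdown permissions, i.e. it satisfies the SELinux side of the kernel lockdown checks for them; that is consistent with what unconfined means, but the two rules around it each carry a comment explaining the need, so this one should record which operation was being denied and on which kernel, so it can be revisited if lockdown is ever meant to apply to unconfined_t.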
+Index: refpolicy-2.20210203/policy/modules/admin/netutils.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/netutils.te
++++ refpolicy-2.20210203/policy/modules/admin/netutils.te
+@@ -39,6 +39,7 @@ allow netutils_t self:process { getcap s
+ allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+ allow netutils_t self:netlink_socket create_socket_perms;
+ # For tcpdump.
++allow netutils_t self:netlink_generic_socket create_socket_perms;
+ allow netutils_t self:netlink_netfilter_socket create_socket_perms;
+ allow netutils_t self:packet_socket { create_socket_perms map };
+ allow netutils_t self:udp_socket create_socket_perms;
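Review bot: the new "allow netutils_t self:netlink_generic_socket create_socket_perms;" sits directly under the "# For tcpdump." comment, so that comment now reads as covering both it and the netlink_netfilter_socket rule; if the generic netlink socket is needed by a different tool in the netutils domain, give it its own line and comment, and if it is for tcpdump say so explicitly.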
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm
refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm 2021-02-23
16:57:40.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm 2021-02-26
15:40:51.000000000 +1100
@@ -11,7 +11,18 @@
allow $1_wm_t $3:process { signull sigkill };
domtrans_pattern($3, wm_exec_t, $1_wm_t)
-@@ -101,6 +103,17 @@ template(`wm_role_template',`
+@@ -75,6 +77,10 @@ template(`wm_role_template',`
+
+ wm_write_pipes($1, $3)
+
++ tunable_policy(`wm_write_xdg_data', `
++ xdg_manage_data($1_wm_t)
++ ')
++
+ optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
+ dbus_spec_session_bus_client($1, $1_wm_t)
+@@ -101,6 +107,17 @@ template(`wm_role_template',`
optional_policy(`
pulseaudio_run($1_wm_t, $2)
')
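Review bot: the new tunable_policy(wm_write_xdg_data) block calls xdg_manage_data($1_wm_t) directly, whereas the dbus and pulseaudio calls in the same template are wrapped in optional_policy; if the xdg module is optional in the Debian build, the tunable block needs the same wrapping or a build without xdg fails on the undefined interface. The rest of this outer hunk only refreshes the "+@@ -101,6 +107,17 @@" header of the existing hunk below it.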
@@ -68,6 +79,28 @@
wm_dbus_chat($1, $1_gkeyringd_t)
')
')
+@@ -807,3 +811,21 @@ interface(`gnome_mmap_gstreamer_orcexec'
+
+ allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
+ ')
++
++########################################
++## <summary>
++## watch gnome_xdg_config_t dirs
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_watch_xdg_config_dirs',`
++ gen_require(`
++ type gnome_xdg_config_t;
++ ')
++
++ allow $1 gnome_xdg_config_t:dir watch;
++')
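Review bot: the summary "watch gnome_xdg_config_t dirs" names the type rather than describing the access in words as the other interface docs do (compare "Do not audit attempts to use user ttys." further down); "Watch the GNOME XDG config directories." would read better in the generated docs. The rule itself, "allow $1 gnome_xdg_config_t:dir watch;", is as narrow as it should be: watch only, no read.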
Index: refpolicy-2.20210203/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/xserver.if
@@ -291,3 +324,34 @@
## <summary>
## Allow relabeling the xdg data home files, regardless of their type
## </summary>
+Index: refpolicy-2.20210203/policy/modules/apps/wm.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/wm.te
++++ refpolicy-2.20210203/policy/modules/apps/wm.te
+@@ -7,6 +7,14 @@ policy_module(wm, 1.11.0)
+
+ attribute wm_domain;
+
++
++## <desc>
++## <p>
++## Grant the window manager domains write access to xdg data
++## </p>
++## </desc>
++gen_tunable(`wm_write_xdg_data', false)
++
+ type wm_exec_t;
+ corecmd_executable_file(wm_exec_t)
+
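Review bot: the tunable description says "write access to xdg data" but the rule it gates in wm.if is xdg_manage_data($1_wm_t), which also allows creating, renaming and deleting; say "manage" in the <p> text so an admin enabling wm_write_xdg_data knows the scope. The default of false is the right choice. The hunk also adds a stray empty "++" line before the <desc> block, leaving two blank lines after "attribute wm_domain;".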
+Index: refpolicy-2.20210203/policy/modules/apps/chromium.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
++++ refpolicy-2.20210203/policy/modules/apps/chromium.te
+@@ -271,6 +271,7 @@ optional_policy(`
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(chromium_t)
++ gnome_watch_xdg_config_dirs(chromium_t)
+ ')
+
+ optional_policy(`
diff -Nru refpolicy-2.20210203/debian/patches/0110-gpg
refpolicy-2.20210203/debian/patches/0110-gpg
--- refpolicy-2.20210203/debian/patches/0110-gpg 2021-02-23
16:57:40.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/0110-gpg 2021-02-26
15:43:08.000000000 +1100
@@ -14,7 +14,7 @@
/usr/bin/gpgsm --
gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent --
gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-/usr/bin/pinentry.* --
gen_context(system_u:object_r:gpg_pinentry_exec_t,s0)
-+/usr/bin/pinentry.* --
gen_context(system_u:object_r:gpg_exec_t,s0)
++/usr/bin/pinentry.* --
gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/lib/gnupg/.* --
gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* --
gen_context(system_u:object_r:gpg_helper_exec_t,s0)
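Review bot: this revision moves /usr/bin/pinentry.* from gpg_exec_t to gpg_agent_exec_t (the Debian patch had already relabelled it away from upstream's gpg_pinentry_exec_t, per the "-" context line), so with the can_exec(gpg_agent_t, gpg_agent_exec_t) added in gpg.te below, pinentry now runs inside gpg_agent_t rather than in its own domain; that collapse of the passphrase prompt into the agent's domain should be stated in the patch header or changelog. These file-context lines are also wrapped onto two lines by the mailer, so the patch cannot be applied as quoted.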
@@ -225,3 +225,16 @@
## <summary>
## Do not audit attempts to append temporary
## system cron job files.
+Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
++++ refpolicy-2.20210203/policy/modules/apps/gpg.te
+@@ -84,6 +84,8 @@ dontaudit gpg_t self:netlink_audit_socke
+ allow gpg_t self:fifo_file rw_fifo_file_perms;
+ allow gpg_t self:tcp_socket { accept listen };
+
++can_exec(gpg_agent_t, gpg_agent_exec_t)
++
+ manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+ userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
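Review bot: can_exec(gpg_agent_t, gpg_agent_exec_t) is inserted among the gpg_t rules (between the tcp_socket line and the gpg_runtime_t rules) although it concerns gpg_agent_t; move it to the gpg_agent_t section of the file so each domain's rules stay grouped, and add a comment that, together with the pinentry file context change above, this is what lets the agent run pinentry without a domain transition.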
diff -Nru refpolicy-2.20210203/debian/patches/2000-hacks
refpolicy-2.20210203/debian/patches/2000-hacks
--- refpolicy-2.20210203/debian/patches/2000-hacks 2021-02-01
13:00:42.000000000 +1100
+++ refpolicy-2.20210203/debian/patches/2000-hacks 2021-02-25
14:34:43.000000000 +1100
@@ -1,7 +1,7 @@
-Index: refpolicy-2.20210130/policy/modules/system/init.if
+Index: refpolicy-2.20210203/policy/modules/system/init.if
===================================================================
---- refpolicy-2.20210130.orig/policy/modules/system/init.if
-+++ refpolicy-2.20210130/policy/modules/system/init.if
+--- refpolicy-2.20210203.orig/policy/modules/system/init.if
++++ refpolicy-2.20210203/policy/modules/system/init.if
@@ -178,7 +178,11 @@ interface(`init_domain',`
role system_r types $1;
@@ -15,10 +15,10 @@
allow init_t $1:process rlimitinh;
-Index: refpolicy-2.20210130/policy/modules/system/fstools.te
+Index: refpolicy-2.20210203/policy/modules/system/fstools.te
===================================================================
---- refpolicy-2.20210130.orig/policy/modules/system/fstools.te
-+++ refpolicy-2.20210130/policy/modules/system/fstools.te
+--- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
++++ refpolicy-2.20210203/policy/modules/system/fstools.te
@@ -151,6 +151,11 @@ init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
init_rw_script_stream_sockets(fsadm_t)
@@ -31,10 +31,10 @@
logging_send_syslog_msg(fsadm_t)
miscfiles_read_localization(fsadm_t)
-Index: refpolicy-2.20210130/policy/modules/system/sysnetwork.te
+Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
===================================================================
---- refpolicy-2.20210130.orig/policy/modules/system/sysnetwork.te
-+++ refpolicy-2.20210130/policy/modules/system/sysnetwork.te
+--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
++++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
@@ -345,6 +345,11 @@ files_dontaudit_read_root_files(ifconfig
init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)
@@ -47,10 +47,10 @@
logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
-Index: refpolicy-2.20210130/config/appconfig-mcs/default_contexts
+Index: refpolicy-2.20210203/config/appconfig-mcs/default_contexts
===================================================================
---- refpolicy-2.20210130.orig/config/appconfig-mcs/default_contexts
-+++ refpolicy-2.20210130/config/appconfig-mcs/default_contexts
+--- refpolicy-2.20210203.orig/config/appconfig-mcs/default_contexts
++++ refpolicy-2.20210203/config/appconfig-mcs/default_contexts
@@ -2,7 +2,7 @@ system_r:crond_t:s0 user_r:user_t:s0 st
system_r:init_t:s0 user_r:user_systemd_t:s0
staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0
unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -60,10 +60,10 @@
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-Index: refpolicy-2.20210130/Makefile
+Index: refpolicy-2.20210203/Makefile
===================================================================
---- refpolicy-2.20210130.orig/Makefile
-+++ refpolicy-2.20210130/Makefile
+--- refpolicy-2.20210203.orig/Makefile
++++ refpolicy-2.20210203/Makefile
@@ -240,6 +240,7 @@ M4PARAM += -D mls_num_sens=$(MLS_SENS) -
# differently on different distros
ifeq ($(DISTRO),debian)
@@ -72,3 +72,45 @@
endif
ifeq ($(DISTRO),gentoo)
+Index: refpolicy-2.20210203/policy/modules/system/systemd.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
++++ refpolicy-2.20210203/policy/modules/system/systemd.te
+@@ -1721,3 +1721,7 @@ optional_policy(`
+ optional_policy(`
+ gpg_agent_tmp_unlink_sock(systemd_user_runtime_dir_t)
+ ')
++
++optional_policy(`
++ userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t)
++')
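Review bot: userdom_unlink_user_tmp_devices(systemd_user_runtime_dir_t) is wrapped in optional_policy like the gpg_agent_tmp_unlink_sock block above, which is consistent, but nothing says why cleanup of the user runtime directory encounters device nodes labelled user_tmp_t; a one-line comment naming the program that creates them would back the "probably should not have been created" remark in the interface doc.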
+Index: refpolicy-2.20210203/policy/modules/system/userdomain.if
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/system/userdomain.if
++++ refpolicy-2.20210203/policy/modules/system/userdomain.if
+@@ -4567,6 +4567,25 @@ interface(`userdom_dontaudit_write_user_
+
+ ########################################
+ ## <summary>
++## Delete user_tmp_t device nodes (probably should not have been
++## created in the first place)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to allow deleting
++## </summary>
++## </param>
++#
++interface(`userdom_unlink_user_tmp_devices',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:{ chr_file blk_file } unlink;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to use user ttys.
+ ## </summary>
+ ## <param name="domain">
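Review bot: the new userdom_unlink_user_tmp_devices interface grants only "{ chr_file blk_file } unlink" on user_tmp_t, which is the right minimal scope (no read, write or create), but its <summary> contains an editorial aside ("probably should not have been created in the first place") that will end up in the generated documentation; move that remark to a "#" comment, keep the summary to the access granted, and change the param summary "Domain to allow deleting" to the standard "Domain allowed access." used by the other interfaces in this patch.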
--- End Message ---