Merge pull request #307 from atenart/buildroot-fixes

policy/modules/kernel/corecommands.fc

@@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/sh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)

policy/modules/services/dbus.if

@@ -143,6 +143,8 @@ interface(`dbus_system_bus_client',`
 	stream_connect_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t, system_dbusd_t)
 
 	dbus_read_config($1)
+	dbus_list_system_bus_runtime($1)
+	dbus_read_system_bus_runtime_named_sockets($1)
 ')
 
 #######################################
@@ -594,6 +596,24 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
 	allow $1 system_dbusd_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	List system bus runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_list_system_bus_runtime',`
+	gen_require(`
+		type system_dbusd_runtime_t;
+	')
+
+	allow $1 system_dbusd_runtime_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Watch system bus runtime named sockets.
@@ -612,6 +632,24 @@ interface(`dbus_watch_system_bus_runtime_named_sockets',`
 	allow $1 system_dbusd_runtime_t:sock_file watch;
 ')
 
+########################################
+## <summary>
+##	Read system bus runtime named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_read_system_bus_runtime_named_sockets',`
+	gen_require(`
+		type system_dbusd_runtime_t;
+	')
+
+	allow $1 system_dbusd_runtime_t:sock_file read;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to DBUS.

policy/modules/system/locallogin.te

@@ -59,6 +59,7 @@ kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctls(local_login_t)
 kernel_search_key(local_login_t)
 kernel_link_key(local_login_t)
+kernel_getattr_proc(local_login_t)
 
 corecmd_list_bin(local_login_t)
 # cjp: these are probably not needed:

policy/modules/system/logging.te

@@ -524,7 +524,7 @@ ifdef(`init_systemd',`
 	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
 	allow syslogd_t self:capability2 audit_read;
 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
 
 	# remove /run/log/journal when switching to permanent storage
 	allow syslogd_t var_log_t:dir rmdir;

policy/modules/system/sysnetwork.if

@@ -346,6 +346,8 @@ interface(`sysnet_read_config',`
 	')
 
 	files_search_etc($1)
+	files_search_runtime($1)
+	allow $1 net_conf_t:dir list_dir_perms;
 	allow $1 net_conf_t:file read_file_perms;
 
 	ifdef(`distro_debian',`

policy/modules/system/systemd.te

@@ -362,6 +362,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:process setfscreate;
 
 corecmd_getattr_bin_files(systemd_generator_t)
 
@@ -459,6 +461,7 @@ selinux_get_fs_mount(systemd_hw_t)
 selinux_use_status_page(systemd_hw_t)
 
 init_read_state(systemd_hw_t)
+init_search_runtime(systemd_hw_t)
 
 seutil_read_config(systemd_hw_t)
 seutil_read_file_contexts(systemd_hw_t)
@@ -782,6 +785,7 @@ dev_write_kmsg(systemd_networkd_t)
 files_read_etc_files(systemd_networkd_t)
 files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
+fs_getattr_xattr_fs(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)
 
@@ -1091,6 +1095,7 @@ auth_use_nsswitch(systemd_resolved_t)
 
 files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
+files_list_runtime(systemd_resolved_t)
 
 init_dgram_send(systemd_resolved_t)
 

policy/modules/system/udev.te

@@ -421,3 +421,5 @@ kernel_read_kernel_sysctls(udevadm_t)
 kernel_read_system_state(udevadm_t)
 
 seutil_read_file_contexts(udevadm_t)
+
+fs_getattr_xattr_fs(udevadm_t)