diff --git a/policy/modules/admin/dpkg.fc b/policy/modules/admin/dpkg.fc
index 9ba6e3123..514237b4c 100644
--- a/policy/modules/admin/dpkg.fc
+++ b/policy/modules/admin/dpkg.fc
@@ -9,6 +9,7 @@
 /var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
 /var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
 /var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+/var/lib/dpkg/lock-frontend -- gen_context(system_u:object_r:dpkg_lock_t,s0)
 /usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
 /usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index ad9229b0d..f52efeb1b 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -30,7 +30,7 @@ type dpkg_var_lib_t;
 files_type(dpkg_var_lib_t)
 type dpkg_script_t;
-domain_type(dpkg_script_t)
+application_type(dpkg_script_t)
 domain_entry_file(dpkg_t, dpkg_var_lib_t)
 domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
 corecmd_shell_entry_type(dpkg_script_t)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 4a8a31ef9..acca807f8 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -244,7 +244,6 @@ filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
 domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
 kernel_dontaudit_search_sysctl(gpg_agent_t)
-kernel_read_core_if(gpg_agent_t)
 kernel_read_crypto_sysctls(gpg_agent_t)
 kernel_read_system_state(gpg_agent_t)
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 7de51489b..af3c02ebd 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -15,6 +15,9 @@ role thunderbird_roles types thunderbird_t;
 type thunderbird_home_t;
 userdom_user_home_content(thunderbird_home_t)
+type thunderbird_tmp_t;
+userdom_user_tmp_file(thunderbird_tmp_t)
+
 type thunderbird_tmpfs_t;
 userdom_user_tmpfs_file(thunderbird_tmpfs_t)
@@ -42,6 +45,11 @@ manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
 manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
 userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird")
+manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file lnk_file })
+
 manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
 manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
 manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 92788219b..b473850d4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -367,6 +367,7 @@ ifdef(`distro_debian',`
 ifdef(`distro_debian',`
 /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/openssh/agent-launch -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 81fbbd223..202b39a10 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -310,6 +310,7 @@ seutil_dontaudit_search_config(postfix_master_t)
 mta_manage_aliases(postfix_master_t)
 mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
 mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
+mta_etc_filetrans_aliases(postfix_master_t, file, "__db.aliases.db")
 mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
 mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
 mta_read_sendmail_bin(postfix_master_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index d1c0e83b3..e921bca4e 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -118,6 +118,7 @@ userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
 mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
+mta_etc_filetrans_aliases(sendmail_t, file, "__db.aliases.db")
 mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
 mta_manage_aliases(sendmail_t)
 mta_manage_queue(sendmail_t)
@@ -208,6 +209,7 @@ optional_policy(`
 optional_policy(`
  mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
  mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "__db.aliases.db")
  mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
  unconfined_domain(unconfined_sendmail_t)
 ')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 3f49e9c21..915f68c21 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -104,8 +104,6 @@ allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
 kernel_read_crypto_sysctls(chkpwd_t)
-# is_selinux_enabled
-kernel_read_system_state(chkpwd_t)
 domain_dontaudit_use_interactive_fds(chkpwd_t)
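Review bot: The chkpwd_t change replaces three separate grants — `kernel_read_system_state(chkpwd_t)` with its `# is_selinux_enabled` comment in this hunk, and `selinux_getattr_fs(chkpwd_t)` and `seutil_read_config(chkpwd_t)` in the next two authlogin.te hunks — with the single `seutil_libselinux_linked(chkpwd_t)`, but the body of that interface is not in the diff, so it is worth confirming it covers everything the old rules did (presumably the selinuxfs getattr, the /etc/selinux config read and whatever is_selinux_enabled reads under /proc); otherwise the password helper, which is on the login path, starts hitting denials that previously did not exist. If `kernel_read_system_state` was serving anything beyond is_selinux_enabled, that access is silently lost too. A comment next to the new call, e.g. `# libselinux initialisation (replaces kernel_read_system_state/selinux_getattr_fs/seutil_read_config)`, would record what the consolidation is meant to cover.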
@@ -120,7 +118,6 @@ files_dontaudit_search_var(chkpwd_t)
 fs_dontaudit_getattr_xattr_fs(chkpwd_t)
 selinux_get_enforce_mode(chkpwd_t)
-selinux_getattr_fs(chkpwd_t)
 term_dontaudit_use_console(chkpwd_t)
 term_dontaudit_use_unallocated_ttys(chkpwd_t)
@@ -134,7 +131,7 @@ logging_send_syslog_msg(chkpwd_t)
 miscfiles_read_localization(chkpwd_t)
-seutil_read_config(chkpwd_t)
+seutil_libselinux_linked(chkpwd_t)
 seutil_dontaudit_use_newrole_fds(chkpwd_t)
 userdom_use_user_terminals(chkpwd_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 728cc55d4..a76eb0693 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -284,6 +284,8 @@ ifdef(`init_systemd',`
  manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
  manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t)
  manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t)
+ # /memfd:systemd-state
+ fs_tmpfs_filetrans(init_t, init_runtime_t, file)
  manage_files_pattern(init_t, systemd_unit_t, systemdunit)
@@ -317,7 +319,6 @@ ifdef(`init_systemd',`
  dev_manage_input_dev(init_t)
  dev_relabel_all_sysfs(init_t)
  dev_relabel_generic_symlinks(init_t)
- dev_read_urand(init_t)
  dev_write_kmsg(init_t)
  dev_write_urand(init_t)
  dev_rw_lvm_control(init_t)
@@ -441,9 +442,9 @@ ifdef(`init_systemd',`
  auth_manage_var_auth(init_t)
  auth_relabel_login_records(init_t)
  auth_relabel_pam_console_data_dirs(init_t)
+ auth_domtrans_chk_passwd(init_t)
  logging_manage_pid_sockets(init_t)
- logging_send_audit_msgs(init_t)
  logging_relabelto_devlog_sock_files(init_t)
  logging_relabel_generic_log_dirs(init_t)
  logging_audit_socket_activation(init_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index bbcb607b1..0f331c6d3 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
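Review bot: `auth_domtrans_chk_passwd(init_t)` in the last init.te hunk lets PID 1 transition into the password-checker domain without a comment saying what makes init run it, while the `# /memfd:systemd-state` comment added in the first init.te hunk shows the file's convention of recording the trigger; a line such as `# PAM stack of PAMName= services (presumably pam_unix -> unix_chkpwd); confirm` would keep the reason next to a grant that reaches shadow data. The same hunk removes `logging_send_audit_msgs(init_t)` while the identical grant is added to `systemd_user_session_type` in systemd.te, so the change is only equivalent if init_t carries that attribute; if it does not, PID 1 loses the ability to send service start/stop audit records. Either way the commit message should say which it is. The enclosing `ifdef(\`init_systemd'` block begins before and ends after these hunks.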
@@ -60,7 +60,12 @@ template(`systemd_role_template',`
  # Allow using file descriptors for user environment generators
  allow $3 $1_systemd_t:fd use;
+ # systemctl --user
+ stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
+ can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
+
+ dbus_system_bus_client($1_systemd_t)
 ')
 ######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 545a3e8e0..8fda5888c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1083,6 +1083,8 @@ optional_policy(`
 # Rfkill local policy
 #
+allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
+
 manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
@@ -1250,6 +1252,7 @@ files_manage_etc_symlinks(systemd_tmpfiles_t)
 fs_getattr_tmpfs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
+fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
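Review bot: `dbus_system_bus_client($1_systemd_t)` is called bare inside `systemd_role_template`, whereas calls into the dbus module are conventionally wrapped in an `optional_policy` block so the template still expands when that module is not built; it also sits under the `# systemctl --user` comment although it grants the user manager itself, not `$3`, access to the system bus, so it needs its own one-line reason. Suggested shape: an `optional_policy` block containing `dbus_system_bus_client($1_systemd_t)` with a comment above naming what the user manager talks to on the system bus. A note on `can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })` that these binaries then run in the caller's own domain would also help the next reader. The template starts before and ends after this hunk.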
@@ -1346,14 +1349,17 @@ systemd_log_parse_environment(systemd_update_done_t)
 # User session (systemd --user) local policy
 #
+allow systemd_user_session_type self:bpf { prog_load prog_run };
 allow systemd_user_session_type self:capability { dac_read_search sys_resource };
 dontaudit systemd_user_session_type self:capability dac_override;
-allow systemd_user_session_type self:process { setfscreate setsockcreate };
+allow systemd_user_session_type self:fifo_file rw_fifo_file_perms;
+allow systemd_user_session_type self:process { setfscreate setsockcreate setcap getcap };
 allow systemd_user_session_type self:udp_socket create_socket_perms;
 allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
 allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
 allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_session_type systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
 allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
 userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
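Review bot: `allow systemd_user_session_type self:bpf { prog_load prog_run };` and the new `setcap getcap` process permissions are granted to every domain carrying the user-session attribute, yet nothing in the hunk records which systemd --user feature needs them, while the next hunk in this file uses the `# /etc/localtime` style to explain a far smaller grant. Loading BPF programs from a per-user manager is a noticeably larger expansion than the rest of this block, so a comment above it naming the feature — e.g. `# <systemd --user feature that loads BPF programs>; confirm prog_run is needed as well as prog_load` — would let a later reader judge whether it is still required. The `self:fifo_file rw_fifo_file_perms` and `lnk_file manage_lnk_file_perms` additions follow the existing pattern and need no comment.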
@@ -1369,32 +1375,44 @@ can_exec(systemd_user_session_type, systemd_generator_exec_t)
 dev_write_sysfs_dirs(systemd_user_session_type)
 dev_read_sysfs(systemd_user_session_type)
+domain_getattr_all_entry_files(systemd_user_session_type)
+
 files_read_etc_files(systemd_user_session_type)
 files_list_usr(systemd_user_session_type)
+# /etc/localtime
+files_watch_etc_symlinks(systemd_user_session_type)
 fs_getattr_cgroup(systemd_user_session_type)
 fs_getattr_tmpfs(systemd_user_session_type)
 fs_rw_cgroup_files(systemd_user_session_type)
 fs_manage_cgroup_dirs(systemd_user_session_type)
-# for /run/systemd/notify
-init_dgram_send(systemd_user_session_type)
-init_signal(systemd_user_session_type)
-
 # for /proc/sys/fs/nr_open
 kernel_read_fs_sysctls(systemd_user_session_type)
 kernel_read_kernel_sysctls(systemd_user_session_type)
-mount_list_runtime(systemd_user_session_type)
-
+selinux_compute_access_vector(systemd_user_session_type)
 selinux_compute_create_context(systemd_user_session_type)
 storage_getattr_fixed_disk_dev(systemd_user_session_type)
+# for /run/systemd/notify
+init_dgram_send(systemd_user_session_type)
+init_signal(systemd_user_session_type)
+
+logging_send_audit_msgs(systemd_user_session_type)
+
+miscfiles_read_localization(systemd_user_session_type)
+
+mount_list_runtime(systemd_user_session_type)
+mount_watch_runtime_dirs(systemd_user_session_type)
+
 # for systemd to read udev status
 udev_read_pid_files(systemd_user_session_type)
 udev_list_pids(systemd_user_session_type)
+seutil_libselinux_linked(systemd_user_session_type)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy
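Review bot: Most of this hunk relocates rules that already existed — the `# for /run/systemd/notify` / `init_dgram_send` / `init_signal` group and `mount_list_runtime` are removed near the top and re-added further down — interleaved with the genuinely new grants, so the diff reports 12 additions where the behavioural change is roughly half that; splitting the reorder from the additions would make the new permissions auditable on their own. Of the new lines, `logging_send_audit_msgs(systemd_user_session_type)` and `seutil_libselinux_linked(systemd_user_session_type)` carry no why-comment although the neighbouring `# /etc/localtime` line does; a short note on each, e.g. `# audit records for user service start/stop` if that is the trigger, would keep the rationale in the file. `selinux_compute_access_vector` beside the existing `selinux_compute_create_context` is consistent and needs nothing further.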