From edd4ba6f32240c037c9691f36a20b548795a4265 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 2 Feb 2021 10:52:59 -0500 Subject: [PATCH] Various fixes Allow dovecot to watch the mail spool, and add various dontaudit rules for several other domains. Signed-off-by: Kenton Groombridge --- policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ policy/modules/services/dovecot.te | 3 +++ policy/modules/services/mta.if | 18 ++++++++++++++++++ policy/modules/services/ssh.te | 2 ++ policy/modules/system/authlogin.te | 3 +++ policy/modules/system/selinuxutil.te | 1 + 6 files changed, 45 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 5869eb50b..ebd73aca9 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -910,6 +910,24 @@ interface(`kernel_getattr_proc',` allow $1 proc_t:filesystem getattr; ') +######################################## +## +## Do not audit attempts to get the attributes of the proc filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_getattr_proc',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:filesystem getattr; +') + ######################################## ## ## Mount on proc directories. diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index a2d1cc5e4..16fa4e527 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -207,6 +207,7 @@ optional_policy(` optional_policy(` mta_manage_spool(dovecot_t) + mta_watch_spool(dovecot_t) mta_manage_mail_home_rw_content(dovecot_t) mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") 
@@ -255,6 +256,8 @@ manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t) allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; +kernel_dontaudit_getattr_proc(dovecot_auth_t) + files_search_runtime(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index b0ce28b55..b9723aa98 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -955,6 +955,24 @@ interface(`mta_manage_spool',` manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') +######################################## +## +## Watch mail spool content. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_watch_spool',` + gen_require(` + type mail_spool_t; + ') + + allow $1 mail_spool_t:{ dir file } watch; +') + ####################################### ## ## Create specified objects in the diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 6c59e1d53..8cefca989 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -262,6 +262,8 @@ corenet_sendrecv_xserver_server_packets(sshd_t) ifdef(`distro_debian',` allow sshd_t self:process { getcap setcap }; auth_use_pam_motd_dynamic(sshd_t) +',` + dontaudit sshd_t self:process { getcap setcap }; ') ifdef(`init_systemd',` diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 6924810c6..0e1619e26 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -104,6 +104,9 @@ allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) kernel_read_crypto_sysctls(chkpwd_t) +kernel_dontaudit_search_kernel_sysctl(chkpwd_t) +kernel_dontaudit_read_kernel_sysctl(chkpwd_t) +kernel_dontaudit_getattr_proc(chkpwd_t) domain_dontaudit_use_interactive_fds(chkpwd_t) 
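Review bot: The new mta_watch_spool interface grants watch on mail_spool_t dirs and files but gives the caller no search access to the spool parent directory, so a domain that calls only this interface could not reach the objects it is allowed to watch. The neighbouring mta_manage_spool (only its closing manage_lnk_files_pattern line is visible as hunk context) appears to pair its rules with files_search_spool($1); if that is the case, mirror it by adding `files_search_spool($1)` before the allow line so the interface stands on its own. For dovecot_t this gap is masked because it already calls mta_manage_spool in the same optional block. The watch rule also omits lnk_file, which mta_manage_spool covers; leave that as is unless a lnk_file watch denial is actually observed.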
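Review bot: The else branch added to the distro_debian ifdef silences sshd_t's getcap/setcap on its own process instead of granting it, whereas the Debian branch above allows the same permissions; a dontaudit still enforces the denial, so if sshd on another distribution does need setcap the failure would now leave no trace in the audit log. A one-line comment at the new dontaudit should record what triggers the access and why refusing it is harmless, e.g. `# non-Debian: sshd's getcap/setcap on self is refused silently; <reason the access is benign>` with the placeholder filled in from the observed denial, which the hunk does not show. The ifdef is complete inside the hunk, but the surrounding sshd_t block continues outside it.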
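Review bot: Of the three dontaudit interfaces added for chkpwd_t only kernel_dontaudit_getattr_proc is defined in this patch, so kernel_dontaudit_search_kernel_sysctl and kernel_dontaudit_read_kernel_sysctl must already exist in kernel.if; worth confirming the exact names before merging, since the diffstat shows kernel.if gaining only the one interface and an undefined interface name breaks the policy build. Silencing rather than allowing these sysctl and proc accesses is the right direction for a helper that reads shadow_t (see the hunk's context line `allow chkpwd_t shadow_t:file read_file_perms;`), as it keeps its grant set minimal. A short comment above the three calls naming what triggers the accesses would let a later reader judge whether the dontaudit is still needed.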
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 29771968d..86aa42f1f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -496,6 +496,7 @@ files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) +kernel_dontaudit_getattr_proc(semanage_t) corecmd_exec_bin(semanage_t) corecmd_exec_shell(semanage_t)