Merge pull request #759 from cgzones/deb

Minimal Debian system updates

policy/modules/kernel/filesystem.if

@@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',`
 	manage_lnk_files_pattern($1, autofs_t, autofs_t)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of directories on
@@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 
 ')
 
+########################################
+## <summary>
+##	Check for permissions using access(2) of directories on
+##	binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_check_write_binfmt_misc_dirs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:dir { getattr write };
+')
+
 ########################################
 ## <summary>
 ##	Register an interpreter for new binary
@@ -1271,6 +1308,24 @@ interface(`fs_cgroup_filetrans_memory_pressure',`
 	fs_cgroup_filetrans($1, memory_pressure_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of cgroup's memory.pressure files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_memory_pressure',`
+	gen_require(`
+		type memory_pressure_t;
+	')
+
+	allow $1 memory_pressure_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##      Allow managing a cgroup's memory.pressure file to get notifications

policy/modules/kernel/filesystem.te

@@ -40,6 +40,7 @@ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 
@@ -99,6 +100,7 @@ genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
 # the rest of the cgroup tree.
 type memory_pressure_t;
 typeattribute memory_pressure_t cgroup_types;
+files_type(memory_pressure_t)
 dev_associate_sysfs(memory_pressure_t)
 
 type configfs_t;
@@ -201,6 +203,16 @@ optional_policy(`
 	init_mountpoint(tracefs_t)
 ')
 
+
+#
+# virtiofs_t is the default type for virtio file systems
+# and their files.
+#
+type virtiofs_t;
+fs_noxattr_type(virtiofs_t)
+files_mountpoint(virtiofs_t)
+genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)

policy/modules/services/consolesetup.te

@@ -37,6 +37,8 @@ files_runtime_filetrans(consolesetup_t, consolesetup_runtime_t, dir, "console-se
 manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t)
 files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file)
 
+kernel_read_system_state(consolesetup_t)
+
 corecmd_exec_bin(consolesetup_t)
 corecmd_exec_shell(consolesetup_t)
 

policy/modules/services/virt.fc

@@ -9,6 +9,8 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu(/.*)?		gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)

policy/modules/services/vnstatd.te

@@ -48,6 +48,7 @@ kernel_read_system_state(vnstatd_t)
 
 # read /sys/class/net/eth0
 dev_read_sysfs(vnstatd_t)
+dev_read_urand(vnstatd_t)
 
 files_read_etc_files(vnstatd_t)
 files_search_var_lib(vnstatd_t)

policy/modules/system/init.if

@@ -3773,6 +3773,26 @@ interface(`init_list_all_units',`
 	read_lnk_files_pattern($1, systemdunit, systemdunit)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of systemd unit directories and the files in them.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	list_dirs_pattern($1, systemdunit, systemdunit)
+	getattr_files_pattern($1, systemdunit, systemdunit)
+	read_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
 ########################################
 ## <summary>
 ##	Manage systemd unit dirs and the files in them

policy/modules/system/selinuxutil.te

@@ -249,6 +249,7 @@ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
 
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctls(newrole_t)
+kernel_dontaudit_getattr_proc(newrole_t)
 
 corecmd_list_bin(newrole_t)
 
@@ -591,6 +592,7 @@ optional_policy(`
 
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
 dontaudit setfiles_t self:capability sys_tty_config;
+allow setfiles_t self:process getsched;
 allow setfiles_t self:fifo_file rw_fifo_file_perms;
 
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
@@ -613,6 +615,7 @@ kernel_dontaudit_list_all_proc(setfiles_t)
 kernel_dontaudit_list_all_sysctls(setfiles_t)
 kernel_getattr_debugfs(setfiles_t)
 kernel_read_kernel_sysctls(setfiles_t)
+kernel_read_vm_overcommit_sysctl(setfiles_t)
 kernel_dontaudit_getattr_proc(setfiles_t)
 
 dev_read_urand(setfiles_t)
@@ -632,6 +635,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_all_xattr_fs(setfiles_t)
 fs_getattr_cgroup(setfiles_t)
+fs_getattr_memory_pressure(setfiles_t)
 fs_getattr_nfs(setfiles_t)
 fs_getattr_pstore_dirs(setfiles_t)
 fs_getattr_pstorefs(setfiles_t)

policy/modules/system/sysnetwork.if

@@ -489,6 +489,7 @@ interface(`sysnet_create_config',`
 	')
 
 	files_search_etc($1)
+	allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };
 	allow $1 net_conf_t:file create_file_perms;
 ')
 
@@ -535,6 +536,35 @@ interface(`sysnet_etc_filetrans_config',`
 	files_etc_filetrans($1, net_conf_t, file, $2)
 ')
 
+#######################################
+## <summary>
+##	Create files in /run with the type used for
+##	the network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`sysnet_runtime_filetrans_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_runtime_filetrans($1, net_conf_t, $2, $3)
+')
+
 #######################################
 ## <summary>
 ##	Create, read, write, and delete network config files.

policy/modules/system/systemd.te

@@ -397,6 +397,7 @@ fs_search_cgroup_dirs(systemd_backlight_t)
 #
 
 kernel_read_kernel_sysctls(systemd_binfmt_t)
+kernel_getattr_proc(systemd_binfmt_t)
 
 systemd_log_parse_environment(systemd_binfmt_t)
 
@@ -405,6 +406,11 @@ files_read_etc_files(systemd_binfmt_t)
 
 fs_register_binary_executable_type(systemd_binfmt_t)
 
+fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
+fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
+
+fs_getattr_cgroup(systemd_binfmt_t)
+fs_search_cgroup_dirs(systemd_binfmt_t)
 
 ######################################
 #
@@ -526,10 +532,11 @@ init_rename_runtime_files(systemd_generator_t)
 init_search_runtime(systemd_generator_t)
 init_setattr_runtime_files(systemd_generator_t)
 init_write_runtime_files(systemd_generator_t)
-init_list_all_units(systemd_generator_t)
 init_read_generic_units_files(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
+init_getattr_all_unit_files(systemd_generator_t)
+init_getattr_all_script_files(systemd_generator_t)
 
 kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
@@ -1023,6 +1030,9 @@ storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader
 optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 	dbus_system_bus_client(systemd_logind_t)
+
+	# pidfd
+	dbus_use_system_bus_fds(systemd_logind_t)
 ')
 
 optional_policy(`

policy/modules/system/udev.te

@@ -217,6 +217,9 @@ ifdef(`distro_debian',`
 
 	files_runtime_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug")
 
+	sysnet_runtime_filetrans_config(udev_t, dir, "network")
+	sysnet_create_config(udev_t)
+
 	optional_policy(`
 		# for /usr/lib/avahi/avahi-daemon-check-dns.sh
 		kernel_read_vm_sysctls(udev_t)

policy/modules/system/userdomain.if

@@ -1370,6 +1370,7 @@ template(`userdom_admin_user_template',`
 	kernel_change_ring_buffer_level($1_t)
 	kernel_clear_ring_buffer($1_t)
 	kernel_read_ring_buffer($1_t)
+	kernel_read_psi($1_t)
 	kernel_get_sysvipc_info($1_t)
 	kernel_rw_all_sysctls($1_t)
 	# signal unlabeled processes: