From 05cd55fb515bf282c61bcd3fb8637a663955f28f Mon Sep 17 00:00:00 2001
From: Russell Coker <russell@coker.com.au>
Date: Tue, 22 Jan 2019 20:00:28 +1100
Subject: [PATCH] tiny stuff for today

Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
---
 policy/modules/admin/dpkg.if              | 18 ++++++++++++++++++
 policy/modules/services/cron.te           | 11 ++++++++---
 policy/modules/services/networkmanager.te |  5 ++++-
 policy/modules/services/xserver.te        |  2 ++
 policy/modules/system/modutils.te         |  1 +
 policy/modules/system/systemd.te          |  3 ++-
 policy/modules/system/unconfined.te       |  1 +
 7 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index 54f2e1904..1c0c1497c 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks',`
 
 	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
 ')
+
+########################################
+## <summary>
+##	Transition to dpkg_t when NNP has been set
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_nnp_transition',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:process2 nnp_transition;
+')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b1f3803c8..dbaa28cdd 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -456,8 +456,8 @@ optional_policy(`
 # System local policy
 #
 
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
-allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
+allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
@@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
 kernel_getattr_message_if(system_cronjob_t)
 
 kernel_read_crypto_sysctls(system_cronjob_t)
+kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
@@ -534,6 +535,7 @@ fs_getattr_all_sockets(system_cronjob_t)
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
 
 files_exec_etc_files(system_cronjob_t)
+files_exec_usr_files(system_cronjob_t)
 files_read_etc_runtime_files(system_cronjob_t)
 files_list_all(system_cronjob_t)
 files_getattr_all_dirs(system_cronjob_t)
@@ -559,7 +561,7 @@ auth_use_nsswitch(system_cronjob_t)
 libs_exec_lib_files(system_cronjob_t)
 libs_exec_ld_so(system_cronjob_t)
 
-logging_read_generic_logs(system_cronjob_t)
+logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
@@ -669,6 +671,9 @@ optional_policy(`
 
 optional_policy(`
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+
+	# for gpg-connect-agent to access /run/user/0
+	userdom_manage_user_runtime_dirs(system_cronjob_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 95b92c418..6c20e667b 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
 
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
+can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
 
 kernel_read_crypto_sysctls(NetworkManager_t)
 kernel_read_system_state(NetworkManager_t)
@@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
 dev_getattr_all_chr_files(NetworkManager_t)
 dev_rw_wireless(NetworkManager_t)
 
+# for access(2)
+dev_write_sysfs_dirs(NetworkManager_t)
+
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_all_domains_state(NetworkManager_t)
 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5780e7308..d3201c19d 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -147,6 +147,7 @@ type xauth_t;
 type xauth_exec_t;
 typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
 typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+userdom_manage_user_tmp_dirs(xauth_t)
 userdom_user_application_domain(xauth_t, xauth_exec_t)
 
 type xauth_home_t;
@@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
 
 xserver_rw_xdm_tmp_files(xauth_t)
+xserver_stream_connect(xauth_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(xauth_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 254b70fed..8a5f0b865 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
 
 fs_getattr_xattr_fs(kmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
+fs_search_tracefs(kmod_t)
 
 init_rw_initctl(kmod_t)
 init_use_fds(kmod_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c0991e150..6180a74c6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
-fs_search_cgroup_dirs(systemd_nspawn_t)
+fs_remount_xattr_fs(systemd_nspawn_t)
+fs_read_cgroup_files(systemd_nspawn_t)
 
 term_getattr_generic_ptys(systemd_nspawn_t)
 term_getattr_pty_fs(systemd_nspawn_t)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index da183cf15..e859df06d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -89,6 +89,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_nnp_transition(unconfined_t)
 	dpkg_run(unconfined_t, unconfined_r)
 ')