misc services patches

Lots of little patches to services.

policy/modules/services/boinc.te

@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
 # Local policy
 #
 
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
 allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log_t, file)
 
 can_exec(boinc_t, boinc_var_lib_t)
 libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
 
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 
 kernel_read_system_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
 
 corenet_all_recvfrom_unlabeled(boinc_t)
 corenet_all_recvfrom_netlabel(boinc_t)
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
 logging_send_syslog_msg(boinc_t)
 
 miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 miscfiles_read_localization(boinc_t)
 
 tunable_policy(`boinc_execmem',`
@@ -209,6 +213,19 @@ term_getattr_generic_ptys(boinc_t)
 
 userdom_getattr_user_ttys(boinc_t)
 
+optional_policy(`
+	# for lsb_release -a
+	apt_read_cache(boinc_t)
+	apt_read_db(boinc_t)
+	dpkg_exec(boinc_t)
+	dpkg_read_db(boinc_t)
+
+	apt_read_cache(boinc_project_t)
+	apt_read_db(boinc_project_t)
+	dpkg_exec(boinc_project_t)
+	dpkg_read_db(boinc_project_t)
+')
+
 optional_policy(`
 	java_exec(boinc_project_t)
 ')

policy/modules/services/consolekit.te

@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
 # Local policy
 #
 
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
 allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };

policy/modules/services/devicekit.te

@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicekit_var_run_t, { dir file })
 kernel_read_system_state(devicekit_t)
 
 dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
 dev_read_urand(devicekit_t)
 
 files_read_etc_files(devicekit_t)

policy/modules/services/dictd.te

@@ -73,6 +73,10 @@ miscfiles_read_localization(dictd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
+optional_policy(`
+	dbus_system_bus_client(dictd_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(dictd_t)
 ')

policy/modules/services/fetchmail.te

@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
 files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 

policy/modules/services/gdomap.fc

@@ -5,3 +5,4 @@
 /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
 
 /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)

policy/modules/services/gdomap.te

@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot };
 allow gdomap_t self:tcp_socket { listen accept };
 
 allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
 files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
 
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
 auth_use_nsswitch(gdomap_t)
 
 logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)

policy/modules/services/irqbalance.te

@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_t)
 
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
 
 domain_use_interactive_fds(irqbalance_t)
 

policy/modules/services/jabber.te

@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_fifo_file_perms;
 allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
 
 kernel_read_system_state(jabberd_domain)
 
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_domain)
 corenet_tcp_sendrecv_generic_if(jabberd_domain)
 corenet_tcp_sendrecv_generic_node(jabberd_domain)
 corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
 
 dev_read_urand(jabberd_domain)
 dev_read_sysfs(jabberd_domain)

policy/modules/services/mon.te

@@ -161,6 +161,7 @@ optional_policy(`
 
 allow mon_local_test_t self:capability sys_admin;
 allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
 
 kernel_dontaudit_getattr_core_if(mon_local_test_t)
 kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
 kernel_read_software_raid_state(mon_local_test_t)
 kernel_read_system_state(mon_local_test_t)
 
@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
+miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)

policy/modules/services/networkmanager.te

@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket { accept listen };
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
 
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 

policy/modules/services/policykit.te

@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t)
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
+	init_dbus_chat(policykit_t)
 
 	userdom_dbus_send_all_users(policykit_t)
 

policy/modules/services/postfix.te

@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_boun
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 
+optional_policy(`
+	init_dbus_chat(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy

policy/modules/services/ssh.te

@@ -248,6 +248,9 @@ optional_policy(`
 # sshd_t is the domain for the sshd program.
 #
 
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };

policy/modules/services/tor.te

@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 
 dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
 dev_read_urand(tor_t)
 
 domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
 
+miscfiles_read_generic_certs(tor_t)
 miscfiles_read_localization(tor_t)
 
 tunable_policy(`tor_bind_all_unreserved_ports',`