From 70a1c1ede2d021dd2719961850dd7bd16953781c Mon Sep 17 00:00:00 2001
From: Daniel Burgener
Date: Thu, 16 Jan 2020 08:39:36 -0500
Subject: [PATCH] Add requires to interfaces that reference types or attributes without requiring them

Signed-off-by: Daniel Burgener
---
 policy/modules/admin/portage.if | 2 +-
 policy/modules/apps/gnome.if | 2 +-
 policy/modules/apps/mozilla.if | 4 ++--
 policy/modules/kernel/devices.if | 27 +++++++++++++++++++--------
 policy/modules/kernel/files.if | 1 +
 policy/modules/kernel/kernel.if | 2 +-
 policy/modules/services/kerberos.if | 2 +-
 policy/modules/services/postfix.if | 3 ++-
 policy/modules/services/procmail.if | 2 +-
 policy/modules/services/ssh.if | 3 +++
 policy/modules/services/xserver.if | 3 ++-
 policy/modules/services/zabbix.if | 2 +-
 policy/modules/system/hotplug.if | 2 +-
 policy/modules/system/modutils.if | 2 +-
 policy/modules/system/systemd.if | 2 +-
 policy/modules/system/userdomain.if | 4 ++--
 policy/modules/system/xen.if | 2 +-
 17 files changed, 41 insertions(+), 24 deletions(-)

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 48af87f84..7cbad84e9 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -66,7 +66,7 @@ interface(`portage_compile_domain',`
 gen_require(`
 class dbus send_msg;
 type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
- type portage_tmpfs_t;
+ type portage_tmpfs_t, portage_sandbox_t;
 ')
 
 allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 8b27d15a0..f1e23402e 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -27,7 +27,7 @@ template(`gnome_role_template',`
 attribute_role gconfd_roles;
 type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
 type gconfd_t, gconfd_exec_t, gconf_tmp_t;
- type gconf_home_t;
+ type gconf_home_t, gnome_home_t;
 ')
 
 ########################################
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index e5510c9f8..de482e61e 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -89,8 +89,8 @@ interface(`mozilla_role',`
 #
 interface(`mozilla_role_plugin',`
 gen_require(`
- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
- type mozilla_home_t;
+ type mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_rw_t, mozilla_plugin_config_t, mozilla_home_t;
 ')
 
 mozilla_run_plugin($2, $1)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 6ace740f0..880ad89d6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1109,6 +1109,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
 interface(`dev_getattr_all_chr_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 getattr_chr_files_pattern($1, device_t, device_node)
@@ -1147,6 +1148,7 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
 interface(`dev_setattr_all_blk_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 setattr_blk_files_pattern($1, device_t, device_node)
@@ -1166,6 +1168,7 @@ interface(`dev_setattr_all_blk_files',`
 interface(`dev_setattr_all_chr_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 setattr_chr_files_pattern($1, device_t, device_node)
@@ -1256,6 +1259,7 @@ interface(`dev_dontaudit_write_all_chr_files',`
 interface(`dev_create_all_blk_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 create_blk_files_pattern($1, device_t, device_node)
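Review bot: The `type device_t;` require is added only to the `*_all_blk_files` / `*_all_chr_files` interfaces that appear as hunks here, while the `dev_dontaudit_*` siblings that show up only as hunk-header context (`dev_dontaudit_getattr_all_blk_files`, `dev_dontaudit_getattr_all_chr_files`, `dev_dontaudit_write_all_chr_files`) are not touched. Their bodies are outside the diff, so this is an inference, but if any of them also passes `device_t` to a `*_pattern` macro with only `attribute device_node;` required, it needs the same one-line addition, `type device_t;`, or a modular build of a module that does not require `device_t` elsewhere will fail on the undeclared type while a monolithic build stays silent. The remaining devices.if hunks through `dev_manage_all_chr_files` apply the identical change and need no separate note.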
@@ -1274,6 +1278,7 @@ interface(`dev_create_all_blk_files',`
 interface(`dev_create_all_chr_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 create_chr_files_pattern($1, device_t, device_node)
@@ -1292,6 +1297,7 @@ interface(`dev_create_all_chr_files',`
 interface(`dev_delete_all_blk_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 delete_blk_files_pattern($1, device_t, device_node)
@@ -1310,6 +1316,7 @@ interface(`dev_delete_all_blk_files',`
 interface(`dev_delete_all_chr_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 delete_chr_files_pattern($1, device_t, device_node)
@@ -1328,6 +1335,7 @@ interface(`dev_delete_all_chr_files',`
 interface(`dev_rename_all_blk_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 rename_blk_files_pattern($1, device_t, device_node)
@@ -1346,6 +1354,7 @@ interface(`dev_rename_all_blk_files',`
 interface(`dev_rename_all_chr_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 rename_chr_files_pattern($1, device_t, device_node)
@@ -1364,6 +1373,7 @@ interface(`dev_rename_all_chr_files',`
 interface(`dev_manage_all_blk_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
 
 manage_blk_files_pattern($1, device_t, device_node)
@@ -1388,6 +1398,7 @@ interface(`dev_manage_all_blk_files',`
 interface(`dev_manage_all_chr_files',`
 gen_require(`
 attribute device_node, memory_raw_read, memory_raw_write;
+ type device_t;
 ')
 
 manage_chr_files_pattern($1, device_t, device_node)
@@ -1665,7 +1676,7 @@ interface(`dev_rw_cachefiles',`
 #
 interface(`dev_rw_cardmgr',`
 gen_require(`
- type cardmgr_dev_t;
+ type cardmgr_dev_t, device_t;
 ')
 
 rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
@@ -2220,7 +2231,7 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',`
 #
 interface(`dev_read_framebuffer',`
 gen_require(`
- type framebuf_device_t;
+ type framebuf_device_t, device_t;
 ')
 
 read_chr_files_pattern($1, device_t, framebuf_device_t)
@@ -3318,7 +3329,7 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
 #
 interface(`dev_rw_nvram',`
 gen_require(`
- type nvram_device_t;
+ type nvram_device_t, device_t;
 ')
 
 rw_chr_files_pattern($1, device_t, nvram_device_t)
@@ -4028,7 +4039,7 @@ interface(`dev_manage_smartcard',`
 #
 interface(`dev_mounton_sysfs',`
 gen_require(`
- type device_t;
+ type sysfs_t;
 ')
 
 allow $1 sysfs_t:dir mounton;
@@ -4488,7 +4499,7 @@ interface(`dev_write_urand',`
 #
 interface(`dev_getattr_generic_usb_dev',`
 gen_require(`
- type usb_device_t;
+ type usb_device_t, device_t;
 ')
 
 getattr_chr_files_pattern($1, device_t, usb_device_t)
@@ -4506,7 +4517,7 @@ interface(`dev_getattr_generic_usb_dev',`
 #
 interface(`dev_setattr_generic_usb_dev',`
 gen_require(`
- type usb_device_t;
+ type usb_device_t, device_t;
 ')
 
 setattr_chr_files_pattern($1, device_t, usb_device_t)
@@ -4524,7 +4535,7 @@ interface(`dev_setattr_generic_usb_dev',`
 #
 interface(`dev_read_generic_usb_dev',`
 gen_require(`
- type usb_device_t;
+ type usb_device_t, device_t;
 ')
 
 read_chr_files_pattern($1, device_t, usb_device_t)
@@ -4560,7 +4571,7 @@ interface(`dev_rw_generic_usb_dev',`
 #
 interface(`dev_relabel_generic_usb_dev',`
 gen_require(`
- type usb_device_t;
+ type usb_device_t, device_t;
 ')
 
 relabel_chr_files_pattern($1, device_t, usb_device_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f1c94411d..4c5ea3af0 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6526,6 +6526,7 @@ interface(`files_dontaudit_getattr_all_pids',`
 interface(`files_dontaudit_write_all_pids',`
 gen_require(`
 attribute pidfile;
+ type var_run_t;
 ')
 
 dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 3f0a2dbe3..5841e0d65 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
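Review bot: In the `dev_mounton_sysfs` hunk the require is replaced rather than extended (`type device_t;` becomes `type sysfs_t;`), yet only the first statement of the body, `allow $1 sysfs_t:dir mounton;`, is visible; if a later line of the interface still names `device_t`, the change turns a missing require into a removed one. A monolithic build declares every type and will not notice, so only a modular build of a module that does not require `device_t` elsewhere would surface this as an undeclared-type error; it is worth checking the full interface body before dropping the old entry, and `type device_t, sysfs_t;` is the safe form if in doubt. The same replace-instead-of-extend pattern appears in the hotplug.if hunk (`hotplug_t` to `hotplug_exec_t` in `hotplug_exec`) and the systemd.if hunk (`systemd_networkd_t` to `systemd_networkd_unit_t` in `systemd_read_networkd_units`), whose bodies are likewise cut off after the first statement. The enclosing interface continues outside each of these hunks.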
@@ -1406,7 +1406,7 @@ interface(`kernel_dontaudit_search_network_state',`
 #
 interface(`kernel_search_network_state',`
 gen_require(`
- type proc_net_t;
+ type proc_t, proc_net_t;
 ')
 
 search_dirs_pattern($1, proc_t, proc_net_t)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index d8c7cd586..ff32275dc 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -50,7 +50,7 @@ interface(`kerberos_domtrans_kpropd',`
 #
 interface(`kerberos_use',`
 gen_require(`
- type krb5kdc_conf_t, krb5_host_rcache_t;
+ type krb5kdc_conf_t, krb5_host_rcache_t, krb5_conf_t;
 ')
 
 kerberos_read_config($1)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 805c995e9..4a3ff71c3 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -64,6 +64,7 @@ template(`postfix_domain_template',`
 #
 template(`postfix_server_domain_template',`
 gen_require(`
+ type postfix_master_t;
 attribute postfix_server_domain, postfix_server_tmp_content;
 ')
 
@@ -682,7 +683,7 @@ interface(`postfix_admin',`
 type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
 type postfix_data_t, postfix_runtime_t, postfix_public_t;
 type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
- type postfix_keytab_t;
+ type postfix_keytab_t, postfix_t;
 ')
 
 allow $1 postfix_domain:process { ptrace signal_perms };
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index 00edeab17..79dc66435 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -90,7 +90,7 @@ interface(`procmail_read_home_files',`
 #
 interface(`procmail_relabel_home_files',`
 gen_require(`
- type ppp_home_t;
+ type ppp_home_t, procmail_home_t;
 ')
 
 userdom_search_user_home_dirs($1)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 9bc7a8429..1cbe5eac5 100644
--- a/policy/modules/services/ssh.if
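Review bot: In the `postfix_server_domain_template` hunk the new `type postfix_master_t;` line is placed above the `attribute` line, whereas every other require block in this commit (portage.if, gnome.if, devices.if, files.if) lists classes and attributes first and types after them, and the `postfix_admin` hunk later in the same file appends its new type to the end of the list. For a consistent read, move the new line below `attribute postfix_server_domain, postfix_server_tmp_content;`. This is style only; `gen_require` does not depend on the order of its entries.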
+++ b/policy/modules/services/ssh.if
@@ -167,6 +167,9 @@ template(`ssh_basic_client_template',`
 ##
 #
 template(`ssh_server_template', `
+ gen_require(`
+ type sshd_exec_t, sshd_key_t;
+ ')
 type $1_t, ssh_server;
 auth_login_pgm_domain($1_t)
 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 40492ee9c..b13c913aa 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -22,6 +22,7 @@ interface(`xserver_restricted_role',`
 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 type iceauth_t, iceauth_exec_t, iceauth_home_t;
 type xauth_t, xauth_exec_t, xauth_home_t;
+ type xdm_t, xdm_tmp_t;
 ')
 
 role $1 types { xserver_t xauth_t iceauth_t };
@@ -137,7 +138,7 @@ interface(`xserver_restricted_role',`
 #
 interface(`xserver_role',`
 gen_require(`
- type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
+ type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 type mesa_shader_cache_t;
 ')
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index 6ad4c3919..5cc587eb2 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -109,7 +109,7 @@ interface(`zabbix_read_pid_files',`
 #
 interface(`zabbix_agent_tcp_connect',`
 gen_require(`
- type zabbix_agent_t;
+ type zabbix_t, zabbix_agent_t;
 ')
 
 corenet_sendrecv_zabbix_agent_client_packets($1)
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index cd1783e4d..c99c17525 100644
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',`
 #
 interface(`hotplug_exec',`
 gen_require(`
- type hotplug_t;
+ type hotplug_exec_t;
 ')
 
 corecmd_search_bin($1)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index e9ee3c291..beec3112e 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
 #
 interface(`modutils_getattr_module_deps',`
 gen_require(`
- type modules_dep_t;
+ type modules_dep_t, modules_object_t;
 ')
 
 getattr_files_pattern($1, modules_object_t, modules_dep_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 0fd37fe87..3ae9860c4 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -575,7 +575,7 @@ interface(`systemd_relabelto_journal_files',`
 #
 interface(`systemd_read_networkd_units',`
 gen_require(`
- type systemd_networkd_t;
+ type systemd_networkd_unit_t;
 ')
 
 init_search_units($1)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6efdd1e68..c90eb8364 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -336,7 +336,7 @@ interface(`userdom_ro_home_role',`
 #
 interface(`userdom_manage_home_role',`
 gen_require(`
- type user_home_t, user_home_dir_t;
+ type user_home_t, user_home_dir_t, user_cert_t;
 ')
 
 ##############################
@@ -2650,7 +2650,7 @@ interface(`userdom_write_user_tmp_sockets',`
 #
 interface(`userdom_list_user_tmp',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_t;
 ')
 
 allow $1 user_tmp_t:dir list_dir_perms;
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index e80d3d90b..d0596ca63 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -317,7 +317,7 @@ interface(`xen_domtrans_xm',`
 #
 interface(`xen_stream_connect_xm',`
 gen_require(`
- type xm_t;
+ type xm_t, xenstored_runtime_t;
 ')
 
 files_search_pids($1)