Merge pull request #359 from 0xC0ncord/bugfix/various-20210309

policy/modules/admin/bootloader.te

@@ -67,6 +67,7 @@ kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
 kernel_search_debugfs(bootloader_t)
 kernel_setsched(bootloader_t)
+kernel_dontaudit_getattr_proc(bootloader_t)
 # for grub-probe
 kernel_request_load_module(bootloader_t)
 
@@ -82,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
 dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
 # needed on some hardware
 dev_rw_nvram(bootloader_t)
 
@@ -90,6 +93,7 @@ fs_getattr_dos_fs(bootloader_t)
 fs_getattr_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 #Needed for EFI
+fs_getattr_efivarfs(bootloader_t)
 fs_manage_dos_files(bootloader_t)
 fs_mmap_read_dos_files(bootloader_t)
 
@@ -153,6 +157,7 @@ miscfiles_read_localization(bootloader_t)
 mount_rw_runtime_files(bootloader_t)
 
 selinux_getattr_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
 seutil_read_file_contexts(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)

policy/modules/admin/sudo.if

@@ -66,6 +66,7 @@ template(`sudo_role_template',`
 	allow $1_sudo_t self:unix_dgram_socket sendto;
 	allow $1_sudo_t self:unix_stream_socket connectto;
 	allow $1_sudo_t self:key manage_key_perms;
+	dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
 
 	allow $1_sudo_t $3:key search;
 
@@ -85,6 +86,7 @@ template(`sudo_role_template',`
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
 	kernel_link_key($1_sudo_t)
+	kernel_dontaudit_getattr_proc($1_sudo_t)
 
 	corecmd_exec_all_executables($1_sudo_t)
 
@@ -142,6 +144,7 @@ template(`sudo_role_template',`
 	userdom_manage_user_tmp_symlinks($1_sudo_t)
 	userdom_setattr_user_ptys($1_sudo_t)
 	userdom_use_user_terminals($1_sudo_t)
+	userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_user_home_content($1_sudo_t)
 	userdom_dontaudit_search_user_home_dirs($1_sudo_t)

policy/modules/admin/usbguard.fc

@@ -2,6 +2,9 @@
 /etc/usbguard/rules\.conf				gen_context(system_u:object_r:usbguard_rules_t,s0)
 /etc/usbguard/.+					gen_context(system_u:object_r:usbguard_conf_t,s0)
 
+/run/usbguard(/.*)?					gen_context(system_u:object_r:usbguard_runtime_t,s0)
+/run/usbguard\.pid					gen_context(system_u:object_r:usbguard_runtime_t,s0)
+
 /usr/sbin/usbguard-daemon			--	gen_context(system_u:object_r:usbguard_daemon_exec_t,s0)
 
 /var/log/usbguard(/.*)?					gen_context(system_u:object_r:usbguard_log_t,s0)

policy/modules/admin/usbguard.te

@@ -27,6 +27,9 @@ logging_log_file(usbguard_log_t)
 type usbguard_rules_t;
 files_config_file(usbguard_rules_t)
 
+type usbguard_runtime_t;
+files_runtime_file(usbguard_runtime_t)
+
 # /dev/shm
 type usbguard_tmpfs_t;
 files_tmpfs_file(usbguard_tmpfs_t)
@@ -45,6 +48,10 @@ list_dirs_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
 read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
 read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
 
+manage_dirs_pattern(usbguard_t, usbguard_runtime_t, usbguard_runtime_t)
+manage_files_pattern(usbguard_t, usbguard_runtime_t, usbguard_runtime_t)
+files_runtime_filetrans(usbguard_t, usbguard_runtime_t, { dir file })
+
 manage_dirs_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
 manage_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
 mmap_read_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
@@ -57,6 +64,14 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
 
 dev_rw_sysfs(usbguard_t)
 
+kernel_read_kernel_sysctls(usbguard_t)
+kernel_dontaudit_getattr_proc(usbguard_t)
+
+init_search_runtime(usbguard_t)
+
+logging_send_audit_msgs(usbguard_t)
+logging_send_syslog_msg(usbguard_t)
+
 tunable_policy(`usbguard_user_modify_rule_files',`
 	manage_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
 ')

policy/modules/kernel/devices.if

@@ -3391,6 +3391,25 @@ interface(`dev_setattr_null_dev',`
 	setattr_chr_files_pattern($1, device_t, null_device_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_null_dev',`
+	gen_require(`
+		type null_device_t;
+	')
+
+	dontaudit $1 null_device_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Delete the null device (/dev/null).
@@ -4454,6 +4473,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 	dontaudit $1 sysfs_t:dir write;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write to a sysfs file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete sysfs

policy/modules/kernel/files.if

@@ -4662,6 +4662,24 @@ interface(`files_manage_generic_tmp_dirs',`
 	manage_dirs_pattern($1, tmp_t, tmp_t)
 ')
 
+########################################
+## <summary>
+##	Relabel temporary directories in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_generic_tmp_dirs',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	relabel_dirs_pattern($1, tmp_t, tmp_t)
+')
+
 ########################################
 ## <summary>
 ##	Manage temporary files and directories in /tmp.

policy/modules/kernel/filesystem.if

@@ -2155,6 +2155,24 @@ interface(`fs_manage_dos_files',`
 	manage_files_pattern($1, dosfs_t, dosfs_t)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of efivarfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_efivarfs',`
+	gen_require(`
+		type efivarfs_t;
+	')
+
+	allow $1 efivarfs_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	List dirs in efivarfs filesystem.
@@ -3850,6 +3868,25 @@ interface(`fs_getattr_pstore_dirs',`
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create pstore directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_pstore_dirs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+	create_dirs_pattern($1, pstore_t, pstore_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##     Relabel to/from pstore_t directories.

policy/modules/roles/sysadm.te

@@ -81,6 +81,10 @@ ifdef(`init_systemd',`
 	# Allow sysadm to resolve the username of dynamic users by calling
 	# LookupDynamicUserByUID on org.freedesktop.systemd1.
 	init_dbus_chat(sysadm_t)
+
+	# Allow sysadm to get the status of and set properties of other users,
+	# sessions, and seats on the system.
+	systemd_dbus_chat_logind(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`

policy/modules/services/devicekit.te

@@ -67,7 +67,7 @@ optional_policy(`
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
 allow devicekit_disk_t self:capability2 wake_alarm;
-allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:process { getsched setsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
 

policy/modules/services/fail2ban.te

@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
@@ -125,6 +126,7 @@ optional_policy(`
 
 optional_policy(`
 	systemd_read_journal_files(fail2ban_t)
+	systemd_watch_journal_dirs(fail2ban_t)
 ')
 
 ########################################

policy/modules/services/redis.te

@@ -50,7 +50,9 @@ manage_dirs_pattern(redis_t, redis_runtime_t, redis_runtime_t)
 manage_files_pattern(redis_t, redis_runtime_t, redis_runtime_t)
 manage_lnk_files_pattern(redis_t, redis_runtime_t, redis_runtime_t)
 
+kernel_read_net_sysctls(redis_t)
 kernel_read_system_state(redis_t)
+kernel_read_vm_overcommit_sysctl(redis_t)
 
 corenet_all_recvfrom_netlabel(redis_t)
 corenet_tcp_sendrecv_generic_if(redis_t)
@@ -66,6 +68,7 @@ dev_read_urand(redis_t)
 
 logging_send_syslog_msg(redis_t)
 
+miscfiles_read_generic_certs(redis_t)
 miscfiles_read_localization(redis_t)
 
 sysnet_dns_name_resolve(redis_t)

policy/modules/services/rngd.te

@@ -32,6 +32,7 @@ kernel_rw_kernel_sysctl(rngd_t)
 
 dev_read_rand(rngd_t)
 dev_read_urand(rngd_t)
+dev_read_sysfs(rngd_t)
 dev_rw_tpm(rngd_t)
 dev_write_rand(rngd_t)
 

policy/modules/services/spamassassin.te

@@ -417,6 +417,8 @@ tunable_policy(`rspamd_spamd',`
 
 	corenet_tcp_connect_http_port(spamd_t)
 	corenet_tcp_connect_redis_port(spamd_t)
+
+	kernel_read_network_state(spamd_t)
 ')
 
 tunable_policy(`use_nfs_home_dirs',`

policy/modules/services/ssh.te

@@ -334,6 +334,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
 files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
 
 kernel_read_kernel_sysctls(ssh_keygen_t)
+kernel_dontaudit_getattr_proc(ssh_keygen_t)
 
 fs_search_auto_mountpoints(ssh_keygen_t)
 
@@ -354,6 +355,8 @@ auth_use_nsswitch(ssh_keygen_t)
 
 logging_send_syslog_msg(ssh_keygen_t)
 
+miscfiles_read_localization(ssh_keygen_t)
+
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
 optional_policy(`

policy/modules/services/wireguard.te

@@ -61,8 +61,13 @@ corecmd_exec_shell(wireguard_t)
 
 domain_use_interactive_fds(wireguard_t)
 
+# wg-quick can be configured to run iptables and other networking
+# config tools when bringing up/down the wg interfaces
+iptables_domtrans(wireguard_t)
+
 # wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
 kernel_dontaudit_read_system_state(wireguard_t)
+kernel_dontaudit_search_kernel_sysctl(wireguard_t)
 
 miscfiles_read_localization(wireguard_t)
 

policy/modules/system/authlogin.fc

@@ -1,7 +1,7 @@
-/etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/group\.lock	--	gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_lock_t,s0)
 /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 
 /usr/bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)

policy/modules/system/authlogin.if

@@ -679,6 +679,7 @@ interface(`auth_rw_shadow',`
 	')
 
 	files_list_etc($1)
+	auth_rw_shadow_lock($1)
 	allow $1 shadow_t:file rw_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@@ -700,6 +701,7 @@ interface(`auth_manage_shadow',`
 		type shadow_t;
 	')
 
+	auth_rw_shadow_lock($1)
 	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@@ -771,6 +773,24 @@ interface(`auth_relabel_shadow',`
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
+########################################
+## <summary>
+##	Read/Write shadow lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_shadow_lock',`
+	gen_require(`
+		type shadow_lock_t;
+	')
+
+	rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+')
+
 #######################################
 ## <summary>
 ##	Append to the login failure log.

policy/modules/system/authlogin.te

@@ -65,6 +65,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
+type shadow_lock_t;
+files_lock_file(shadow_lock_t)
+
 type updpwd_t;
 type updpwd_exec_t;
 domain_type(updpwd_t)

policy/modules/system/getty.te

@@ -55,6 +55,7 @@ allow getty_t getty_tmp_t:file manage_file_perms;
 allow getty_t getty_tmp_t:dir manage_dir_perms;
 files_tmp_filetrans(getty_t, getty_tmp_t, { file dir })
 
+kernel_read_kernel_sysctls(getty_t)
 kernel_read_system_state(getty_t)
 
 # these two needed for receiving faxes
@@ -66,6 +67,7 @@ dev_read_sysfs(getty_t)
 files_read_etc_runtime_files(getty_t)
 files_read_etc_files(getty_t)
 files_search_spool(getty_t)
+files_dontaudit_search_var_lib(getty_t)
 
 fs_search_auto_mountpoints(getty_t)
 # for error condition handling
@@ -84,6 +86,7 @@ term_setattr_unallocated_ttys(getty_t)
 term_setattr_console(getty_t)
 
 auth_rw_login_records(getty_t)
+auth_use_nsswitch(getty_t)
 
 init_rw_utmp(getty_t)
 

policy/modules/system/init.if

@@ -2544,7 +2544,7 @@ interface(`init_rw_script_pipes',`
 		type initrc_t;
 	')
 
-	allow $1 initrc_t:fifo_file rw_inherited_fifo_file_perms;
+	allow $1 initrc_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -3009,6 +3009,24 @@ interface(`init_manage_utmp',`
 	allow $1 initrc_runtime_t:file manage_file_perms;
 ')
 
+########################################
+## <summary>
+##	Add a watch on utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_watch_utmp',`
+	gen_require(`
+		type initrc_runtime_t;
+	')
+
+	allow $1 initrc_runtime_t:file watch;
+')
+
 ########################################
 ## <summary>
 ##	Relabel utmp.

policy/modules/system/init.te

@@ -251,6 +251,7 @@ ifdef(`init_systemd',`
 	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+	dontaudit init_t self:process { dyntransition setcurrent };
 
 	allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
 
@@ -267,7 +268,7 @@ ifdef(`init_systemd',`
 
 	# setexec and setkeycreate for systemd --user
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
-	allow init_t self:capability2 { audit_read block_suspend };
+	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
@@ -294,6 +295,11 @@ ifdef(`init_systemd',`
 	# /memfd:systemd-state
 	fs_tmpfs_filetrans(init_t, init_runtime_t, file)
 
+	# mounton is required for systemd-timesyncd
+	allow init_t init_var_lib_t:dir { manage_dir_perms mounton };
+	allow init_t init_var_lib_t:file manage_file_perms;
+	allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms;
+
 	manage_files_pattern(init_t, systemd_unit_t, systemdunit)
 
 	manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
@@ -307,6 +313,8 @@ ifdef(`init_systemd',`
 	kernel_read_fs_sysctls(init_t)
 	kernel_list_unlabeled(init_t)
 	kernel_load_module(init_t)
+	kernel_request_load_module(init_t)
+	kernel_rw_fs_sysctls(init_t)
 	kernel_rw_kernel_sysctl(init_t)
 	kernel_rw_net_sysctls(init_t)
 	kernel_read_all_sysctls(init_t)
@@ -390,6 +398,8 @@ ifdef(`init_systemd',`
 	files_list_spool(init_t)
 	files_manage_all_runtime_dirs(init_t)
 	files_manage_generic_tmp_dirs(init_t)
+	files_relabel_generic_tmp_dirs(init_t)
+	files_mounton_tmp(init_t)
 	files_manage_urandom_seed(init_t)
 	files_read_boot_files(initrc_t)
 	files_relabel_all_lock_dirs(init_t)
@@ -398,6 +408,7 @@ ifdef(`init_systemd',`
 	# If /etc/localtime is missing, a watch on /etc is added.
 	files_watch_etc_dirs(init_t)
 	files_watch_etc_symlinks(init_t)
+	files_dontaudit_write_var_dirs(init_t)
 
 	fs_relabel_cgroup_dirs(init_t)
 	fs_list_auto_mountpoints(init_t)
@@ -421,6 +432,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_blk_files(init_t)
 	fs_relabel_tmpfs_chr_files(init_t)
 	fs_relabel_tmpfs_fifo_files(init_t)
+	fs_read_efivarfs_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
@@ -429,6 +441,7 @@ ifdef(`init_systemd',`
 	# mount-setup
 	fs_unmount_autofs(init_t)
 	fs_getattr_pstore_dirs(init_t)
+	fs_create_pstore_dirs(init_t)
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
 
@@ -437,7 +450,11 @@ ifdef(`init_systemd',`
 
 	miscfiles_watch_localization(init_t)
 
+	# systemd watches utab in order to mount the
+	# local filesystem at boot
 	mount_watch_runtime_dirs(init_t)
+	mount_watch_runtime_files(init_t)
+	mount_watch_reads_runtime_files(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
@@ -460,6 +477,8 @@ ifdef(`init_systemd',`
 	auth_relabel_login_records(init_t)
 	auth_relabel_pam_console_data_dirs(init_t)
 	auth_domtrans_chk_passwd(init_t)
+	# for systemd dynamic users
+	auth_rw_shadow_lock(init_t)
 
 	logging_manage_runtime_sockets(init_t)
 	logging_relabelto_devlog_sock_files(init_t)
@@ -495,6 +514,9 @@ ifdef(`init_systemd',`
 	# for systemd to read udev status
 	udev_read_runtime_files(init_t)
 
+	udev_relabel_rules_dirs(init_t)
+	udev_relabel_rules_files(init_t)
+
 	userdom_relabel_user_runtime_root_dirs(init_t)
 
 	tunable_policy(`init_mounton_non_security',`

policy/modules/system/iptables.te

@@ -86,6 +86,7 @@ auth_use_nsswitch(iptables_t)
 init_use_fds(iptables_t)
 init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
+init_rw_script_pipes(iptables_t)
 init_rw_script_tmp_files(iptables_t)
 init_rw_script_stream_sockets(iptables_t)
 

policy/modules/system/logging.te

@@ -114,6 +114,7 @@ files_getattr_all_dirs(auditctl_t)
 files_getattr_all_files(auditctl_t)
 files_read_etc_files(auditctl_t)
 
+kernel_dontaudit_getattr_proc(auditctl_t)
 kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
 kernel_setsched(auditctl_t)
@@ -166,6 +167,10 @@ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
 manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
 files_runtime_filetrans(auditd_t, auditd_runtime_t, { file sock_file })
 
+# Needs to be able to getattr on the audisp-remote binary to verify
+# the plugin configuration.
+allow auditd_t audisp_remote_exec_t:file getattr;
+
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
@@ -196,6 +201,8 @@ domain_use_interactive_fds(auditd_t)
 files_read_etc_files(auditd_t)
 files_list_usr(auditd_t)
 
+auth_use_nsswitch(auditd_t)
+
 init_telinit(auditd_t)
 
 logging_set_audit_parameters(auditd_t)

policy/modules/system/modutils.te

@@ -88,6 +88,7 @@ files_read_kernel_symbol_table(kmod_t)
 files_read_etc_runtime_files(kmod_t)
 files_read_etc_files(kmod_t)
 files_read_usr_files(kmod_t)
+files_read_usr_src_files(kmod_t)
 files_exec_etc_files(kmod_t)
 files_search_tmp(kmod_t)
 # for nscd:

policy/modules/system/mount.te

@@ -103,6 +103,7 @@ fs_getattr_tmpfs(mount_t)
 fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
 fs_getattr_nfs(mount_t)
+fs_getattr_dos_fs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)

policy/modules/system/systemd.fc

@@ -39,6 +39,7 @@
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-rfkill		--	gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
 /usr/lib/systemd/systemd-socket-proxyd	--	gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0)
+/usr/lib/systemd/systemd-sysctl		--	gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
 /usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-runtime-dir	--	gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)

policy/modules/system/systemd.if

@@ -164,6 +164,8 @@ template(`systemd_role_template',`
 	systemd_status_user_runtime_units($3)
 	systemd_stop_user_runtime_units($3)
 
+	systemd_watch_passwd_runtime_dirs($3)
+
 	optional_policy(`
 		xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
 		xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
@@ -1163,6 +1165,24 @@ interface(`systemd_manage_passwd_runtime_symlinks',`
 	allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
 ')
 
+########################################
+## <summary>
+##   Allow a domain to watch systemd-passwd runtime dirs.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_watch_passwd_runtime_dirs',`
+	gen_require(`
+		type systemd_passwd_runtime_t;
+	')
+
+	allow $1 systemd_passwd_runtime_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##      manage systemd unit dirs and the files in them  (Deprecated)
@@ -1235,6 +1255,24 @@ interface(`systemd_manage_journal_files',`
 	allow $1 systemd_journal_t:file map;
 ')
 
+########################################
+## <summary>
+##      Allow domain to add a watch on systemd_journal_t directories
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_watch_journal_dirs',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	allow $1 systemd_journal_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Relabel to systemd-journald directory type.

policy/modules/system/systemd.te

@@ -260,6 +260,10 @@ corenet_port(systemd_socket_proxyd_port_t)
 type systemd_socket_proxyd_unit_file_t;
 init_unit_file(systemd_socket_proxyd_unit_file_t)
 
+type systemd_sysctl_t;
+type systemd_sysctl_exec_t;
+init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
+
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
@@ -332,6 +336,8 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
+kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)
+
 # for udev.conf
 files_read_etc_files(systemd_backlight_t)
 
@@ -432,6 +438,7 @@ allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
 allow systemd_generator_t self:capability dac_override;
 allow systemd_generator_t self:process setfscreate;
 
+corecmd_exec_shell(systemd_generator_t)
 corecmd_getattr_bin_files(systemd_generator_t)
 
 dev_read_sysfs(systemd_generator_t)
@@ -446,6 +453,7 @@ files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
+fs_getattr_cgroup(systemd_generator_t)
 fs_getattr_xattr_fs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
@@ -464,6 +472,7 @@ init_read_script_files(systemd_generator_t)
 kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
+kernel_dontaudit_getattr_proc(systemd_generator_t)
 
 storage_raw_read_fixed_disk(systemd_generator_t)
 
@@ -494,6 +503,7 @@ optional_policy(`
 allow systemd_hostnamed_t self:capability sys_admin;
 
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
+kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
 
 dev_read_sysfs(systemd_hostnamed_t)
 
@@ -592,6 +602,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_logind_var_lib_t:file manage_file_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
@@ -610,6 +621,7 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
 
+kernel_dontaudit_getattr_proc(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)
 
 dev_getattr_dri_dev(systemd_logind_t)
@@ -660,6 +672,7 @@ init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
 init_get_system_status(systemd_logind_t)
 init_read_utmp(systemd_logind_t)
+init_watch_utmp(systemd_logind_t)
 init_service_start(systemd_logind_t)
 init_service_status(systemd_logind_t)
 init_start_all_units(systemd_logind_t)
@@ -713,8 +726,11 @@ ifdef(`distro_redhat',`
 
 tunable_policy(`systemd_logind_get_bootloader',`
 	fs_getattr_dos_fs(systemd_logind_t)
+	fs_getattr_xattr_fs(systemd_logind_t)
 	fs_list_dos(systemd_logind_t)
 	fs_read_dos_files(systemd_logind_t)
+
+	files_search_boot(systemd_logind_t)
 ')
 # systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
 # This reads the first sectors of fixed disk devices.
@@ -814,6 +830,7 @@ optional_policy(`
 kernel_load_module(systemd_modules_load_t)
 kernel_read_kernel_sysctls(systemd_modules_load_t)
 kernel_request_load_module(systemd_modules_load_t)
+kernel_dontaudit_getattr_proc(systemd_modules_load_t)
 
 dev_read_sysfs(systemd_modules_load_t)
 
@@ -850,6 +867,7 @@ kernel_read_kernel_sysctls(systemd_networkd_t)
 kernel_read_network_state(systemd_networkd_t)
 kernel_request_load_module(systemd_networkd_t)
 kernel_rw_net_sysctls(systemd_networkd_t)
+kernel_dontaudit_getattr_proc(systemd_networkd_t)
 
 corecmd_bin_entry_type(systemd_networkd_t)
 corecmd_exec_bin(systemd_networkd_t)
@@ -1180,6 +1198,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
 
 manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
 
 dev_read_sysfs(systemd_resolved_t)
@@ -1187,6 +1206,7 @@ dev_read_sysfs(systemd_resolved_t)
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
+kernel_dontaudit_getattr_proc(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_dns_port(systemd_resolved_t)
@@ -1254,6 +1274,7 @@ allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
 files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
 
 kernel_read_kernel_sysctls(systemd_sessions_t)
+kernel_dontaudit_getattr_proc(systemd_sessions_t)
 
 selinux_get_fs_mount(systemd_sessions_t)
 selinux_use_status_page(systemd_sessions_t)
@@ -1264,6 +1285,21 @@ seutil_read_file_contexts(systemd_sessions_t)
 
 systemd_log_parse_environment(systemd_sessions_t)
 
+########################################
+#
+# sysctl local policy
+#
+
+dontaudit systemd_sysctl_t self:capability sys_ptrace;
+
+kernel_read_kernel_sysctls(systemd_sysctl_t)
+kernel_request_load_module(systemd_sysctl_t)
+kernel_rw_all_sysctls(systemd_sysctl_t)
+kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+
+files_read_etc_files(systemd_sysctl_t)
+
+systemd_log_parse_environment(systemd_sysctl_t)
 
 #########################################
 #
@@ -1557,6 +1593,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
 
 selinux_use_status_page(systemd_user_runtime_dir_t)
 

policy/modules/system/udev.if

@@ -202,6 +202,46 @@ interface(`udev_manage_rules_files',`
 	udev_search_runtime($1)
 ')
 
+########################################
+## <summary>
+##	Relabel udev rules directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_relabel_rules_dirs',`
+	gen_require(`
+		type udev_rules_t;
+	')
+
+	relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)
+
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Relabel udev rules files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_relabel_rules_files',`
+	gen_require(`
+		type udev_rules_t;
+	')
+
+	relabel_files_pattern($1, udev_rules_t, udev_rules_t)
+
+	files_search_etc($1)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit search of udev database directories.  (Deprecated)

policy/modules/system/udev.te

@@ -41,7 +41,6 @@ ifdef(`enable_mcs',`
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
-dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:capability2 { wake_alarm block_suspend };
 allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow udev_t self:fd use;
@@ -58,6 +57,13 @@ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
 
+ifdef(`init_systemd',`
+	# systemd-vconsole-setup will be called by udev during virtual terminal initialization
+	allow udev_t self:capability sys_tty_config;
+',`
+	dontaudit udev_t self:capability sys_tty_config;
+')
+
 # for systemd-udevd to rename interfaces
 allow udev_t self:netlink_route_socket nlmsg_write;
 
@@ -124,6 +130,10 @@ files_mmap_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
+files_dontaudit_getattr_default_files(udev_t)
+files_dontaudit_getattr_home_dir(udev_t)
+files_dontaudit_getattr_lost_found_dirs(udev_t)
+files_dontaudit_getattr_tmp_dirs(udev_t)
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
@@ -145,6 +155,7 @@ selinux_compute_access_vector(udev_t)
 selinux_compute_create_context(udev_t)
 selinux_compute_relabel_context(udev_t)
 selinux_compute_user_contexts(udev_t)
+selinux_use_status_page(udev_t)
 
 storage_watch_fixed_disk(udev_t)
 
@@ -189,6 +200,7 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
+userdom_dontaudit_getattr_user_home_dirs(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_debian',`
@@ -329,6 +341,7 @@ optional_policy(`
 
 optional_policy(`
 	raid_domtrans_mdadm(udev_t)
+	raid_read_mdadm_runtime_files(udev_t)
 ')
 
 optional_policy(`

policy/modules/system/userdomain.if

@@ -78,6 +78,7 @@ template(`userdom_base_user_template',`
 
 	dev_dontaudit_getattr_all_blk_files($1_t)
 	dev_dontaudit_getattr_all_chr_files($1_t)
+	dev_dontaudit_setattr_null_dev($1_t)
 
 	# for X session unlock
 	allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@@ -3104,6 +3105,25 @@ interface(`userdom_manage_user_tmp_pipes',`
 	userdom_search_user_runtime($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	temporary pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete user