dbus, init, mount, rpc: minor fixes for mount.nfs

mount.nfs will attempt to start the rpc-statd.service unit but will fall
back to executing start-statd directly. Dontaudit attempts to start the
unit and perform a domain transition to start-statd from mount.

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/services/dbus.if

@@ -709,6 +709,25 @@ interface(`dbus_read_system_bus_runtime_named_sockets',`
 	allow $1 system_dbusd_runtime_t:sock_file read;
 ')
 
+#######################################
+## <summary>
+##	Do not audit attempts to write to
+##	system bus runtime named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_write_system_bus_runtime_named_sockets',`
+	gen_require(`
+		type system_dbusd_runtime_t;
+	')
+
+	dontaudit $1 system_dbusd_runtime_t:sock_file write;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to DBUS.

policy/modules/services/rpc.te

@@ -264,6 +264,7 @@ fs_watch_rpc_pipefs_dirs(rpcd_t)
 fs_get_all_fs_quotas(rpcd_t)
 fs_set_xattr_fs_quotas(rpcd_t)
 fs_getattr_all_fs(rpcd_t)
+fs_ioctl_cgroup_dirs(rpcd_t)
 
 storage_getattr_fixed_disk_dev(rpcd_t)
 
@@ -272,6 +273,9 @@ selinux_dontaudit_read_fs(rpcd_t)
 miscfiles_read_generic_certs(rpcd_t)
 miscfiles_read_generic_tls_privkey(rpcd_t)
 
+# for mount.nfs
+mount_rw_runtime_files(rpcd_t)
+
 seutil_dontaudit_search_config(rpcd_t)
 
 userdom_signal_all_users(rpcd_t)

policy/modules/system/init.if

@@ -3314,6 +3314,25 @@ interface(`init_write_runtime_socket',`
 	allow $1 init_runtime_t:sock_file write;
 ')
 
+#######################################
+## <summary>
+##  Do not audit attempts to write to
+##	init sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_write_runtime_socket',`
+	gen_require(`
+		type init_runtime_t;
+	')
+
+	dontaudit $1 init_runtime_t:sock_file write;
+')
+
 ########################################
 ## <summary>
 ##	Read init unnamed pipes.

policy/modules/system/mount.te

@@ -42,6 +42,8 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { chown dac_override dac_read_search ipc_lock setgid setuid sys_admin sys_rawio sys_tty_config };
+dontaudit mount_t self:capability { kill net_admin };
+dontaudit mount_t self:process setrlimit;
 
 allow mount_t mount_tmp_t:file manage_file_perms;
 allow mount_t mount_tmp_t:dir manage_dir_perms;
@@ -129,6 +131,8 @@ auth_use_nsswitch(mount_t)
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
+init_dontaudit_read_state(mount_t)
+init_dontaudit_write_runtime_socket(mount_t)
 
 logging_send_syslog_msg(mount_t)
 
@@ -141,6 +145,8 @@ selinux_getattr_fs(mount_t)
 
 userdom_use_all_users_fds(mount_t)
 
+dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
+
 ifdef(`distro_redhat',`
 	optional_policy(`
 		auth_read_pam_console_data(mount_t)
@@ -210,6 +216,10 @@ optional_policy(`
 	puppet_rw_tmp(mount_t)
 ')
 
+optional_policy(`
+	rpc_domtrans_rpcd(mount_t)
+')
+
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)