Description: misc patches for daemon policy
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-07-03

Index: refpolicy-2.20140421/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20140421/policy/modules/contrib/fetchmail.te
@@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchm
 setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
 
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
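Review bot: The new dir rule grants create (via manage_dir_perms) on fetchmail_uidl_cache_t directories, but the filetrans on the next line still names only `file`, so a directory fetchmail creates in the mail spool would keep the spool type rather than fetchmail_uidl_cache_t (assuming it is created under the same spool path — confirm against the denial). If directory creation is really needed, change the filetrans to `mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, { dir file })`; if only search/list was denied, the narrower `allow fetchmail_t fetchmail_uidl_cache_t:dir list_dir_perms;` avoids handing out create and unlink. A one-line comment naming the UIDL path that triggered this would help the next reader.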
Index: refpolicy-2.20140421/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/mysql.te
+++ refpolicy-2.20140421/policy/modules/contrib/mysql.te
@@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_t
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -99,6 +99,7 @@ manage_sock_files_pattern(mysqld_t, mysq
 files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
 
 kernel_read_kernel_sysctls(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 
Index: refpolicy-2.20140421/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20140421/policy/modules/contrib/tor.te
@@ -41,7 +41,7 @@ systemd_unit_file(tor_unit_file_t)
 # Local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
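Review bot: The capability rule now adds chown, dac_override, dac_read_search, fowner and fsetid to tor_t with no comment saying which operation needs them, and dac_override/dac_read_search in particular let the daemon bypass file permission checks on every type its other rules already reach. If the trigger is tor fixing up ownership and mode of its own data directory at start-up (a guess from the set chosen — confirm against the audit log), `chown fowner fsetid` may be sufficient and the two dac capabilities could be `dontaudit`ed instead, which is the usual refpolicy treatment when the access is only probed. Whatever the outcome, add a line such as `# chown/fowner/fsetid: data dir ownership fix-up at start-up; dac_*: <REASON>` above the rule.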
Index: refpolicy-2.20140421/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20140421/policy/modules/contrib/cron.if
@@ -910,3 +910,21 @@ interface(`cron_manage_system_spool',`
 	files_search_spool($1)
 	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
 ')
+
+########################################
+## <summary>
+##      Access temporary files crond creates for script output
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`read_write_crond_tmp',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	allow $1 crond_tmp_t:file rw_file_perms;
+')
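Review bot: The new interface name `read_write_crond_tmp` lacks the module prefix every other interface in this file carries (`cron_manage_system_spool` just above), which is how refpolicy groups interfaces and avoids collisions; `cron_rw_tmp_files` would match the convention, and the caller added in sysstat.te in this same patch would need the same rename. The rule also grants rw_file_perms without search on the temp directory, so a caller that does not already have `files_search_tmp($1)` would still fail the path lookup; add it next to the allow if these files live under /tmp, as the summary suggests. The XML summary lines here are indented with spaces whereas the other interface headers in this patch use tabs.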
Index: refpolicy-2.20140421/policy/modules/contrib/sysstat.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/sysstat.te
+++ refpolicy-2.20140421/policy/modules/contrib/sysstat.te
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_ov
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
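Review bot: Replacing the append and create rules with manage_files_pattern widens sysstat_t from append-only on its logs to read, write, truncate, unlink and rename on sysstat_log_t, which removes the tamper-resistance the old rules gave the accounting history, and nothing in the hunk says which operation was denied. If the reason is the sa2 script expiring old daily data files (plausible, but confirm), record it on the new line, e.g. `# sa2 removes expired daily data files, so delete is required`, so a later reviewer does not tighten it back to append. If only deletion was missing, `delete_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` on top of the two original rules keeps write and truncate out of the daemon's reach.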
@@ -39,8 +38,10 @@ kernel_read_fs_sysctls(sysstat_t)
 kernel_read_rpc_sysctls(sysstat_t)
 
 corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
 
 dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
 dev_read_urand(sysstat_t)
 
 files_search_var(sysstat_t)
@@ -66,4 +67,5 @@ userdom_dontaudit_list_user_home_dirs(sy
 
 optional_policy(`
 	cron_system_entry(sysstat_t, sysstat_exec_t)
+	read_write_crond_tmp(sysstat_t)
 ')
Index: refpolicy-2.20140421/policy/modules/contrib/dirmngr.fc
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/dirmngr.fc
+++ refpolicy-2.20140421/policy/modules/contrib/dirmngr.fc
@@ -7,6 +7,7 @@
 /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
 
 /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
+/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
 
 /var/run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
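Review bot: The new /var/cache/dirmngr entry reuses dirmngr_var_lib_t, so the cache directory inherits every rule written for the persistent state under /var/lib/dirmngr, including whatever other domains are granted on that type; if the cache is disposable content, a separate type (declared with files_type and placed with a cache filetrans) would keep the two apart and let cache cleanup tooling treat it as cache. If sharing the type is intentional, a short comment on the line saying so will stop the next reader from splitting it. Note that an fc entry only affects relabelling: a cache directory recreated at run time will be labelled by the creating domain's rules, which this patch does not add.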
Index: refpolicy-2.20140421/policy/modules/contrib/xen.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/xen.te
+++ refpolicy-2.20140421/policy/modules/contrib/xen.te
@@ -219,6 +219,7 @@ domtrans_pattern(xend_t, xenstored_exec_
 xen_stream_connect_xenstore(xend_t)
 
 kernel_read_kernel_sysctls(xend_t)
+kernel_read_vm_sysctls(xend_t)
 kernel_read_system_state(xend_t)
 kernel_write_xen_state(xend_t)
 kernel_read_xen_state(xend_t)
Index: refpolicy-2.20140421/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/udev.te
+++ refpolicy-2.20140421/policy/modules/system/udev.te
@@ -202,6 +202,11 @@ ifdef(`distro_debian',`
 	')
 ')
 
+optional_policy(`
+	# for systemd-udevd when starting xen domu
+	virt_read_config(udev_t)
+')
+
 ifdef(`distro_gentoo',`
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
@@ -329,6 +334,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
+	fs_manage_xenfs_files(udev_t)
 ')
 
 optional_policy(`
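Review bot: `fs_manage_xenfs_files(udev_t)` grants create, unlink, rename and setattr on xenfs_t files on top of read/write, and the hunk gives no hint that the hotplug scripts do more than read and write existing nodes under /proc/xen; the surrounding block already has kernel_write_xen_state for xenstore access. If the denial was only read/write, `fs_rw_xenfs_files(udev_t)` is the narrower interface (assuming it is present in this tree). Either way a comment such as `# xen hotplug scripts run from udev write /proc/xen` on the new line would document the reason. The optional_policy block begins before the hunk.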
Index: refpolicy-2.20140421/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20140421/policy/modules/system/fstools.te
@@ -195,6 +195,10 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(fsadm_t)
+
+	# Xen causes losetup to run with a presumably accidentally inherited
+	# file handle for /run/xen-hotplug/block
+	dontaudit_udev_pidfile_rw(fsadm_t)
 ')
 
 optional_policy(`
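Review bot: The interface called here, `dontaudit_udev_pidfile_rw`, is defined in the udev.if hunk of this same patch without the module prefix that refpolicy interfaces carry (compare `udev_read_db` on the line above and `udev_search_pids` in udev.if); `udev_dontaudit_rw_pid_files` would follow the convention, and both the definition and this caller should change together. The comment explaining the inherited descriptor is good; it would be worth adding that the proper fix is for the xen hotplug path to close the descriptor before exec, so the dontaudit is understood as a workaround rather than a requirement. The optional_policy block begins before the hunk.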
Index: refpolicy-2.20140421/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/udev.if
+++ refpolicy-2.20140421/policy/modules/system/udev.if
@@ -261,6 +261,24 @@ interface(`udev_search_pids',`
 
 ########################################
 ## <summary>
+##	dontaudit attempts to read/write udev pidfiles
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dontaudit_udev_pidfile_rw',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	dontaudit $1 udev_var_run_t:file { read write };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid directories
 ## </summary>
Index: refpolicy-2.20140421/policy/modules/contrib/apt.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/apt.if
+++ refpolicy-2.20140421/policy/modules/contrib/apt.if
@@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
 ##	</summary>
 ## </param>
 #
+interface(`apt_manage_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir manage_dir_perms;
+	allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read apt package cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`apt_read_cache',`
 	gen_require(`
 		type apt_var_cache_t;
Index: refpolicy-2.20140421/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20140421/policy/modules/contrib/cron.te
@@ -336,6 +336,14 @@ ifdef(`distro_debian',`
 	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
+	optional_policy(`
+		apt_manage_cache(system_cronjob_t)
+		apt_read_db(system_cronjob_t)
+	')
+')
+
+optional_policy(`
+	ntp_read_conf(system_cronjob_t)
 ')
 
 ifdef(`distro_redhat',`
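Review bot: The apt block at the top of the hunk is not separated from the preceding logwatch block by a blank line, unlike the other optional_policy blocks visible here; insert one before its `optional_policy(` line. It also deserves a comment on why system cron jobs need to manage the apt cache rather than read it (presumably the apt periodic jobs cleaning the archive — confirm), since manage_dir_perms/manage_file_perms from the general system_cronjob_t domain lets any system cron job modify or replace downloaded packages and index files; if the jobs only clean, a delete-only interface would be tighter. The enclosing distro_debian block starts before the hunk.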
Index: refpolicy-2.20140421/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/ntp.if
+++ refpolicy-2.20140421/policy/modules/contrib/ntp.if
@@ -18,6 +18,23 @@ interface(`ntp_stub',`
 
 ########################################
 ## <summary>
+##	Read ntp.conf
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_read_conf',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+	allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20140421/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/init.te
+++ refpolicy-2.20140421/policy/modules/system/init.te
@@ -151,6 +151,7 @@ corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+logging_create_devlog_dev(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
 
@@ -1141,6 +1142,7 @@ tunable_policy(`init_systemd',`
 	allow init_t self:process { getcap setcap };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
 	# Until systemd is fixed
 	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 	allow init_t self:udp_socket create_socket_perms;
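Review bot: The netlink_audit_socket rule gives init_t nlmsg_relay, which permits sending user-space audit records, without a comment saying what systemd does with it; given the `# Until systemd is fixed` note directly below, a reader cannot tell whether this is a permanent requirement or another workaround. If the trigger is systemd's own audit records for service start/stop and sessions (likely, but confirm against the denial), put `# systemd emits user-space audit records for service and session events` above the line. The tunable_policy block starts before the hunk.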
@@ -1225,6 +1227,7 @@ tunable_policy(`init_systemd',`
 	systemd_manage_unit_dirs(init_t)
 	systemd_manage_all_unit_files(init_t)
 	systemd_logger_stream_connect(init_t)
+	systemd_manage_lnk_file_passwd_run(init_t)
 
 	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 
Index: refpolicy-2.20140421/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20140421/policy/modules/system/systemd.if
@@ -477,6 +477,24 @@ interface(`systemd_read_fifo_file_passwd
     read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 ')
 
+######################################
+## <summary>
+##  Allow to domain to create systemd-passwd symlink
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_lnk_file_passwd_run',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+')
+
 #######################################
 ## <summary>
 ##  Send generic signals to systemd_passwd_agent processes.
Index: refpolicy-2.20140421/policy/modules/contrib/clamav.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/clamav.te
+++ refpolicy-2.20140421/policy/modules/contrib/clamav.te
@@ -215,6 +215,10 @@ corenet_sendrecv_http_client_packets(fre
 corenet_tcp_connect_http_port(freshclam_t)
 corenet_tcp_sendrecv_http_port(freshclam_t)
 
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
 corenet_sendrecv_squid_client_packets(freshclam_t)
 corenet_tcp_connect_squid_port(freshclam_t)
 corenet_tcp_sendrecv_squid_port(freshclam_t)
Index: refpolicy-2.20140421/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20140421/policy/modules/contrib/dpkg.te
@@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
 domain_interactive_fd(dpkg_script_t)
 role dpkg_roles types dpkg_script_t;
 
+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+
 type dpkg_script_tmp_t;
 files_tmp_file(dpkg_script_tmp_t)
 
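Review bot: `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` makes every file of type dpkg_var_lib_t an entry point for dpkg_script_t, and that type covers the whole of /var/lib/dpkg, including the status and available databases, not just the maintainer scripts under info/; together with the spec_domtrans it means dpkg_t can execute anything in that tree as dpkg_script_t. Since dpkg_t is already the privileged package domain the practical exposure is limited, but a dedicated type for the maintainer-script directory would keep the entrypoint set small and leave the database files non-executable. Add a comment on the new lines naming the path, e.g. `# maintainer scripts under /var/lib/dpkg/info run in dpkg_script_t`.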
Index: refpolicy-2.20140421/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20140421/policy/modules/kernel/devices.if
@@ -589,6 +589,24 @@ interface(`dev_getattr_generic_chr_files
 
 ########################################
 ## <summary>
+##	Allow setattr for generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Dontaudit getattr for generic character device files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20140421/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20140421/policy/modules/kernel/kernel.te
@@ -263,6 +263,7 @@ dev_create_generic_blk_files(kernel_t)
 dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 
 # Mount root file system. Used when loading a policy
Index: refpolicy-2.20140421/policy/modules/contrib/postfix.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/postfix.te
+++ refpolicy-2.20140421/policy/modules/contrib/postfix.te
@@ -654,6 +654,10 @@ optional_policy(`
 	ppp_sigchld(postfix_postqueue_t)
 ')
 
+optional_policy(`
+	userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
 ########################################
 #
 # Qmgr local policy
