Description: Make strict configuration work
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-07-03

Index: refpolicy-2.20140421/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20140421/policy/modules/roles/sysadm.te
@@ -35,6 +35,8 @@ ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
 
+selinux_read_policy(sysadm_t)
+
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
@@ -66,6 +68,10 @@ tunable_policy(`allow_ptrace',`
 ')
 
 optional_policy(`
+	system_mail_role(sysadm_r)
+')
+
+optional_policy(`
 	amanda_run_recover(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy-2.20140421/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20140421/policy/modules/kernel/kernel.te
@@ -266,6 +266,15 @@ dev_delete_generic_chr_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 
+ifdef(`distro_debian',`
+	# for systemd access to /run before transition
+	fs_search_tmpfs(kernel_t)
+	# also for systemd before transition
+	selinux_compute_create_context(kernel_t)
+	kernel_read_unlabeled_state(kernel_t)
+')
+
+
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
Index: refpolicy-2.20140421/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/udev.if
+++ refpolicy-2.20140421/policy/modules/system/udev.if
@@ -314,6 +314,7 @@ interface(`udev_relabelto_db',`
 
 	files_search_pids($1)
 	allow $1 udev_var_run_t:file relabelto_file_perms;
+	allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
 ')
 
 ########################################
Index: refpolicy-2.20140421/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20140421/policy/modules/kernel/filesystem.if
@@ -730,6 +730,24 @@ interface(`fs_search_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel pstore directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabel_pstore_dirs',`
+        gen_require(`
+                type pstore_t;
+        ')
+
+        relabel_dirs_pattern($1, pstore_t, pstore_t)
+')
+
+########################################
+## <summary>
 ##     Relabel cgroup directories.
 ## </summary>
 ## <param name="domain">
@@ -838,7 +856,6 @@ interface(`fs_read_cgroup_files',`
 interface(`fs_read_cgroup_links',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
 	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
@@ -847,6 +864,26 @@ interface(`fs_read_cgroup_links',`
 
 ########################################
 ## <summary>
+##	Create cgroup lnk_files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_links',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
@@ -4336,6 +4373,24 @@ interface(`fs_read_tmpfs_symlinks',`
 ')
 
 ########################################
+## <summary>
+##	Relabelfrom tmpfs link files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
 ## <summary>
 ##	Read and write character nodes on tmpfs filesystems.
 ## </summary>
Index: refpolicy-2.20140421/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/init.te
+++ refpolicy-2.20140421/policy/modules/system/init.te
@@ -147,13 +147,18 @@ kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
 
+domain_read_all_domains_state(init_t)
+
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+fs_relabel_pstore_dirs(init_t)
+dev_read_urand(init_t)
 logging_create_devlog_dev(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
+dev_relabel_generic_symlinks(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
@@ -166,6 +171,8 @@ files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
+files_list_usr(init_t)
+
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
@@ -200,11 +207,20 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+fs_relabelfrom_tmpfs_symlinks(init_t)
+
 ifdef(`distro_debian',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
 
 	allow init_t initrc_var_run_t:file manage_file_perms;
 	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+	sysnet_write_config(initrc_t)
+	sysnet_create_config(initrc_t)
+	sysnet_manage_config(initrc_t)
+
+	optional_policy(`
+		postfix_read_config(initrc_t)
+	')
 ')
 
 ifdef(`distro_gentoo',`
@@ -224,6 +240,12 @@ tunable_policy(`init_upstart || init_sys
 ')
 
 optional_policy(`
+	modutils_read_module_config(init_t)
+	modutils_read_module_deps(init_t)
+	modutils_read_module_objects(init_t)
+')
+
+optional_policy(`
 	auth_rw_login_records(init_t)
 ')
 
@@ -243,6 +265,8 @@ optional_policy(`
 	udev_read_db(init_t)
 	udev_relabelto_db(init_t)
 	udev_create_kobject_uevent_socket(init_t)
+	# for systemd to read udev status
+	udev_read_pid_files(init_t)
 ')
 
 #optional_policy(`
@@ -1134,15 +1158,19 @@ optional_policy(`
 	clock_read_adjtime(init_t)
 ')
 
+# for systemd
+kernel_load_module(init_t)
+
 tunable_policy(`init_systemd',`
 	allow init_t self:system { status reboot halt };
 
 	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow init_t self:process { setsockcreate setfscreate setrlimit };
-	allow init_t self:process { getcap setcap };
+	allow init_t self:process { getcap setcap setsched };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+	allow init_t self:netlink_selinux_socket create_socket_perms;
 	# Until systemd is fixed
 	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 	allow init_t self:udp_socket create_socket_perms;
@@ -1174,6 +1202,7 @@ tunable_policy(`init_systemd',`
 	# systemd writes to /dev/watchdog on shutdown
 	dev_write_watchdog(init_t)
 
+	files_read_all_pids(init_t)
 	files_search_all(init_t)
 	files_mounton_all_mountpoints(init_t)
 	files_unmount_all_file_type_fs(init_t)
@@ -1197,6 +1226,7 @@ tunable_policy(`init_systemd',`
 	fs_getattr_all_fs(init_t)
 	fs_manage_cgroup_dirs(init_t)
 	fs_manage_cgroup_files(init_t)
+	fs_create_cgroup_links(init_t)
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_manage_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_dirs(init_t)
@@ -1228,13 +1258,16 @@ tunable_policy(`init_systemd',`
 	systemd_manage_all_unit_files(init_t)
 	systemd_logger_stream_connect(init_t)
 	systemd_manage_lnk_file_passwd_run(init_t)
+	systemd_manage_passwd_run(init_t)
 
 	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-
+	allow init_t init_var_run_t:sock_file manage_sock_file_perms;
+	selinux_compute_access_vector(init_t)
 	allow initrc_t init_script_file_type:service { stop start status reload };
-
-
+	auth_manage_var_auth(init_t)
+	init_rw_stream_sockets(initrc_t)
 ')
+
 auth_use_nsswitch(init_t)
 auth_rw_login_records(init_t)
 
Index: refpolicy-2.20140421/policy/modules/contrib/mta.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/mta.if
+++ refpolicy-2.20140421/policy/modules/contrib/mta.if
@@ -121,6 +121,23 @@ interface(`mta_role',`
 
 ########################################
 ## <summary>
+##	Enable system_mail_t to run in the specified role
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`system_mail_role',`
+	gen_require(`
+		type system_mail_t;
+	')
+	role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
 ##	Make the specified domain usable for a mail server.
 ## </summary>
 ## <param name="type">
Index: refpolicy-2.20140421/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20140421/policy/modules/system/modutils.if
@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
 
 ########################################
 ## <summary>
+##	Read the kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_module_objects',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	files_list_kernel_modules($1)
+	allow $1 modules_object_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
Index: refpolicy-2.20140421/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20140421.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20140421/policy/modules/contrib/dpkg.te
@@ -273,6 +273,7 @@ selinux_compute_access_vector(dpkg_scrip
 selinux_compute_create_context(dpkg_script_t)
 selinux_compute_relabel_context(dpkg_script_t)
 selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
 
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
