Merge pull request #787 from 0xC0ncord/various/20240515

Various fixes
SELinuxProject · Jun 28, 2024 · 7c79790 · 7c79790
2 parents ae71af8 + 0126cb1
commit 7c79790
Show file tree

Hide file tree

Showing 14 changed files with 108 additions and 4 deletions.
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
@@ -131,6 +131,7 @@ domain_use_interactive_fds(ping_t)
 
 files_read_etc_files(ping_t)
 
+kernel_read_net_sysctls(ping_t)
 kernel_read_system_state(ping_t)
 
 auth_use_nsswitch(ping_t)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
@@ -31,9 +31,10 @@
 template(`su_restricted_domain_template', `
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')
 
-	type $1_su_t;
+	type $1_su_t, sudomain;
 	domain_entry_file($1_su_t, su_exec_t)
 	domain_type($1_su_t)
 	domain_interactive_fd($1_su_t)
@@ -148,9 +149,10 @@ template(`su_restricted_domain_template', `
 template(`su_role_template',`
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')
 
-	type $1_su_t;
+	type $1_su_t, sudomain;
 	userdom_user_application_domain($1_su_t, su_exec_t)
 	domain_interactive_fd($1_su_t)
 	role $4 types $1_su_t;
@@ -309,3 +311,21 @@ interface(`su_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, su_exec_t)
 ')
+
+#######################################
+## <summary>
+##	Send signals to all su domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`su_signal_all',`
+	gen_require(`
+		attribute sudomain;
+	')
+
+	allow $1 sudomain:process signal;
+')
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
@@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
 #
 # Declarations
 #
+attribute sudomain;
 
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
@@ -204,13 +204,18 @@ template(`sudo_role_template',`
 
 		ifdef(`init_systemd',`
 			init_dbus_chat($1_sudo_t)
+
+			systemd_read_logind_state($1_sudo_t)
 		')
 	')
 
 	optional_policy(`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	optional_policy(`
+		su_signal_all($1_sudo_t)
+	')
 ')
 
 ########################################

diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
@@ -60,6 +60,7 @@ manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })
+allow asterisk_t asterisk_spool_t:dir watch;
 
 manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
 manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
@@ -158,6 +159,10 @@ optional_policy(`
 	alsa_read_config(asterisk_t)
 ')
 
+optional_policy(`
+	certbot_read_lib(asterisk_t)
+')
+
 optional_policy(`
 	mysql_stream_connect(asterisk_t)
 	mysql_tcp_connect(asterisk_t)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
@@ -317,6 +317,7 @@ allow container_domain container_ro_file_t:sock_file read_sock_file_perms;
 fs_tmpfs_filetrans(container_domain, container_tmpfs_t, { dir file fifo_file lnk_file sock_file })
 manage_dirs_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 mmap_manage_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
+mmap_exec_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_fifo_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_lnk_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_sock_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
@@ -621,6 +621,25 @@ interface(`dbus_use_system_bus_fds',`
 	allow $1 system_dbusd_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Use PIDFD file descriptors from the
+##	DBUS system bus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_use_system_bus_pidfds',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and

diff --git a/policy/modules/services/node_exporter.te b/policy/modules/services/node_exporter.te
@@ -59,9 +59,12 @@ kernel_read_fs_sysctls(node_exporter_t)
 kernel_read_kernel_sysctls(node_exporter_t)
 kernel_read_net_sysctls(node_exporter_t)
 kernel_read_network_state(node_exporter_t)
+kernel_read_rpc_sysctls(node_exporter_t)
 kernel_read_software_raid_state(node_exporter_t)
 kernel_read_system_state(node_exporter_t)
 
+miscfiles_read_localization(node_exporter_t)
+
 # to read udev state data
 udev_read_runtime_files(node_exporter_t)
 

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
@@ -615,6 +615,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_manage_spool(postfix_pipe_t)
+	mta_watch_spool(postfix_pipe_t)
 	mta_send_mail(postfix_pipe_t)
 ')
 
@@ -844,7 +845,7 @@ optional_policy(`
 
 optional_policy(`
 	sasl_connect(postfix_smtpd_t)
-	sasl_read_keytab(postfix_smtpd_t)
+	sasl_mmap_read_keytab(postfix_smtpd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
@@ -38,6 +38,25 @@ interface(`sasl_read_keytab',`
 	read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
 ')
 
+########################################
+## <summary>
+##	Memory map and read SASL keytab files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sasl_mmap_read_keytab',`
+	gen_require(`
+		type saslauthd_keytab_t;
+	')
+
+	files_search_etc($1)
+	mmap_read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -610,7 +610,7 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		dbus_connect_system_bus(init_t)
-		dbus_use_system_bus_fds(init_t)
+		dbus_use_system_bus_pidfds(init_t)
 	')
 
 	optional_policy(`
@@ -620,6 +620,10 @@ ifdef(`init_systemd',`
 		kubernetes_read_config(init_t)
 	')
 
+	optional_policy(`
+		locallogin_use_pidfds(init_t)
+	')
+
 	optional_policy(`
 		# var-lib-nfs-rpc_pipefs.mount creates /var/lib/nfs/rpc_pipefs
 		# if it does not exist

diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
@@ -57,6 +57,24 @@ interface(`locallogin_use_fds',`
 	allow $1 local_login_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Use PIDFDs from local login.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`locallogin_use_pidfds',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	allow $1 local_login_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to inherit local login file descriptors.

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
@@ -343,6 +343,7 @@ domain_use_interactive_fds(ifconfig_t)
 
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)
 
 fs_getattr_xattr_fs(ifconfig_t)
 fs_read_nsfs_files(ifconfig_t)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -1040,6 +1040,12 @@ ifdef(`distro_redhat',`
 	userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
 ')
 
+ifdef(`init_systemd',`
+	optional_policy(`
+		ssh_use_sshd_pidfds(systemd_logind_t)
+	')
+')
+
 tunable_policy(`systemd_logind_get_bootloader',`
 	fs_getattr_dos_fs(systemd_logind_t)
 	fs_list_dos(systemd_logind_t)