Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package refpolicy [ Reason ] Improvement to policy for certbot, dhcp, mon, fsadm, and java. [ Impact ] This allows certbot to work out of the box on the first run. It correctly labels dhclient hooks scripts and wide-dhcpv6-client hooks. Changes to mon and fsadm policy support megaraid (AKA PERC) RAID controllers. Made the Java policy work for JRE 17. [ Tests ] Tested all of this manually. [ Risks ] No real risk, just added new allow rules. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock refpolicy/2:2.20210203-7 diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog --- refpolicy-2.20210203/debian/changelog 2021-05-08 17:55:06.000000000 +1000 +++ refpolicy-2.20210203/debian/changelog 2021-06-14 09:47:05.000000000 +1000 
@@ -1,3 +1,19 @@
+refpolicy (2:2.20210203-7) unstable; urgency=medium
+
+ * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
+ * Label /etc/wide-dhcpv6/dhcp6c-ifupdown /etc/wide-dhcpv6/dhcp6c-script
+ /etc/dhcp/dhclient-enter-hooks.d/* and /etc/dhcp/dhclient-exit-hooks.d/*
+ as bin_t.
+ * Allow mon_local_test_t to run smartctl in fsadm_t for megaraid and other
+ corner cases and allowed fsadm_t to read fsdaemon_var_lib_t. Dontaudit
+ fsadm_t inheriting file handles from mon_t.
+ * Allow fsadm_t to do a file type trans for creating
+ /dev/megaraid_sas_ioctl_node
+ * Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read
+ cgroup files. Needed for JRE 17
+
+ -- Russell Coker <russ...@coker.com.au> Mon, 14 Jun 2021 09:47:05 +1000
+
 refpolicy (2:2.20210203-6) unstable; urgency=medium
 
  * Add policy for cockpit web admin tool
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services 2021-05-06 04:09:33.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0027-services 2021-06-14 09:47:05.000000000 +1000
@@ -217,26 +217,6 @@ dev_rw_xserver_misc(boinc_t) domain_read_all_domains_state(boinc_t) -Index: refpolicy-2.20210203/policy/modules/services/certbot.te -=================================================================== ---- refpolicy-2.20210203.orig/policy/modules/services/certbot.te -+++ refpolicy-2.20210203/policy/modules/services/certbot.te -@@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t) - # bind to http port for standalone mode - corenet_tcp_bind_http_port(certbot_t) - -+dev_read_urand(certbot_t) -+ - domain_use_interactive_fds(certbot_t) - - files_read_etc_files(certbot_t) - files_read_usr_files(certbot_t) - -+# dontaudit for attempts to write python cache files -+libs_dontaudit_write_lib_dirs(certbot_t) - libs_exec_ldconfig(certbot_t) - # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2 - libs_exec_lib_files(certbot_t) Index: refpolicy-2.20210203/policy/modules/services/clamav.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/clamav.te @@ -561,7 +541,7 @@ files_read_usr_files(mon_local_test_t) files_search_mnt(mon_local_test_t) files_search_spool(mon_local_test_t) -@@ -197,8 +203,11 @@ files_list_boot(mon_local_test_t) +@@ -197,9 +203,13 @@ files_list_boot(mon_local_test_t) fs_search_auto_mountpoints(mon_local_test_t) fs_getattr_nfs(mon_local_test_t) fs_getattr_xattr_fs(mon_local_test_t) @@ -571,9 +551,11 @@ +fs_read_cgroup_files(mon_local_test_t) +fs_search_cgroup_dirs(mon_local_test_t) fs_search_nfs(mon_local_test_t) ++fstools_domtrans(mon_local_test_t) storage_getattr_fixed_disk_dev(mon_local_test_t) -@@ -211,12 +220,14 @@ application_exec_all(mon_local_test_t) + storage_getattr_removable_dev(mon_local_test_t) +@@ -211,12 +221,14 @@ application_exec_all(mon_local_test_t) auth_use_nsswitch(mon_local_test_t) 
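Review bot: `fstools_domtrans(mon_local_test_t)` in the last hunk of this file (`@@ -571,9 +551,11 @@`) lets monitoring test scripts transition into fsadm_t, a domain that already holds raw read/write on fixed disks and, in the fstools.te hunk later in this debdiff, also gains storage_manage_fixed_disk, so the effect is wider than the smartctl case the changelog names: anything labelled fsadm_exec_t that a mon test launches appears to run with that access. If that trade-off is accepted, a comment above the line would keep the intent visible, e.g. `# run smartctl (fsadm_exec_t) for SMART checks on megaraid controllers`. The mon_local_test_t rule block this line belongs to continues outside the hunk on both sides.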
@@ -1765,3 +1747,130 @@ dontaudit inetd_t self:capability sys_tty_config; allow inetd_t self:process { setsched setexec setrlimit }; allow inetd_t self:fifo_file rw_fifo_file_perms; +Index: refpolicy-2.20210203/policy/modules/kernel/corecommands.fc +=================================================================== +--- refpolicy-2.20210203.orig/policy/modules/kernel/corecommands.fc ++++ refpolicy-2.20210203/policy/modules/kernel/corecommands.fc +@@ -43,6 +43,8 @@ ifdef(`distro_redhat',` + /etc/cron\.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/dhcp/dhclient-enter-hooks.d(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/etc/dhcp/dhclient-exit-hooks.d(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + + /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) + /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) +@@ -101,6 +103,9 @@ ifdef(`distro_redhat',` + + /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/etc/wide-dhcpv6/dhcp6c-ifupdown -- gen_context(system_u:object_r:bin_t,s0) ++/etc/wide-dhcpv6/dhcp6c-script -- gen_context(system_u:object_r:bin_t,s0) ++ + /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) +Index: refpolicy-2.20210203/policy/modules/kernel/storage.fc +=================================================================== +--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.fc ++++ refpolicy-2.20210203/policy/modules/kernel/storage.fc +@@ -29,6 +29,7 @@ + /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/mcdx? 
-b gen_context(system_u:object_r:removable_device_t,s0) + /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) ++/dev/megaraid.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0) + /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) +Index: refpolicy-2.20210203/policy/modules/system/fstools.te +=================================================================== +--- refpolicy-2.20210203.orig/policy/modules/system/fstools.te ++++ refpolicy-2.20210203/policy/modules/system/fstools.te +@@ -137,6 +137,8 @@ mls_file_write_all_levels(fsadm_t) + + selinux_getattr_fs(fsadm_t) + ++storage_dev_filetrans_fixed_disk_control(fsadm_t, "megaraid_sas_ioctl_node") ++storage_manage_fixed_disk(fsadm_t) + storage_raw_read_fixed_disk(fsadm_t) + storage_raw_write_fixed_disk(fsadm_t) + storage_raw_read_removable_device(fsadm_t) +@@ -192,6 +194,10 @@ optional_policy(` + ') + + optional_policy(` ++ fsdaemon_read_lib(fsadm_t) ++') ++ ++optional_policy(` + livecd_rw_tmp_files(fsadm_t) + ') + +@@ -201,6 +207,10 @@ optional_policy(` + ') + + optional_policy(` ++ mon_dontaudit_use_fds(fsadm_t) ++') ++ ++optional_policy(` + nis_use_ypbind(fsadm_t) + ') + +Index: refpolicy-2.20210203/policy/modules/apps/java.te +=================================================================== +--- refpolicy-2.20210203.orig/policy/modules/apps/java.te ++++ refpolicy-2.20210203/policy/modules/apps/java.te +@@ -128,11 +128,17 @@ tunable_policy(`allow_java_execstack',` + auth_use_nsswitch(java_t) + + corecmd_search_bin(java_t) ++corecmd_exec_bin(java_t) + + dev_read_sysfs(java_t) + ++fs_read_cgroup_files(java_t) ++fs_search_cgroup_dirs(java_t) ++ + locallogin_use_fds(java_t) + ++libs_exec_lib_files(java_t) ++ + userdom_read_user_tmp_files(java_t) + userdom_use_user_terminals(java_t) + +Index: 
refpolicy-2.20210203/policy/modules/kernel/storage.if +=================================================================== +--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.if ++++ refpolicy-2.20210203/policy/modules/kernel/storage.if +@@ -309,6 +309,30 @@ interface(`storage_dev_filetrans_fixed_d + + ######################################## + ## <summary> ++## Create char devices in /dev with the fixed disk type ++## via an automatic type transition. ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++## <param name="filename" optional="true"> ++## <summary> ++## Optional filename of the char device to be created ++## </summary> ++## </param> ++# ++interface(`storage_dev_filetrans_fixed_disk_control',` ++ gen_require(` ++ type fixed_disk_device_t; ++ ') ++ ++ dev_filetrans($1, fixed_disk_device_t, chr_file, $2) ++') ++ ++######################################## ++## <summary> + ## Create block devices in on a tmpfs filesystem with the + ## fixed disk type via an automatic type transition. + ## </summary> diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm --- refpolicy-2.20210203/debian/patches/0030-user-sddm 2021-04-06 13:27:36.000000000 +1000 +++ refpolicy-2.20210203/debian/patches/0030-user-sddm 2021-05-15 18:59:16.000000000 +1000 
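Review bot: The two new corecommands.fc entries `/etc/dhcp/dhclient-enter-hooks.d(/.*)? --` and `/etc/dhcp/dhclient-exit-hooks.d(/.*)? --` are written differently from the adjacent `/etc/dhcp/dhclient\.d(/.*)?` line: the `.` in `hooks.d` is unescaped, and the `--` qualifier limits the match to regular files, so the hook directories themselves fall through to whatever broader /etc entry covers them and only the scripts inside become bin_t. If leaving the directories out of bin_t is intended, a one-line comment above the pair saying so would record that; otherwise `/etc/dhcp/dhclient-enter-hooks\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)` and its exit-hooks twin follow the existing form. In java.te, `corecmd_exec_bin(java_t)` and `libs_exec_lib_files(java_t)` widen java_t to executing every bin_t and lib_t file, which is broader than the single jspawnhelper binary the changelog cites; a comment such as `# JRE 17 launches subprocesses via lib/jspawnhelper` beside those lines would explain why the wider grant was chosen.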
@@ -347,7 +347,7 @@ =================================================================== --- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te +++ refpolicy-2.20210203/policy/modules/apps/chromium.te -@@ -271,6 +271,7 @@ optional_policy(` +@@ -275,6 +275,7 @@ optional_policy(` optional_policy(` gnome_dbus_chat_all_gkeyringd(chromium_t) diff -Nru refpolicy-2.20210203/debian/patches/0035-certbot refpolicy-2.20210203/debian/patches/0035-certbot --- refpolicy-2.20210203/debian/patches/0035-certbot 2021-05-06 03:50:58.000000000 +1000 +++ refpolicy-2.20210203/debian/patches/0035-certbot 2021-05-15 22:18:05.000000000 +1000 
@@ -53,15 +53,44 @@ =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/certbot.te +++ refpolicy-2.20210203/policy/modules/services/certbot.te -@@ -46,6 +46,7 @@ allow certbot_t self:netlink_route_socke - files_search_var_lib(certbot_t) +@@ -43,9 +43,10 @@ allow certbot_t self:udp_socket all_udp_ + allow certbot_t self:tcp_socket all_tcp_socket_perms; + allow certbot_t self:netlink_route_socket create_netlink_socket_perms; + +-files_search_var_lib(certbot_t) ++files_var_lib_filetrans(certbot_t, certbot_lib_t, dir, "letsencrypt") manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t) manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t) +allow certbot_t certbot_lib_t:file relabelfrom; manage_dirs_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t) manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t) -@@ -114,5 +115,17 @@ optional_policy(` +@@ -62,7 +63,7 @@ allow certbot_t certbot_tmp_t:file mmap_ + allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms; + allow certbot_t certbot_runtime_t:file mmap_exec_file_perms; + +-logging_search_logs(certbot_t) ++logging_log_filetrans(certbot_t, certbot_log_t, dir, "letsencrypt") + allow certbot_t certbot_log_t:dir manage_dir_perms; + allow certbot_t certbot_log_t:file manage_file_perms; + +@@ -80,11 +81,15 @@ corenet_tcp_connect_dns_port(certbot_t) + # bind to http port for standalone mode + corenet_tcp_bind_http_port(certbot_t) + ++dev_read_urand(certbot_t) ++ + domain_use_interactive_fds(certbot_t) + + files_read_etc_files(certbot_t) + files_read_usr_files(certbot_t) + ++# dontaudit for attempts to write python cache files ++libs_dontaudit_write_lib_dirs(certbot_t) + libs_exec_ldconfig(certbot_t) + # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2 + libs_exec_lib_files(certbot_t) +@@ -110,5 +115,17 @@ optional_policy(` # for writing to webroot apache_manage_sys_content(certbot_t)