Date: Wed, 27 Jan 2021 18:12:41 +1100
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] misc network patches with Dominick's changes Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Here's the latest version of my misc network patch with some changes Dominick suggested and with the controversial things from my previous patch removed. Signed-off-by: Russell Coker Index: refpolicy-2.20210126/policy/modules/admin/netutils.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/admin/netutils.te +++ refpolicy-2.20210126/policy/modules/admin/netutils.te @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; allow ping_t self:netlink_route_socket create_netlink_socket_perms; +allow ping_t self:icmp_socket create; corenet_all_recvfrom_netlabel(ping_t) corenet_sendrecv_icmp_packets(ping_t) @@ -156,13 +157,14 @@ allow traceroute_t self:capability { net allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms; allow traceroute_t self:process signal; allow traceroute_t self:rawip_socket create_socket_perms; -allow traceroute_t self:packet_socket create_socket_perms; +allow traceroute_t self:packet_socket { map create_socket_perms }; allow traceroute_t self:udp_socket create_socket_perms; can_exec(traceroute_t, traceroute_exec_t) kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) +kernel_search_fs_sysctls(traceroute_t) corecmd_search_bin(traceroute_t) 
@@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) +miscfiles_read_generic_certs(traceroute_t) miscfiles_read_localization(traceroute_t) userdom_use_inherited_user_terminals(traceroute_t) Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc =================================================================== --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc @@ -27,6 +27,7 @@ ifdef(`distro_debian',` /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0) ifdef(`distro_redhat',` /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.te +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.te @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5) # Declarations # +## +##

+## Determine whether DHCP client +## can manage samba +##

+##
+gen_tunable(dhcpc_manage_samba, false) + attribute_role dhcpc_roles; roleattribute system_r dhcpc_roles; @@ -175,6 +183,18 @@ ifdef(`init_systemd',` ') optional_policy(` + tunable_policy(`dhcpc_manage_samba',` + samba_manage_var_files(dhcpc_t) + init_exec_script_files(dhcpc_t) + init_get_system_status(dhcpc_t) + samba_stop(dhcpc_t) + samba_start(dhcpc_t) + samba_reload(dhcpc_t) + samba_status(dhcpc_t) + ') +') + +optional_policy(` avahi_domtrans(dhcpc_t) ') Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te @@ -25,6 +25,10 @@ optional_policy(` ') optional_policy(` + netutils_domtrans_ping(user_t) +') + +optional_policy(` screen_role_template(user, user_r, user_t) ') Index: refpolicy-2.20210126/policy/modules/services/samba.if =================================================================== --- refpolicy-2.20210126.orig/policy/modules/services/samba.if +++ refpolicy-2.20210126/policy/modules/services/samba.if 
@@ -729,3 +729,79 @@ interface(`samba_admin',` files_list_tmp($1) admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) ') + +######################################## +## +## start samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_start',` + gen_require(` + type samba_unit_t; + ') + + allow $1 samba_unit_t:file getattr; + allow $1 samba_unit_t:service start; +') + +######################################## +## +## stop samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_stop',` + gen_require(` + type samba_unit_t; + ') + + allow $1 samba_unit_t:file getattr; + allow $1 samba_unit_t:service stop; +') + +######################################## +## +## get status of samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_status',` + gen_require(` + type samba_unit_t; + ') + + allow $1 samba_unit_t:file getattr; + allow $1 samba_unit_t:service status; +') + +######################################## +## +## reload samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_reload',` + gen_require(` + type samba_unit_t; + ') + + allow $1 samba_unit_t:file getattr; + allow $1 samba_unit_t:service reload; +') Index: refpolicy-2.20210126/policy/modules/services/mon.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/services/mon.te +++ refpolicy-2.20210126/policy/modules/services/mon.te 
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_ manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t) files_runtime_filetrans(mon_t, mon_runtime_t, file) +# to read fips_enabled +kernel_read_crypto_sysctls(mon_t) + kernel_read_kernel_sysctls(mon_t) kernel_read_network_state(mon_t) kernel_read_system_state(mon_t) Index: refpolicy-2.20210126/policy/modules/services/mailman.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/services/mailman.te +++ refpolicy-2.20210126/policy/modules/services/mailman.te @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t) dev_read_urand(mailman_cgi_t) files_search_locks(mailman_cgi_t) +files_read_usr_files(mailman_cgi_t) term_use_controlling_term(mailman_cgi_t) Index: refpolicy-2.20210126/policy/modules/services/dkim.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/services/dkim.te +++ refpolicy-2.20210126/policy/modules/services/dkim.te @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi corenet_udp_bind_generic_node(dkim_milter_t) corenet_udp_bind_all_unreserved_ports(dkim_milter_t) +corenet_udp_bind_generic_port(dkim_milter_t) dev_read_urand(dkim_milter_t) # for cpu/online
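Review bot: in the netutils.te hunk at @@ -109,6 +109,7 @@, `allow ping_t self:icmp_socket create;` grants only `create`; once iputils ping has obtained a datagram ICMP socket it goes on to setsockopt, bind, write and read on it, so either this line wants the same permission set as the rawip_socket line at the top of the hunk, or, if the aim is only to silence the probe ping makes before it falls back to a raw socket, it should be a dontaudit rather than an allow. Please say which case the denial came from in the commit message. More generally, this posting bundles eleven unrelated hunks across seven modules (netutils, sysnetwork, unprivuser, samba, mon, mailman, dkim) under one Signed-off-by; splitting them per module would let each change be reviewed and reverted on its own.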
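Review bot: in the netutils.te hunk at @@ -156,13 +157,14 @@, the new `map` permission on packet_socket and `kernel_search_fs_sysctls(traceroute_t)` come without a comment saying which traceroute_exec_t binary needs them. `map` on a packet socket means a tool is mmap'ing a packet ring for capture, and `search` on /proc/sys/fs is usually the first denial before a read of one specific sysctl, so please note which tool triggered them and check whether a read permission on that sysctl follows. A one-line `# for ...` comment above each rule, as the mon.te hunk does for fips_enabled, is the refpolicy convention.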
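Review bot: in the netutils.te hunk at @@ -197,6 +199,7 @@, `miscfiles_read_generic_certs(traceroute_t)` needs a justification: a traceroute tool has no functional need for the system CA store, so this is most likely a linked library probing the certificate directory at startup. If the tool works without it, a dontaudit rule is preferable to an allow; either way, please name the binary that produced the denial in the commit message.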
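Review bot: in the sysnetwork.fc hunk, `/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)` labels a path under /etc/tor from the sysnetwork module; if the tor module already claims `/etc/tor(/.*)?` with its own etc type, which is where a reviewer would expect that directory to be labelled, the two specifications compete and the tor module is the natural owner of the path. Either move the entry to tor.fc and expose it through an interface that network clients can call, or explain in the commit message why torsocks.conf must be net_conf_t (presumably so that torsocks-wrapped clients in arbitrary domains can read it via the existing net_conf reading interfaces). Nothing in the cover text mentions tor.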
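Review bot: in the sysnetwork.te hunk at @@ -5,6 +5,14 @@, the tunable description "Determine whether DHCP client can manage samba" understates what the boolean grants in the second sysnetwork.te hunk: besides samba files and the samba unit, dhcpc_t also receives init_exec_script_files and init_get_system_status, neither of which is samba-specific. Either narrow the policy to match the description or have the description say that enabling it lets the DHCP client run init scripts and query systemd status.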
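Review bot: in the sysnetwork.te hunk at @@ -175,6 +183,18 @@, the new optional_policy block is inserted ahead of the avahi block, which breaks the alphabetical ordering refpolicy keeps for optional_policy blocks; move it down among the s-modules. Inside it, `init_exec_script_files(dhcpc_t)` and `init_get_system_status(dhcpc_t)` are not samba rules and do not depend on the samba module being present, so they belong outside the optional_policy (still under the tunable), and they should be the narrowest init interfaces that actually get the samba units restarted: exec on every init script under a boolean named dhcpc_manage_samba will surprise an administrator. Since a lease hook calls stop and start as a pair, consider whether one restart-style interface would serve better than four separate ones.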
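Review bot: in the unprivuser.te hunk, `netutils_domtrans_ping(user_t)` sets up the type transition but not the role: unless user_r is already authorised for ping_t by another rule, the exec is denied on the role check even though the domain transition is allowed. netutils.if provides `netutils_run_ping(user_t, user_r)`, which handles both, and there is a conditional variant tied to a tunable for exactly this kind of user access; if the intent is unconditional ping for unprivileged users, say so in the commit message, because it changes what that tunable controls.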
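Review bot: in the samba.if hunk, samba_start, samba_stop, samba_status and samba_reload are four copies of the same body differing only in the service permission, each also granting `getattr` on samba_unit_t:file, and the only consumer (sysnetwork.te) calls all four to obtain `{ start stop status reload }`. A single interface granting the full set would be less to maintain; if separate verbs are wanted, the summaries should at least be capitalised like the rest of the file ("Start the samba service."). Note also that the `service` class is only enforced when systemd is the caller's init, so these interfaces do nothing for sysvinit installs, where the init_exec_script_files path in the sysnetwork hunk is what applies.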
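Review bot: in the mon.te hunk, `kernel_read_crypto_sysctls(mon_t)` with its `# to read fips_enabled` comment is fine as written and is the only hunk in the set that documents its reason; it is, however, unrelated to the network theme of the posting and would be a clean one-line commit on its own.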
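Review bot: in the mailman.te hunk, `files_read_usr_files(mailman_cgi_t)` is a broad grant (all usr_t content, not just the mailman tree) with no comment about which files the CGI reads; if it is mailman's own templates or python modules, check whether those paths already carry a mailman type and whether a narrower rule would do. A `# for ...` comment, as in the mon.te hunk, would help the next reader.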
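Review bot: in the dkim.te hunk, `corenet_udp_bind_generic_port(dkim_milter_t)` directly follows `corenet_udp_bind_all_unreserved_ports`; since the unreserved range is already covered, the denial that prompted this must have been on a port carrying a specific type or on the generic port_t catch-all, which is a different thing from an unlabelled high port. Please quote the AVC in the commit message and, if it names a specific port type, grant that type rather than port_t.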