Various fixes

policy/modules/admin/su.if

@@ -40,11 +40,12 @@ template(`su_restricted_domain_template', `
 	role $3 types $1_su_t;
 
 	allow $2 $1_su_t:process signal;
+	allow $1_su_t $2:process { sigkill signal };
 
 	allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
 	allow $1_su_t self:key { search write };
-	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:process { setexec setsched setrlimit signal };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
@@ -77,7 +78,11 @@ template(`su_restricted_domain_template', `
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
+	auth_create_faillog_files($1_su_t)
 	auth_rw_faillog($1_su_t)
+	auth_setattr_faillog_files($1_su_t)
+	auth_rw_lastlog($1_su_t)
+	auth_write_login_records($1_su_t)
 
 	domain_use_interactive_fds($1_su_t)
 
@@ -150,9 +155,11 @@ template(`su_role_template',`
 	domain_interactive_fd($1_su_t)
 	role $4 types $1_su_t;
 
+	allow $1_su_t $2:process { sigkill signal };
+
 	allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
 	dontaudit $1_su_t self:capability { net_admin sys_tty_config };
-	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:process { setexec setsched setrlimit signal };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:key { search write };
@@ -178,7 +185,11 @@ template(`su_role_template',`
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
+	auth_create_faillog_files($1_su_t)
 	auth_rw_faillog($1_su_t)
+	auth_setattr_faillog_files($1_su_t)
+	auth_rw_lastlog($1_su_t)
+	auth_write_login_records($1_su_t)
 
 	corecmd_search_bin($1_su_t)
 

policy/modules/kernel/devices.if

@@ -4946,6 +4946,24 @@ interface(`dev_rw_generic_usb_dev',`
 	rw_chr_files_pattern($1, device_t, usb_device_t)
 ')
 
+########################################
+## <summary>
+##	Delete the generic USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_usb_dev',`
+	gen_require(`
+		type device_t, usb_device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, usb_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Relabel generic the USB devices.

policy/modules/kernel/kernel.te

@@ -390,10 +390,16 @@ ifdef(`init_systemd',`
 	')
 
 	optional_policy(`
+		dev_setattr_generic_usb_dev(kernel_t)
+		dev_delete_generic_usb_dev(kernel_t)
+
 		storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 		storage_setattr_fixed_disk_dev(kernel_t)
 		storage_create_fixed_disk_dev(kernel_t)
 		storage_delete_fixed_disk_dev(kernel_t)
+
+		storage_setattr_scsi_generic_dev(kernel_t)
+		storage_delete_scsi_generic_dev(kernel_t)
 	')
 ')
 

policy/modules/kernel/storage.if

@@ -539,6 +539,26 @@ interface(`storage_write_scsi_generic',`
 	typeattribute $1 scsi_generic_write;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to delete the generic
+##	SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_delete_scsi_generic_dev',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Set attributes of the device nodes

policy/modules/roles/sysadm.te

@@ -33,6 +33,9 @@ ifndef(`enable_mls',`
 # Local policy
 #
 
+# for networkctl and possibly other networking tools
+allow sysadm_t self:netlink_route_socket rw_netlink_socket_perms;
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)

policy/modules/services/glusterfs.te

@@ -1,5 +1,16 @@
 policy_module(glusterfs)
 
+## <desc>
+##	<p>
+##	Allow the gluster daemon to manage unlabeled
+##	objects. This could happen if the underlying
+##	gluster brick experiences data corruption
+##	and you want to allow gluster to handle
+##	files with corrupted or missing xattrs.
+##	</p>
+## </desc>
+gen_tunable(glusterfs_manage_unlabeled, false)
+
 ## <desc>
 ##	<p>
 ##	Allow the gluster daemon to automatically
@@ -152,6 +163,14 @@ userdom_dontaudit_search_user_runtime_root(glusterd_t)
 
 xdg_dontaudit_search_data_dirs(glusterd_t)
 
+tunable_policy(`glusterfs_manage_unlabeled',`
+	kernel_manage_unlabeled_dirs(glusterd_t)
+	kernel_manage_unlabeled_files(glusterd_t)
+	kernel_manage_unlabeled_symlinks(glusterd_t)
+	kernel_manage_unlabeled_blk_files(glusterd_t)
+	kernel_manage_unlabeled_chr_files(glusterd_t)
+')
+
 tunable_policy(`glusterfs_modify_policy',`
 	# needed by relabeling hooks when adding bricks
 	seutil_domtrans_semanage(glusterd_t)

policy/modules/services/rpc.fc

@@ -1,4 +1,5 @@
 /etc/exports	--	gen_context(system_u:object_r:exports_t,s0)
+/etc/exports\.d(/.*)?	--	gen_context(system_u:object_r:exports_t,s0)
 
 /etc/rc\.d/init\.d/nfs	--	gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/nfslock	--	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)

policy/modules/services/rpc.if

@@ -87,6 +87,24 @@ interface(`rpc_read_exports',`
 	allow $1 exports_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create export files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_create_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	create_files_pattern($1, exports_t, exports_t)
+')
+
 ########################################
 ## <summary>
 ##	Write export files.

policy/modules/services/zfs.te

@@ -33,6 +33,7 @@ files_runtime_file(zfs_runtime_t)
 
 allow zed_t self:process signal;
 allow zed_t self:capability sys_admin;
+dontaudit zed_t self:capability net_admin;
 allow zed_t self:fifo_file rw_fifo_file_perms;
 allow zed_t self:unix_dgram_socket create_socket_perms;
 allow zed_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -71,6 +72,12 @@ udev_search_runtime(zed_t)
 
 zfs_rw_zpool_cache(zed_t)
 
+optional_policy(`
+	# for managing /etc/exports.d/zfs.exports
+	rpc_create_exports(zed_t)
+	rpc_write_exports(zed_t)
+')
+
 ########################################
 #
 # zfs local policy

policy/modules/system/init.fc

@@ -35,6 +35,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/dracut/modules\.d/[^/]+/.*\.service	--	gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/systemd-executor	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/systemd-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/systemd-oomd	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)

policy/modules/system/init.if

@@ -378,6 +378,9 @@ interface(`init_daemon_domain',`
 
 		allow init_t $1:process2 { nnp_transition nosuid_transition };
 
+		# for /run/systemd/private
+		init_write_runtime_socket($1)
+
 		optional_policy(`
 			systemd_stream_connect_socket_proxyd($1)
 		')
@@ -1604,6 +1607,25 @@ interface(`init_manage_runtime_dirs', `
 	manage_dirs_pattern($1, init_runtime_t, init_runtime_t)
 ')
 
+######################################
+## <summary>
+## 	Create, read, write, and delete
+##	files in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_manage_runtime_files', `
+	gen_require(`
+		type init_runtime_t;
+	')
+
+	manage_files_pattern($1, init_runtime_t, init_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Create files in an init runtime directory with a private type.

policy/modules/system/systemd.fc

@@ -38,6 +38,7 @@
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-pcrextend		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pcrphase		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pstore		--	gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)

policy/modules/system/systemd.te

@@ -1131,6 +1131,7 @@ systemd_log_parse_environment(systemd_modules_load_t)
 allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
 allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
 allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
 allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 allow systemd_networkd_t self:packet_socket create_socket_perms;
 allow systemd_networkd_t self:process { getcap setcap setfscreate };
@@ -1456,11 +1457,13 @@ optional_policy(`
 allow systemd_pcrphase_t self:capability dac_override;
 dontaudit systemd_pcrphase_t self:capability net_admin;
 
+dev_read_sysfs(systemd_pcrphase_t)
 dev_rw_tpm(systemd_pcrphase_t)
 dev_write_kmsg(systemd_pcrphase_t)
 
 # read /etc/machine-id
 files_read_etc_runtime_files(systemd_pcrphase_t)
+files_search_var_lib(systemd_pcrphase_t)
 
 fs_read_efivarfs_files(systemd_pcrphase_t)
 fs_getattr_cgroup(systemd_pcrphase_t)
@@ -1471,6 +1474,9 @@ kernel_read_kernel_sysctls(systemd_pcrphase_t)
 kernel_read_system_state(systemd_pcrphase_t)
 
 init_read_state(systemd_pcrphase_t)
+# for writing the TPM public key and measurements to /var/lib/systemd and /run/systemd
+init_manage_runtime_files(systemd_pcrphase_t)
+init_manage_var_lib_files(systemd_pcrphase_t)
 
 logging_send_syslog_msg(systemd_pcrphase_t)
 
@@ -1930,6 +1936,9 @@ selinux_compute_create_context(systemd_user_session_type)
 
 storage_getattr_fixed_disk_dev(systemd_user_session_type)
 
+# for systemd-executor
+init_exec(systemd_user_session_type)
+
 # for /run/systemd/notify
 init_dgram_send(systemd_user_session_type)
 init_signal(systemd_user_session_type)

policy/modules/system/udev.te

@@ -103,6 +103,8 @@ kernel_search_debugfs(udev_t)
 kernel_search_key(udev_t)
 # kpartx:
 kernel_get_sysvipc_info(udev_t)
+# needed as of systemd 255
+kernel_read_fs_sysctls(udev_t)
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)