Merge pull request #1062 from 0xC0ncord/various-20251113

Various fixes

Author: pebenito

policy/modules/admin/netutils.te

@@ -35,6 +35,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 # Perform network administration operations and have raw access to the network.
 allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
+# For running tcpdump in another namespace.
+allow netutils_t self:cap_userns net_raw;
 allow netutils_t self:process { getcap setcap signal_perms };
 # netlink_generic_socket for nmap.
 allow netutils_t self:netlink_generic_socket create_socket_perms;

policy/modules/services/container.te

@@ -365,10 +365,10 @@ allow container_domain container_ro_file_t:dir_file_class_set { watch watch_moun
 fs_tmpfs_filetrans(container_domain, container_tmpfs_t, { dir file fifo_file lnk_file sock_file })
 manage_dirs_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 mmap_manage_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
-mmap_exec_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_fifo_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_lnk_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_sock_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
+can_exec(container_domain, container_tmpfs_t)
 allow container_domain container_tmpfs_t:dir_file_class_set { watch watch_mount watch_reads watch_sb watch_with_perm };
 
 can_exec(container_domain, container_file_t)

policy/modules/services/crio.te

@@ -36,8 +36,13 @@ files_mounton_etc_dirs(crio_t)
 # watch /usr/share/containers/oci/hooks.d
 files_watch_usr_dirs(crio_t)
 
+fs_create_bpf_dirs(crio_t)
+fs_manage_bpf_files(crio_t)
+
 kernel_dgram_send(crio_t)
 kernel_read_irq_sysctls(crio_t)
+kernel_read_vm_overcommit_sysctl(crio_t)
+kernel_request_load_module(crio_t)
 
 auth_use_nsswitch(crio_t)
 
@@ -50,6 +55,8 @@ container_read_home_config(crio_t)
 
 container_watch_config_dirs(crio_t)
 
+crio_read_conmon_state(crio_t)
+
 # Ensure conmon runs in s0 so that it can talk to the container
 podman_spec_rangetrans_conmon(crio_t, s0)
 

policy/modules/services/kanidm.te

@@ -97,6 +97,11 @@ miscfiles_read_generic_certs(kanidmd_t)
 
 userdom_use_inherited_user_terminals(kanidmd_t)
 
+ifdef(`init_systemd',`
+	systemd_StateDirectory(kanidm_var_lib_t)
+	systemd_RuntimeDirectory(kanidmd_runtime_t)
+')
+
 optional_policy(`
 	certbot_read_lib(kanidmd_t)
 ')
@@ -151,6 +156,12 @@ logging_send_syslog_msg(kanidm_unixd_t)
 
 userdom_use_inherited_user_terminals(kanidm_unixd_t)
 
+ifdef(`init_systemd',`
+	systemd_CacheDirectory(kanidm_unixd_cache_t)
+	systemd_StateDirectory(kanidm_unixd_var_lib_t)
+	systemd_RuntimeDirectory(kanidm_unixd_runtime_t)
+')
+
 ########################################
 #
 # kanidm-unixd-tasks local policy

policy/modules/services/podman.te

@@ -91,6 +91,9 @@ ifdef(`init_systemd',`
 	systemd_read_journal_files(podman_t)
 	systemd_watch_journal_dirs(podman_t)
 
+	# aardvark-dns watches resolv.conf
+	systemd_watch_resolved_runtime(podman_t)
+
 	# podman auto-update will restart the unit for
 	# the container when it is updated
 	container_start_units(podman_t)

policy/modules/services/tuned.te

@@ -29,10 +29,12 @@ files_runtime_file(tuned_runtime_t)
 # Local policy
 #
 
-allow tuned_t self:capability { sys_admin sys_nice };
+allow tuned_t self:capability { sys_admin sys_nice sys_ptrace };
 dontaudit tuned_t self:capability { dac_override sys_tty_config };
+allow tuned_t self:cap_userns sys_ptrace;
 allow tuned_t self:process { setsched signal };
 allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
 exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
@@ -50,12 +52,16 @@ manage_files_pattern(tuned_t, tuned_runtime_t, tuned_runtime_t)
 manage_dirs_pattern(tuned_t, tuned_runtime_t, tuned_runtime_t)
 files_runtime_filetrans(tuned_t, tuned_runtime_t, { dir file })
 
+kernel_getattr_proc(tuned_t)
 kernel_read_system_state(tuned_t)
 kernel_read_network_state(tuned_t)
 kernel_read_kernel_sysctls(tuned_t)
 kernel_request_load_module(tuned_t)
+kernel_rw_fs_sysctls(tuned_t)
 kernel_rw_kernel_sysctl(tuned_t)
 kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_net_sysctls(tuned_t)
+kernel_rw_vm_overcommit_sysctl(tuned_t)
 kernel_rw_vm_sysctls(tuned_t)
 
 corecmd_exec_bin(tuned_t)
@@ -67,20 +73,43 @@ dev_read_urand(tuned_t)
 dev_rw_sysfs(tuned_t)
 dev_rw_pmqos(tuned_t)
 
+# enumerate all running processes
+domain_read_all_domains_state(tuned_t)
+
 files_read_usr_files(tuned_t)
 files_dontaudit_search_home(tuned_t)
 files_dontaudit_list_tmp(tuned_t)
 
 fs_getattr_xattr_fs(tuned_t)
 
+selinux_get_fs_mount(tuned_t)
+# set SELinux cache_threshold
+selinux_set_parameters(tuned_t)
+
+auth_use_nsswitch(tuned_t)
+
+libs_exec_ldconfig(tuned_t)
+
 logging_send_syslog_msg(tuned_t)
 
+miscfiles_read_generic_certs(tuned_t)
 miscfiles_read_localization(tuned_t)
 
+seutil_dontaudit_search_config(tuned_t)
+
 udev_read_runtime_files(tuned_t)
 
 userdom_dontaudit_search_user_home_dirs(tuned_t)
 
+ifdef(`init_systemd',`
+	init_get_system_status(tuned_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(tuned_t)
+	dbus_connect_system_bus(tuned_t)
+')
+
 optional_policy(`
 	fstools_domtrans(tuned_t)
 ')

policy/modules/system/init.if

@@ -421,6 +421,56 @@ interface(`init_named_socket_activation',`
 	')
 ')
 
+#########################################
+## <summary>
+##	Automatic creation of unit directories (systemd).
+##	This interface should only be used for non-runtime
+##	directories, as systemd will not automatically
+##	delete them when the unit is stopped. For runtime
+##	directories, use init_manage_abstract_unit_dir().
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the directory to create.
+##	</summary>
+## </param>
+#
+interface(`init_create_abstract_unit_dir',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:dir { create_dir_perms setattr };
+	')
+')
+
+#########################################
+## <summary>
+##	Automatic management of unit directories (systemd).
+##	This interface should only be used for runtime
+##	directories, as systemd will automatically delete
+##	them when the unit is stopped. For non-runtime
+##	directories, use init_create_abstract_unit_dir().
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the directory to manage.
+##	</summary>
+## </param>
+#
+interface(`init_manage_abstract_unit_dir',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:dir manage_dir_perms;
+		allow init_t $1:file delete_file_perms;
+		allow init_t $1:sock_file delete_sock_file_perms;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Create a domain for short running processes

policy/modules/system/init.te

@@ -618,6 +618,9 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		container_remount_fs(init_t)
+		container_run_system_engine_bpf(init_t)
+
+		fs_manage_bpf_files(init_t)
 	')
 
 	optional_policy(`

policy/modules/system/systemd.if

@@ -1182,6 +1182,86 @@ interface(`systemd_PrivateDevices',`
 	fs_read_tmpfs_symlinks($1)
 ')
 
+######################################
+## <summary>
+##   Allow systemd to create a directory with a private type
+##   via the CacheDirectory= directive in the [Service] section
+##   of the unit.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of the directory to create.
+##	</summary>
+## </param>
+#
+interface(`systemd_CacheDirectory',`
+	init_create_abstract_unit_dir($1)
+')
+
+######################################
+## <summary>
+##   Allow systemd to create a directory with a private type
+##   via the StateDirectory= directive in the [Service] section
+##   of the unit.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of the directory to create.
+##	</summary>
+## </param>
+#
+interface(`systemd_StateDirectory',`
+	init_create_abstract_unit_dir($1)
+')
+
+######################################
+## <summary>
+##   Allow systemd to create a directory with a private type
+##   via the LogDirectory= directive in the [Service] section
+##   of the unit.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of the directory to create.
+##	</summary>
+## </param>
+#
+interface(`systemd_LogDirectory',`
+	init_create_abstract_unit_dir($1)
+')
+
+######################################
+## <summary>
+##   Allow systemd to create a directory with a private type
+##   via the ConfigurationDirectory= directive in the [Service] section
+##   of the unit.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of the directory to create.
+##	</summary>
+## </param>
+#
+interface(`systemd_ConfigurationDirectory',`
+	init_create_abstract_unit_dir($1)
+')
+
+######################################
+## <summary>
+##   Allow systemd to manage a directory with a private type
+##   via the RuntimeDirectory= directive in the [Service] section
+##   of the unit.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of the directory to manage.
+##	</summary>
+## </param>
+#
+interface(`systemd_RuntimeDirectory',`
+	init_manage_abstract_unit_dir($1)
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
@@ -2799,6 +2879,24 @@ interface(`systemd_read_resolved_runtime',`
 	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 
+#######################################
+## <summary>
+##  Allow domain to watch resolv.conf file generated by systemd_resolved
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_resolved_runtime',`
+	gen_require(`
+		type systemd_resolved_runtime_t;
+	')
+
+	allow $1 systemd_resolved_runtime_t:file watch;
+')
+
 #######################################
 ## <summary>
 ##  Allow domain to read directory containing resolv.conf

policy/modules/system/systemd.te

@@ -260,6 +260,7 @@ files_type(systemd_pstore_var_lib_t)
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_daemon_domain(systemd_resolved_t, systemd_resolved_exec_t)
+init_named_socket_activation(systemd_resolved_t, systemd_resolved_runtime_t)
 
 type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
 files_runtime_file(systemd_resolved_runtime_t)
@@ -2332,6 +2333,7 @@ can_exec(systemd_user_session_type, systemd_generator_exec_t)
 
 dev_write_sysfs_dirs(systemd_user_session_type)
 dev_read_sysfs(systemd_user_session_type)
+dev_dontaudit_getattr_generic_blk_files(systemd_user_session_type)
 
 domain_getattr_all_entry_files(systemd_user_session_type)