authorRussell Coker <russell@coker.com.au>2023-09-26 01:44:52 +1000
committerKenton Groombridge <concord@gentoo.org>2023-10-06 11:30:09 -0400
commitab9b49a1d782ac96a73b4b1553992528a599d8d6 (patch)
tree2a9b33b6973c510863b1f4b235f8a56b1eb9c5cc
parentsmall ntp and dns changes (#703) (diff)
small network patches (#707)
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn, ppp and rpc Signed-off-by: Russell Coker <russell@coker.com.au> * Fixed typo in interface name Signed-off-by: Russell Coker <russell@coker.com.au> * Add interface libs_watch_shared_libs_dir Signed-off-by: Russell Coker <russell@coker.com.au> * Added sysnet_watch_config_dir interface Signed-off-by: Russell Coker <russell@coker.com.au> * renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs Signed-off-by: Russell Coker <russell@coker.com.au> * rename sysnet_watch_config_dir to sysnet_watch_config_dirs Signed-off-by: Russell Coker <russell@coker.com.au> * Reverted a change as I can't remember why I did it. Signed-off-by: Russell Coker <russell@coker.com.au> --------- Signed-off-by: Russell Coker <russell@coker.com.au> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/admin/netutils.te1
-rw-r--r--policy/modules/services/firewalld.te3
-rw-r--r--policy/modules/services/ftp.fc6
-rw-r--r--policy/modules/services/ftp.te9
-rw-r--r--policy/modules/services/inetd.te2
-rw-r--r--policy/modules/services/networkmanager.te11
-rw-r--r--policy/modules/services/openvpn.te1
-rw-r--r--policy/modules/services/ppp.fc1
-rw-r--r--policy/modules/services/ppp.te2
-rw-r--r--policy/modules/services/rpc.te6
-rw-r--r--policy/modules/system/libraries.if18
-rw-r--r--policy/modules/system/sysnetwork.if18
12 files changed, 74 insertions, 4 deletions
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5fef6a31a..3c43a1d84 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -146,6 +146,7 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
userdom_use_inherited_user_terminals(ping_t)
+term_use_unallocated_ttys(ping_t)
optional_policy(`
munin_append_log(ping_t)
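Review bot: The added `term_use_unallocated_ttys(ping_t)` carries no comment saying which invocation needs it, and it widens ping's terminal access beyond the inherited user terminal already granted on the line above. Unallocated ttys are the pre-login terminal type, so this presumably covers ping being run from a tty that no login program has relabelled (a rescue or service console, for instance) — the commit message does not say. A one-line why-comment such as `# ping run from a tty not yet relabelled by login (e.g. rescue console) -- confirm` would let the next maintainer judge whether the rule is still needed, and if the original denial was only getattr/ioctl noise a dontaudit would be the narrower alternative. The optional_policy block that follows continues outside the hunk.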
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 954a348f0..eb097753f 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
allow firewalld_t self:udp_socket create_socket_perms;
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
allow firewalld_t firewalld_etc_rw_t:dir watch;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+allow firewalld_t firewalld_etc_rw_t:dir watch;
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
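Review bot: Both added rules in this hunk are exact duplicates of lines already present in the context: `allow firewalld_t self:netlink_netfilter_socket create_socket_perms;` already appears two lines above the new copy, and `allow firewalld_t firewalld_etc_rw_t:dir watch;` already appears before the manage_*_pattern calls. Duplicate allow rules compile silently, so the build will not catch this, but they add no access and leave the next reader wondering whether the two copies were meant to differ. Drop the two `+` lines; if a different permission on either object was actually denied, that permission should be named instead of repeating the existing rule.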
@@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t)
libs_watch_lib_dirs(firewalld_t)
+miscfiles_read_generic_certs(firewalld_t)
miscfiles_read_localization(firewalld_t)
seutil_exec_setfiles(firewalld_t)
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index b90598fed..a58851e58 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_etc_t,s0)
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
@@ -22,8 +23,10 @@
/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_runtime_t,s0)
/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
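Review bot: The new `/usr/sbin/pure-ftpd` entry is an exact match with `--`, so backend-specific daemon binaries that some packages install next to it (pure-ftpd-mysql, pure-ftpd-ldap, pure-ftpd-postgresql — confirm against the target distribution) would keep the generic bin label and start without a transition into ftpd_t, i.e. unconfined relative to this module. If such binaries exist, a pattern like `/usr/sbin/pure-ftpd(-[a-z]+)? -- gen_context(system_u:object_r:ftpd_exec_t,s0)` would cover them, but check that a launcher script such as a pure-ftpd-wrapper is not swept in, since labelling it ftpd_exec_t would transition before the real daemon is exec'd. Separately, the `/run/proftpd.*` line is removed and re-added with only whitespace changed, which inflates the diff with no semantic effect.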
@@ -31,6 +34,7 @@
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index a3ff66feb..3a638a72c 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -175,6 +175,7 @@ allow ftpd_t self:tcp_socket { accept listen };
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;
+allow ftpd_t ftpd_etc_t:dir list_dir_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_keytab_t:file read_file_perms;
@@ -191,6 +192,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+allow ftpd_t ftpd_runtime_t:file map;
manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
@@ -400,6 +402,13 @@ optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
+optional_policy(`
+ systemd_connect_machined(ftpd_t)
+ systemd_dbus_chat_logind(ftpd_t)
+ systemd_read_logind_state(ftpd_t)
+ systemd_write_inherited_logind_sessions_pipes(ftpd_t)
+')
+
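Review bot: The new optional_policy block grants ftpd_t D-Bus chat with logind and a connection to machined without a comment saying what triggers it. The set (connect_machined, dbus_chat_logind, read_logind_state, write_inherited_logind_sessions_pipes) looks like what pam_systemd session registration needs and appears to mirror what other PAM login daemons in the tree receive, but neither the hunk nor the commit message says which ftp daemon (pure-ftpd, newly labelled in ftp.fc?) prompted it. Add a why-comment at the top of the block, e.g. `# pam_systemd session registration at ftp login (seen with pure-ftpd) -- confirm`, so the logind access can be re-evaluated later rather than carried forward blindly. The ftpd_t policy section continues outside the hunk.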
########################################
#
# Ctl local policy
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index a74722c23..33af29d9b 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -33,7 +33,7 @@ files_tmp_file(inetd_child_tmp_t)
# Local policy
#
-allow inetd_t self:capability { setgid setuid sys_resource };
+allow inetd_t self:capability { kill setgid setuid sys_resource };
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process { setsched setexec setrlimit };
allow inetd_t self:fifo_file rw_fifo_file_perms;
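Review bot: Adding `kill` to inetd_t's self:capability only satisfies the DAC side of signalling a process with a different uid; the SELinux `process signal`/`sigkill` check against the target's domain is separate and is not touched by this hunk, so if the denial came from inetd killing a setuid child running in inetd_child_t, that second rule must already exist elsewhere in the file. The hunk does not record why the capability is needed; a short comment, `# kill: signal setuid children on service shutdown -- confirm`, would capture the reason for the next reviewer. The local policy section continues outside the hunk.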
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 1f521643b..4494d0012 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -47,7 +47,7 @@ ifdef(`distro_gentoo',`
# Local policy
#
-allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
+allow NetworkManager_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config };
allow NetworkManager_t self:capability2 wake_alarm;
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
@@ -153,7 +153,9 @@ files_read_usr_src_files(NetworkManager_t)
files_watch_etc_dirs(NetworkManager_t)
fs_getattr_all_fs(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
+fs_search_tmpfs(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
mls_file_read_all_levels(NetworkManager_t)
@@ -169,6 +171,8 @@ init_get_system_status(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
+libs_watch_shared_libs_dirs(NetworkManager_t)
+
logging_send_audit_msgs(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t)
@@ -192,6 +196,7 @@ sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_watch_config_dirs(NetworkManager_t)
# certificates in user home directories (cert_home_t in ~/\.pki)
userdom_read_user_certs(NetworkManager_t)
@@ -224,6 +229,10 @@ optional_policy(`
')
optional_policy(`
+ chronyd_domtrans_cli(NetworkManager_t)
+')
+
+optional_policy(`
cron_read_system_job_lib_files(NetworkManager_t)
')
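Review bot: `chronyd_domtrans_cli(NetworkManager_t)` is added without a comment explaining the transition; the likely trigger is chrony's NetworkManager dispatcher script running `chronyc onoffline` when a connection changes state, but neither the hunk nor the commit message says so. Because a domtrans interface means NetworkManager_t can now launch the chronyc domain (which presumably reaches chronyd's command channel), a why-comment such as `# chrony's NM dispatcher script runs chronyc onoffline -- confirm` inside the optional_policy block would let reviewers decide whether the rule belongs on NetworkManager_t or on the dispatcher's domain. The run of optional_policy blocks continues outside the hunk.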
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index e97730fbd..c92925ca1 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -129,6 +129,7 @@ files_read_etc_runtime_files(openvpn_t)
fs_getattr_all_fs(openvpn_t)
fs_search_auto_mountpoints(openvpn_t)
+fs_search_tmpfs(openvpn_t)
auth_use_pam(openvpn_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 98b57f108..c4dd850f9 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -8,6 +8,7 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp/ip-pre-up -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
/usr/bin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
/usr/bin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 47111375d..70d52ca44 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -86,6 +86,7 @@ allow pppd_t self:socket create_socket_perms;
allow pppd_t self:netlink_route_socket nlmsg_write;
allow pppd_t self:tcp_socket { accept listen };
allow pppd_t self:packet_socket create_socket_perms;
+allow pppd_t self:pppox_socket { connect create ioctl };
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
@@ -108,6 +109,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
manage_dirs_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
manage_files_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+allow pppd_t pppd_runtime_t:file map;
files_runtime_filetrans(pppd_t, pppd_runtime_t, { dir file })
can_exec(pppd_t, pppd_exec_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 63693603f..bfcb8fa8a 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -121,6 +121,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domain)
fs_rw_rpc_named_pipes(rpc_domain)
fs_search_auto_mountpoints(rpc_domain)
+fs_watch_rpc_pipefs_dirs(rpc_domain)
files_read_etc_runtime_files(rpc_domain)
files_read_usr_files(rpc_domain)
@@ -312,7 +313,8 @@ optional_policy(`
# NFSD local policy
#
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource lease };
+allow nfsd_t self:process setcap;
allow nfsd_t exports_t:file read_file_perms;
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
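Review bot: The new capability list on nfsd_t is no longer sorted — `lease` is appended after `sys_resource` instead of sitting between `dac_read_search` and `setpcap`, which is the alphabetical ordering every other capability line in this diff follows (see the inetd_t and NetworkManager_t lines). Suggest `allow nfsd_t self:capability { dac_override dac_read_search lease setpcap sys_admin sys_resource };`. `setpcap` together with `process setcap` lets the daemon alter its own capability sets; if this is only rpc.nfsd dropping capabilities at startup, a comment saying so would justify allowing both rather than dontauditing them. The nfsd_t section continues outside the hunk.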
@@ -342,6 +344,8 @@ fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
fs_list_nfsd_fs(nfsd_t)
+fs_list_rpc(nfsd_t)
+
fs_watch_nfsd_dirs(nfsd_t)
fs_watch_nfsd_files(nfsd_t)
fs_rw_nfsd_fs(nfsd_t)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index faf172ce3..00128ef6d 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -532,6 +532,24 @@ interface(`libs_legacy_use_shared_libs',`
########################################
## <summary>
+## watch lib dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_watch_shared_libs_dirs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:dir watch;
+')
+
+########################################
+## <summary>
## Relabel to and from the type used for
## shared libraries.
## </summary>
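Review bot: The new `libs_watch_shared_libs_dirs` grants exactly `lib_t:dir watch`, yet the firewalld.te context earlier in this same diff already calls `libs_watch_lib_dirs(firewalld_t)`, so an interface for watching library directories appears to exist already; if it grants the same permission, this one is a duplicate and NetworkManager_t should call the existing interface instead of introducing a second name for the same rule (the commit message shows the name was renamed twice without mention of checking for an existing equivalent). If there is a genuine difference, the summary should state it; as written, `## watch lib dirs` also does not follow the sentence-style summaries of the neighbouring interfaces — `## Watch shared library directories.` would match.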
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 70e873fe6..f41024669 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -569,6 +569,24 @@ interface(`sysnet_manage_config',`
#######################################
## <summary>
+## Watch a network config dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_watch_config_dirs',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:dir watch;
+')
+
+#######################################
+## <summary>
## Read dhcp client runtime files.
## </summary>
## <param name="domain">
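Review bot: The summary `## Watch a network config dir` describes a single directory while the interface is named `sysnet_watch_config_dirs` and grants watch on every directory labelled `net_conf_t`; `## Watch network configuration directories.` would match both the name and the surrounding interfaces' style. A second description line, `## Allow receiving filesystem watch (inotify-style) events for net_conf_t directories.`, would also help, since `watch` is a newer permission readers may not recognise. The next interface's documentation block continues outside the hunk.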