more selinux fixes

net-analyzer/icinga2/Manifest

@@ -1,3 +1,2 @@
-AUX icinga2.initd-3 2390 BLAKE2B 1ead1dd958d978324dfa043abcc58be7ed389207e2bf4dc4786bd2705f94c70a03b84f34a55435f6d9dfcc0483e35da60c1f536dec1060bdc232108c622e0615 SHA512 a43911717fe891e70690647daa57426f70d10f9cb02c721962be4c13cfe8a95bc3ff84b9ba2a293adafc8ddacf8ea6771bd66e7ff6dabe3e732176bf6e6e474a
 DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
 EBUILD icinga2-2.11.3.ebuild 4615 BLAKE2B 15e2025925303b103de145a66ba3a04881cf6957e0f0ff6fcf5082ec5b47180cb06dcbc2f14dcf2bd9f0d1735c532a0980bb1d03f6ede46af07fdf7c3d064dff SHA512 2b365a8c1e5a14c528ea572e19a498f56389c32141a7e64d7e2af07095880986bc889fbc6a4b32ed1c71180b08579720c5bcfd6ec7ffd99abfa17fe8e59cb1a6

sec-policy/selinux-base-policy/Manifest

@@ -1,7 +1,11 @@
+AUX cron_allow_watch_crontabs.patch 305 BLAKE2B bcc4c3663c7100c8c40531e5a5832efeaad3cfe8ba343dd29976f84e62676bf21a5e5aaf38edfb5e2e3fa960fcaa3f6b15bdf5ce8532ccc6c4c2d201b664e680 SHA512 8ddacea7990bdbfec2cbb4d542f739704fe6e8379877c3c6578f09f5a93aac1f57cfedc4e7d0ccf13eb9d4c9269fe5817b4b9ad74c8907831de353c06558e0fc
+AUX git_portage_repo_fix.patch 366 BLAKE2B d78d6fe0913a51071ba4a594cbfdc2c665e98c14789e2bcd45a691c5d4a62ccfd6f4f802dd32e6792a346cc3f44fbd164b5a72eaf04efc75ea57b4d4f9c45d5a SHA512 ce4b013d7038a40f9dc25803fe7af94cfbab9cc071f8334c241f1704b1d410c3843c42c3c57fb0f2ef1e8274237fcaf355a168593b7fe6e9e14ba24c19d2e777
 AUX init_paths.patch 427 BLAKE2B adaa31a8df2ba0ad77b58a0b1bddfd9bcbd48e19c8790ac51f2e679463413c237e12977363ad6156fe329da0b976d277d352db19429870a6df9a50da223c9e9f SHA512 8275af9ef8a1ad2bd57bde249b6d7e72518897e4acc864170c69274f08e410c9b888820c9c936b2e8a7682663c5311e5d2a47da20acf9297da64eae4875d142c
 AUX init_read_syslog_config.patch 422 BLAKE2B 41814137d275eec4e6d801a318586c4040e22a512187a91dea9440026e2dc01dacc46404b7592ca71970c886b2a99f7d98989bfffc9e4e096042f13738a3003e SHA512 11cbed7bda6992a292e88628598026f8b1703b7ae258188d43e98ae140463bb5e28cfa64a9cc3864356f34b9089f79f51db4b60f2faeb05c03f8246e81d06737
+AUX logging_init_read_config.patch 400 BLAKE2B 91899869ab8ba4923e4e26ec16317d4e23734043df0d27f7693e6445669fc21e3948cd3082a3193e01ef368a967ec2d43fd5d1e0ed3172637bce1a5dc3c1c495 SHA512 06b38922971178e45492bb1a29d0d18990b8e00cc492571d78b0aaca1514f5dc0540d692fe2159afe51c09717ec02f7ea2cf795f0cfe62f566a107092bd602a0
 AUX mta_user_mail_newaliases.patch 406 BLAKE2B b8b23b24790267f301de0d6e17f9a25ac455dc3f6f7dee9f291c1e122d39fa125e86a4c5d1b3a8ac575576eebc3683b15fa1f7b8dee3016a8f046bb644ac7f42 SHA512 1515d0d79e7f33c80cebc5bd0babc2731595f31105de86df84d4940167693a274ae2271de3607369956750f22ab469fea8b247ba34cc8bb61f6a0a15d56a9328
 AUX portage_paths.patch 1745 BLAKE2B ec0d213d13ac0e1d1d9bd52d2811b37814c00c2f385af4a074267144976634d2bce66fd0b530e61924c7f3fc0abd3b0c5a9c6aab72c2834ff1cf935dff91edae SHA512 31933e1f8588d16b4f336b571ce388bc2a6204db7c99f242826c172fe9417f88cc7c40030a0712315539b1dcc2b4a56d54a194852d6123d9ef5f58750fc87ef2
+AUX sysadm_allow_watch.patch 317 BLAKE2B 5b54c9bcc242d6a8bc5ffb77d7774f325bb54dec9e370d25ce01b8597f91dee19b16aff9dd50bb12aa1420cb09ff463b3dc2ea6322c5fcc16f8f55274a438699 SHA512 730c9ad70817216f122ed4a7fad8931b6aec42e6dcc72f7e97ab1986b4d3900daeb1403380028db009c640fa4f1d1fff97e9c03913f24ba0023638b0782eb059
 DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
 DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
-EBUILD selinux-base-policy-2.20190609-r1.ebuild 3990 BLAKE2B a884c64c29bfea455af98463d44303ec6a81e2e62f9b9452617e7f28b1cc6505ab38317a1145d848e5751c4ceb87ff111f89336d5605906c53ee8f01630dc0f8 SHA512 bb3ceb178f4d4e081aae7954ae752e40e29b5921ccc898b4ad760b34535a2cec012b3b7c469553504b01186b93053ee9819f66cd40bc718e5dff4c7ba44f622a
+EBUILD selinux-base-policy-2.20190609-r1.ebuild 4113 BLAKE2B 6b340a9535c63ce7a9206a6929828ec5bda4e9bea2cfe9369d37332f4ccb48bea5cce7efd0bb20353d1e8572f0727944b207a494d00226660d240fcd602a7f66 SHA512 a2c75d9b362bb7f4f65aeb0cc3894f5df546c7cecc11bd7afa43e54873618eab799a678696fd672432944457f7269cde31975c0b2b9c8f980a4694c0a4709c84

sec-policy/selinux-base-policy/files/cron_allow_watch_crontabs.patch

@@ -0,0 +1,8 @@
+--- work/refpolicy/policy/modules/services/cron.te.orig	2020-05-17 19:58:38.079815252 +0200
++++ work/refpolicy/policy/modules/services/cron.te	2020-05-17 20:12:21.892774990 +0200
+@@ -779,3 +779,5 @@
+ optional_policy(`
+ 	unconfined_domain(unconfined_cronjob_t)
+ ')
++
++allow crond_t cron_spool_t:dir watch;

sec-policy/selinux-base-policy/files/git_portage_repo_fix.patch

@@ -0,0 +1,9 @@
+--- work/refpolicy/policy/modules/admin/portage.te.orig	2020-05-17 16:34:20.542137399 +0200
++++ work/refpolicy/policy/modules/admin/portage.te	2020-05-17 16:35:31.601142871 +0200
+@@ -538,3 +538,6 @@
+ 
+ 	files_manage_etc_runtime_files(portage_eselect_domain)
+ ')
++
++# required when using git to manage portage repositories
++allow portage_t portage_ebuild_t:file map;

sec-policy/selinux-base-policy/files/logging_init_read_config.patch

@@ -0,0 +1,10 @@
+--- work/refpolicy/policy/modules/system/logging.te.orig	2020-05-17 16:50:17.101211062 +0200
++++ work/refpolicy/policy/modules/system/logging.te	2020-05-17 16:51:46.283217930 +0200
+@@ -631,4 +631,7 @@
+ 	manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
+ 
+ 	files_rw_var_lib_dirs(syslogd_t)
++	
++	# openrc init script needs to read rsyslog config
++	logging_read_syslog_config(initrc_t)
+ ')

sec-policy/selinux-base-policy/files/sysadm_allow_watch.patch

@@ -0,0 +1,9 @@
+--- work/refpolicy/policy/modules/roles/sysadm.te.orig	2020-05-17 20:18:02.631758336 +0200
++++ work/refpolicy/policy/modules/roles/sysadm.te	2020-05-17 20:18:42.373756394 +0200
+@@ -1457,3 +1457,6 @@
+ 		vde_role(sysadm_r, sysadm_t)
+ 	')
+ ')
++
++allow sysadm_t file_type:file watch;
++allow sysadm_t file_type:dir watch;

sec-policy/selinux-base-policy/selinux-base-policy-2.20190609-r1.ebuild

@@ -34,6 +34,9 @@ PATCHES=(
 	${FILESDIR}/init_read_syslog_config.patch
 	${FILESDIR}/init_paths.patch
 	${FILESDIR}/mta_user_mail_newaliases.patch
+	${FILESDIR}/git_portage_repo_fix.patch
+	${FILESDIR}/sysadm_allow_watch.patch
+	${FILESDIR}/cron_allow_watch_crontabs.patch
 )
 
 # Code entirely copied from selinux-eclass (cannot inherit due to dependency on

sec-policy/selinux-feffe-policies/files/feffe.if

@@ -0,0 +1 @@
+## <summary></summary>

sec-policy/selinux-feffe-policies/files/feffe.te

@@ -1,5 +1,23 @@
 policy_module(feffe, 1.0)
 
+
+gen_require(`
+  attribute file_type;
+
+  type devicekit_disk_t;
+  type etc_t;
+
+  type mozilla_t;
+  type xdg_cache_t;
+  type fs_t;
+')
+
+dontaudit user_t file_type:file watch;
+dontaudit user_t file_type:dir watch;
+dontaudit devicekit_disk_t etc_t:dir watch;
+dontaudit mozilla_t xdg_cache_t:file { read write };
+dontaudit mozilla_t fs_t:filesystem quotaget;
+
 gen_tunable(feffe_cron_sync_to_home, false)
 tunable_policy(`feffe_cron_sync_to_home',`
   gen_require(`
@@ -45,6 +63,9 @@ tunable_policy(`feffe_use_xdm',`
 gen_tunable(feffe_xscreensaver_read_home, false)
 tunable_policy(`feffe_xscreensaver_read_home',`
   gen_require(`
+    attribute user_home_content_type;
+    attribute non_security_file_type;
+
     type user_t;
     type xscreensaver_helper_t;
     type xscreensaver_t;
@@ -54,11 +75,6 @@ tunable_policy(`feffe_xscreensaver_read_home',`
     type bin_t;
     type xscreensaver_helper_exec_t;
     type fs_t;
-
-    type usr_t;
-    type var_t;
-    type xdg_data_t;
-    type xauth_home_t;
     type xserver_t;
   ')
   dev_rw_dri(xscreensaver_helper_t)
@@ -76,22 +92,16 @@ tunable_policy(`feffe_xscreensaver_read_home',`
   search_dirs_pattern(xscreensaver_helper_t, bin_t, bin_t)
   exec_files_pattern(xscreensaver_helper_t, xscreensaver_helper_exec_t, xscreensaver_helper_exec_t)
   exec_files_pattern(xscreensaver_helper_t, bin_t, bin_t)
+  allow xscreensaver_helper_t self:unix_stream_socket { create getattr connect write read shutdown };
+  read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)
 
   allow xscreensaver_t fs_t:filesystem getattr;
   xdg_manage_cache(xscreensaver_helper_t)
 
-  allow xscreensaver_helper_t self:unix_stream_socket create_stream_socket_perms;
-  allow xscreensaver_helper_t xserver_t:fd use;
-  allow xscreensaver_t self:process execmem;
-
-  read_files_pattern(xscreensaver_helper_t, xauth_home_t, xauth_home_t)
-
-  dontaudit xscreensaver_helper_t usr_t:file map;
-  dontaudit xscreensaver_helper_t usr_t:dir search;
-  dontaudit xscreensaver_helper_t var_t:dir search;
-  dontaudit xscreensaver_helper_t xdg_data_t:dir search;
-  dontaudit xscreensaver_helper_t self:process setsched;
-  dontaudit xscreensaver_t xdg_config_t:dir search;
-  dontaudit xscreensaver_t xdg_data_t:dir search;
+  dontaudit xscreensaver_helper_t non_security_file_type:file map;
+  dontaudit xscreensaver_helper_t non_security_file_type:dir search;
+  dontaudit xscreensaver_helper_t xserver_t:fd use;
+  dontaudit xscreensaver_t self:process execmem;
+  dontaudit xscreensaver_t user_home_content_type:dir search;
 ')
 

sec-policy/selinux-feffe-policies/files/tmp/iferror.m4

@@ -0,0 +1 @@
+ifdef(`__if_error',`m4exit(1)')

sec-policy/selinux-icinga2/Manifest

@@ -1,3 +1,3 @@
-AUX gentoonize.patch 3569 BLAKE2B 74c61ba9ae303e2cc7eb6496ea16d6ba534879618b34021cee0d489b459ea92eb0bdc0df7a91e56660c26525ece2d401b600be62a05be82ded98557fc82e27ed SHA512 bcaedd688e81c0bcc92c3cc207680b59e3cead3bc5e6e5503fb3feacb073484215d1584574aa407e4889c4fded3d6010b7d49fa0a10ea6b96bd32cebe63c7b84
+AUX gentoonize.patch 4876 BLAKE2B a096dbc55548da123ca15a0d4c49f243932b4ef123e9ce01618122e1eb8979b7d4050379487adfbef16ff02f14331213d7cc2b664fb6d9def1b6c7a585788d18 SHA512 1c276c82530adc64d12777632bbdbbb0213d59641635705559d837cb9926b7d8d41cadf553e673c686e622c193dcb67b1cb35d6324342261df0858ff47293a44
 DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
-EBUILD selinux-icinga2-2.11.3.ebuild 1071 BLAKE2B e65ac5f13b2dc0bd4c78ca1234dc1e4f4fc62265f1e0fa6fb4cd5fadff5429255b29000277b49fc4d3e94db8b48f09d4c866854e6157f6fff8f5c32270ee58c6 SHA512 12e7311ba0a229e6f7872770693be2dd37e6ce2887f3f7a627cb3602b542faf14f51fe75f8faa2d5d990e1ebd175fa8682bb38499a774f6d6bd8183142a03f13
+EBUILD selinux-icinga2-2.11.3.ebuild 1077 BLAKE2B 54fffd47616853ad07a35d996dbd2efe68d248fbfb05dd37de09c40fa18fb581ece81101595a03ec9f13a9c372a9dea2e1e9ae91f744a046bca5282d3c298d96 SHA512 8d170b5a8a414ff1bfa4aaaa862f872d739dba40154c715137c028c5699b5bae058e7ede17907fa5ed5f33d021bb3a99663f431ff07e0f15197c4be06f6f188d

sec-policy/selinux-icinga2/files/gentoonize.patch

@@ -1,6 +1,14 @@
---- icinga2-2.11.3/tools/selinux/icinga2.te.orig	2020-05-17 12:42:51.052067797 +0200
-+++ icinga2-2.11.3/tools/selinux/icinga2.te	2020-05-17 12:51:19.989106989 +0200
-@@ -58,7 +58,6 @@
+--- icinga2-2.11.3/tools/selinux/icinga2.te.orig	2020-05-17 18:29:52.446884000 +0200
++++ icinga2-2.11.3/tools/selinux/icinga2.te	2020-05-17 18:39:00.603857209 +0200
+@@ -41,7 +41,6 @@
+ 	type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
+ 	type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
+ 	type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
+-	type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
+ 	type httpd_t; type system_mail_t;
+ 	type devlog_t;
+ 	role staff_r;
+@@ -58,7 +57,6 @@
  init_script_file(icinga2_initrc_exec_t)
  
  type icinga2_unit_file_t;
@@ -8,7 +16,15 @@
  
  type icinga2_etc_t;
  files_config_file(icinga2_etc_t)
-@@ -176,7 +175,6 @@
+@@ -155,7 +153,6 @@
+ icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
+ icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
+ icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
+-icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+ 
+ # should be moved nagios.te
+ nagios_plugin_template(notification)
+@@ -176,7 +173,6 @@
  ')
  icinga2_dontaudit_leaks_fifo(system_mail_t)
  # hipsaint notification
@@ -16,7 +32,7 @@
  sysnet_read_config(nagios_notification_plugin_t)
  allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
  allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
-@@ -216,20 +214,9 @@
+@@ -216,19 +212,8 @@
      selinux_compute_access_vector(icinga2_t)
  
      dbus_send_system_bus(icinga2_t)
@@ -24,22 +40,32 @@
 -    systemd_dbus_chat_logind(icinga2_t)
 -    # Without this it works but is very slow
 -    systemd_write_inherited_logind_sessions_pipes(icinga2_t)
--')
--
+ ')
+ 
 -optional_policy(`
 -    tunable_policy(`icinga2_run_sudo',`
 -        sudo_exec(icinga2_t)
 -    ')
- ')
- 
- 
+-')
 -
+-
+ 
  ########################################
  #
- # Icinga Webinterfaces
-@@ -273,3 +260,26 @@
+@@ -254,6 +239,8 @@
+ # Icinga2 Admin Role
+ #
+ 
++role icinga2adm_r;
++
+ userdom_unpriv_user_template(icinga2adm)
+ 
+ icinga2_admin(icinga2adm_t, icinga2adm_r)
+@@ -271,5 +258,27 @@
+ icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
+ icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
  icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
- icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+-icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
  icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
 +
 +# Feffestuff
@@ -64,8 +90,8 @@
 +	postfix_exec_master(nagios_mail_plugin_t)
 +	postfix_domtrans_postqueue(nagios_mail_plugin_t)
 +')
---- icinga2-2.11.3/tools/selinux/icinga2.if.orig	2020-05-17 12:42:59.181068423 +0200
-+++ icinga2-2.11.3/tools/selinux/icinga2.if	2020-05-17 12:44:26.659075160 +0200
+--- icinga2-2.11.3/tools/selinux/icinga2.if.orig	2020-05-17 18:44:49.111840177 +0200
++++ icinga2-2.11.3/tools/selinux/icinga2.if	2020-05-17 18:45:18.317838749 +0200
 @@ -40,30 +40,6 @@
  
  ########################################
@@ -97,6 +123,15 @@
  ##      Allow the specified domain to read
  ##      icinga2 configuration files.
  ## </summary>
+@@ -289,7 +265,7 @@
+ 	allow $1 icinga2_t:process { signal_perms };
+ 	ps_process_pattern($1, icinga2_t)
+ 
+-    tunable_policy(`deny_ptrace',`',`
++    tunable_policy(`allow_ptrace',`
+         allow $1 icinga2_t:process ptrace;
+     ')
+ 
 @@ -312,14 +288,8 @@
  	admin_pattern($1, icinga2_spool_t)
  	admin_pattern($1, icinga2_cache_t)

sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild

@@ -32,7 +32,7 @@ src_compile() {
 src_install() {
 	for i in ${POLICY_TYPES}; do
 		mkdir -p "${D}/usr/share/selinux/${i}"
-		mv "${S}/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"
+		mv "${S}/tools/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"
 	done
 }