Merge pull request SELinuxProject#751 from cgzones/selint

SELint updates
cgzones · Jan 16, 2024 · a81eefc · a81eefc
2 parents 9c3fca3 + ee176fe
commit a81eefc
Show file tree

Hide file tree

Showing 12 changed files with 40 additions and 27 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -28,8 +28,7 @@ jobs:
       uses: actions/checkout@v3
       with:
         repository: SELinuxProject/selint
-        # support exclusions in interface arguments
-        ref: 'v1.3.0'
+        ref: 'v1.5.0'
         path: selint
 
     - name: Build SELint

diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
@@ -136,7 +136,6 @@ interface(`chromium_domtrans',`
 	gen_require(`
 		type chromium_t;
 		type chromium_exec_t;
-		class dbus send_msg;
 	')
 
 	corecmd_search_bin($1)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
@@ -569,7 +569,7 @@ allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec
 allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch };
 allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch };
 
-allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload };
+allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload }; #selint-disable:W-001
 
 allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch };
 allow kern_unconfined unlabeled_t:lnk_file  { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
@@ -53,11 +53,8 @@ miscfiles_read_localization(devicekit_t)
 optional_policy(`
 	dbus_system_bus_client(devicekit_t)
 
-	allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-')
-
-optional_policy(`
-	xserver_dbus_chat_xdm(devicekit_power_t)
+	devicekit_dbus_chat_disk(devicekit_t)
+	devicekit_dbus_chat_power(devicekit_t)
 ')
 
 ########################################
@@ -154,8 +151,6 @@ userdom_search_user_home_dirs(devicekit_disk_t)
 optional_policy(`
 	dbus_system_bus_client(devicekit_disk_t)
 
-	allow devicekit_disk_t devicekit_t:dbus send_msg;
-
 	optional_policy(`
 		policykit_dbus_chat(devicekit_disk_t)
 	')
@@ -294,8 +289,6 @@ optional_policy(`
 	dbus_system_bus_client(devicekit_power_t)
 	init_dbus_chat(devicekit_power_t)
 
-	allow devicekit_power_t devicekit_t:dbus send_msg;
-
 	optional_policy(`
 		networkmanager_dbus_chat(devicekit_power_t)
 	')
@@ -307,6 +300,10 @@ optional_policy(`
 	optional_policy(`
 		rpm_dbus_chat(devicekit_power_t)
 	')
+
+	optional_policy(`
+		xserver_dbus_chat_xdm(devicekit_power_t)
+	')
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
@@ -28,13 +28,11 @@
 #
 template(`postgresql_role',`
 	gen_require(`
-		class db_database all_db_database_perms;
 		class db_schema all_db_schema_perms;
 		class db_table all_db_table_perms;
 		class db_sequence all_db_sequence_perms;
 		class db_view all_db_view_perms;
 		class db_procedure all_db_procedure_perms;
-		class db_language all_db_language_perms;
 		class db_column all_db_column_perms;
 		class db_tuple all_db_tuple_perms;
 		class db_blob all_db_blob_perms;
@@ -462,13 +460,11 @@ interface(`postgresql_stream_connect',`
 #
 interface(`postgresql_unpriv_client',`
 	gen_require(`
-		class db_database all_db_database_perms;
 		class db_schema all_db_schema_perms;
 		class db_table all_db_table_perms;
 		class db_sequence all_db_sequence_perms;
 		class db_view all_db_view_perms;
 		class db_procedure all_db_procedure_perms;
-		class db_language all_db_language_perms;
 		class db_column all_db_column_perms;
 		class db_tuple all_db_tuple_perms;
 		class db_blob all_db_blob_perms;

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
@@ -367,7 +367,7 @@ template(`xserver_common_x_domain_template',`
 		attribute input_xevent_type;
 
 		class x_drawable all_x_drawable_perms;
-		class x_property all_x_property_perms;
+		#class x_property all_x_property_perms;
 		class x_event all_x_event_perms;
 		class x_synthetic_event all_x_synthetic_event_perms;
 	')

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
@@ -1189,6 +1189,7 @@ interface(`init_dontaudit_search_keys',`
 #
 interface(`init_start_system',`
 	gen_require(`
+		class system { start };
 		type init_t;
 	')
 
@@ -1207,6 +1208,7 @@ interface(`init_start_system',`
 #
 interface(`init_stop_system',`
 	gen_require(`
+		class system { stop };
 		type init_t;
 	')
 
@@ -1225,6 +1227,7 @@ interface(`init_stop_system',`
 #
 interface(`init_get_system_status',`
 	gen_require(`
+		class system { status };
 		type init_t;
 	')
 
@@ -1243,6 +1246,7 @@ interface(`init_get_system_status',`
 #
 interface(`init_enable',`
 	gen_require(`
+		class system { enable };
 		type init_t;
 	')
 
@@ -1261,6 +1265,7 @@ interface(`init_enable',`
 #
 interface(`init_disable',`
 	gen_require(`
+		class system { disable };
 		type init_t;
 	')
 
@@ -1279,6 +1284,7 @@ interface(`init_disable',`
 #
 interface(`init_reload',`
 	gen_require(`
+		class system { reload };
 		type init_t;
 	')
 
@@ -1297,6 +1303,7 @@ interface(`init_reload',`
 #
 interface(`init_reboot_system',`
 	gen_require(`
+		class system { reboot };
 		type init_t;
 	')
 
@@ -1315,6 +1322,7 @@ interface(`init_reboot_system',`
 #
 interface(`init_shutdown_system',`
 	gen_require(`
+		class system { halt };
 		type init_t;
 	')
 
@@ -1393,7 +1401,6 @@ interface(`init_dbus_chat',`
 interface(`init_run_bpf',`
 	gen_require(`
 		type init_t;
-		class bpf prog_run;
 	')
 
 	allow $1 init_t:bpf prog_run;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -258,6 +258,11 @@ seutil_read_default_contexts(init_t)
 miscfiles_read_localization(init_t)
 
 ifdef(`init_systemd',`
+	gen_require(`
+		class service { status start stop };
+		class system { status reboot halt reload };
+	')
+
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
 
@@ -1113,6 +1118,10 @@ ifdef(`enable_mls',`
 ')
 
 ifdef(`init_systemd',`
+	gen_require(`
+		class service { stop start status reload };
+		class system { start stop status reboot halt reload };
+	')
 	allow initrc_t init_t:system { start stop status reboot halt reload };
 
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
@@ -22,6 +22,8 @@
 #
 template(`systemd_role_template',`
 	gen_require(`
+		class service { reload start status stop };
+		class system { disable enable reload start stop status };
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
 		type systemd_analyze_exec_t;
@@ -407,6 +409,7 @@ template(`systemd_read_user_manager_state',`
 #
 template(`systemd_user_manager_system_start',`
 	gen_require(`
+		class system { start };
 		type $1_systemd_t;
 	')
 
@@ -431,6 +434,7 @@ template(`systemd_user_manager_system_start',`
 #
 template(`systemd_user_manager_system_stop',`
 	gen_require(`
+		class system { stop };
 		type $1_systemd_t;
 	')
 
@@ -455,6 +459,7 @@ template(`systemd_user_manager_system_stop',`
 #
 template(`systemd_user_manager_system_status',`
 	gen_require(`
+		class system { status };
 		type $1_systemd_t;
 	')
 

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -1095,6 +1095,10 @@ optional_policy(`
 
 	dbus_connect_system_bus(systemd_machined_t)
 	dbus_system_bus_client(systemd_machined_t)
+
+	optional_policy(`
+		unconfined_dbus_send(systemd_machined_t)
+	')
 ')
 
 ########################################
@@ -1248,8 +1252,6 @@ allow systemd_nspawn_t self:udp_socket create_socket_perms;
 
 allow systemd_nspawn_t systemd_journal_t:dir search;
 
-allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
-
 allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_runtime_t:file manage_file_perms;
 init_runtime_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, dir)
@@ -1375,13 +1377,9 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 ')
 
 optional_policy(`
-	allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
-
 	dbus_system_bus_client(systemd_nspawn_t)
 
-	optional_policy(`
-		unconfined_dbus_send(systemd_machined_t)
-	')
+	systemd_dbus_chat_machined(systemd_nspawn_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
@@ -31,7 +31,6 @@ interface(`unconfined_domain_noaudit',`
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
-		class service all_service_perms;
 	')
 
 	unconfined_stub($1)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
@@ -56,6 +56,10 @@ ifdef(`direct_sysadm_daemon',`
 ')
 
 ifdef(`init_systemd',`
+	gen_require(`
+		class system { status start stop reload };
+	')
+
 	# for systemd-analyze
 	init_service_status(unconfined_t)
 	# for systemd --user: