Your message dated Sat, 31 Aug 2024 13:05:44 +0100
with message-id <ztmhgdmatd23z...@powdarrmonkey.net>
and subject line Re: Bug#995969: release.debian.org: bullseye update requested for refpolicy
has caused the Debian Bug report #995969,
regarding release.debian.org: bullseye update requested for refpolicy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
995969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal

[Reason]

Improvement to refpolicy for ppp, wireshark, acngtool, root login on boot
failure, and systemd-timesyncd.

[Impact]

Allows pppox (for common NBN devices in Australia) to work.

Allows Wireshark to do the X stuff it wants to do (not functional otherwise).
Also allow it to get network state.

Allows acngtool to manage its log files.

Allows kmod, ifconfig, and ping to be run by the sysadmin after the regular
boot process has failed.

Allows systemd-timesyncd to restart generic units.

[ Tests ]
Tested all of this manually.

[ Risks ]
No real risk, just added new allow rules.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in bullseye

diff -Nru refpolicy-2.20210203/debian/changelog refpolicy-2.20210203/debian/changelog
--- refpolicy-2.20210203/debian/changelog       2021-06-14 09:47:05.000000000 +1000
+++ refpolicy-2.20210203/debian/changelog       2021-10-04 15:06:54.000000000 +1100
@@ -1,3 +1,22 @@
+refpolicy (2:2.20210203-8) unstable; urgency=medium
+
+  * Label /etc/ppp/ip-pre-up as pppd_initrc_exec_t
+  * Allow wireshark to rw DRI devices, read crypto sysctls, rw the xserver
+    mesa shader cache, read the kernel network state, have execmem access
+    (probably needed for one of the many shared objects it uses), have setsched
+    access, execute lib files (for it's helper programs), manage xdg config
+    files (gives warning if it can't do this), manage xdg cache, and read xdg
+    data files.
+  * Allow acngtool_t the dac_override capability for managing log files
+  * Allow pppd to connect create and ioctl pppox_socket and allow it to map
+    pppd_runtime_t files.
+  * Allow kmod_t, ifconfig_t, and ping_t to use unallocated ttys (for sysadmin
+    login on boot failure)
+  * Allow ntpd_t to start and stop generic units when systemd is used, for
+    systemd-timesyncd.
+
+ -- Russell Coker <russ...@coker.com.au>  Mon, 04 Oct 2021 15:06:54 +1100
+
 refpolicy (2:2.20210203-7) unstable; urgency=medium
 
   * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
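Review bot: the new stanza `+refpolicy (2:2.20210203-8) unstable; urgency=medium` targets unstable, but this bug is a bullseye stable update request; a debdiff for a point release needs a version that sorts below the one in unstable (for example a `+deb11u1` suffix on the bullseye version) and `bullseye` as the distribution, otherwise it cannot be accepted as-is. Two smaller points in the same stanza: `for it's helper programs` should read `for its helper programs`, and the wireshark entry justifies execmem only as `probably needed for one of the many shared objects it uses`, which is weak grounding for a rule that disables W^X for a network-facing parser (see the wireshark hunk below).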
diff -Nru refpolicy-2.20210203/debian/patches/0027-services refpolicy-2.20210203/debian/patches/0027-services
--- refpolicy-2.20210203/debian/patches/0027-services   2021-06-14 09:47:05.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0027-services   2021-08-13 03:54:44.000000000 +1000
@@ -128,7 +128,14 @@
  
  # Uses sd_notify() to inform systemd it has properly started
  init_dgram_send(aptcacher_t)
-@@ -99,8 +105,12 @@ allow acngtool_t self:unix_stream_socket
+@@ -93,14 +99,19 @@ sysnet_mmap_config_files(aptcacher_t)
+ # acngtool local policy
+ #
+ 
++allow acngtool_t self:capability dac_override;
+ allow acngtool_t self:tcp_socket create_stream_socket_perms;
+ allow acngtool_t self:unix_stream_socket create_socket_perms;
+ 
  allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
  allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
  
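Review bot: `++allow acngtool_t self:capability dac_override;` is a much wider grant than "managing log files" suggests: dac_override lets acngtool_t bypass the owner/group/mode check on every file its type enforcement rules already reach, not only the log files. Before shipping it, check the audit record that motivated the rule for the actual path and the ownership and mode of that log directory; if the logs are owned by a different user than the one acngtool runs as, fixing ownership or group membership in the package removes the need for the capability entirely, and if only directory traversal is involved, dac_read_search is the narrower choice. The changelog entry should also record which file triggered the denial.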
@@ -1874,3 +1881,60 @@
  ##    Create block devices in on a tmpfs filesystem with the
  ##    fixed disk type via an automatic type transition.
  ## </summary>
+Index: refpolicy-2.20210203/policy/modules/services/ppp.fc
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ppp.fc
++++ refpolicy-2.20210203/policy/modules/services/ppp.fc
+@@ -8,6 +8,7 @@ HOME_DIR/\.ppprc       --      gen_context(system_u
+ /etc/ppp/.*secrets    --      gen_context(system_u:object_r:pppd_secret_t,s0)
+ /etc/ppp/resolv\.conf --      gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+ /etc/ppp/(auth|ip(v6|x)?)-(up|down)   --      
gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
++/etc/ppp/ip-pre-up    --      
gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+ 
+ /usr/bin/ipppd                --      
gen_context(system_u:object_r:pppd_exec_t,s0)
+ /usr/bin/ppp-watch    --      gen_context(system_u:object_r:pppd_exec_t,s0)
+Index: refpolicy-2.20210203/policy/modules/services/ppp.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ppp.te
++++ refpolicy-2.20210203/policy/modules/services/ppp.te
+@@ -86,6 +86,7 @@ allow pppd_t self:socket create_socket_p
+ allow pppd_t self:netlink_route_socket nlmsg_write;
+ allow pppd_t self:tcp_socket { accept listen };
+ allow pppd_t self:packet_socket create_socket_perms;
++allow pppd_t self:pppox_socket { connect create ioctl };
+ 
+ allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms 
setattr_chr_file_perms };
+ 
+@@ -108,6 +109,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t,
+ 
+ manage_dirs_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+ manage_files_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
++allow pppd_t pppd_runtime_t:file map;
+ files_runtime_filetrans(pppd_t, pppd_runtime_t, { dir file })
+ 
+ can_exec(pppd_t, pppd_exec_t)
+Index: refpolicy-2.20210203/policy/modules/admin/netutils.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/admin/netutils.te
++++ refpolicy-2.20210203/policy/modules/admin/netutils.te
+@@ -134,6 +134,7 @@ logging_send_syslog_msg(ping_t)
+ miscfiles_read_localization(ping_t)
+ 
+ userdom_use_inherited_user_terminals(ping_t)
++term_use_unallocated_ttys(ping_t)
+ 
+ ifdef(`hide_broken_symptoms',`
+       init_dontaudit_use_fds(ping_t)
+Index: refpolicy-2.20210203/policy/modules/services/ntp.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/services/ntp.te
++++ refpolicy-2.20210203/policy/modules/services/ntp.te
+@@ -156,6 +156,8 @@ ifdef(`init_systemd',`
+       allow ntpd_t self:capability { fowner setpcap };
+       init_read_state(ntpd_t)
+       init_reload(ntpd_t)
++      init_start_generic_units(ntpd_t)
++      init_stop_generic_units(ntpd_t)
+ 
+       # for /var/lib/systemd/clock
+       init_list_var_lib_dirs(ntpd_t)
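Review bot: `++      init_start_generic_units(ntpd_t)` and `++      init_stop_generic_units(ntpd_t)` let the time daemon start and stop every unit carrying the generic unit type, which is considerably more than systemd-timesyncd needs for one restart; the changelog should name the unit it is observed acting on, and if the init module has an interface for that unit's specific class it should be preferred over the generic pair. The remaining changes in this hunk are narrow and match the changelog: the `/etc/ppp/ip-pre-up` file context reuses `pppd_initrc_exec_t` like the neighbouring `(auth|ip(v6|x)?)-(up|down)` entry, `pppox_socket { connect create ioctl }` is limited to pppd_t's own sockets, and `map` on `pppd_runtime_t` files extends access pppd_t already has via `manage_files_pattern`.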
diff -Nru refpolicy-2.20210203/debian/patches/0028-misc refpolicy-2.20210203/debian/patches/0028-misc
--- refpolicy-2.20210203/debian/patches/0028-misc       2021-05-06 04:15:52.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0028-misc       2021-07-17 20:25:09.000000000 +1000
@@ -369,6 +369,14 @@
  allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  # for the radeon/amdgpu modules
  dontaudit kmod_t self:capability sys_admin;
+@@ -111,6 +112,7 @@ miscfiles_read_localization(kmod_t)
+ 
+ seutil_read_file_contexts(kmod_t)
+ 
++term_use_unallocated_ttys(kmod_t)
+ userdom_use_user_terminals(kmod_t)
+ 
+ userdom_dontaudit_search_user_home_dirs(kmod_t)
 Index: refpolicy-2.20210203/policy/modules/system/mount.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/mount.te
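Review bot: `++term_use_unallocated_ttys(kmod_t)` is unconditional, so kmod_t can read and write unallocated ttys during normal operation as well as in the boot-failure recovery case the changelog describes, for a domain that the surrounding context shows already holds `execmem` and `sigkill` on itself. Since the recovery shell's tty is the only stated consumer, record that in the patch description so the rule is not later read as a general grant, and confirm from the original denial that the tty in that scenario really carries the unallocated type rather than some other console label, otherwise this rule will not cover the case it is meant for. Placement between `seutil_read_file_contexts` and `userdom_use_user_terminals` follows the module's alphabetical ordering, so no style change is needed.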
@@ -458,6 +466,14 @@
  
  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -339,6 +339,7 @@ term_dontaudit_use_all_ttys(ifconfig_t)
+ term_dontaudit_use_all_ptys(ifconfig_t)
+ term_dontaudit_use_ptmx(ifconfig_t)
+ term_dontaudit_use_generic_ptys(ifconfig_t)
++term_use_unallocated_ttys(ifconfig_t)
+ 
+ files_dontaudit_read_root_files(ifconfig_t)
+ 
 Index: refpolicy-2.20210203/policy/modules/system/udev.te
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/udev.te
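Review bot: `++term_use_unallocated_ttys(ifconfig_t)` lands directly under `term_dontaudit_use_all_ttys(ifconfig_t)`, which already silences denials on every tty type including the unallocated ones, so the access failure that motivated this rule never appeared in the audit log under the default policy, and any further tty access ifconfig_t still lacks in the boot-failure scenario will stay hidden the same way. It would help the next person to state in the changelog how the missing permission was diagnosed (for example with dontaudit rules temporarily disabled via `semodule -DB`), and to consider whether the dontaudit line should be narrowed now that the real requirement is known.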
@@ -839,3 +855,63 @@
 +optional_policy(`
        
userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
  ')
+Index: refpolicy-2.20210203/policy/modules/apps/wireshark.te
+===================================================================
+--- refpolicy-2.20210203.orig/policy/modules/apps/wireshark.te
++++ refpolicy-2.20210203/policy/modules/apps/wireshark.te
+@@ -31,10 +31,11 @@ optional_policy(`
+ #
+ 
+ allow wireshark_t self:capability { net_admin net_raw setgid };
+-allow wireshark_t self:process { signal getsched };
++allow wireshark_t self:process { signal getsched execmem setsched };
+ allow wireshark_t self:fifo_file rw_fifo_file_perms;
+ allow wireshark_t self:shm create_shm_perms;
+ allow wireshark_t self:packet_socket create_socket_perms;
++allow wireshark_t self:netlink_generic_socket connected_socket_perms;
+ 
+ manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+ manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+@@ -54,7 +55,9 @@ fs_tmpfs_filetrans(wireshark_t, wireshar
+ 
+ can_exec(wireshark_t, wireshark_exec_t)
+ 
++kernel_read_crypto_sysctls(wireshark_t)
+ kernel_read_kernel_sysctls(wireshark_t)
++kernel_read_network_state(wireshark_t)
+ kernel_read_system_state(wireshark_t)
+ kernel_read_sysctl(wireshark_t)
+ 
+@@ -74,6 +77,7 @@ corenet_tcp_connect_generic_port(wiresha
+ dev_read_rand(wireshark_t)
+ dev_read_sysfs(wireshark_t)
+ dev_read_urand(wireshark_t)
++dev_rw_dri(wireshark_t)
+ 
+ files_map_usr_files(wireshark_t)
+ files_read_usr_files(wireshark_t)
+@@ -84,6 +88,7 @@ fs_search_auto_mountpoints(wireshark_t)
+ 
+ auth_use_nsswitch(wireshark_t)
+ 
++libs_exec_lib_files(wireshark_t)
+ libs_read_lib_files(wireshark_t)
+ 
+ miscfiles_read_fonts(wireshark_t)
+@@ -93,6 +98,10 @@ userdom_use_user_terminals(wireshark_t)
+ 
+ userdom_user_content_access_template(wireshark, wireshark_t)
+ 
++xdg_manage_cache(wireshark_t)
++# gives warnings if it can not write its own config
++xdg_manage_config(wireshark_t)
++xdg_read_data_files(wireshark_t)
+ xdg_read_downloads(wireshark_t)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -119,4 +128,5 @@ optional_policy(`
+ optional_policy(`
+       xserver_user_x_domain_template(wireshark, wireshark_t, 
wireshark_tmpfs_t)
+       xserver_create_xdm_tmp_sockets(wireshark_t)
++      xserver_rw_mesa_shader_cache(wireshark_t)
+ ')
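Review bot: `++allow wireshark_t self:process { signal getsched execmem setsched };` adds execmem, which allows the process to map anonymous writable-and-executable memory and so removes the W^X boundary for a program whose job is parsing untrusted network captures; the changelog only says this is "probably needed for one of the many shared objects it uses". Before granting it, identify the library from the denial (the record will show whether the request was `execmem` on self or `execmod` on a specific library file) and, if a single JIT-style library is responsible, check whether the access can be limited to `execmod` on that file's type or gated behind a boolean rather than granted to the whole domain. The other additions in this hunk (`netlink_generic_socket`, crypto sysctls, network state, DRI devices, lib file execution, xdg config/cache/data, the mesa shader cache) are consistent with the changelog and with a GUI analyser, though `libs_exec_lib_files` plus `xdg_manage_config` together mean a compromised wireshark_t can write its own config and run library-labelled files, so a one-line comment explaining each, as was done for `xdg_manage_config`, would make the intent clearer.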
diff -Nru refpolicy-2.20210203/debian/patches/0030-user-sddm refpolicy-2.20210203/debian/patches/0030-user-sddm
--- refpolicy-2.20210203/debian/patches/0030-user-sddm  2021-05-15 18:59:16.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/0030-user-sddm  2021-06-14 15:11:19.000000000 +1000
@@ -44,7 +44,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/kernel/corecommands.fc
 +++ refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
-@@ -251,6 +251,7 @@ ifdef(`distro_gentoo',`
+@@ -256,6 +256,7 @@ ifdef(`distro_gentoo',`
  /usr/lib/xfce4/session/xfsm-shutdown-helper -- 
gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/xfconf/xfconfd --      gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0)
diff -Nru refpolicy-2.20210203/debian/patches/2000-hacks refpolicy-2.20210203/debian/patches/2000-hacks
--- refpolicy-2.20210203/debian/patches/2000-hacks      2021-05-06 03:23:13.000000000 +1000
+++ refpolicy-2.20210203/debian/patches/2000-hacks      2021-08-13 03:52:34.000000000 +1000
@@ -19,7 +19,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
 +++ refpolicy-2.20210203/policy/modules/system/fstools.te
-@@ -151,6 +151,11 @@ init_use_script_ptys(fsadm_t)
+@@ -153,6 +153,11 @@ init_use_script_ptys(fsadm_t)
  init_dontaudit_getattr_initctl(fsadm_t)
  init_rw_script_stream_sockets(fsadm_t)
  
@@ -35,7 +35,7 @@
 ===================================================================
 --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
 +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
-@@ -345,6 +345,11 @@ files_dontaudit_read_root_files(ifconfig
+@@ -346,6 +346,11 @@ files_dontaudit_read_root_files(ifconfig
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
  

--- End Message ---
--- Begin Message ---
Hi,

On Sat, Oct 09, 2021 at 07:44:56PM +1100, Russell Coker wrote:
> [Reason]
> 
> Improvement to refpolicy for ppp, wireshark, acngtool, root login on boot
> failure, and systemd-timesyncd.

I regret to say that this bug had incorrect metadata until very recently so
it didn't show up on our list for review. I didn't spot it until it was too
late for the final bullseye point release, which was today. I'm therefore
closing the request.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

--- End Message ---
