From a89c907a561219881a90cad0231f4b5ec8909f2a Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Aug 15 2016 10:24:51 +0000
Subject: Backport access_vectors from Rawhide to increase security policy and make working new allow rules.
---
diff --git a/policy-f24-base.patch b/policy-f24-base.patch
index 26c12a1..78fc080 100644
--- a/policy-f24-base.patch
+++ b/policy-f24-base.patch
@@ -877,10 +877,71 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..2e137e6 100644 +index a94b169..ebca901 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors -@@ -329,6 +329,7 @@ class process +@@ -121,6 +121,60 @@ common x_device + } + + # ++# Define a common for capability access vectors. ++# ++common cap ++{ ++ # The capabilities are defined in include/linux/capability.h ++ # Capabilities >= 32 are defined in the cap2 common. ++ # Care should be taken to ensure that these are consistent with ++ # those definitions. (Order matters) ++ ++ chown ++ dac_override ++ dac_read_search ++ fowner ++ fsetid ++ kill ++ setgid ++ setuid ++ setpcap ++ linux_immutable ++ net_bind_service ++ net_broadcast ++ net_admin ++ net_raw ++ ipc_lock ++ ipc_owner ++ sys_module ++ sys_rawio ++ sys_chroot ++ sys_ptrace ++ sys_pacct ++ sys_admin ++ sys_boot ++ sys_nice ++ sys_resource ++ sys_time ++ sys_tty_config ++ mknod ++ lease ++ audit_write ++ audit_control ++ setfcap ++} ++ ++common cap2 ++{ ++ mac_override # unused by SELinux ++ mac_admin # unused by SELinux ++ syslog ++ wake_alarm ++ block_suspend ++ audit_read ++} ++ ++# + # Define the access vectors. + # + # class class_name [ inherits common_name ] { permission_name ... } +@@ -329,6 +383,7 @@ class process execheap setkeycreate setsockcreate 
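Review bot: The new `common cap2` in this hunk has no explanatory comment, while `common cap` directly above it carries the four-line header stating that the list mirrors include/linux/capability.h and that order matters; since `cap2` is the continuation of that same sequence from bit 32 onward, the same warning belongs on it, e.g. `# Capabilities >= 32, continuing the order of include/linux/capability.h (order matters).` placed inside the `cap2` braces before `mac_override`. The `# unused by SELinux` annotations on mac_override and mac_admin are carried over from the old class body and are fine as they are. The inner hunk this adds (`@@ -121,6 +121,60 @@`) is complete here, but the surrounding access_vectors context (`common x_device` … `class process`) is only partly visible in this chunk.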
@@ -888,36 +949,85 @@ index a94b169..2e137e6 100644 } -@@ -393,6 +394,13 @@ class system +@@ -393,60 +448,31 @@ class system syslog_mod syslog_console module_request ++ # these are overloaded userspace ++ # permissions from systemd + halt + reboot + status ++ start ++ stop ++ enable ++ disable ++ reload + undefined -+ enable -+ disable -+ reload } # -@@ -443,10 +451,13 @@ class capability - class capability2 +-# Define the access vector interpretation for controling capabilies ++# Define the access vector interpretation for controlling capabilities + # + + class capability +-{ +- # The capabilities are defined in include/linux/capability.h +- # Capabilities >= 32 are defined in the capability2 class. +- # Care should be taken to ensure that these are consistent with +- # those definitions. (Order matters) ++inherits cap + +- chown +- dac_override +- dac_read_search +- fowner +- fsetid +- kill +- setgid +- setuid +- setpcap +- linux_immutable +- net_bind_service +- net_broadcast +- net_admin +- net_raw +- ipc_lock +- ipc_owner +- sys_module +- sys_rawio +- sys_chroot +- sys_ptrace +- sys_pacct +- sys_admin +- sys_boot +- sys_nice +- sys_resource +- sys_time +- sys_tty_config +- mknod +- lease +- audit_write +- audit_control +- setfcap +-} +- +-class capability2 ++class capability2 ++inherits cap2 { - mac_override # unused by SELinux +- mac_override # unused by SELinux - mac_admin # unused by SELinux -+ mac_admin - syslog - wake_alarm +- syslog +- wake_alarm +- block_suspend + epolwakeup - block_suspend + compromise_kernel -+ audit_read } # -@@ -690,6 +701,8 @@ class nscd +@@ -690,6 +716,8 @@ class nscd shmemhost getserv shmemserv @@ -926,7 +1036,7 @@ index a94b169..2e137e6 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +844,38 @@ inherits socket +@@ -831,6 +859,38 @@ inherits socket attach_queue } 
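Review bot: In the rewritten `class capability2` (hunk `@@ -393,60 +448,31 @@`), `epolwakeup` and `compromise_kernel` remain as class-specific permissions after `inherits cap2`, yet neither appears in the `cap2` common that the first hunk says mirrors include/linux/capability.h, and `cap2_userns` later inherits only the common, so they have no user-namespace counterpart; if they are kept only for compatibility with existing rules, annotate them the way mac_override is, e.g. `epolwakeup	# not in include/linux/capability.h, kept for existing rules`. In `class system`, `enable disable reload` move from after `undefined` to before it together with the new `start stop`, which changes their bit positions inside the class; that is harmless only if every consumer (the kernel classmap and systemd) resolves permissions by name rather than position — worth confirming before the backport ships. The comment `# these are overloaded userspace permissions from systemd` sits above the pre-existing `halt reboot status` lines, so it now describes those too; if that is intended, say so explicitly in the comment. The trailing `@@ -926,7 +1036,7 @@` hunk on this line only renumbers an inner hunk header.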
@@ -965,7 +1075,7 @@ index a94b169..2e137e6 100644 class x_pointer inherits x_device -@@ -865,3 +910,18 @@ inherits database +@@ -865,3 +925,28 @@ inherits database implement execute } @@ -984,8 +1094,18 @@ index a94b169..2e137e6 100644 +{ + read +} ++ ++# ++# Define the access vector interpretation for controlling capabilities ++# in user namespaces ++# ++class cap_userns ++inherits cap ++ ++class cap2_userns ++inherits cap2 diff --git a/policy/flask/security_classes b/policy/flask/security_classes -index 14a4799..9bb9aa4 100644 +index 14a4799..6e16f5e 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -121,6 +121,18 @@ class kernel_service @@ -1007,7 +1127,7 @@ index 14a4799..9bb9aa4 100644 # Still More SE-X Windows stuff class x_pointer # userspace class x_keyboard # userspace -@@ -131,4 +143,11 @@ class db_view # userspace +@@ -131,4 +143,15 @@ class db_view # userspace class db_sequence # userspace class db_language # userspace @@ -1018,6 +1138,10 @@ index 14a4799..9bb9aa4 100644 +class proxy + + ++# Capability checks when on a non-init user namespace ++class cap_userns ++class cap2_userns ++ # FLASK diff --git a/policy/global_booleans b/policy/global_booleans index 66e85ea..d02654d 100644
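Review bot: `class cap_userns` / `class cap2_userns` are declared in access_vectors here (hunk `@@ -984,8 +1094,18 @@`) and listed in security_classes in the last hunk of this line (`@@ -1018,6 +1138,10 @@`), but no allow or dontaudit rule for either class is part of this commit; once the policy defines these classes, capability use inside a non-initial user namespace is checked against policy rules rather than governed by the handle-unknown setting, so every domain that creates user namespaces needs matching `cap_userns`/`cap2_userns` rules — presumably the "new allow rules" the subject refers to, but they are not in this diff and should land with it. The security_classes comment reads awkwardly; `# Capability checks performed inside a non-initial user namespace` would be clearer than `# Capability checks when on a non-init user namespace`. The bodiless `inherits cap` / `inherits cap2` form matches how upstream declares these classes, so no brace block is needed. The two remaining hunks on this line (`@@ -965,7 +1075,7 @@`, `@@ -1007,7 +1127,7 @@`) only renumber inner hunk headers.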