From 6f2158d257119b0a495955b398183aca5e2c0d50 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Sun, 10 Dec 2023 21:00:33 -0500 Subject: Add watches node=localhost type=AVC msg=audit(1701960388.658:45746): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/" dev="dm-1" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1701960389.457:46142): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/etc/motd" dev="dm-1" ino=524363 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1701960389.538:46261): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var" dev="dm-9" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1701960389.539:46264): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var/lib" dev="dm-9" ino=262145 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1701960389.472:46167): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd" dev="tmpfs" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1701960389.473:46170): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd/shutdown" dev="tmpfs" ino=99 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0 node=localhost type=AVC msg=audit(1701966176.317:51985): avc: denied { watch } for pid=7186 comm="cockpit-bridge" path="/run/utmp" dev="tmpfs" ino=94 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar 
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/files.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/cockpit.if | 7 +++++++
 policy/modules/system/init.if | 18 ++++++++++++++++++
 3 files changed, 61 insertions(+) (limited to 'policy')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 29c8b72f..e0337d04 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6910,6 +6910,24 @@ interface(`files_rw_runtime_dirs',`
 rw_dirs_pattern($1, var_run_t, var_run_t)
 ')
+########################################
+##
+## Watch /var/lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_watch_var_lib_dirs',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ allow $1 var_lib_t:dir watch;
+')
+
 ########################################
 ##
 ## Watch /var/run directories.
@@ -6928,6 +6946,24 @@ interface(`files_watch_runtime_dirs',`
 allow $1 var_run_t:dir watch;
 ')
+########################################
+##
+## Watch /var directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_watch_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir watch;
+')
+
 ########################################
 ##
 ## Read generic runtime files.
diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 494967eb..7a002b3e 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -56,10 +56,17 @@ template(`cockpit_role_template',`
 files_dontaudit_execute_default_files($2)
 files_dontaudit_execuite_etc_runtime_files($2)
 files_dontaudit_exec_runtime($2)
+ files_watch_etc_files($2)
+ files_watch_root_dirs($2)
+ files_watch_var_dirs($2)
+ files_watch_var_lib_dirs($2)
 cockpit_use_ws_fds($2)
 cockpit_rw_ws_stream_sockets($2)
+ init_watch_runtime_dirs($2)
+ init_watch_utmp($2)
+ userdom_dontaudit_execute_user_tmpfs_files($2)
 ')
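Review bot: `files_watch_var_lib_dirs` is inserted between `files_rw_runtime_dirs` and `files_watch_runtime_dirs`, and `files_watch_var_dirs` in the next hunk lands between `files_watch_runtime_dirs` and `files_read_generic_runtime_files`, so both new interfaces sit inside the runtime (var_run_t) cluster rather than next to the existing var_t and var_lib_t interfaces that files.if appears to group by type. Moving each one beside its own type's interfaces would keep that grouping intact and make the pair easier to find later. The bodies themselves, `allow $1 var_lib_t:dir watch;` and `allow $1 var_t:dir watch;`, are minimal and match the watch-only dir denials on `/var/lib` and `/var` quoted in the commit message.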
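Review bot: `files_watch_etc_files($2)` and `files_watch_root_dirs($2)` are called here but not defined by this patch — the diffstat accounts only for `files_watch_var_dirs`, `files_watch_var_lib_dirs` and `init_watch_runtime_dirs` — so they must already exist in files.if; worth confirming, since an undefined interface only surfaces at policy build time. Note also that these grants go to the whole role domain `$2` (the `sysadm_t` context in the quoted denials) rather than a cockpit-specific domain, which is inherent to the template because cockpit-bridge runs in the user's own domain, and presumably makes `files_watch_etc_files` a watch grant on every etc_t file rather than just `/etc/motd`. A one-line comment above the new calls, `# cockpit-bridge sets watches on /, /etc, /var, /var/lib, /run/systemd and /run/utmp`, would tie the six calls to the denials that motivated them. `cockpit_role_template` begins before this hunk.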
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b8e22f3..f58db6cb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3102,6 +3102,24 @@ interface(`init_manage_utmp',`
 allow $1 initrc_runtime_t:file manage_file_perms;
 ')
+########################################
+##
+## Add a watch on init runtime
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_watch_runtime_dirs',`
+ gen_require(`
+ type init_runtime_t;
+ ')
+
+ allow $1 init_runtime_t:dir watch;
+')
+
 ########################################
 ##
 ## Add a watch on utmp.
-- cgit v1.2.3-65-gdbad
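Review bot: The summary for `init_watch_runtime_dirs` reads `## Add a watch on init runtime` with no object noun and no period, unlike the neighbouring `## Add a watch on utmp.` and the `## Watch /var directories.` wording used in files.if in the same patch; `## Add a watch on init runtime directories.` would match both. The rule `allow $1 init_runtime_t:dir watch;` corresponds to the `/run/systemd` and `/run/systemd/shutdown` dir denials in the commit message (tcontext init_runtime_t), so the body is correct for those. The `/run/utmp` denial is on initrc_runtime_t:file and is presumably handled by the existing `init_watch_utmp`, whose header is the trailing context of this hunk.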