diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index a99f6e9..ee8e830 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -135,6 +135,7 @@ files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
+init_read_state(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 17357e5..bb4a6f0 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -34,6 +34,7 @@ kernel_dontaudit_write_kernel_sysctl(dmesg_t)
dev_read_sysfs(dmesg_t)
dev_read_kmsg(dmesg_t)
+dev_read_raw_memory(dmesg_t)
fs_search_auto_mountpoints(dmesg_t)
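Review bot: `dev_read_raw_memory(dmesg_t)` on L18 hands a log-viewing tool read access to the raw memory device type (in refpolicy that type covers /dev/mem, /dev/kmem and /dev/port), which is far broader than what reading the kernel ring buffer needs and exposes kernel memory to a command users run from their own terminals. Unless a concrete code path in dmesg that opens these devices has been confirmed, this looks like an allow rule written to silence a denial that should have been a dontaudit, or at least gated behind a tunable. If it is genuinely required, add the justification next to it, e.g. `# dmesg opens /dev/mem for <reason> — confirm before widening further`, so the next reviewer can check it rather than inherit it.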
@@ -51,6 +52,8 @@ init_use_script_ptys(dmesg_t)
logging_send_syslog_msg(dmesg_t)
logging_write_generic_logs(dmesg_t)
+miscfiles_read_hwdata(dmesg_t)
+
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
userdom_use_inherited_user_terminals(dmesg_t)
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index fc6d1d3..612503a 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -35,6 +35,7 @@ allow sudodomain self:unix_stream_socket create_stream_socket_perms;
allow sudodomain self:unix_dgram_socket sendto;
allow sudodomain self:unix_stream_socket connectto;
allow sudodomain self:key manage_key_perms;
+allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
kernel_getattr_core_if(sudodomain)
kernel_link_key(sudodomain)
@@ -97,6 +98,10 @@ userdom_search_user_home_content(sudodomain)
userdom_search_admin_dir(sudodomain)
userdom_manage_all_users_keys(sudodomain)
+tunable_policy(`authlogin_yubikey',`
+ auth_manage_home_content(sudodomain)
+')
+
optional_policy(`
dbus_system_bus_client(sudodomain)
')
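Review bot: `auth_manage_home_content(sudodomain)` on L42 grants create, delete and rename over every user's auth_home_t content, and per the authlogin.fc rules in this same patch that type also labels ~/.google_authenticator, so the rule reaches second-factor material beyond the YubiKey files the tunable is about. If the driver is pam_yubico rewriting the stored challenge file in ~/.yubico, a read/write interface or a type scoped to those files would be tighter than full manage; DAC still applies, but the SELinux rule is the one this tunable is supposed to control. At minimum record the reason inline: `# challenge-response mode rewrites ~/.yubico/challenge-* after each login — confirm pam_yubico needs more than rw`.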
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 72e1a41..26e21b2 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -272,7 +272,7 @@ network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
-network_port(neutron, tcp,9696,s0)
+network_port(neutron, tcp,9696,s0, tcp,9697,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
@@ -312,6 +312,7 @@ network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
network_port(svrloc, tcp,427,s0, udp,427,s0)
network_port(swat, tcp,901,s0)
+network_port(swift, tcp,6200-6203,s0)
network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
@@ -326,6 +327,7 @@ network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
+network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fb27ae5..d86836b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5532,6 +5532,24 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
+## Dontaudit attempts to Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_leaked_xserver_misc',`
+ gen_require(`
+ type xserver_misc_device_t;
+ ')
+
+ dontaudit $1 xserver_misc_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
## Read and write X server miscellaneous devices.
## </summary>
## <param name="domain">
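Review bot: The summary on L84 capitalises "Read" mid-sentence and does not mention the leaked-descriptor semantics the interface name promises; suggest `## Do not audit attempts to read and write leaked X server miscellaneous device file descriptors.` The rule itself on L97 suppresses only `{ read write }`, so a domain that tries to open the device fresh will still be audited, which is the correct behaviour for an inherited-fd dontaudit and worth stating in the summary so nobody later "fixes" it by adding open.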
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 64d9761..269db99 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -137,9 +137,10 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
-# allow all domains to search through default_t directory, since users sometimes
-# place labels within these directories. (samba_share_t) for example.
-files_search_default(domain)
+# allow all domains to search through base_file_type directory, since users
+# sometimes place labels within these directories. (samba_share_t) for example.
+files_search_base_file_types(domain)
+
files_read_inherited_tmp_files(domain)
files_append_inherited_tmp_files(domain)
files_read_all_base_ro_files(domain)
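Review bot: `files_search_base_file_types(domain)` on L117 replaces a single-type grant (default_t) with directory search on every type carrying the base_file_type attribute, for every domain in the policy, yet the rewritten comment on L115-L116 still only justifies the default_t case of users placing custom labels in directories. Search is a low-cost permission per directory, but granting it universally removes one of the few remaining reasons a confined domain cannot even traverse parts of the filesystem, and the attribute's exact membership is not visible here. Either name the additional directory types that actually needed this in the comment, e.g. `# base_file_type also covers <types>; needed so domains can reach custom-labelled content under them`, or keep `files_search_default` and add the specific interfaces that were missing.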
@@ -148,6 +149,10 @@ files_dontaduit_getattr_kernel_symbol_table(domain)
# All executables should be able to search the directory they are in
corecmd_search_bin(domain)
+optional_policy(`
+ userdom_search_admin_dir(domain)
+')
+
tunable_policy(`domain_kernel_load_modules',`
kernel_request_load_module(domain)
')
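Review bot: `userdom_search_admin_dir(domain)` on L126 lets every domain, including confined daemon and user domains, traverse the administrator's home directory (presumably admin_home_t), and it arrives inside an `optional_policy` block with no comment explaining which domains hit the denial. Search does not read file contents, but it makes anything under /root reachable for any domain that has a rule on a type that happens to live there, which is exactly the situation the separate admin home type exists to prevent. Please either scope this to the domains that actually reported it, or document the trigger inline: `# all domains may traverse /root when invoked with a cwd or path argument under it — confirm scope`.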
@@ -419,6 +424,7 @@ optional_policy(`
optional_policy(`
sysnet_filetrans_named_content(named_filetrans_domain)
+ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
')
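Review bot: `sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)` on L135 calls an interface that is not defined anywhere in this patch; the sysnetwork.if hunks below only touch sysnet_setattr_dhcp_state and sysnet_use_ldap, and the same call reappears for ifconfig_t in sysnetwork.te. If the definition is not already present in sysnetwork.if outside these hunks, the build will fail on an undefined macro, so confirm it exists or include it in this commit. Since it sits directly under `sysnet_filetrans_named_content`, a one-line comment such as `# ifconfig-specific runtime files; see sysnet_filetrans_named_content for the rest` would tell readers what the variant adds.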
optional_policy(`
@@ -429,6 +435,7 @@ optional_policy(`
systemd_filetrans_named_content(named_filetrans_domain)
systemd_filetrans_named_hostname(named_filetrans_domain)
systemd_filetrans_home_content(named_filetrans_domain)
+ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
')
optional_policy(`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2dd815a..8a14ff2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -982,6 +982,24 @@ interface(`files_relabel_non_security_files',`
########################################
## <summary>
+## Search all base file dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_base_file_types',`
+ gen_require(`
+ attribute base_file_type;
+ ')
+
+ allow $1 base_file_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Relabel all base file types.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 924f856..7b26d12 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -21,5 +21,5 @@ HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
/usr/lib/udev/devices/hugepages/.* <<none>>
/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
/usr/lib/udev/devices/shm/.* <<none>>
-/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
-/var/run/[^/]*/gvfs/.* <<none>>
+/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
+/var/run/user/[^/]*/gvfs/.* <<none>>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 3270372..170e7da 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
########################################
## <summary>
+## Dontaudit attempts to set the priority of kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_setsched',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:process setsched;
+')
+
+########################################
+## <summary>
## Send a SIGCHLD signal to kernel threads.
## </summary>
## <param name="domain">
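Review bot: The parameter summary on L196 says `Domain allowed access.` but `kernel_dontaudit_setsched` allows nothing; it only suppresses audit records, so the text should read `## Domain to not audit.` as the other dontaudit interfaces in this patch (for example dev_dontaudit_leaked_xserver_misc in devices.if) already do. Copying the "allowed access" wording into a dontaudit interface is a small thing, but the XML summaries feed the generated policy documentation that people use to decide what a rule grants.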
@@ -180,6 +198,24 @@ interface(`kernel_signal',`
########################################
## <summary>
+## Send signull to kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_signull',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process signull;
+')
+
+########################################
+## <summary>
## Allows the kernel to share state information with
## the caller.
## </summary>
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index d6519a1..5a9d307 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -39,6 +39,9 @@ type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
+type ssh_keygen_tmp_t;
+files_tmp_file(ssh_keygen_tmp_t)
+
type sshd_keygen_t;
type sshd_keygen_exec_t;
init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
@@ -468,6 +471,10 @@ manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
+manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
+files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
+
kernel_read_system_state(ssh_keygen_t)
kernel_read_kernel_sysctls(ssh_keygen_t)
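Review bot: The ssh_keygen_tmp_t rules on L253-L255 give ssh_keygen_t a private /tmp type without saying what ssh-keygen stages there; because this domain generates host and user private keys, readers should know whether those temp files can hold key material before anyone considers sharing the type with another domain. Suggest `# private tmp type for ssh-keygen; may contain key material, do not hand to other domains — confirm what is written here`. No other domain is granted access to the type in this patch, which is the right default.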
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 36fbb93..ed25543 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,7 +1,7 @@
-HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index c74d0d5..42803b7 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -2232,6 +2232,26 @@ interface(`auth_read_home_content',`
read_files_pattern($1, auth_home_t, auth_home_t)
')
+########################################
+## <summary>
+## Read the authorization data in the user home directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_home_content',`
+
+ gen_require(`
+ type auth_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, auth_home_t, auth_home_t)
+ manage_dirs_pattern($1, auth_home_t, auth_home_t)
+')
########################################
## <summary>
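Review bot: The summary on L282 says `Read the authorization data in the user home directory`, but the body on L296-L297 uses manage_files_pattern and manage_dirs_pattern, which also grant create, write, delete and rename on auth_home_t; the doc should say `## Create, read, write, and delete the authorization data in the user home directory.` This matters more than usual because the type holds second-factor credential files, and an auditor scanning interface summaries will otherwise classify this as read-only. Two layout nits: the blank line right after `interface(` on L290 and the missing blank line between `')` on L298 and the `####` separator on L299 both differ from the surrounding file.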
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 9b993c6..837948b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -14,7 +14,7 @@ gen_tunable(authlogin_radius, false)
## <desc>
## <p>
-## Allow users to login using a yubikey server
+## Allow users to login using a yubikey OTP server or challenge response mode
## </p>
## </desc>
gen_tunable(authlogin_yubikey, false)
@@ -455,9 +455,29 @@ sysnet_dns_name_resolve(nsswitch_domain)
systemd_hostnamed_read_config(nsswitch_domain)
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ allow nsswitch_domain self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
+ corenet_tcp_connect_ldap_port(nsswitch_domain)
+ corenet_sendrecv_ldap_client_packets(nsswitch_domain)
+')
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ # Support for LDAPS
+ dev_read_rand(nsswitch_domain)
+ # LDAP Configuration using encrypted requires
+ dev_read_urand(nsswitch_domain)
+ sysnet_read_config(nsswitch_domain)
+')
+
tunable_policy(`authlogin_nsswitch_use_ldap',`
miscfiles_read_generic_certs(nsswitch_domain)
- sysnet_use_ldap(nsswitch_domain)
')
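Review bot: L316-L339 open four consecutive tunable_policy blocks on the same `authlogin_nsswitch_use_ldap` condition, apparently inlining the body of the `sysnet_use_ldap` call removed on L338; collapsing them into one block would be clearer and would also make it easy to verify that nothing from the old interface was dropped, given that `ldap_read_certs` only reappears later inside an optional_policy. The comment on L331, `# LDAP Configuration using encrypted requires`, is a sentence fragment carried over from the interface; suggest `# encrypted LDAP (LDAPS/STARTTLS) needs entropy from /dev/urandom`. The tcp_socket self rule on L317 has no counterpart in the visible part of sysnet_use_ldap, whose start is outside the later hunk, so confirm it is intended rather than an accidental widening.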
optional_policy(`
@@ -468,6 +488,7 @@ optional_policy(`
optional_policy(`
tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_read_certs(nsswitch_domain)
ldap_stream_connect(nsswitch_domain)
')
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c983546..d76c572 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -324,6 +324,7 @@ optional_policy(`
optional_policy(`
kdump_read_crash(init_t)
+ kdump_read_config(init_t)
')
optional_policy(`
@@ -484,6 +485,11 @@ ifdef(`distro_redhat',`
optional_policy(`
rpc_manage_nfs_state_data(init_t)
')
+
+ optional_policy(`
+ sysnet_relabelfrom_dhcpc_state(init_t)
+ sysnet_setattr_dhcp_state(init_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 7ca1e9e..5338f4d 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -93,6 +93,7 @@ allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
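Review bot: `filetrans_pattern` on L377 does more than assign a label: as defined in refpolicy's support macros it also grants ipsec_t rw_dir_perms on ipsec_conf_file_t directories, so the daemon can now add and remove names in its own configuration directory while every neighbouring rule (L374-L376, L378-L379) is read-only. The transition is also only usable if ipsec_t can create ipsec_key_file_t files, and no such rule is visible here; confirm it exists elsewhere, or that the process writing ipsec.secrets is really ipsec_mgmt_t, in which case the filetrans belongs on that domain. A comment naming the tool that writes the file, e.g. `# <tool> regenerates ipsec.secrets under the config dir — confirm`, would make the intent checkable.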
@@ -339,6 +340,7 @@ userdom_use_inherited_user_terminals(ipsec_mgmt_t)
optional_policy(`
bind_read_dnssec_keys(ipsec_mgmt_t)
bind_read_config(ipsec_mgmt_t)
+ bind_read_state(ipsec_mgmt_t)
')
optional_policy(`
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 821e74c..50b1c3c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -769,6 +769,26 @@ interface(`sysnet_search_dhcp_state',`
allow $1 dhcp_state_t:dir search_dir_perms;
')
+#######################################
+## <summary>
+## Set the attributes of network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_setattr_dhcp_state',`
+ gen_require(`
+ type dhcp_state_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dhcp_state_t:file setattr_file_perms;
+')
+
+
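Review bot: The summary on L396 says `Set the attributes of network config files.` but the rule on L410 is `allow $1 dhcp_state_t:file setattr_file_perms;`, which targets DHCP state under /var/lib, not configuration; the adjacent `sysnet_search_dhcp_state` uses "DHCP state" wording, so suggest `## Set the attributes of DHCP state files.` Two style nits: the separator on L394 appears one `#` shorter than the 40-column rule the file uses elsewhere, and L412-L413 leave two blank lines before the next section where the file uses one.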
########################################
## <summary>
## Create DHCP state data.
@@ -881,12 +901,14 @@ interface(`sysnet_use_ldap',`
# Support for LDAPS
dev_read_rand($1)
+ # LDAP Configuration using encrypted requires
dev_read_urand($1)
sysnet_read_config($1)
- # LDAP Configuration using encrypted requires
- dev_read_urand($1)
+ optional_policy(`
+ ldap_read_certs($1)
+ ')
')
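Review bot: After the reorder, `# LDAP Configuration using encrypted requires` on L420 still reads as an unfinished sentence sitting above `dev_read_urand`; suggest `# encrypted LDAP (LDAPS/STARTTLS) needs entropy from /dev/urandom`. Wrapping `ldap_read_certs` in `optional_policy` on L425-L427 is the right layering for a system-module interface calling into the ldap services module. The start of sysnet_use_ldap is outside this hunk, so I cannot see whether the socket rules moved into authlogin.te originate here.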
########################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 28f16ce..f94755e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -320,6 +320,7 @@ allow ifconfig_t self:tcp_socket { create ioctl };
can_exec(ifconfig_t, ifconfig_exec_t)
manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
allow ifconfig_t ifconfig_var_run_t:file mounton;
@@ -346,6 +347,7 @@ dev_mount_sysfs_fs(ifconfig_t)
dev_unmount_sysfs_fs(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
+domain_read_all_domains_state(ifconfig_t)
read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
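Review bot: `domain_read_all_domains_state(ifconfig_t)` on L444 lets the interface-configuration domain read the /proc state of every process on the system (command lines, environment and more, depending on what that interface covers), which is a substantial information-disclosure widening for a tool users invoke and goes well beyond the `domain_use_interactive_fds` line above it. If the trigger is something like `ip netns` needing /proc/<pid>/ns, record that and consider whether a narrower interface suffices: `# ip netns reads /proc/<pid>/ns/net to enter namespaces — confirm, and narrow if possible`. Without a comment the rule reads as another blanket denial fix.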
@@ -384,10 +386,15 @@ logging_send_syslog_msg(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
sysnet_dns_name_resolve(ifconfig_t)
+sysnet_filetrans_named_content_ifconfig(ifconfig_t)
userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
+optional_policy(`
+ hostname_exec(ifconfig_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ifconfig_t)
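Review bot: `hostname_exec(ifconfig_t)` on L453 runs the hostname binary inside ifconfig_t instead of transitioning to the hostname module's own domain; if that module provides a domain-transition interface, prefer it so hostname keeps its own confinement, and otherwise add `# hostname runs in ifconfig_t on purpose: <reason>` so the choice is visibly deliberate. Separately, `sysnet_filetrans_named_content_ifconfig(ifconfig_t)` on L449 relies on an interface that none of this patch's sysnetwork.if hunks define; confirm it already exists or the module will not build.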
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8bca1d7..24b2af3 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -369,6 +369,24 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
######################################
## <summary>
+## Dontaudit attempts to write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_sessions_t;
+ ')
+
+ dontaudit $1 systemd_logind_sessions_t:fifo_file write;
+')
+
+######################################
+## <summary>
## Write systemd inhibit pipes.
## </summary>
## <param name="domain">