From 084f9557dc841cee777136ad433f63ce45020e7e Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Oct 26 2011 12:49:22 +0000 Subject: Allow policykit to talk to the systemd via dbus Move chrome_sandbox_nacl_t to permissive domains Additional rules for chrome_sandbox_nacl --- diff --git a/policy-F16.patch b/policy-F16.patch index 60b7398..ffb6ad5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1937,10 +1937,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..23bef3c +index 0000000..c66d190 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,333 @@ +@@ -0,0 +1,343 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -2274,6 +2274,16 @@ index 0000000..23bef3c + permissive mongod_t; + permissive thin_t; +') ++ ++optional_policy(` ++ gen_require(` ++ type chrome_sandbox_nacl_t; ++ ') ++ ++ permissive chrome_sandbox_nacl_t; ++') ++ ++ diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -4791,10 +4801,10 @@ index 0000000..7cbe3a7 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..9eeb8bb +index 0000000..26aba30 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,152 @@ +@@ -0,0 +1,171 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4819,8 +4829,6 @@ index 0000000..9eeb8bb +application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t) +role system_r types chrome_sandbox_nacl_t; + -+permissive chrome_sandbox_nacl_t; -+ +######################################## +# +# chrome_sandbox local policy 
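Review bot: The new `permissive chrome_sandbox_nacl_t;` block in permissivedomains.te is followed by two added empty lines (the two bare `++` lines before the portage.fc header), so the file now ends in trailing blank lines while the other permissive blocks in this hunk are separated by a single one; drop at least one. A short comment above the block recording why the domain is permissive would also help whoever later has to decide when it can be removed, e.g. `# chrome_sandbox_nacl_t: new domain, permissive while its rules are completed (see chrome.te)` — the commit only says it is being moved here, so the reason is an inference and should be confirmed before it is written down.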
@@ -4874,7 +4882,8 @@ index 0000000..9eeb8bb + +fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + -+userdom_rw_user_tmpfs_files(chrome_sandbox_t) ++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) ++ +userdom_use_user_ptys(chrome_sandbox_t) +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) +userdom_read_inherited_user_home_content_files(chrome_sandbox_t) @@ -4935,18 +4944,38 @@ index 0000000..9eeb8bb +# chrome_sandbox_nacl local policy +# + ++allow chrome_sandbox_nacl_t self:process execmem; +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; -+domain_use_interactive_fds(chrome_sandbox_nacl_t) ++allow chrome_sandbox_nacl_t self:shm create_shm_perms; ++allow chrome_sandbox_nacl_t self:unix_dgram_socket create_socket_perms; ++ ++allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; ++allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; +allow chrome_sandbox_t chrome_sandbox_nacl_t:process share; + ++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) ++fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) ++ ++domain_use_interactive_fds(chrome_sandbox_nacl_t) ++ +dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero; + +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) + ++kernel_read_system_state(chrome_sandbox_nacl_t) ++ ++dev_read_urand(chrome_sandbox_nacl_t) ++ +files_read_etc_files(chrome_sandbox_nacl_t) + +miscfiles_read_localization(chrome_sandbox_nacl_t) ++ ++corecmd_sbin_entry_type(chrome_sandbox_nacl_t) ++ ++userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) ++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) ++userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te index 37475dd..7db4a01 100644 
--- a/policy/modules/apps/cpufreqselector.te @@ -48297,7 +48326,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..05409ab 100644 +index 1e7169d..add05dd 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) @@ -48343,7 +48372,7 @@ index 1e7169d..05409ab 100644 auth_use_nsswitch(policykit_t) -@@ -67,45 +76,90 @@ logging_send_syslog_msg(policykit_t) +@@ -67,45 +76,92 @@ logging_send_syslog_msg(policykit_t) miscfiles_read_localization(policykit_t) @@ -48354,6 +48383,8 @@ index 1e7169d..05409ab 100644 +optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + ++ init_dbus_chat(policykit_t) ++ + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') @@ -48440,7 +48471,7 @@ index 1e7169d..05409ab 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,6 +172,14 @@ optional_policy(` +@@ -118,6 +174,14 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -48455,7 +48486,7 @@ index 1e7169d..05409ab 100644 ######################################## # # polkit_grant local policy -@@ -125,7 +187,8 @@ optional_policy(` +@@ -125,7 +189,8 @@ optional_policy(` allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -48465,7 +48496,7 @@ index 1e7169d..05409ab 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -155,9 +218,12 @@ miscfiles_read_localization(policykit_grant_t) +@@ -155,9 +220,12 @@ miscfiles_read_localization(policykit_grant_t) userdom_read_all_users_state(policykit_grant_t) optional_policy(` 
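Review bot: `allow chrome_sandbox_nacl_t self:process execmem;`, `userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)` and `corecmd_sbin_entry_type(chrome_sandbox_nacl_t)` are the rules in this hunk that widen the domain the most — anonymous executable memory, execution of user tmpfs content, and, if the interface does what its name suggests, sbin binaries as additional entrypoints besides chrome_sandbox_nacl_exec_t — yet none of them carries a comment. The rest of the chrome_sandbox_nacl block is ordinary plumbing, so a reader cannot tell which of these were driven by observed denials and which are precautionary. Suggest a comment above the execmem line such as `# execmem and user tmpfs execute are needed by the nacl sandbox; see the 3.10.0-49 changelog entry ("Chrome still needs execmem")`, and one naming the binary that requires the sbin entrypoint. Since this commit also makes the domain permissive (permissivedomains.te hunk above), denials on these paths will only appear in the audit log, so the comments are the only record of intent.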
@@ -48479,7 +48510,7 @@ index 1e7169d..05409ab 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -169,7 +235,8 @@ optional_policy(` +@@ -169,7 +237,8 @@ optional_policy(` allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -48489,7 +48520,7 @@ index 1e7169d..05409ab 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -207,4 +274,3 @@ optional_policy(` +@@ -207,4 +276,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -61048,7 +61079,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..f0e49aa 100644 +index 3eca020..148ce98 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) @@ -61437,9 +61468,9 @@ index 3eca020..f0e49aa 100644 logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -61576,7 +61607,7 @@ index 3eca020..f0e49aa 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +619,352 @@ files_search_all(virt_domain) +@@ -440,25 +619,360 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
@@ -61758,6 +61789,7 @@ index 3eca020..f0e49aa 100644 +manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; + +kernel_read_network_state(virtd_lxc_t) +kernel_search_network_sysctl(virtd_lxc_t) @@ -61768,6 +61800,7 @@ index 3eca020..f0e49aa 100644 +corecmd_exec_shell(virtd_lxc_t) + +dev_read_sysfs(virtd_lxc_t) ++dev_relabel_all_dev_nodes(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + @@ -61887,6 +61920,10 @@ index 3eca020..f0e49aa 100644 + +miscfiles_read_fonts(svirt_lxc_domain) + ++optional_policy(` ++ apache_exec_modules(svirt_lxc_domain) ++') ++ +virt_lxc_domain_template(svirt_lxc_net) + +allow svirt_lxc_net_t self:udp_socket create_socket_perms; @@ -61908,6 +61945,8 @@ index 3eca020..f0e49aa 100644 + +domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t) +domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t) ++fs_noxattr_type(svirt_lxc_file_t) ++term_pty(svirt_lxc_file_t) + +######################################## +# @@ -75022,7 +75061,7 @@ index db75976..494ec08 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..34d01ef 100644 +index 4b2878a..c595fd2 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
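Review bot: `allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };` is written as a raw allow rule while every neighbouring rule in the block uses a refpolicy pattern or interface; `relabel_dirs_pattern`/`relabel_files_pattern`/`relabel_lnk_files_pattern` (plus the sock/fifo variants) on `(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)` would mirror the manage_*_pattern lines directly above and make the granted classes explicit, since dir_file_class_set presumably also covers chr_file and blk_file. The same applies to `dev_relabel_all_dev_nodes(virtd_lxc_t)` in the following hunk (`@@ -61768`), which if it does what its name says grants relabel on every device node type and deserves a comment stating which container-setup step needs it, e.g. `# container start relabels its rootfs tree and the /dev nodes it creates — TODO confirm which step`. The virtd_lxc_t section these lines belong to begins outside the hunk.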
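Review bot: `fs_noxattr_type(svirt_lxc_file_t)` and `term_pty(svirt_lxc_file_t)` assign attributes to a type but are placed after the svirt_lxc_net domtrans rule rather than with the `type svirt_lxc_file_t` declaration, which is where refpolicy keeps attribute assignments; move them next to the declaration (outside this hunk) or add a comment explaining why they sit here. More importantly, if fs_noxattr_type adds the noxattrfs attribute as in upstream refpolicy, every domain that was granted fs_*_noxattr_fs_* access — typically so it can use filesystems without label support — now gets that access to container content, and term_pty similarly exposes the type to every `term_*_all_ptys` caller; that is a much wider audience than the virt domains this section is about, so the scope should be confirmed before this lands. If the intent is only to let container processes use their own ptys and files, a comment such as `# svirt_lxc_file_t doubles as the container's pty/noxattr-fs type — confirm the attribute widening is intended` would at least record the trade-off. The svirt_lxc_net section these lines belong to begins outside the hunk.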
@@ -76929,83 +76968,93 @@ index 4b2878a..34d01ef 100644 files_search_tmp($1) ') -@@ -2419,24 +3003,23 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3003,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') --######################################## +####################################### - ## --## Read user tmpfs files. ++## +## Getattr user tmpfs files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`userdom_read_user_tmpfs_files',` -- gen_require(` -- type user_tmpfs_t; -- ') ++## ++# +interface(`userdom_getattr_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') - -- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- allow $1 user_tmpfs_t:dir list_dir_perms; -- fs_search_tmpfs($1) ++ + getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + fs_search_tmpfs($1) - ') - ++') ++ ######################################## -@@ -2449,12 +3032,12 @@ interface(`userdom_read_user_tmpfs_files',` - ## - ## - # --interface(`userdom_rw_user_tmpfs_files',` -+interface(`userdom_read_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; + ## + ## Read user tmpfs files. +@@ -2435,13 +3038,14 @@ interface(`userdom_read_user_tmpfs_files',` ') -- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) allow $1 user_tmpfs_t:dir list_dir_perms; fs_search_tmpfs($1) -@@ -2462,7 +3045,7 @@ interface(`userdom_rw_user_tmpfs_files',` + ') ######################################## ## --## Create, read, write, and delete user tmpfs files. +-## Read user tmpfs files. +## Read/Write user tmpfs files. 
## ## ## -@@ -2470,12 +3053,13 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3066,7 @@ interface(`userdom_rw_user_tmpfs_files',` + + ######################################## + ## +-## Create, read, write, and delete user tmpfs files. ++## Read/Write inherited user tmpfs files. + ## + ## + ## +@@ -2470,14 +3074,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # -interface(`userdom_manage_user_tmpfs_files',` -+interface(`userdom_rw_user_tmpfs_files',` ++interface(`userdom_rw_inherited_user_tmpfs_files',` gen_require(` type user_tmpfs_t; ') - manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) +- allow $1 user_tmpfs_t:dir list_dir_perms; +- fs_search_tmpfs($1) ++ allow $1 user_tmpfs_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Execute user tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_execute_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file execute; ') -@@ -2572,7 +3156,7 @@ interface(`userdom_use_user_ttys',` + + ######################################## +@@ -2572,7 +3192,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -77014,7 +77063,7 @@ index 4b2878a..34d01ef 100644 ## ## ## -@@ -2580,70 +3164,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,48 +3200,97 @@ interface(`userdom_use_user_ttys',` ## ## # 
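Review bot: The new `userdom_execute_user_tmpfs_files` interface grants `allow $1 user_tmpfs_t:file execute;` but its summary says only `Execute user tmpfs files.`, with no hint that user_tmpfs_t is content the user domain itself writes, so a caller is in effect allowed to run user-supplied code; the summary should say so, e.g. `## Execute user tmpfs files. Note: user_tmpfs_t is written by the user domain, so callers can run user-supplied code — review together with any execmem grant.` Likewise `userdom_rw_inherited_user_tmpfs_files` correctly drops the `list_dir_perms`/`fs_search_tmpfs` lines the previous body had, but its description `Read/Write inherited user tmpfs files.` could state that the file must already be open (inherited) since no search permission is granted. The renamed interface header block starts in this hunk and the hunk is complete within the page.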
@@ -77066,25 +77115,20 @@ index 4b2878a..34d01ef 100644 - allow $1 user_tty_device_t:chr_file rw_term_perms; allow $1 user_devpts_t:chr_file rw_term_perms; - term_list_ptys($1) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## a user domain tty and pty. ++') ++ ++######################################## ++## +## Read and write a inherited user domain pty. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`userdom_dontaudit_use_user_terminals',` ++## ++## ++# +interface(`userdom_use_inherited_user_ptys',` - gen_require(` -- type user_tty_device_t, user_devpts_t; ++ gen_require(` + type user_devpts_t; + ') + @@ -77138,25 +77182,10 @@ index 4b2878a..34d01ef 100644 + + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write -+## a user domain tty and pty. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_use_user_terminals',` -+ gen_require(` -+ type user_tty_device_t, user_devpts_t; - ') + ') - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + ######################################## +@@ -2644,6 +3313,25 @@ interface(`userdom_dontaudit_use_user_terminals',` dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') @@ -77182,7 +77211,7 @@ index 4b2878a..34d01ef 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2713,6 +3365,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -77207,7 +77236,7 @@ index 4b2878a..34d01ef 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3406,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3442,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -77232,7 +77261,7 @@ index 4b2878a..34d01ef 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3424,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3460,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -77258,7 +77287,7 @@ index 4b2878a..34d01ef 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3485,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3521,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -77267,7 +77296,7 @@ index 4b2878a..34d01ef 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3501,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3537,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -77301,7 +77330,7 @@ index 4b2878a..34d01ef 100644 ') ######################################## -@@ -2972,7 +3589,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3625,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -77310,7 +77339,7 @@ index 4b2878a..34d01ef 100644 ') ######################################## -@@ -3027,7 +3644,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3680,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -77357,7 +77386,7 @@ index 4b2878a..34d01ef 100644 ') ######################################## -@@ -3064,6 +3719,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -77365,7 +77394,7 @@ index 4b2878a..34d01ef 100644 kernel_search_proc($1) ') -@@ -3142,6 +3798,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3834,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -77390,7 +77419,7 @@ index 4b2878a..34d01ef 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3834,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3870,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -77415,7 +77444,7 @@ index 4b2878a..34d01ef 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3886,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3922,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 89fd479..74b8f98 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 49%{?dist} +Release: 50%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -480,6 +480,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Oct 25 2011 Miroslav Grepl 3.10.0-50 +- Allow policykit to talk to the systemd via dbus +- Move chrome_sandbox_nacl_t to permissive domains +- Additional rules for chrome_sandbox_nacl + * Tue Oct 25 2011 Miroslav Grepl 3.10.0-49 - Change bootstrap name to nacl - Chrome still needs execmem