From 116a117fbabe9d49a993685fb55b4405fe3369cf Mon Sep 17 00:00:00 2001 From: Miroslav Date: Sep 09 2011 11:28:28 +0000 Subject: - removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t --- diff --git a/policy-F16.patch b/policy-F16.patch index 213601a..7a1c25d 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -101,10 +101,10 @@ index 14a4799..067ecfc 100644 + # FLASK diff --git a/policy/global_booleans b/policy/global_booleans -index 111d004..9df7b5e 100644 +index 111d004..c90e80d 100644 --- a/policy/global_booleans +++ b/policy/global_booleans -@@ -6,7 +6,7 @@ +@@ -6,25 +6,10 @@ ## ##

@@ -113,23 +113,24 @@ index 111d004..9df7b5e 100644 ## newrole, from transitioning to administrative ## user domains. ##

-@@ -15,14 +15,14 @@ gen_bool(secure_mode,false) - - ## - ##

--## Disable transitions to insmod. -+## disallow programs and users from transitioning to insmod domain. - ##

##
- gen_bool(secure_mode_insmod,false) + gen_bool(secure_mode,false) - ## - ##

+-## +-##

+-## Disable transitions to insmod. +-##

+-##
+-gen_bool(secure_mode_insmod,false) +- +-## +-##

-## boolean to determine whether the system permits loading policy, setting -+## prevent all confined domains from loading policy, setting - ## enforcing mode, and changing boolean values. Set this to true and you - ## have to reboot to set it back - ##

+-## enforcing mode, and changing boolean values. Set this to true and you +-## have to reboot to set it back +-##

+-##
+-gen_bool(secure_mode_policyload,false) diff --git a/policy/global_tunables b/policy/global_tunables index 4705ab6..262b5ba 100644 --- a/policy/global_tunables @@ -3621,10 +3622,10 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..3d2f418 100644 +index 441cf22..d3dd0b9 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te -@@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t) +@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -3635,9 +3636,10 @@ index 441cf22..3d2f418 100644 fs_getattr_xattr_fs(chfn_t) fs_search_auto_mountpoints(chfn_t) -@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t) + # for SSP dev_read_urand(chfn_t) ++dev_dontaudit_getattr_all(chfn_t) -auth_domtrans_chk_passwd(chfn_t) -auth_dontaudit_read_shadow(chfn_t) @@ -3646,7 +3648,7 @@ index 441cf22..3d2f418 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -118,6 +116,10 @@ userdom_use_unpriv_users_fds(chfn_t) +@@ -118,6 +117,10 @@ userdom_use_unpriv_users_fds(chfn_t) # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) @@ -3657,7 +3659,7 @@ index 441cf22..3d2f418 100644 ######################################## # # Crack local policy -@@ -194,8 +196,7 @@ selinux_compute_create_context(groupadd_t) +@@ -194,8 +197,7 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -3667,7 +3669,7 @@ index 441cf22..3d2f418 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -291,17 +292,18 @@ selinux_compute_create_context(passwd_t) +@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) 
@@ -3690,7 +3692,7 @@ index 441cf22..3d2f418 100644 domain_use_interactive_fds(passwd_t) -@@ -323,7 +325,7 @@ miscfiles_read_localization(passwd_t) +@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) @@ -3699,7 +3701,7 @@ index 441cf22..3d2f418 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +334,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3707,7 +3709,7 @@ index 441cf22..3d2f418 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +384,7 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3717,7 +3719,7 @@ index 441cf22..3d2f418 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +428,7 @@ optional_policy(` +@@ -426,7 +429,7 @@ optional_policy(` # Useradd local policy # @@ -3726,7 +3728,7 @@ index 441cf22..3d2f418 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,6 +450,9 @@ corecmd_exec_shell(useradd_t) +@@ -448,8 +451,12 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) 
@@ -3735,8 +3737,11 @@ index 441cf22..3d2f418 100644 + domain_use_interactive_fds(useradd_t) domain_read_all_domains_state(useradd_t) ++domain_dontaudit_read_all_domains_state(useradd_t) -@@ -460,6 +465,7 @@ fs_search_auto_mountpoints(useradd_t) + files_manage_etc_files(useradd_t) + files_search_var_lib(useradd_t) +@@ -460,6 +467,7 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -3744,7 +3749,7 @@ index 441cf22..3d2f418 100644 # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) -@@ -469,8 +475,7 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +477,7 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -3754,7 +3759,7 @@ index 441cf22..3d2f418 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,21 +503,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +505,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -16755,10 +16760,24 @@ index f125dc2..3c6e827 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 6346378..edbe041 100644 +index 6346378..8c500cd 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if -@@ -2072,7 +2072,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -345,13 +345,8 @@ interface(`kernel_load_module',` + attribute can_load_kernmodule; + ') + +- allow $1 self:capability sys_module; + typeattribute $1 can_load_kernmodule; + +- # load_module() calls stop_machine() which +- # calls sched_setscheduler() +- allow $1 self:capability sys_nice; +- kernel_setsched($1) + ') + + ######################################## +@@ -2072,7 +2067,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; 
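Review bot: `domain_dontaudit_read_all_domains_state(useradd_t)` is added directly under the existing `domain_read_all_domains_state(useradd_t)`, and a dontaudit on permissions the same domain is already allowed has no effect, so if the two interfaces cover the same /proc reads (they appear to) one of the two lines is dead. If useradd is meant to keep the read access, drop the new dontaudit line; if it is meant to lose it and only stay quiet, replace the allow instead of adding beside it. The enclosing useradd local policy section starts and ends outside this hunk.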
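Review bot: `kernel_load_module` now grants only the `can_load_kernmodule` attribute and no longer the `sys_module`/`sys_nice` capabilities or `kernel_setsched`, but the interface's description block, which begins above this hunk, is unchanged and still reads as if calling it lets the domain load modules unconditionally. Add a line to that description such as `## The capabilities needed to actually load a module are granted in kernel.te only while the secure_mode_insmod boolean is false.` so callers understand the boolean now gates every domain carrying the attribute rather than just the insmod transition. That same shift is what makes dropping `&& ! secure_mode_insmod` from the ppp.te tunable later in this patch correct, and the commit message could say so.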
@@ -16767,7 +16786,7 @@ index 6346378..edbe041 100644 ') ######################################## -@@ -2293,7 +2293,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2293,7 +2288,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -16776,7 +16795,7 @@ index 6346378..edbe041 100644 ## ## # -@@ -2475,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2475,6 +2470,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -16801,7 +16820,7 @@ index 6346378..edbe041 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2619,7 +2637,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2619,7 +2632,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -16810,7 +16829,7 @@ index 6346378..edbe041 100644 ') ######################################## -@@ -2657,6 +2675,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2657,6 +2670,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -16835,7 +16854,7 @@ index 6346378..edbe041 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2684,6 +2720,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2684,6 +2715,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -16861,7 +16880,7 @@ index 6346378..edbe041 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2793,6 +2848,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2793,6 +2843,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') 
@@ -16895,7 +16914,7 @@ index 6346378..edbe041 100644 ######################################## ## -@@ -2948,6 +3030,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2948,6 +3025,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -16920,9 +16939,11 @@ index 6346378..edbe041 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2963,3 +3063,23 @@ interface(`kernel_unconfined',` +@@ -2962,4 +3057,25 @@ interface(`kernel_unconfined',` + ') typeattribute $1 kern_unconfined; ++ kernel_load_module($1) ') + +######################################## @@ -16945,10 +16966,23 @@ index 6346378..edbe041 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index d91c62f..848f59b 100644 +index d91c62f..e8faa88 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) +@@ -1,5 +1,12 @@ + policy_module(kernel, 1.13.3) + ++## ++##

++## disallow programs and users from transitioning to insmod domain. ++##

++##
++gen_bool(secure_mode_insmod,false) ++ + ######################################## + # + # Declarations +@@ -50,6 +57,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) type debugfs_t; fs_type(debugfs_t) @@ -16957,7 +16991,7 @@ index d91c62f..848f59b 100644 allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -157,6 +159,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -157,6 +166,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -16965,7 +16999,7 @@ index d91c62f..848f59b 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -242,11 +245,14 @@ dev_search_usbfs(kernel_t) +@@ -242,11 +252,14 @@ dev_search_usbfs(kernel_t) # devtmpfs handling: dev_create_generic_dirs(kernel_t) dev_delete_generic_dirs(kernel_t) @@ -16984,7 +17018,7 @@ index d91c62f..848f59b 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -255,7 +261,8 @@ fs_unmount_all_fs(kernel_t) +@@ -255,7 +268,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -16994,7 +17028,7 @@ index d91c62f..848f59b 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -269,25 +276,47 @@ files_list_root(kernel_t) +@@ -269,25 +283,47 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -17042,7 +17076,7 @@ index d91c62f..848f59b 100644 ') optional_policy(` -@@ -297,6 +326,19 @@ optional_policy(` +@@ -297,6 +333,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) 
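Review bot: The description carried over into kernel.te, `disallow programs and users from transitioning to insmod domain`, no longer matches what the boolean does: the new `if( ! secure_mode_insmod )` block added at the end of kernel.te withholds `sys_module` and `sys_nice` from every `can_load_kernmodule` domain, and the transition itself is now allowed whenever `pppd_can_insmod` is set (see the ppp.te hunk). Reword it to state the enforced effect, e.g. `## When true, withhold the sys_module capability from every domain with the can_load_kernmodule attribute, so no domain can load kernel modules.` so that administrators are not misled into thinking only a domain transition is blocked.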
@@ -17062,7 +17096,7 @@ index d91c62f..848f59b 100644 ') optional_policy(` -@@ -334,9 +376,7 @@ optional_policy(` +@@ -334,9 +383,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -17073,7 +17107,7 @@ index d91c62f..848f59b 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -345,7 +385,7 @@ optional_policy(` +@@ -345,7 +392,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -17082,7 +17116,7 @@ index d91c62f..848f59b 100644 ') ') -@@ -358,6 +398,15 @@ optional_policy(` +@@ -358,6 +405,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -17098,6 +17132,23 @@ index d91c62f..848f59b 100644 ######################################## # # Unlabeled process local policy +@@ -387,3 +443,16 @@ allow kern_unconfined unlabeled_t:filesystem *; + allow kern_unconfined unlabeled_t:association *; + allow kern_unconfined unlabeled_t:packet *; + allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; ++ ++gen_require(` ++ bool secure_mode_insmod; ++') ++ ++if( ! secure_mode_insmod ) { ++ allow can_load_kernmodule self:capability sys_module; ++ # load_module() calls stop_machine() which ++ # calls sched_setscheduler() ++ allow can_load_kernmodule self:capability sys_nice; ++ kernel_setsched(can_load_kernmodule) ++'} ++ diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index f52faaf..6bb6529 100644 --- a/policy/modules/kernel/mcs.if @@ -17170,7 +17221,7 @@ index 7be4ddf..4d4c577 100644 -# This module currently does not have any file contexts. +/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index ca7e808..9ca9557 100644 +index ca7e808..f155e92 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` 
@@ -17279,8 +17330,11 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') -@@ -311,6 +345,8 @@ interface(`selinux_set_enforce_mode',` - bool secure_mode_policyload; +@@ -308,21 +342,13 @@ interface(`selinux_set_enforce_mode',` + gen_require(` + type security_t; + attribute can_setenforce; +- bool secure_mode_policyload; ') + dev_getattr_sysfs_fs($1) @@ -17288,8 +17342,23 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_setenforce; -@@ -342,6 +378,8 @@ interface(`selinux_load_policy',` - bool secure_mode_policyload; +- +- if(!secure_mode_policyload) { +- allow $1 security_t:security setenforce; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security setenforce; +- ') +- } + ') + + ######################################## +@@ -339,21 +365,13 @@ interface(`selinux_load_policy',` + gen_require(` + type security_t; + attribute can_load_policy; +- bool secure_mode_policyload; ') + dev_getattr_sysfs_fs($1) @@ -17297,7 +17366,19 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_load_policy; -@@ -371,6 +409,8 @@ interface(`selinux_read_policy',` +- +- if(!secure_mode_policyload) { +- allow $1 security_t:security load_policy; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security load_policy; +- ') +- } + ') + + ######################################## +@@ -371,6 +389,8 @@ interface(`selinux_read_policy',` type security_t; ') 
@@ -17306,27 +17387,58 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; allow $1 security_t:security read_policy; -@@ -436,6 +476,8 @@ interface(`selinux_set_generic_booleans',` - bool secure_mode_policyload; +@@ -433,20 +453,14 @@ interface(`selinux_set_boolean',` + interface(`selinux_set_generic_booleans',` + gen_require(` + type security_t; +- bool secure_mode_policyload; ++ attribute can_setbool; ') ++ typeattribute $1 can_setbool; + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; +- +- if(!secure_mode_policyload) { +- allow $1 security_t:security setbool; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security setbool; +- ') +- } + ') -@@ -478,7 +520,10 @@ interface(`selinux_set_all_booleans',` - bool secure_mode_policyload; + ######################################## +@@ -475,20 +489,15 @@ interface(`selinux_set_all_booleans',` + gen_require(` + type security_t; + attribute boolean_type; +- bool secure_mode_policyload; ++ attribute can_setbool; ') ++ typeattribute $1 can_setbool; + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; + allow $1 boolean_type:dir list_dir_perms; allow $1 boolean_type:file rw_file_perms; +- +- if(!secure_mode_policyload) { +- allow $1 security_t:security setbool; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security setbool; +- ') +- } + ') - if(!secure_mode_policyload) { -@@ -519,6 +564,8 @@ interface(`selinux_set_parameters',` + ######################################## +@@ -519,6 +528,8 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') 
@@ -17335,7 +17447,7 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; -@@ -542,6 +589,8 @@ interface(`selinux_validate_context',` +@@ -542,6 +553,8 @@ interface(`selinux_validate_context',` type security_t; ') @@ -17344,7 +17456,7 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security check_context; -@@ -584,6 +633,8 @@ interface(`selinux_compute_access_vector',` +@@ -584,6 +597,8 @@ interface(`selinux_compute_access_vector',` type security_t; ') @@ -17353,7 +17465,7 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; -@@ -605,6 +656,8 @@ interface(`selinux_compute_create_context',` +@@ -605,6 +620,8 @@ interface(`selinux_compute_create_context',` type security_t; ') @@ -17362,7 +17474,7 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; -@@ -626,6 +679,8 @@ interface(`selinux_compute_member',` +@@ -626,6 +643,8 @@ interface(`selinux_compute_member',` type security_t; ') @@ -17371,7 +17483,7 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; -@@ -655,6 +710,8 @@ interface(`selinux_compute_relabel_context',` +@@ -655,6 +674,8 @@ interface(`selinux_compute_relabel_context',` type security_t; ') @@ -17380,7 +17492,7 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; -@@ -675,6 +732,8 @@ interface(`selinux_compute_user_contexts',` +@@ -675,6 +696,8 @@ interface(`selinux_compute_user_contexts',` type security_t; ') 
@@ -17389,10 +17501,14 @@ index ca7e808..9ca9557 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -@@ -697,3 +756,24 @@ interface(`selinux_unconfined',` +@@ -696,4 +719,28 @@ interface(`selinux_unconfined',` + ') typeattribute $1 selinux_unconfined_type; - ') ++ selinux_set_all_booleans($1) ++ selinux_load_policy($1) ++ selinux_set_parameters($1) ++') + +######################################## +## @@ -17412,13 +17528,36 @@ index ca7e808..9ca9557 100644 + type $1, boolean_type; + fs_type($1) + mls_trusted_object($1) -+') + ') + diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te -index d70e0b3..e1358fe 100644 +index d70e0b3..97b254e 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te -@@ -18,6 +18,7 @@ attribute selinux_unconfined_type; +@@ -1,5 +1,14 @@ + policy_module(selinux, 1.9.1) + ++## ++##
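Review bot: `selinux_unconfined` now calls `selinux_set_all_booleans`, `selinux_load_policy` and `selinux_set_parameters` but not `selinux_set_enforce_mode`, while the old `if(!secure_mode_policyload)` block in selinux.te that this patch removes granted `setenforce` to `selinux_unconfined_type`, and the same patch drops `selinux_unconfined_type` from the `setenforce` neverallow exemption. Unless an unconfined domain picks up `can_setenforce` somewhere not visible here, unconfined_t loses the ability to run setenforce even with secure_mode_policyload off; if that is not intended, add `selinux_set_enforce_mode($1)` alongside the three new calls. The interface header is outside this hunk.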

++## prevent all confined domains from loading policy, setting ++## enforcing mode, and changing boolean values. Set this to true and you ++## have to reboot to set it back ++##

++##
++gen_bool(secure_mode_policyload,false) ++ + ######################################## + # + # Declarations +@@ -8,6 +17,7 @@ policy_module(selinux, 1.9.1) + attribute boolean_type; + attribute can_load_policy; + attribute can_setenforce; ++attribute can_setbool; + attribute can_setsecparam; + attribute selinux_unconfined_type; + +@@ -18,14 +28,15 @@ attribute selinux_unconfined_type; # type security_t, boolean_type; fs_type(security_t) 
@@ -17426,6 +17565,45 @@ index d70e0b3..e1358fe 100644 mls_trusted_object(security_t) sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) + genfscon securityfs / gen_context(system_u:object_r:security_t,s0) + +-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; +-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; +-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; ++neverallow ~{ can_load_policy } security_t:security load_policy; ++neverallow ~{ can_setenforce } security_t:security setenforce; ++neverallow ~{ can_setsecparam } security_t:security setsecparam; + + ######################################## + # +@@ -41,11 +52,24 @@ allow selinux_unconfined_type boolean_type:file read_file_perms; + allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; + + if(!secure_mode_policyload) { +- allow selinux_unconfined_type boolean_type:file rw_file_perms; +- allow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; ++ allow can_setenforce security_t:security setenforce; ++ ++ ifdef(`distro_rhel4',` ++ # needed for systems without audit support ++ auditallow can_setenforce security_t:security setenforce; ++ ') ++ ++ allow can_load_policy security_t:security load_policy; ++ ++ ifdef(`distro_rhel4',` ++ # needed for systems without audit support ++ auditallow can_load_policy security_t:security load_policy; ++ ') ++ ++ allow can_setbool boolean_type:security setbool; + + ifdef(`distro_rhel4',` + # needed for systems without audit support +- auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; ++ auditallow can_setbool boolean_type:security setbool; + ') + } diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 1700ef2..6b7eabb 100644 
--- a/policy/modules/kernel/storage.if @@ -19979,10 +20157,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..a55926b +index 0000000..e3db8d4 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,531 @@ +@@ -0,0 +1,507 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -20048,11 +20226,6 @@ index 0000000..a55926b +role system_r types unconfined_t; +typealias unconfined_t alias unconfined_crontab_t; + -+type unconfined_notrans_t; -+type unconfined_notrans_exec_t; -+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) -+role unconfined_r types unconfined_notrans_t; -+ +######################################## +# +# Local policy @@ -20102,12 +20275,6 @@ index 0000000..a55926b + +systemd_config_all_services(unconfined_t) + -+optional_policy(` -+ mount_run_unconfined(unconfined_t, unconfined_r) -+ # Unconfined running as system_r -+ mount_domtrans_unconfined(unconfined_t) -+') -+ +seutil_run_loadpolicy(unconfined_t, unconfined_r) +seutil_run_setsebool(unconfined_t, unconfined_r) +seutil_run_setfiles(unconfined_t, unconfined_r) @@ -20496,19 +20663,6 @@ index 0000000..a55926b + +######################################## +# -+# Unconfined notrans Local policy -+# -+ -+allow unconfined_notrans_t self:process { execstack execmem }; -+unconfined_domain_noaudit(unconfined_notrans_t) -+userdom_unpriv_usertype(unconfined, unconfined_notrans_t) -+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) -+# Allow SELinux aware applications to request rpm_script execution -+rpm_transition_script(unconfined_notrans_t) -+domain_ptrace_all_domains(unconfined_notrans_t) -+ -+######################################## -+# +# Unconfined mount local policy +# + @@ -21481,7 +21635,7 @@ index c0f858d..d639ae0 100644 accountsd_manage_lib_files($1) 
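Review bot: The new `can_setbool` attribute has no neverallow guard, whereas the three sibling attributes in the same hunk each get one (`neverallow ~{ can_load_policy } security_t:security load_policy;` and so on), so a module could still grant `setbool` directly and bypass the `secure_mode_policyload` gate this hunk centralizes. Add `neverallow ~{ can_setbool } security_t:security setbool;` next to the other three; if `selinux_set_boolean` (named in an earlier hunk header of this file) still grants `setbool` on its own, it will need `typeattribute $1 can_setbool;` too or the build fails on that neverallow. Note also that `allow can_setbool boolean_type:security setbool;` targets `boolean_type` where the removed lines targeted `security_t`; that is a superset because security_t carries boolean_type, which deserves a one-line comment so the widening is not mistaken for a typo.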
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..5bc08d2 100644 +index 1632f10..493bde2 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0) @@ -21493,7 +21647,15 @@ index 1632f10..5bc08d2 100644 type accountsd_var_lib_t; files_type(accountsd_var_lib_t) -@@ -32,10 +34,12 @@ files_read_usr_files(accountsd_t) +@@ -18,6 +20,7 @@ files_type(accountsd_var_lib_t) + # + + allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; ++allow accountsd_t self:process signal; + allow accountsd_t self:fifo_file rw_fifo_file_perms; + + manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) +@@ -32,10 +35,12 @@ files_read_usr_files(accountsd_t) files_read_mnt_files(accountsd_t) fs_list_inotifyfs(accountsd_t) @@ -21506,7 +21668,7 @@ index 1632f10..5bc08d2 100644 miscfiles_read_localization(accountsd_t) -@@ -55,3 +59,8 @@ optional_policy(` +@@ -55,3 +60,8 @@ optional_policy(` optional_policy(` policykit_dbus_chat(accountsd_t) ') @@ -25800,10 +25962,10 @@ index fa62787..ffd0da5 100644 admin_pattern($1, certmaster_etc_rw_t) diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te -index 3384132..daef4e1 100644 +index 3384132..97d3269 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te -@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) +@@ -43,23 +43,25 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) # log files manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) @@ -25826,6 +25988,8 @@ index 3384132..daef4e1 100644 corenet_tcp_bind_generic_node(certmaster_t) corenet_tcp_bind_certmaster_port(certmaster_t) ++dev_read_urand(certmaster_t) ++ files_search_etc(certmaster_t) +files_read_usr_files(certmaster_t) files_list_var(certmaster_t) 
@@ -28557,7 +28721,7 @@ index 35241ed..92acfae 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..3c9cf5a 100644 +index f7583ab..ee001c7 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -28691,7 +28855,7 @@ index f7583ab..3c9cf5a 100644 # -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; -+allow crond_t self:capability { dac_override chown setgid setuid sys_nice dac_read_search }; ++allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; @@ -30915,7 +31079,7 @@ index f706b99..13d3a35 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..5a06fc7 100644 +index f231f17..544ab05 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -31100,7 +31264,7 @@ index f231f17..5a06fc7 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +325,25 @@ optional_policy(` +@@ -276,9 +325,30 @@ optional_policy(` ') optional_policy(` @@ -31126,6 +31290,11 @@ index f231f17..5a06fc7 100644 +optional_policy(` vbetool_domtrans(devicekit_power_t) ') ++ ++optional_policy(` ++ corenet_tcp_connect_xserver_port(devicekit_power_t) ++ xserver_stream_connect(devicekit_power_t) ++') diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc index 767e0c7..7956248 100644 
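Review bot: `fowner` is added to crond_t's self capabilities without a comment saying which operation needs it, and because fowner bypasses the ownership checks on operations like chmod and utime it is one of the capabilities a reviewer most wants justified. Add a short comment above the rule naming the operation and file that produced the denial, in the style of the `# for SSP` comment in the usermanage hunk of this patch. The rest of the crond local policy is outside this hunk.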
--- a/policy/modules/services/dhcp.fc @@ -35311,10 +35480,10 @@ index 0000000..3b1870a + diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te new file mode 100644 -index 0000000..030a521 +index 0000000..3d67b98 --- /dev/null +++ b/policy/modules/services/glance.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,131 @@ +policy_module(glance, 1.0.0) + +######################################## @@ -35329,6 +35498,9 @@ index 0000000..030a521 +type glance_registry_initrc_exec_t; +init_script_file(glance_registry_initrc_exec_t) + ++type glance_registry_tmp_t; ++files_tmp_file(glance_registry_tmp_t) ++ +type glance_api_t; +type glance_api_exec_t; +init_daemon_domain(glance_api_t, glance_api_exec_t) @@ -35357,6 +35529,10 @@ index 0000000..030a521 +allow glance_registry_t self:unix_stream_socket create_stream_socket_perms; +allow glance_registry_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) ++manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) ++files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) ++ +manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t) +manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t) +logging_log_filetrans(glance_registry_t, glance_log_t, { dir file }) @@ -35423,6 +35599,8 @@ index 0000000..030a521 + +dev_read_urand(glance_api_t) + ++fs_getattr_xattr_fs(glance_api_t) ++ +domain_use_interactive_fds(glance_api_t) + +files_read_etc_files(glance_api_t) @@ -45867,7 +46045,7 @@ index b524673..9d90fb3 100644 admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..53f977a 100644 +index 2af42e7..95a25b6 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) 
@@ -45959,7 +46137,15 @@ index 2af42e7..53f977a 100644 userdom_dontaudit_use_unpriv_user_fds(pppd_t) userdom_search_user_home_dirs(pppd_t) -@@ -194,6 +197,8 @@ optional_policy(` +@@ -187,13 +190,15 @@ optional_policy(` + ') + + optional_policy(` +- tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',` ++ tunable_policy(`pppd_can_insmod',` + modutils_domtrans_insmod_uncond(pppd_t) + ') + ') optional_policy(` mta_send_mail(pppd_t) @@ -50792,7 +50978,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..2977339 100644 +index e30bb63..be3f853 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -50963,7 +51149,13 @@ index e30bb63..2977339 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t) +@@ -574,11 +575,13 @@ samba_read_winbind_pid(smbcontrol_t) + + domain_use_interactive_fds(smbcontrol_t) + ++term_use_console(smbcontrol_t) ++ + files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) @@ -50972,7 +51164,7 @@ index e30bb63..2977339 100644 ######################################## # -@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +647,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -50997,7 +51189,7 @@ index e30bb63..2977339 100644 ######################################## # # SWAT Local policy -@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +682,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; 
@@ -51006,7 +51198,7 @@ index e30bb63..2977339 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +697,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -51021,7 +51213,7 @@ index e30bb63..2977339 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +717,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -51029,7 +51221,7 @@ index e30bb63..2977339 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +760,8 @@ logging_search_logs(swat_t) +@@ -754,6 +762,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -51038,7 +51230,7 @@ index e30bb63..2977339 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +816,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -51060,7 +51252,7 @@ index e30bb63..2977339 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +844,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
@@ -51068,7 +51260,7 @@ index e30bb63..2977339 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +916,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -51077,7 +51269,7 @@ index e30bb63..2977339 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +932,18 @@ optional_policy(` +@@ -922,6 +934,18 @@ optional_policy(` # optional_policy(` @@ -51096,7 +51288,7 @@ index e30bb63..2977339 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +954,12 @@ optional_policy(` +@@ -932,9 +956,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -51351,7 +51543,7 @@ index f1aea88..a5a75a8 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index cfc60dd..53a9d2d 100644 +index cfc60dd..791c5b3 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) @@ -51364,7 +51556,7 @@ index cfc60dd..53a9d2d 100644 type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) -@@ -38,17 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; +@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; 
@@ -51381,14 +51573,14 @@ index cfc60dd..53a9d2d 100644 kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) - ++kernel_rw_afs_state(saslauthd_t) ++ +#577519 +corecmd_exec_bin(saslauthd_t) -+ + corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) - corenet_tcp_sendrecv_generic_if(saslauthd_t) -@@ -94,6 +93,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` +@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) @@ -51410,7 +51602,7 @@ index 0000000..d5c3c3f +/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if new file mode 100644 -index 0000000..8aef188 +index 0000000..b077a62 --- /dev/null +++ b/policy/modules/services/sblim.if @@ -0,0 +1,78 @@ @@ -51453,7 +51645,7 @@ index 0000000..8aef188 + ') + + files_search_pids($1) -+ allow $1 gatherd_var_run_t:file read_file_perms; ++ allow $1 sblim_var_run_t:file read_file_perms; +') + + @@ -53919,7 +54111,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..4ecf377 100644 +index 8ffa257..69e86c3 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -53928,7 +54120,7 @@ index 8ffa257..4ecf377 100644 # -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; + -+allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; ++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; -allow sssd_t self:fifo_file rw_file_perms; +allow sssd_t self:fifo_file rw_fifo_file_perms; 
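Review bot: The new `corecmd_exec_bin(saslauthd_t)` rule is justified only by the bare comment `#577519`, which tells a reader neither which tracker the number belongs to nor what saslauthd has to execute, and the neighbouring `kernel_rw_afs_state(saslauthd_t)` carries no comment at all. Expand it to something like `# <tracker> #577519: saslauthd runs <helper> -- TODO confirm` and give the AFS rule its own one-line reason so both grants can be re-evaluated later instead of being kept by inertia. The enclosing saslauthd policy block continues outside the hunk.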
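Review bot: `net_admin` is added to the `sssd_t` self capability set with no comment explaining why an identity daemon needs it; unlike `chown` or `setuid` it is a broad capability (interface configuration, routing, privileged socket options) and is the kind of grant that should carry its reason so it is not silently kept forever. Please add a line above the allow rule naming the operation and the denial that motivated it, e.g. `# net_admin: <operation sssd performs> -- TODO record the audit denial`. If it was added only to quiet a single denial, a `dontaudit` may be the better fit; the visible lines do not show which.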
@@ -54093,7 +54285,7 @@ index 08d999c..bca4388 100644 /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te -index 52f0d6c..7ef2b18 100644 +index 52f0d6c..1473d95 100644 --- a/policy/modules/services/sysstat.te +++ b/policy/modules/services/sysstat.te @@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0) @@ -54114,7 +54306,15 @@ index 52f0d6c..7ef2b18 100644 allow sysstat_t self:fifo_file rw_fifo_file_perms; can_exec(sysstat_t, sysstat_exec_t) -@@ -51,12 +49,16 @@ fs_getattr_xattr_fs(sysstat_t) +@@ -36,6 +34,7 @@ kernel_read_kernel_sysctls(sysstat_t) + kernel_read_fs_sysctls(sysstat_t) + kernel_read_rpc_sysctls(sysstat_t) + ++corecmd_exec_shell(sysstat_t) + corecmd_exec_bin(sysstat_t) + + dev_read_urand(sysstat_t) +@@ -51,12 +50,16 @@ fs_getattr_xattr_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) term_use_console(sysstat_t) @@ -54132,7 +54332,7 @@ index 52f0d6c..7ef2b18 100644 miscfiles_read_localization(sysstat_t) userdom_dontaudit_list_user_home_dirs(sysstat_t) -@@ -64,7 +66,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t) +@@ -64,7 +67,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t) optional_policy(` cron_system_entry(sysstat_t, sysstat_exec_t) ') @@ -58161,7 +58361,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..00b270e 100644 +index 143c893..453a478 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
@@ -58527,7 +58727,7 @@ index 143c893..00b270e 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +454,63 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -58545,6 +58745,7 @@ index 143c893..00b270e 100644 +files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) ++can_exec(xdm_t, xdm_tmp_t) manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) @@ -58596,7 +58797,7 @@ index 143c893..00b270e 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -58624,7 +58825,7 @@ index 143c893..00b270e 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +549,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -58678,7 +58879,7 @@ index 143c893..00b270e 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +602,23 @@ files_list_mnt(xdm_t) +@@ -435,9 +603,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
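Review bot: `can_exec(xdm_t, xdm_tmp_t)` lets the display manager execute files in a type it also creates (the `files_tmp_filetrans(xdm_t, xdm_tmp_t, ...)` rule a few lines above), which removes the write/execute separation on its scratch directory. The rule has no comment saying which program drops an executable into the xdm tmp directory; add one, e.g. `# <program> writes and runs a script under its tmp dir -- TODO confirm`, so the grant can be narrowed to a dedicated type if that program changes. The `xdm_t` policy block continues outside the hunk.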
@@ -58702,7 +58903,7 @@ index 143c893..00b270e 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +627,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +628,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -58742,7 +58943,7 @@ index 143c893..00b270e 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -58773,7 +58974,7 @@ index 143c893..00b270e 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -58788,7 +58989,7 @@ index 143c893..00b270e 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -58810,7 +59011,7 @@ index 143c893..00b270e 100644 ') optional_policy(` -@@ -519,12 +748,62 @@ optional_policy(` +@@ -519,12 +749,62 @@ optional_policy(` ') optional_policy(` @@ -58873,7 +59074,7 @@ index 143c893..00b270e 100644 hostname_exec(xdm_t) ') -@@ -542,28 +821,69 @@ optional_policy(` +@@ -542,28 +822,69 @@ optional_policy(` ') optional_policy(` @@ -58952,7 +59153,7 @@ index 143c893..00b270e 100644 ') optional_policy(` -@@ -575,6 +895,14 @@ optional_policy(` +@@ -575,6 +896,14 @@ optional_policy(` ') optional_policy(` 
@@ -58967,7 +59168,7 @@ index 143c893..00b270e 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +927,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -58976,7 +59177,7 @@ index 143c893..00b270e 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +941,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -58992,7 +59193,7 @@ index 143c893..00b270e 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +968,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -59014,7 +59215,7 @@ index 143c893..00b270e 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +988,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -59022,7 +59223,7 @@ index 143c893..00b270e 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1015,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -59030,7 +59231,7 @@ index 143c893..00b270e 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1024,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -59048,7 +59249,7 @@ index 143c893..00b270e 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1045,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -59062,7 +59263,7 @@ index 143c893..00b270e 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1064,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1065,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -59071,7 +59272,7 @@ index 143c893..00b270e 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1071,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -59086,7 +59287,7 @@ index 143c893..00b270e 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1130,40 @@ optional_policy(` +@@ -778,16 +1131,40 @@ optional_policy(` ') optional_policy(` 
@@ -59128,7 +59329,7 @@ index 143c893..00b270e 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1172,10 @@ optional_policy(` +@@ -796,6 +1173,10 @@ optional_policy(` ') optional_policy(` @@ -59139,7 +59340,7 @@ index 143c893..00b270e 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1191,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1192,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -59153,7 +59354,7 @@ index 143c893..00b270e 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1202,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1203,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -59162,7 +59363,7 @@ index 143c893..00b270e 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1215,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1216,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -59172,7 +59373,7 @@ index 143c893..00b270e 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1225,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1226,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -59184,7 +59385,7 @@ index 143c893..00b270e 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1238,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1239,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -59201,7 +59402,7 @@ index 143c893..00b270e 100644 ') optional_policy(` -@@ -862,6 +1253,10 @@ optional_policy(` +@@ -862,6 +1254,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -59212,7 +59413,7 @@ index 143c893..00b270e 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1300,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1301,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -59221,7 +59422,7 @@ index 143c893..00b270e 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1354,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1355,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -59253,7 +59454,7 @@ index 143c893..00b270e 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1400,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1401,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -59702,10 +59903,18 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..5b765ce 100644 +index 28ad538..59742f4 100644 --- a/policy/modules/system/authlogin.fc 
+++ b/policy/modules/system/authlogin.fc -@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', ` +@@ -5,6 +5,7 @@ + /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) + /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) + /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0) + /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) + + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) +@@ -30,6 +31,7 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -59713,7 +59922,7 @@ index 28ad538..5b765ce 100644 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -45,5 +46,4 @@ ifdef(`distro_gentoo', ` +@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', ` /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) @@ -64539,7 +64748,7 @@ index 532181a..2410551 100644 /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 9c0faab..dd6530e 100644 +index 9c0faab..5d93844 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -64578,11 +64787,36 @@ index 9c0faab..dd6530e 100644 ## Read the configuration options used when ## loading modules. ##
+@@ -152,13 +172,7 @@ interface(`modutils_domtrans_insmod_uncond',` + ## + # + interface(`modutils_domtrans_insmod',` +- gen_require(` +- bool secure_mode_insmod; +- ') +- +- if (!secure_mode_insmod) { +- modutils_domtrans_insmod_uncond($1) +- } ++ modutils_domtrans_insmod_uncond($1) + ') + + ######################################## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index a0eef20..d5408ff 100644 +index a0eef20..406f160 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te -@@ -18,11 +18,12 @@ type insmod_t; +@@ -1,9 +1,5 @@ + policy_module(modutils, 1.10.1) + +-gen_require(` +- bool secure_mode_insmod; +-') +- + ######################################## + # + # Declarations +@@ -18,11 +14,12 @@ type insmod_t; type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) @@ -64596,7 +64830,7 @@ index a0eef20..d5408ff 100644 # module dependencies type modules_dep_t; -@@ -36,6 +37,9 @@ role system_r types update_modules_t; +@@ -36,6 +33,9 @@ role system_r types update_modules_t; type update_modules_tmp_t; files_tmp_file(update_modules_tmp_t) @@ -64606,7 +64840,7 @@ index a0eef20..d5408ff 100644 ######################################## # # depmod local policy -@@ -55,12 +59,15 @@ corecmd_search_bin(depmod_t) +@@ -55,12 +55,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) @@ -64622,7 +64856,7 @@ index a0eef20..d5408ff 100644 fs_getattr_xattr_fs(depmod_t) -@@ -70,10 +77,11 @@ init_use_fds(depmod_t) +@@ -70,10 +73,11 @@ init_use_fds(depmod_t) init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) @@ -64635,7 +64869,7 @@ index a0eef20..d5408ff 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -95,7 +103,6 @@ optional_policy(` +@@ -95,7 +99,6 @@ optional_policy(` ') optional_policy(` 
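Review bot: After this hunk `modutils_domtrans_insmod` is a plain alias of `modutils_domtrans_insmod_uncond` (its body is now just `modutils_domtrans_insmod_uncond($1)`), but the interface's doc block above the hunk is not touched, so it presumably still describes the secure_mode_insmod conditional. Either state in that description that the wrapper is kept for compatibility and is equivalent to the `_uncond` variant, or reduce it to a `refpolicywarn` deprecation stub pointing callers at `_uncond` (the ppp.te hunk earlier in this patch already switches to `_uncond` directly). The modutils.te hunk further on that drops the `if( ! secure_mode_insmod )` guard around `kernel_domtrans_to(insmod_t, insmod_exec_t)` has the same gap: a one-line comment there recording that module loading is no longer switchable at runtime would spare the next reader a search of the history. The interface's doc block starts outside the hunk.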
@@ -64643,7 +64877,7 @@ index a0eef20..d5408ff 100644 unconfined_domain(depmod_t) ') -@@ -104,11 +111,12 @@ optional_policy(` +@@ -104,11 +107,12 @@ optional_policy(` # insmod local policy # @@ -64657,7 +64891,7 @@ index a0eef20..d5408ff 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -118,6 +122,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) can_exec(insmod_t, insmod_exec_t) @@ -64667,7 +64901,7 @@ index a0eef20..d5408ff 100644 kernel_load_module(insmod_t) kernel_request_load_module(insmod_t) kernel_read_system_state(insmod_t) -@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t) +@@ -126,6 +133,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -64675,7 +64909,7 @@ index a0eef20..d5408ff 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t) +@@ -143,6 +151,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -64683,7 +64917,7 @@ index a0eef20..d5408ff 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t) +@@ -161,11 +170,18 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -64702,7 +64936,7 @@ index a0eef20..d5408ff 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t) +@@ -174,41 +190,38 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) 
@@ -64711,14 +64945,20 @@ index a0eef20..d5408ff 100644 +term_use_all_inherited_terms(insmod_t) userdom_dontaudit_search_user_home_dirs(insmod_t) - if( ! secure_mode_insmod ) { -@@ -187,28 +206,27 @@ optional_policy(` +-if( ! secure_mode_insmod ) { +- kernel_domtrans_to(insmod_t, insmod_exec_t) +-} ++kernel_domtrans_to(insmod_t, insmod_exec_t) + + optional_policy(` + alsa_domtrans(insmod_t) ') optional_policy(` - firstboot_dontaudit_rw_pipes(insmod_t) - firstboot_dontaudit_rw_stream_sockets(insmod_t) + devicekit_use_fds_disk(insmod_t) ++ devicekit_dontaudit_read_pid_files(insmod_t) ') optional_policy(` @@ -64747,7 +64987,7 @@ index a0eef20..d5408ff 100644 ') optional_policy(` -@@ -236,6 +254,10 @@ optional_policy(` +@@ -236,6 +249,10 @@ optional_policy(` ') optional_policy(` @@ -64758,7 +64998,7 @@ index a0eef20..d5408ff 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -296,7 +318,7 @@ logging_send_syslog_msg(update_modules_t) +@@ -296,7 +313,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) @@ -64790,7 +65030,7 @@ index 72c746e..704d2d7 100644 +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 8b5c196..1be2768 100644 +index 8b5c196..da41726 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,12 @@ interface(`mount_domtrans',` @@ -64806,7 +65046,7 @@ index 8b5c196..1be2768 100644 ') ######################################## -@@ -45,8 +51,73 @@ interface(`mount_run',` +@@ -45,12 +51,77 @@ interface(`mount_run',` role $2 types mount_t; optional_policy(` 
@@ -64829,11 +65069,11 @@ index 8b5c196..1be2768 100644 + + optional_policy(` + samba_run_smbmount(mount_t, $2) -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. @@ -64853,7 +65093,7 @@ index 8b5c196..1be2768 100644 +interface(`mount_run_fusermount',` + gen_require(` + type mount_t; - ') ++ ') + + mount_domtrans_fusermount($1) + role $2 types mount_t; @@ -64878,22 +65118,14 @@ index 8b5c196..1be2768 100644 + + allow $1 mount_var_run_t:file read_file_perms; + files_search_pids($1) - ') - - ######################################## -@@ -84,9 +155,11 @@ interface(`mount_exec',` - interface(`mount_signal',` - gen_require(` - type mount_t; -+ type unconfined_mount_t; - ') - - allow $1 mount_t:process signal; -+ allow $1 unconfined_mount_t:process signal; - ') - - ######################################## -@@ -95,7 +168,7 @@ interface(`mount_signal',` ++') ++ ++######################################## ++## + ## Execute mount in the caller domain. + ## + ## +@@ -95,7 +166,7 @@ interface(`mount_signal',` ## ## ## 
@@ -64902,54 +65134,45 @@ index 8b5c196..1be2768 100644 ## ## # -@@ -135,6 +208,24 @@ interface(`mount_send_nfs_client_request',` +@@ -135,45 +206,119 @@ interface(`mount_send_nfs_client_request',` ######################################## ## +-## Execute mount in the unconfined mount domain. +## Read the mount tmp directory -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`mount_domtrans_unconfined',` +interface(`mount_list_tmp',` -+ gen_require(` + gen_require(` +- type unconfined_mount_t, mount_exec_t; + type mount_tmp_t; -+ ') -+ + ') + +- domtrans_pattern($1, mount_exec_t, unconfined_mount_t) + allow $1 mount_tmp_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Execute mount in the unconfined mount domain. - ## - ## -@@ -176,4 +267,113 @@ interface(`mount_run_unconfined',` + ') - mount_domtrans_unconfined($1) - role $2 types unconfined_mount_t; -+ -+ optional_policy(` -+ rpc_run_rpcd(unconfined_mount_t, $2) -+ ') -+ -+ optional_policy(` -+ samba_run_smbmount(unconfined_mount_t, $2) -+ ') -+') -+ -+######################################## -+## + ######################################## + ## +-## Execute mount in the unconfined mount domain, and +-## allow the specified role the unconfined mount domain, +-## and use the caller's terminal. +## Execute fusermount in the mount domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`mount_domtrans_fusermount',` + gen_require(` @@ -64968,7 +65191,8 @@ index 8b5c196..1be2768 100644 +## Execute fusermount. +##
+## -+## + ## +-## Role allowed access. +## Domain allowed access. +## +## @@ -64988,14 +65212,19 @@ index 8b5c196..1be2768 100644 +## +## +## Domain to not audit. -+## -+## -+# + ## + ## +-## + # +-interface(`mount_run_unconfined',` +interface(`mount_dontaudit_exec_fusermount',` -+ gen_require(` + gen_require(` +- type unconfined_mount_t; + type fusermount_exec_t; -+ ') -+ + ') + +- mount_domtrans_unconfined($1) +- role $2 types unconfined_mount_t; + dontaudit $1 fusermount_exec_t:file exec_file_perms; +') + @@ -65042,10 +65271,10 @@ index 8b5c196..1be2768 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..79bc8f4 100644 +index 15832c7..2e0bdd4 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te -@@ -17,8 +17,15 @@ type mount_exec_t; +@@ -17,17 +17,29 @@ type mount_exec_t; init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -65061,12 +65290,12 @@ index 15832c7..79bc8f4 100644 type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -28,6 +35,18 @@ files_tmp_file(mount_tmp_t) - # policy--duplicate type declaration - type unconfined_mount_t; - application_domain(unconfined_mount_t, mount_exec_t) -+role system_r types unconfined_mount_t; -+ + +-# causes problems with interfaces when +-# this is optionally declared in monolithic +-# policy--duplicate type declaration +-type unconfined_mount_t; +-application_domain(unconfined_mount_t, mount_exec_t) +type mount_var_run_t; +files_pid_file(mount_var_run_t) +dev_associate(mount_var_run_t) @@ -65080,7 +65309,7 @@ index 15832c7..79bc8f4 100644 ######################################## # -@@ -35,7 +54,11 @@ application_domain(unconfined_mount_t, mount_exec_t) +@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t) # # setuid/setgid needed to mount cifs 
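Review bot: As far as the collapsed hunk shows, `mount_domtrans_unconfined` and `mount_run_unconfined` are removed outright (the `-interface(`mount_domtrans_unconfined',`` and `-interface(`mount_run_unconfined',`` lines have no deprecated replacement), so any module that still calls them will fail to build unless those callers are also removed in hunks outside this view. refpolicy convention for a dropped interface is to keep a stub that calls `refpolicywarn` so out-of-tree callers get a warning rather than a build break. A short line in the commit description listing the removed interfaces would also help packagers who carry local policy modules.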
@@ -65093,7 +65322,7 @@ index 15832c7..79bc8f4 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,9 +69,24 @@ can_exec(mount_t, mount_exec_t) +@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -65119,7 +65348,7 @@ index 15832c7..79bc8f4 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,65 +95,93 @@ kernel_request_load_module(mount_t) +@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -65222,7 +65451,7 @@ index 15832c7..79bc8f4 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +192,12 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +185,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -65235,7 +65464,7 @@ index 15832c7..79bc8f4 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +213,28 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',` ') ') @@ -65274,7 +65503,7 @@ index 15832c7..79bc8f4 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +248,8 @@ optional_policy(` +@@ -174,6 +241,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -65283,7 +65512,7 @@ index 15832c7..79bc8f4 100644 ') optional_policy(` -@@ -181,6 +257,28 @@ optional_policy(` +@@ -181,6 +250,28 @@ optional_policy(` ') optional_policy(` @@ -65312,7 +65541,7 @@ index 15832c7..79bc8f4 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,13 +286,52 @@ optional_policy(` +@@ -188,21 +279,83 @@ optional_policy(` ') ') 
@@ -65346,15 +65575,21 @@ index 15832c7..79bc8f4 100644 optional_policy(` samba_domtrans_smbmount(mount_t) + samba_read_config(mount_t) -+') -+ + ') + +-######################################## +-# +-# Unconfined mount local policy +-# +optional_policy(` + ssh_exec(mount_t) +') -+ -+optional_policy(` + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) + usbmuxd_stream_connect(mount_t) -+') + ') + +optional_policy(` + virt_read_blk_images(mount_t) @@ -65362,22 +65597,8 @@ index 15832c7..79bc8f4 100644 + +optional_policy(` + vmware_exec_host(mount_t) - ') - - ######################################## -@@ -203,6 +340,43 @@ optional_policy(` - # - - optional_policy(` -+ unconfined_domain_noaudit(unconfined_mount_t) +') + -+optional_policy(` -+ userdom_unpriv_usertype(unconfined, unconfined_mount_t) - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) - ') -+ +###################################### +# +# showmount local policy @@ -67119,10 +67340,10 @@ index 0000000..9eaa38e +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..fdb31d8 +index 0000000..42276b7 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,414 @@ +@@ -0,0 +1,416 @@ +## SELinux policy for systemd components + +####################################### @@ -67206,7 +67427,9 @@ index 0000000..fdb31d8 + ') + + files_search_var_lib($1) -+ allow $1 systemd_unit_file_type:file read_file_perms; ++ allow $1 systemd_unit_file_type:file read_file_perms; ++ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms; ++ allow $1 systemd_unit_file_type:dir list_dir_perms; +') + +##################################### @@ -68338,10 +68561,10 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') 
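Review bot: The two allow rules added to the systemd.if hunk (`systemd_unit_file_type:lnk_file read_lnk_file_perms` and `systemd_unit_file_type:dir list_dir_perms`) widen what callers of this interface can do, but the interface's header and `##` description sit outside the hunk and are not updated. A reader of the interface summary would presumably still expect "read unit files" only, so a short in-body comment above the three allow rules, e.g. `# reading a unit means listing its directory and following the enable symlinks`, would make the broadened grant explicit. The enclosing interface starts before the hunk.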
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..a56f542 100644 +index 416e668..683497a 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if -@@ -12,27 +12,34 @@ +@@ -12,27 +12,29 @@ # interface(`unconfined_domain_noaudit',` gen_require(` @@ -68349,7 +68572,6 @@ index 416e668..a56f542 100644 class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; -+ bool secure_mode_insmod; ') # Use any Linux capability. @@ -68358,10 +68580,6 @@ index 416e668..a56f542 100644 + allow $1 self:capability ~sys_module; + allow $1 self:capability2 syslog; + allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; -+ -+ if (!secure_mode_insmod) { -+ allow $1 self:capability sys_module; -+ } # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; @@ -68383,7 +68601,7 @@ index 416e668..a56f542 100644 kernel_unconfined($1) corenet_unconfined($1) -@@ -43,6 +50,13 @@ interface(`unconfined_domain_noaudit',` +@@ -43,6 +45,13 @@ interface(`unconfined_domain_noaudit',` files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) @@ -68397,7 +68615,7 @@ index 416e668..a56f542 100644 tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. -@@ -69,6 +83,7 @@ interface(`unconfined_domain_noaudit',` +@@ -69,6 +78,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -68405,7 +68623,7 @@ index 416e668..a56f542 100644 ') optional_policy(` -@@ -122,6 +137,10 @@ interface(`unconfined_domain_noaudit',` +@@ -122,6 +132,10 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` 
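Review bot: In the `@@ -68358,10 +68580,6 @@` hunk the `if (!secure_mode_insmod)` branch is removed, so `unconfined_domain_noaudit` now grants `self:capability ~sys_module` and has no remaining path that grants sys_module at all; that is a deliberate hardening per the commit subject, but nothing in the interface says so, and a later maintainer could read the `~sys_module` as an oversight. A one-line comment on the allow rule would pin the intent, e.g. `# sys_module is withheld on purpose; kernel module loading is presumably expected to go through the insmod domain transition rather than from an unconfined domain`. The companion hunk `@@ -68349,7 +68572,6 @@` drops `bool secure_mode_insmod;` from gen_require, which is consistent, but if the boolean itself is gone from global_booleans as the subject implies, any other module that still requires it will no longer build, so a grep for remaining references before merging seems worthwhile.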
@@ -68416,7 +68634,7 @@ index 416e668..a56f542 100644 unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -178,412 +197,3 @@ interface(`unconfined_alias_domain',` +@@ -178,412 +192,3 @@ interface(`unconfined_alias_domain',` interface(`unconfined_execmem_alias_program',` refpolicywarn(`$0($1) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index fc9b871..ab8325f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 25%{?dist} +Release: 26%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,11 @@ SELinux Reference policy mls base module. %endif %changelog ++* Fri Sep 9 2011 Miroslav Grepl 3.10.0-26 +- removing unconfined_notrans_t no longer necessary +- Clean up handling of secure_mode_insmod and secure_mode_policyload +- Remove unconfined_mount_t + * Tue Sep 6 2011 Miroslav Grepl 3.10.0-25 - Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy