From 116d73139a7138dc451618f71dc40c56235b48e5 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 14 2011 17:48:34 +0000 Subject: - gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scri - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc --- diff --git a/modules-mls.conf b/modules-mls.conf index ccfa3e8..2ecea15 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -2096,3 +2096,10 @@ shutdown = module # The unlabelednet module. # unlabelednet = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module diff --git a/modules-targeted.conf b/modules-targeted.conf index 905cd44..44b5b28 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2335,3 +2335,10 @@ keyboardd = module # firewalld is firewall service daemon that provides dynamic customizable # firewalld = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module diff --git a/policy-F15.patch b/policy-F15.patch index bb4ab9d..87dc4e7 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -4376,7 +4376,7 @@ index 9a6d67d..5ac3ea5 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..593cefa 100644 +index 2a91fa8..319c66a 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) 
@@ -4458,7 +4458,7 @@ index 2a91fa8..593cefa 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,151 @@ optional_policy(` +@@ -266,3 +291,161 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4513,6 +4513,9 @@ index 2a91fa8..593cefa 100644 +corenet_tcp_connect_squid_port(mozilla_plugin_t) +corenet_tcp_connect_ipp_port(mozilla_plugin_t) +corenet_tcp_connect_speech_port(mozilla_plugin_t) ++corenet_tcp_connect_streaming_port(mozilla_plugin_t) ++corenet_tcp_bind_generic_node(mozilla_plugin_t) ++corenet_udp_bind_generic_node(mozilla_plugin_t) + +dev_read_rand(mozilla_plugin_t) +dev_read_urand(mozilla_plugin_t) @@ -4536,6 +4539,8 @@ index 2a91fa8..593cefa 100644 + +application_dontaudit_signull(mozilla_plugin_t) + ++logging_send_syslog_msg(mozilla_plugin_t) ++ +miscfiles_read_localization(mozilla_plugin_t) +miscfiles_read_fonts(mozilla_plugin_t) +miscfiles_read_certs(mozilla_plugin_t) @@ -4568,11 +4573,16 @@ index 2a91fa8..593cefa 100644 +') + +optional_policy(` ++ dbus_system_bus_client(mozilla_plugin_t) + dbus_session_bus_client(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) +') + +optional_policy(` ++ git_dontaudit_read_session_content_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gnome_manage_config(mozilla_plugin_t) + gnome_setattr_home_config(mozilla_plugin_t) +') 
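Review bot: The `corenet_tcp_bind_generic_node(mozilla_plugin_t)` / `corenet_udp_bind_generic_node(mozilla_plugin_t)` pair in the `@@ -4513` hunk gives the plugin domain the node half of a listening socket, and nothing nearby says which plugin needs an inbound socket or which `corenet_*_bind_*_port` rule is meant to bound it; without such a port rule the pair is inert, with one it is a listener in a browser-plugin domain. Either way a comment naming the consumer keeps it auditable, e.g. `# <plugin name> accepts inbound connections -- TODO name the matching bind_*_port rule`. The `dbus_system_bus_client(mozilla_plugin_t)` line added in the `@@ -4568` hunk opens the system bus to the same domain and deserves the same one-line rationale. Both sit inside the mozilla_plugin_t section of mozilla.te, which begins and ends outside these hunks.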
@@ -4694,6 +4704,111 @@ index 931304b..e8c6795 100644 nscd_socket_use(mplayer_t) ') +diff --git a/policy/modules/apps/namespace.fc b/policy/modules/apps/namespace.fc +new file mode 100644 +index 0000000..ce51c8d +--- /dev/null ++++ b/policy/modules/apps/namespace.fc +@@ -0,0 +1,3 @@ ++ ++/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0) ++ +diff --git a/policy/modules/apps/namespace.if b/policy/modules/apps/namespace.if +new file mode 100644 +index 0000000..9747548 +--- /dev/null ++++ b/policy/modules/apps/namespace.if +@@ -0,0 +1,46 @@ ++ ++## policy for namespace ++ ++######################################## ++## ++## Execute a domain transition to run namespace_init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`namespace_init_domtrans',` ++ gen_require(` ++ type namespace_init_t, namespace_init_exec_t; ++ ') ++ ++ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t) ++') ++ ++ ++######################################## ++## ++## Execute namespace_init in the namespace_init domain, and ++## allow the specified role the namespace_init domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the namespace_init domain. 
++## ++## ++# ++interface(`namespace_init_run',` ++ gen_require(` ++ type namespace_init_t; ++ ') ++ ++ namespace_init_domtrans($1) ++ role $2 types namespace_init_t; ++') +diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te +new file mode 100644 +index 0000000..ce7dbac +--- /dev/null ++++ b/policy/modules/apps/namespace.te +@@ -0,0 +1,38 @@ ++policy_module(namespace,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type namespace_init_t; ++type namespace_init_exec_t; ++init_system_domain(namespace_init_t, namespace_init_exec_t) ++role system_r types namespace_init_t; ++ ++permissive namespace_init_t; ++ ++######################################## ++# ++# namespace_init local policy ++# ++ ++allow namespace_init_t self:capability dac_override; ++ ++allow namespace_init_t self:fifo_file manage_fifo_file_perms; ++allow namespace_init_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_system_state(namespace_init_t) ++ ++domain_use_interactive_fds(namespace_init_t) ++ ++files_read_etc_files(namespace_init_t) ++files_polyinstantiate_all(namespace_init_t) ++ ++miscfiles_read_localization(namespace_init_t) ++ ++userdom_manage_user_home_content_dirs(namespace_init_t) ++userdom_manage_user_home_content_files(namespace_init_t) ++userdom_relabelto_user_home_dirs(namespace_init_t) ++userdom_relabelto_user_home_files(namespace_init_t) ++userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file }) diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc new file mode 100644 index 0000000..717eb3f 
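Review bot: `permissive namespace_init_t;` ships the new domain unenforced, and neither namespace.te nor the commit message marks this as temporary; together with `allow namespace_init_t self:capability dac_override;`, `files_polyinstantiate_all`, and the `userdom_manage_user_home_content_*` / `userdom_relabelto_user_home_*` rules, denials against any user's home content are only logged while this line stays. Annotate it so it is not forgotten: `# permissive while polyinstantiation denials are collected -- drop before the module is treated as enforcing`. namespace.fc also opens and closes with an empty line around its single entry, which the other .fc files in this patch do not do. Its label for /etc/security/namespace.init pairs with the bin_t entry removed from corecommands.fc later in this patch, so the two hunks need to ship together.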
@@ -6913,11 +7028,41 @@ index 0000000..5259647 + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') + +diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc +index 1f2cde4..7bb3047 100644 +--- a/policy/modules/apps/screen.fc ++++ b/policy/modules/apps/screen.fc +@@ -2,6 +2,7 @@ + # /home + # + HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) ++HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) + + # + # /usr diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index 320df26..879e804 100644 +index 320df26..3312145 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if -@@ -81,8 +81,6 @@ template(`screen_role_template',` +@@ -64,6 +64,9 @@ template(`screen_role_template',` + files_pid_filetrans($1_screen_t, screen_var_run_t, dir) + + allow $1_screen_t screen_home_t:dir list_dir_perms; ++ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) ++ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) ++ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) + read_files_pattern($1_screen_t, screen_home_t, screen_home_t) + read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) + +@@ -73,6 +76,7 @@ template(`screen_role_template',` + allow $3 $1_screen_t:process { signal sigchld }; + allow $1_screen_t $3:process signal; + ++ manage_fifo_files_pattern($3, screen_home_t, screen_home_t) + manage_dirs_pattern($3, screen_home_t, screen_home_t) + manage_files_pattern($3, screen_home_t, screen_home_t) + manage_lnk_files_pattern($3, screen_home_t, screen_home_t) +@@ -81,8 +85,6 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) @@ -7981,7 +8126,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) 
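Review bot: `userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)` in the inner `@@ -64,6 +64,9` hunk has no name component, so every directory $1_screen_t creates directly under the home directory becomes screen_home_t, not only the `.screen` tree that the new screen.fc entry covers. That is presumably acceptable for screen, but the intent should be stated next to the rule, e.g. `# any dir screen creates directly in $HOME (presumably ~/.screen) gets screen_home_t`. The screen_role_template body continues outside the hunk.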
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..d858795 100644 +index 34c9d01..aecd1ff 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -7995,7 +8140,16 @@ index 34c9d01..d858795 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -128,8 +130,8 @@ ifdef(`distro_debian',` +@@ -95,8 +97,6 @@ ifdef(`distro_redhat',` + + /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + +-/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) +- + /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) +@@ -128,8 +128,8 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -8005,7 +8159,7 @@ index 34c9d01..d858795 100644 /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -247,6 +249,8 @@ ifdef(`distro_gentoo',` +@@ -247,6 +247,8 @@ ifdef(`distro_gentoo',` /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -8014,7 +8168,7 @@ index 34c9d01..d858795 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -307,6 +311,7 @@ ifdef(`distro_redhat', ` +@@ -307,6 +309,7 @@ ifdef(`distro_redhat', ` /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -8022,7 +8176,7 @@ index 34c9d01..d858795 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -316,9 +321,11 @@ ifdef(`distro_redhat', ` +@@ -316,9 +319,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -8142,7 +8296,7 @@ index b06df19..c0763c2 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index edefaf3..e9599e0 100644 +index edefaf3..14fc728 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -15,6 +15,7 @@ attribute rpc_port_type; @@ -8320,7 +8474,7 @@ index edefaf3..e9599e0 100644 -network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp network_port(ssh, tcp,22,s0) -+network_port(streaming, tcp, 1755, s0, udp, 1755, s0) ++network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0) type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) +network_port(sype, tcp,9911,s0, udp,9911,s0) @@ -10860,7 +11014,7 @@ index dfe361a..496954e 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e49c148..995fade 100644 +index e49c148..4d6bbf4 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; 
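Review bot: `network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)` is written with a space after every comma, while the surrounding declarations (`network_port(ssh, tcp,22,s0)`, `network_port(sype, tcp,9911,s0, udp,9911,s0)`) use the file's compact form, and unlike the squid line just above it carries no trailing comment naming the protocols. Suggest `network_port(streaming, tcp,554,s0, udp,554,s0, tcp,1755,s0, udp,1755,s0) # rtsp, mms` so the line matches its neighbours and the port meanings are visible. The port table continues outside the hunk.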
@@ -10937,6 +11091,14 @@ index e49c148..995fade 100644 files_mountpoint(removable_t) # +@@ -266,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) ++genfscon 9p / gen_context(system_u:object_r:nfs_t,s0) + + ######################################## + # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index b4ad6d7..67e89f0 100644 --- a/policy/modules/kernel/kernel.if @@ -16029,6 +16191,23 @@ index 8b8143e..c1a2b96 100644 ps_process_pattern($1, asterisk_t) init_labeled_script_domtrans($1, asterisk_initrc_exec_t) +diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te +index b3b0176..cb0c6e7 100644 +--- a/policy/modules/services/asterisk.te ++++ b/policy/modules/services/asterisk.te +@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f + manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) + files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) + ++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) +-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) ++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file }) + + kernel_read_system_state(asterisk_t) + kernel_read_kernel_sysctls(asterisk_t) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index d80a16b..a43e006 100644 --- a/policy/modules/services/automount.if @@ -21316,10 +21495,10 @@ index 0000000..9d8f5de +') 
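Review bot: `genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)` places an entire 9p mount under the same type as NFS and the other remote filesystems listed around it, with no comment; 9p is commonly a host-to-guest share, so every nfs_t interface and the use_nfs_home_dirs tunable now also govern host-shared content. A line above it such as `# 9p (typically a host share to a guest) is treated like the other network filesystems` makes that choice visible to anyone auditing nfs_t access later. The genfscon list continues outside the hunk.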
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..01c3755 +index 0000000..5df774f --- /dev/null +++ b/policy/modules/services/dirsrv.te -@@ -0,0 +1,172 @@ +@@ -0,0 +1,171 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -21439,8 +21618,7 @@ index 0000000..01c3755 +') + +optional_policy(` -+ kerberos_read_config(dirsrv_t) -+ kerberos_dontaudit_write_config(dirsrv_t) ++ kerberos_use(dirsrv_t) +') + +optional_policy(` @@ -21745,7 +21923,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..e8f3b0e 100644 +index cbe14e4..ae635c6 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -21853,7 +22031,13 @@ index cbe14e4..e8f3b0e 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +272,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; +@@ -249,23 +268,39 @@ optional_policy(` + # + # dovecot deliver local policy + # ++ ++allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms; + allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; @@ -21889,7 +22073,7 @@ index cbe14e4..e8f3b0e 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -301,5 +334,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -301,5 +336,15 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -21899,6 +22083,11 @@ index cbe14e4..e8f3b0e 100644 +optional_policy(` mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) ++') ++ ++optional_policy(` ++ # Handle sieve scripts ++ sendmail_domtrans(dovecot_deliver_t) ') diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc new file mode 100644 
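Review bot: Replacing `kerberos_read_config(dirsrv_t)` and `kerberos_dontaudit_write_config(dirsrv_t)` with `kerberos_use(dirsrv_t)` grants more than the two rules it removes (if I recall the interface correctly, at least the KDC port access gated by the allow_kerberos tunable), and the hunk does not say what dirsrv needed beyond reading the Kerberos configuration. A one-line comment above the call naming the trigger, e.g. `# kerberos_use: needed for <auth mechanism> -- TODO cite the denial`, keeps the widening reviewable. dirsrv.te is a new file whose body mostly lies outside this hunk.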
@@ -22835,10 +23024,10 @@ index 54f0737..2b552c5 100644 +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if -index 458aac6..3780650 100644 +index 458aac6..03645a9 100644 --- a/policy/modules/services/git.if +++ b/policy/modules/services/git.if -@@ -1 +1,520 @@ +@@ -1 +1,539 @@ -## GIT revision control system +## Fast Version Control System. +## @@ -23214,6 +23403,25 @@ index 458aac6..3780650 100644 + ') +') + ++####################################### ++## ++## Dontaudit the specified domain to read ++## Git daemon session content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`git_dontaudit_read_session_content_files',` ++ gen_require(` ++ type git_session_content_t; ++ ') ++ ++ dontaudit $1 git_session_content_t:file read_file_perms; ++') ++ +######################################## +## +## Allow the specified domain to read @@ -23598,6 +23806,18 @@ index 671d8fd..25c7ab8 100644 + dontaudit $1 gnomeclock_t:dbus send_msg; + dontaudit gnomeclock_t $1:dbus send_msg; +') +diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te +index 4fde46b..41dfb2b 100644 +--- a/policy/modules/services/gnomeclock.te ++++ b/policy/modules/services/gnomeclock.te +@@ -20,6 +20,7 @@ allow gnomeclock_t self:fifo_file rw_fifo_file_perms; + allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + + corecmd_exec_bin(gnomeclock_t) ++corecmd_exec_shell(gnomeclock_t) + + files_read_etc_files(gnomeclock_t) + files_read_usr_files(gnomeclock_t) diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if index 7d97298..d6b2959 100644 --- a/policy/modules/services/gpm.if @@ -27393,7 +27613,7 @@ index e9c0982..a12d5ea 100644 admin_pattern($1, mysqld_tmp_t) ') 
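Review bot: `corecmd_exec_shell(gnomeclock_t)` in the gnomeclock.te hunk grants a privileged D-Bus helper shell execution with no comment on which script it runs; the commit subject only says "gnomeclock executes a shell". Shell access in a system-service domain is a wide grant, so name the caller at the line, e.g. `# gnomeclock runs <script> through the shell -- TODO narrow to a dedicated exec type if possible`. The gnomeclock_t local policy continues outside the hunk.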
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..024120d 100644 +index 0a0d63c..579f237 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) @@ -27423,7 +27643,7 @@ index 0a0d63c..024120d 100644 allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,9 +79,10 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) @@ -27435,7 +27655,14 @@ index 0a0d63c..024120d 100644 kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) -@@ -127,8 +129,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + ++corecmd_exec_bin(mysqld_t) ++corecmd_exec_shell(mysqld_t) ++ + corenet_all_recvfrom_unlabeled(mysqld_t) + corenet_all_recvfrom_netlabel(mysqld_t) + corenet_tcp_sendrecv_generic_if(mysqld_t) +@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) userdom_read_user_home_content_files(mysqld_t) ifdef(`distro_redhat',` @@ -27445,7 +27672,7 @@ index 0a0d63c..024120d 100644 ') tunable_policy(`mysql_connect_any',` -@@ -155,6 +156,7 @@ optional_policy(` +@@ -155,6 +159,7 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; @@ -27453,7 +27680,7 @@ index 0a0d63c..024120d 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,6 +177,7 @@ dev_list_sysfs(mysqld_safe_t) +@@ -175,6 +180,7 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) 
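Review bot: `corecmd_exec_bin(mysqld_t)` and `corecmd_exec_shell(mysqld_t)` in the inner `@@ -78,13 +79,17` hunk let the network-facing mysqld_t domain run any bin_t program and a shell, with no comment saying which feature needs it; shell use is normally expected in the wrapper domain mysqld_safe_t rather than the server itself. Add the reason above the lines, e.g. `# mysqld invokes <helper> -- TODO replace with a specific exec type`, so the grant can be revisited when the trigger is known. The mysqld_t local policy continues outside the hunk.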
@@ -27461,7 +27688,7 @@ index 0a0d63c..024120d 100644 files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) -@@ -183,11 +186,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) +@@ -183,11 +189,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) hostname_exec(mysqld_safe_t) @@ -31563,7 +31790,7 @@ index 29b9295..2a70dd1 100644 pyzor_signal(procmail_t) ') diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if -index bc329d1..f040c20 100644 +index bc329d1..0589f97 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if @@ -91,7 +91,6 @@ interface(`psad_manage_config',` @@ -31583,7 +31810,7 @@ index bc329d1..f040c20 100644 ## ## ## -@@ -176,6 +175,26 @@ interface(`psad_append_log',` +@@ -176,6 +175,45 @@ interface(`psad_append_log',` ######################################## ## @@ -31605,12 +31832,31 @@ index bc329d1..f040c20 100644 + write_files_pattern($1, psad_var_log_t, psad_var_log_t) +') + ++####################################### ++## ++## Allow the specified domain to setattr to psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_setattr_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ +######################################## +## ## Read and write psad fifo files. ## ## -@@ -186,7 +205,7 @@ interface(`psad_append_log',` +@@ -186,7 +224,7 @@ interface(`psad_append_log',` # interface(`psad_rw_fifo_file',` gen_require(` 
@@ -31619,7 +31865,34 @@ index bc329d1..f040c20 100644 ') files_search_var_lib($1) -@@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',` +@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',` + + ####################################### + ## ++## Allow setattr to psad fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_setattr_fifo_file',` ++ gen_require(` ++ type psad_t, psad_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 psad_var_lib_t:fifo_file setattr; ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## + ## Read and write psad tmp files. + ## + ## +@@ -233,7 +291,7 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; @@ -31628,7 +31901,7 @@ index bc329d1..f040c20 100644 type psad_tmp_t; ') -@@ -245,18 +264,18 @@ interface(`psad_admin',` +@@ -245,18 +303,18 @@ interface(`psad_admin',` role_transition $2 psad_initrc_exec_t system_r; allow $2 system_r; @@ -36564,7 +36837,7 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..2b6aef5 100644 +index 2dad3c8..1d1b95f 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) 
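Review bot: `psad_setattr_fifo_file` requires `type psad_t, psad_var_lib_t;` but its body only references psad_var_lib_t, so psad_t is an unused require; change it to `type psad_var_lib_t;`. The interface also allows `setattr` on every fifo_file labelled psad_var_lib_t rather than a dedicated fifo type, which is fine if that is the only fifo under the psad lib directory but worth stating in the interface summary. The surrounding psad.if interfaces begin and end outside the hunk.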
@@ -36628,21 +36901,21 @@ index 2dad3c8..2b6aef5 100644 type ssh_t; type ssh_exec_t; typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; -@@ -76,9 +77,12 @@ ubac_constrained(ssh_tmpfs_t) +@@ -76,8 +77,12 @@ ubac_constrained(ssh_tmpfs_t) type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; -files_type(ssh_home_t) userdom_user_home_content(ssh_home_t) - ++files_poly_parent(ssh_home_t) ++ +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) +') -+ + ############################## # - # SSH client local policy -@@ -95,15 +99,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -95,15 +100,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -36659,7 +36932,7 @@ index 2dad3c8..2b6aef5 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,6 +113,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) 
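Review bot: `files_poly_parent(ssh_home_t)` marks the ssh_home_t directory as a polyinstantiation parent without a comment tying it to the namespace/polyinstantiation work in this same commit, so a later reader will not know why a key directory may be instantiated per session. Likewise the `ifdef(`enable_mcs',`` block gives sshd_t the range `s0 - mcs_systemhigh` with no rationale. Suggest `# ssh_home_t may be polyinstantiated by namespace.init (presumably); contents are then per instance` above the first line and `# sshd needs the full MCS range to label the sessions it spawns -- confirm` inside the ifdef. The ssh_home_t declarations and the sshd_t type referenced here are partly outside the hunk.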
@@ -36667,7 +36940,7 @@ index 2dad3c8..2b6aef5 100644 # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -124,9 +125,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) +@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config @@ -36681,7 +36954,7 @@ index 2dad3c8..2b6aef5 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,6 +140,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -36690,7 +36963,7 @@ index 2dad3c8..2b6aef5 100644 dev_read_urand(ssh_t) -@@ -162,6 +166,7 @@ logging_read_generic_logs(ssh_t) +@@ -162,6 +167,7 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -36698,7 +36971,7 @@ index 2dad3c8..2b6aef5 100644 seutil_read_config(ssh_t) -@@ -169,14 +174,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) +@@ -169,14 +175,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -36717,7 +36990,7 @@ index 2dad3c8..2b6aef5 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -200,6 +204,57 @@ optional_policy(` +@@ -200,6 +205,57 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -36775,7 +37048,7 @@ index 2dad3c8..2b6aef5 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +264,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +265,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; 
@@ -36784,7 +37057,7 @@ index 2dad3c8..2b6aef5 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +287,43 @@ optional_policy(` +@@ -232,33 +288,43 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -36837,7 +37110,7 @@ index 2dad3c8..2b6aef5 100644 ') optional_policy(` -@@ -266,11 +331,24 @@ optional_policy(` +@@ -266,11 +332,24 @@ optional_policy(` ') optional_policy(` @@ -36863,7 +37136,7 @@ index 2dad3c8..2b6aef5 100644 ') optional_policy(` -@@ -284,6 +362,11 @@ optional_policy(` +@@ -284,6 +363,11 @@ optional_policy(` ') optional_policy(` @@ -36875,7 +37148,7 @@ index 2dad3c8..2b6aef5 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +375,26 @@ optional_policy(` +@@ -292,26 +376,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -36921,7 +37194,7 @@ index 2dad3c8..2b6aef5 100644 ') dnl endif TODO ######################################## -@@ -324,7 +407,6 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,7 +408,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -36929,7 +37202,7 @@ index 2dad3c8..2b6aef5 100644 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; -@@ -353,10 +435,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,10 +436,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -40294,7 +40567,7 @@ index da2601a..61bce48 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..d1f5057 100644 +index 145fc4b..f596720 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
@@ -40619,7 +40892,7 @@ index 145fc4b..d1f5057 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -301,20 +413,32 @@ optional_policy(` +@@ -301,20 +413,33 @@ optional_policy(` # XDM Local policy # @@ -40649,6 +40922,7 @@ index 145fc4b..d1f5057 100644 + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) ++ +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) +userdom_signull_unpriv_users(xdm_t) @@ -40656,7 +40930,7 @@ index 145fc4b..d1f5057 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -322,43 +446,69 @@ can_exec(xdm_t, xdm_exec_t) +@@ -322,43 +447,69 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -40733,7 +41007,7 @@ index 145fc4b..d1f5057 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -367,18 +517,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -367,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -40761,7 +41035,7 @@ index 145fc4b..d1f5057 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -390,18 +548,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -390,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -40785,7 +41059,7 @@ index 145fc4b..d1f5057 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -410,18 +572,23 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -410,18 +573,23 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) 
@@ -40812,7 +41086,7 @@ index 145fc4b..d1f5057 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -432,9 +599,17 @@ files_list_mnt(xdm_t) +@@ -432,9 +600,17 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -40830,7 +41104,7 @@ index 145fc4b..d1f5057 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -443,28 +618,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -443,28 +619,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -40869,7 +41143,7 @@ index 145fc4b..d1f5057 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -473,9 +656,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -473,9 +657,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -40900,7 +41174,7 @@ index 145fc4b..d1f5057 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -491,6 +695,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -491,6 +696,12 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -40913,7 +41187,7 @@ index 145fc4b..d1f5057 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -504,11 +714,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -504,11 +715,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -40935,7 +41209,7 @@ index 145fc4b..d1f5057 100644 ') optional_policy(` -@@ -516,12 +736,49 @@ optional_policy(` +@@ -516,12 +737,49 @@ optional_policy(` ') optional_policy(` 
@@ -40985,7 +41259,7 @@ index 145fc4b..d1f5057 100644 hostname_exec(xdm_t) ') -@@ -539,28 +796,64 @@ optional_policy(` +@@ -539,28 +797,64 @@ optional_policy(` ') optional_policy(` @@ -41059,7 +41333,7 @@ index 145fc4b..d1f5057 100644 ') optional_policy(` -@@ -572,6 +865,10 @@ optional_policy(` +@@ -572,6 +866,10 @@ optional_policy(` ') optional_policy(` @@ -41070,7 +41344,7 @@ index 145fc4b..d1f5057 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +893,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +894,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -41079,7 +41353,7 @@ index 145fc4b..d1f5057 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +907,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +908,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -41094,7 +41368,7 @@ index 145fc4b..d1f5057 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +934,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +935,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -41116,7 +41390,7 @@ index 145fc4b..d1f5057 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +954,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +955,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -41124,7 +41398,7 @@ index 145fc4b..d1f5057 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +981,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +982,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -41132,7 +41406,7 @@ index 145fc4b..d1f5057 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +990,17 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +991,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -41150,7 +41424,7 @@ index 145fc4b..d1f5057 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1011,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +1012,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -41164,7 +41438,7 @@ index 145fc4b..d1f5057 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1039,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1040,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -41179,7 +41453,7 @@ index 145fc4b..d1f5057 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1099,28 @@ optional_policy(` +@@ -773,12 +1100,28 @@ optional_policy(` ') optional_policy(` 
@@ -41209,7 +41483,7 @@ index 145fc4b..d1f5057 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1129,10 @@ optional_policy(` +@@ -787,6 +1130,10 @@ optional_policy(` ') optional_policy(` @@ -41220,7 +41494,7 @@ index 145fc4b..d1f5057 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1148,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1149,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -41234,7 +41508,7 @@ index 145fc4b..d1f5057 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1159,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1160,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -41243,7 +41517,7 @@ index 145fc4b..d1f5057 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1172,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1173,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -41253,7 +41527,7 @@ index 145fc4b..d1f5057 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1182,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -833,6 +1183,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -41265,7 +41539,7 @@ index 145fc4b..d1f5057 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1195,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1196,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -41282,7 +41556,7 @@ index 145fc4b..d1f5057 100644 ') optional_policy(` -@@ -853,6 +1210,10 @@ optional_policy(` +@@ -853,6 +1211,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -41293,7 +41567,7 @@ index 145fc4b..d1f5057 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1257,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1258,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -41302,7 +41576,7 @@ index 145fc4b..d1f5057 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1311,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1312,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -41334,7 +41608,7 @@ index 145fc4b..d1f5057 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1357,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1358,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -42350,7 +42624,7 @@ index bea0ade..a0feb45 100644 optional_policy(` diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 54d122b..069790d 100644 +index 54d122b..46929ca 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0) 
@@ -42396,17 +42670,19 @@ index 54d122b..069790d 100644 allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) -@@ -394,3 +409,11 @@ optional_policy(` +@@ -394,3 +409,13 @@ optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(polydomain) -+ userdom_manage_user_home_content_dirs(polydomain) -+ userdom_manage_user_home_content_files(polydomain) -+ userdom_relabelto_user_home_dirs(polydomain) -+ userdom_relabelto_user_home_files(polydomain) ++') ++ ++optional_policy(` ++ tunable_policy(`allow_polyinstantiation',` ++ namespace_init_domtrans(polydomain) ++ ') +') diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if index 89cc088..81e5ed4 100644 @@ -42759,7 +43035,7 @@ index 6fed22c..06e5395 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index ed152c4..be3bb8f 100644 +index ed152c4..a398d39 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -43060,7 +43336,7 @@ index ed152c4..be3bb8f 100644 ') ######################################## -@@ -868,8 +1004,12 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1004,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -43071,9 +43347,11 @@ index ed152c4..be3bb8f 100644 + # service script searches all filesystems via mountpoint + fs_search_all($1) domtrans_pattern($1, $2, initrc_t) ++ allow $1 $2:file ioctl; files_search_etc($1) ') -@@ -1130,12 +1270,7 @@ interface(`init_read_script_state',` + +@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
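Review bot: The reworked `tunable_policy(`allow_polyinstantiation',` block in authlogin.te now leaves polydomain with only `files_polyinstantiate_all(polydomain)` plus, when the namespace module is built, `namespace_init_domtrans(polydomain)`, but nothing in the file says that the home-content creation and relabelling previously granted to polydomain directly is now expected to happen in the transitioned-to domain. A reader of authlogin.te alone cannot see that dependency; suggest `# directory setup for polyinstantiated homedirs is delegated to namespace.init (namespace module)` above the new `optional_policy(` wrapper. Because the transition sits inside `optional_policy`, a build without the namespace module silently leaves polydomain with no rule that prepares the instance directories — presumably intended, but worth confirming in the same comment.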
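Review bot: The added `allow $1 $2:file ioctl;` in `init_labeled_script_domtrans` is the only new rule in that interface without a comment, whereas the neighbouring `fs_search_all($1)` is explained by `# service script searches all filesystems via mountpoint`; `$2` is the caller-supplied script file type, so why ioctl on it is needed is not obvious from the interface. Suggest `# caller also ioctl()s the script file it executes — confirm` on the line above the allow rule. The interface body is fully inside the hunk.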
@@ -43087,7 +43365,7 @@ index ed152c4..be3bb8f 100644 ') ######################################## -@@ -1375,6 +1510,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -43115,7 +43393,7 @@ index ed152c4..be3bb8f 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1617,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -43141,7 +43419,7 @@ index ed152c4..be3bb8f 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1674,7 +1849,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -43150,7 +43428,7 @@ index ed152c4..be3bb8f 100644 ') ######################################## -@@ -1749,3 +1924,93 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +1925,93 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -43245,7 +43523,7 @@ index ed152c4..be3bb8f 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 0580e7c..1618f9d 100644 +index 0580e7c..90ca53f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -43824,7 +44102,17 @@ index 0580e7c..1618f9d 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,6 +998,10 @@ optional_policy(` +@@ -734,10 +994,20 @@ optional_policy(` + ') + + optional_policy(` ++ psad_setattr_fifo_file(initrc_t) ++ psad_setattr_log(initrc_t) ++ psad_write_log(initrc_t) ++') ++ ++optional_policy(` + puppet_rw_tmp(initrc_t) ') optional_policy(` 
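Review bot: The three new psad rules for initrc_t (`psad_setattr_fifo_file`, `psad_setattr_log`, `psad_write_log`) are added without a comment naming which init-script action needs them; the commit message only says they relate to confined users. `psad_write_log(initrc_t)` by its name grants write rather than append on psad's log from the generic init-script domain, so a one-line note such as `# psad init script sets attributes on its fifo and writes its log` would let a later reviewer judge whether a narrower interface, if psad.if offers one, would suffice. The optional_policy block is complete within the hunk.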
@@ -43835,7 +44123,7 @@ index 0580e7c..1618f9d 100644 quota_manage_flags(initrc_t) ') -@@ -746,6 +1010,10 @@ optional_policy(` +@@ -746,6 +1016,10 @@ optional_policy(` ') optional_policy(` @@ -43846,7 +44134,7 @@ index 0580e7c..1618f9d 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -767,8 +1035,6 @@ optional_policy(` +@@ -767,8 +1041,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -43855,7 +44143,7 @@ index 0580e7c..1618f9d 100644 ') optional_policy(` -@@ -777,14 +1043,21 @@ optional_policy(` +@@ -777,14 +1049,21 @@ optional_policy(` ') optional_policy(` @@ -43877,7 +44165,7 @@ index 0580e7c..1618f9d 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -806,11 +1079,19 @@ optional_policy(` +@@ -806,11 +1085,19 @@ optional_policy(` ') optional_policy(` @@ -43898,7 +44186,7 @@ index 0580e7c..1618f9d 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -820,6 +1101,25 @@ optional_policy(` +@@ -820,6 +1107,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -43924,7 +44212,7 @@ index 0580e7c..1618f9d 100644 ') optional_policy(` -@@ -845,3 +1145,59 @@ optional_policy(` +@@ -845,3 +1151,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -51401,7 +51689,7 @@ index 28b88de..10340bc 100644 + type_transition $1 user_tmp_t:process $2; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index df29ca1..97b3c20 100644 +index df29ca1..b13e0f3 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0) 
@@ -51443,7 +51731,7 @@ index df29ca1..97b3c20 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,18 +87,21 @@ ubac_constrained(user_home_dir_t) +@@ -71,21 +87,25 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -51466,7 +51754,11 @@ index df29ca1..97b3c20 100644 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) -@@ -94,3 +113,25 @@ userdom_user_home_content(user_tmpfs_t) ++files_poly_parent(user_tmp_t) + + type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; + files_tmpfs_file(user_tmpfs_t) +@@ -94,3 +114,25 @@ userdom_user_home_content(user_tmpfs_t) type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index b77d2c2..570253c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.12 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
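Review bot: `files_poly_parent(user_tmp_t)` is added to userdomain.te with no comment tying it to the `allow_polyinstantiation` tunable that this same commit reworks in authlogin.te; on its own the line reads as an unexplained attribute assignment. Suggest `# user_tmp_t dirs may be polyinstantiated parents (allow_polyinstantiation, authlogin.te)` directly above it. The surrounding type declarations are unchanged context.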
@@ -471,6 +471,17 @@ exit 0 %endif %changelog +* Fri Jan 14 2011 Miroslav Grepl 3.9.12-7 +- gnomeclock executes a shell +- Update for screen policy to handle pipe in homedir +- Fixes for polyinstatiated homedir +- Fixes for namespace policy and other fixes related to polyinstantiation +- Add namespace policy +- Allow dovecot-deliver transition to sendmail which is needed by sieve scripts +- Fixes for init, psad policy which relate with confined users +- Do not audit bootloader attempts to read devicekit pid files +- Allow nagios service plugins to read /proc + * Tue Jan 11 2011 Miroslav Grepl 3.9.12-6 - Add firewalld policy - Allow vmware_host to read samba config