From 1414f9f3a7f952f9fc21c5510b4ee69664546fd1 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Oct 18 2011 14:12:22 +0000 Subject: Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain Allow init process to setrlimit on itself Take away transition rules for users executing ssh-keygen Allow setroubleshoot_fixit_t to read /dev/urand Allow sshd to relbale tunnel sockets Allow fail2ban domtrans to shorewall in the same way as with iptables Add support for lnk files in the /var/lib/sssd directory Allow system mail to connect to courier-authdaemon over an unix stream socket --- diff --git a/policy-F16.patch b/policy-F16.patch index 57b4a25..a39cbd1 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -852,7 +852,7 @@ index 5e062bc..3cbfffb 100644 + modutils_read_module_deps(ddcprobe_t) +') diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..9b39fcd 100644 +index 72bc6d8..1f55eba 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config; @@ -863,7 +863,7 @@ index 72bc6d8..9b39fcd 100644 kernel_read_kernel_sysctls(dmesg_t) kernel_read_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t) -@@ -47,7 +48,13 @@ logging_write_generic_logs(dmesg_t) +@@ -47,7 +48,11 @@ logging_write_generic_logs(dmesg_t) miscfiles_read_localization(dmesg_t) userdom_dontaudit_use_unpriv_user_fds(dmesg_t) @@ -871,8 +871,6 @@ index 72bc6d8..9b39fcd 100644 +userdom_use_inherited_user_terminals(dmesg_t) + +optional_policy(` -+ abrt_cache_append(dmesg_t) -+ abrt_rw_fifo_file(dmesg_t) + abrt_manage_pid_files(dmesg_t) +') @@ -1232,7 +1230,7 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..db17bbe 100644 +index 7090dae..98f0a2e 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) @@ -1294,6 +1292,15 @@ index 7090dae..db17bbe 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) +@@ -138,7 +139,7 @@ ifdef(`distro_debian', ` + ') + + optional_policy(` +- abrt_cache_manage(logrotate_t) ++ abrt_manage_cache(logrotate_t) + ') + + optional_policy(` @@ -154,6 +155,10 @@ optional_policy(` ') @@ -3364,6 +3371,14 @@ index bc00875..2efc0d7 100644 dbus_system_bus_client(smoltclient_t) ') +diff --git a/policy/modules/admin/sosreport.fc b/policy/modules/admin/sosreport.fc +index a40478e..050f521 100644 +--- a/policy/modules/admin/sosreport.fc ++++ b/policy/modules/admin/sosreport.fc +@@ -1 +1,3 @@ + /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) ++ ++/.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0) diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if index 94c01b5..f64bd93 100644 --- a/policy/modules/admin/sosreport.if @@ -3378,11 +3393,21 @@ index 94c01b5..f64bd93 100644 ######################################## diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te -index fe1c377..557e37f 100644 +index fe1c377..bedbb9b 100644 --- a/policy/modules/admin/sosreport.te +++ b/policy/modules/admin/sosreport.te -@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t) +@@ -74,13 +74,17 @@ files_read_all_symlinks(sosreport_t) + # for blkid.tab + files_manage_etc_runtime_files(sosreport_t) + files_etc_filetrans_etc_runtime(sosreport_t, file) ++files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") + + fs_getattr_all_fs(sosreport_t) + fs_list_inotifyfs(sosreport_t) ++storage_dontaudit_read_fixed_disk(sosreport_t) ++storage_dontaudit_read_removable_device(sosreport_t) ++ # some config files do not have configfile attribute # sosreport needs to read various files on system -auth_read_all_files_except_shadow(sosreport_t) @@ -3390,7 +3415,7 @@ index fe1c377..557e37f 100644 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t) +@@ -92,13 +96,11 @@ logging_send_syslog_msg(sosreport_t) miscfiles_read_localization(sosreport_t) @@ -3400,7 +3425,12 @@ index fe1c377..557e37f 100644 sysnet_read_config(sosreport_t) optional_policy(` -@@ -110,6 +107,11 @@ optional_policy(` + abrt_manage_pid_files(sosreport_t) ++ abrt_manage_cache(sosreport_t) + ') + + optional_policy(` +@@ -110,6 +112,11 @@ optional_policy(` ') optional_policy(` @@ -15362,7 +15392,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..02cf550 100644 +index fae1ab1..b949cfb 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -15455,7 +15485,7 @@ index fae1ab1..02cf550 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,120 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,122 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -15487,6 +15517,8 @@ index fae1ab1..02cf550 100644 + abrt_read_pid_files(domain) + abrt_read_state(domain) + abrt_signull(domain) ++ abrt_append_cache(domain) ++ abrt_rw_fifo_file(domain) +') + +optional_policy(` @@ -20261,7 +20293,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..bfabe3f 100644 +index 2be17d2..2c588ca 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0) @@ -20314,7 +20346,7 @@ index 2be17d2..bfabe3f 100644 +') + +optional_policy(` -+ abrt_cache_read(staff_t) ++ abrt_read_cache(staff_t) +') + optional_policy(` @@ -22216,7 +22248,7 @@ index 0000000..49f2c54 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..e5a8559 100644 +index e5bfdd4..50e49e6 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -12,15 +12,93 @@ role user_r; @@ -22234,7 +22266,7 @@ index e5bfdd4..e5a8559 100644 +') + +optional_policy(` -+ abrt_cache_read(user_t) ++ abrt_read_cache(user_t) +') + optional_policy(` @@ -22597,7 +22629,7 @@ index 1bd5812..0d7d8d1 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..bfb68b2 100644 +index 0b827c5..46e3aa9 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` @@ -22608,21 +22640,22 @@ index 0b827c5..bfb68b2 100644 ps_process_pattern($1, abrt_t) ') -@@ -160,8 +161,44 @@ interface(`abrt_run_helper',` +@@ -160,8 +161,7 @@ interface(`abrt_run_helper',` ######################################## ## -## Send and receive messages from -## abrt over dbus. +## Read abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`abrt_cache_read',` + ## + ## + ## +@@ -169,7 +169,45 @@ interface(`abrt_run_helper',` + ## + ## + # +-interface(`abrt_cache_manage',` ++interface(`abrt_read_cache',` + gen_require(` + type abrt_var_cache_t; + ') @@ -22641,21 +22674,30 @@ index 0b827c5..bfb68b2 100644 +## +## +# -+interface(`abrt_cache_append',` ++interface(`abrt_append_cache',` + gen_require(` + type abrt_var_cache_t; + ') + -+ append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++ ++ allow $1 abrt_var_cache_t:file append_inherited_file_perms; +') + +######################################## +## +## Manage abrt cache - ## - ## - ## -@@ -253,6 +290,24 @@ interface(`abrt_manage_pid_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_manage_cache',` + gen_require(` + type abrt_var_cache_t; + ') +@@ -253,6 +291,24 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -22680,7 +22722,7 @@ index 0b827c5..bfb68b2 100644 ##################################### ## ## All of the rules required to administrate -@@ -286,18 +341,116 @@ interface(`abrt_admin',` +@@ -286,18 +342,116 @@ interface(`abrt_admin',` role_transition $2 abrt_initrc_exec_t system_r; allow $2 system_r; @@ -29885,7 +29927,7 @@ index 01d31f1..8e2754b 100644 /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if -index 9971337..870265d 100644 +index 9971337..7481ccc 100644 --- a/policy/modules/services/courier.if +++ b/policy/modules/services/courier.if @@ -90,7 +90,7 @@ template(`courier_domain_template',` @@ -29897,7 +29939,31 @@ index 9971337..870265d 100644 ## ## Domain allowed to transition. ## -@@ -109,7 +109,7 @@ interface(`courier_domtrans_authdaemon',` +@@ -104,12 +104,31 @@ interface(`courier_domtrans_authdaemon',` + domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) + ') + ++####################################### ++## ++## Connect to courier-authdaemon over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`courier_stream_connect_authdaemon',` ++ gen_require(` ++ type courier_authdaemon_t, courier_spool_t; ++ ') ++ ++ files_search_spool($1) ++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) ++') ++ + ######################################## + ## ## Execute the courier POP3 and IMAP server with ## a domain transition. ## @@ -29906,7 +29972,7 @@ index 9971337..870265d 100644 ## ## Domain allowed to transition. ## -@@ -127,7 +127,7 @@ interface(`courier_domtrans_pop',` +@@ -127,7 +146,7 @@ interface(`courier_domtrans_pop',` ## ## Read courier config files ## @@ -29915,7 +29981,7 @@ index 9971337..870265d 100644 ## ## Domain allowed access. ## -@@ -138,6 +138,7 @@ interface(`courier_read_config',` +@@ -138,6 +157,7 @@ interface(`courier_read_config',` type courier_etc_t; ') @@ -29923,7 +29989,7 @@ index 9971337..870265d 100644 read_files_pattern($1, courier_etc_t, courier_etc_t) ') -@@ -146,7 +147,7 @@ interface(`courier_read_config',` +@@ -146,7 +166,7 @@ interface(`courier_read_config',` ## Create, read, write, and delete courier ## spool directories. ## @@ -29932,7 +29998,7 @@ index 9971337..870265d 100644 ## ## Domain allowed access. ## -@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',` +@@ -157,6 +177,7 @@ interface(`courier_manage_spool_dirs',` type courier_spool_t; ') @@ -29940,7 +30006,7 @@ index 9971337..870265d 100644 manage_dirs_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -165,7 +167,7 @@ interface(`courier_manage_spool_dirs',` +@@ -165,7 +186,7 @@ interface(`courier_manage_spool_dirs',` ## Create, read, write, and delete courier ## spool files. ## @@ -29949,7 +30015,7 @@ index 9971337..870265d 100644 ## ## Domain allowed access. ## -@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',` +@@ -176,6 +197,7 @@ interface(`courier_manage_spool_files',` type courier_spool_t; ') @@ -29957,7 +30023,7 @@ index 9971337..870265d 100644 manage_files_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -183,7 +186,7 @@ interface(`courier_manage_spool_files',` +@@ -183,7 +205,7 @@ interface(`courier_manage_spool_files',` ## ## Read courier spool files. ## @@ -29966,7 +30032,7 @@ index 9971337..870265d 100644 ## ## Domain allowed access. ## -@@ -194,6 +197,7 @@ interface(`courier_read_spool',` +@@ -194,6 +216,7 @@ interface(`courier_read_spool',` type courier_spool_t; ') @@ -35673,7 +35739,7 @@ index f590a1f..338e5bf 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..35a2c0b 100644 +index 2a69e5e..2599f96 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) @@ -35727,7 +35793,7 @@ index 2a69e5e..35a2c0b 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +107,34 @@ optional_policy(` +@@ -94,5 +107,38 @@ optional_policy(` ') optional_policy(` @@ -35742,6 +35808,10 @@ index 2a69e5e..35a2c0b 100644 + libs_exec_ldconfig(fail2ban_t) +') + ++optional_policy(` ++ shorewall_domtrans(fail2ban_t) ++') ++ +######################################## +# +# fail2ban client local policy @@ -37908,7 +37978,7 @@ index a627b34..c4cfc6d 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te -index 03742d8..b28c4f9 100644 +index 03742d8..d5795a5 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te @@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t) @@ -37923,7 +37993,7 @@ index 03742d8..b28c4f9 100644 allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; allow gpsd_t self:tcp_socket create_stream_socket_perms; -@@ -38,14 +39,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +@@ -38,16 +39,24 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) @@ -37945,8 +38015,11 @@ index 03742d8..b28c4f9 100644 + term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) ++term_use_usb_ttys(gpsd_t) + + auth_use_nsswitch(gpsd_t) -@@ -56,6 +64,12 @@ logging_send_syslog_msg(gpsd_t) +@@ -56,6 +65,12 @@ logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` @@ -42958,7 +43031,7 @@ index 343cee3..fff3a52 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..4e45f74 100644 +index 64268e4..d46b314 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -43047,7 +43120,14 @@ index 64268e4..4e45f74 100644 ') optional_policy(` -@@ -111,6 +116,8 @@ optional_policy(` +@@ -108,9 +113,15 @@ optional_policy(` + ') + + optional_policy(` ++ courier_stream_connect_authdaemon(system_mail_t) ++') ++ ++optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -43056,7 +43136,7 @@ index 64268e4..4e45f74 100644 ') optional_policy(` -@@ -124,12 +131,9 @@ optional_policy(` +@@ -124,12 +135,9 @@ optional_policy(` ') optional_policy(` @@ -43071,7 +43151,7 @@ index 64268e4..4e45f74 100644 ') optional_policy(` -@@ -146,6 +150,10 @@ optional_policy(` +@@ -146,6 +154,10 @@ optional_policy(` ') optional_policy(` @@ -43082,7 +43162,7 @@ index 64268e4..4e45f74 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,22 +166,13 @@ optional_policy(` +@@ -158,22 +170,13 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -43108,7 +43188,7 @@ index 64268e4..4e45f74 100644 ') optional_policy(` -@@ -189,9 +188,17 @@ optional_policy(` +@@ -189,6 +192,10 @@ optional_policy(` ') optional_policy(` @@ -43119,13 +43199,6 @@ index 64268e4..4e45f74 100644 smartmon_read_tmp_files(system_mail_t) ') -+optional_policy(` -+ abrt_rw_fifo_file(mta_user_agent) -+') -+ - # should break this up among sections: - - optional_policy(` @@ -199,15 +206,16 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -55301,7 +55374,7 @@ index bcdd16c..7c379a8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..79347e7 100644 +index 086cd5f..a181f01 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) @@ -55381,15 +55454,19 @@ index 086cd5f..79347e7 100644 dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +171,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -151,7 +170,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) + corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) ++dev_read_sysfs(setroubleshoot_fixit_t) ++dev_read_urand(setroubleshoot_fixit_t) ++ seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +184,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +187,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -56569,7 +56646,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..be6e1fa 100644 +index 22adaca..b13cd67 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -56682,7 +56759,7 @@ index 22adaca..be6e1fa 100644 + allow $1_t self:process { signal getcap getsched setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -+ allow $1_t self:tun_socket create_socket_perms; ++ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto }; # ssh agent connections: allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:shm create_shm_perms; @@ -56822,7 +56899,7 @@ index 22adaca..be6e1fa 100644 - allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; - allow $3 $1_ssh_agent_t:process sigchld; + -+ ssh_run_keygen($3,$2) ++ ssh_exec_keygen($3) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) @@ -56832,7 +56909,7 @@ index 22adaca..be6e1fa 100644 - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; - ') ++') + +###################################### +## @@ -56850,7 +56927,7 @@ index 22adaca..be6e1fa 100644 + ') + + allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; -+') + ') + ######################################## ## @@ -56923,10 +57000,26 @@ index 22adaca..be6e1fa 100644 ## Read ssh home directory content ## ## -@@ -680,6 +776,32 @@ interface(`ssh_domtrans_keygen',` - domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) - ') +@@ -682,6 +778,50 @@ interface(`ssh_domtrans_keygen',` + ######################################## + ## ++## Execute the ssh key generator in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ssh_exec_keygen',` ++ gen_require(` ++ type ssh_keygen_exec_t; ++ ') ++ ++ can_exec($1, ssh_keygen_exec_t) ++') ++ +####################################### +## +## Execute ssh-keygen in the iptables domain, and @@ -56953,10 +57046,12 @@ index 22adaca..be6e1fa 100644 + ssh_domtrans_keygen($1) +') + - ######################################## - ## ++######################################## ++## ## Read ssh server keys -@@ -695,7 +817,7 @@ interface(`ssh_dontaudit_read_server_keys',` + ## + ## +@@ -695,7 +835,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -56965,7 +57060,7 @@ index 22adaca..be6e1fa 100644 ') ###################################### -@@ -735,3 +857,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +875,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -57543,7 +57638,7 @@ index 2dad3c8..02e70c9 100644 + ssh_rw_dgram_sockets(chroot_user_t) ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if -index 941380a..6dbfc01 100644 +index 941380a..ce8c972 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -5,9 +5,9 @@ @@ -57574,7 +57669,23 @@ index 941380a..6dbfc01 100644 ') ######################################## -@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',` +@@ -148,6 +148,7 @@ interface(`sssd_read_lib_files',` + + files_search_var_lib($1) + read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + ') + + ######################################## +@@ -168,6 +169,7 @@ interface(`sssd_manage_lib_files',` + + files_search_var_lib($1) + manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + ') + + ######################################## +@@ -225,21 +227,15 @@ interface(`sssd_stream_connect',` ## The role to be allowed to manage the sssd domain. ## ## @@ -57600,7 +57711,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..7d5a298 100644 +index 8ffa257..bd55865 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -57617,16 +57728,18 @@ index 8ffa257..7d5a298 100644 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) +@@ -38,8 +40,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) +files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,11 +51,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -57643,7 +57756,7 @@ index 8ffa257..7d5a298 100644 domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) -@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t) +@@ -60,6 +68,7 @@ domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) @@ -57651,7 +57764,7 @@ index 8ffa257..7d5a298 100644 fs_list_inotifyfs(sssd_t) -@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t) +@@ -69,7 +78,7 @@ seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) @@ -57660,7 +57773,7 @@ index 8ffa257..7d5a298 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) -@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +88,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -57673,7 +57786,7 @@ index 8ffa257..7d5a298 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +101,28 @@ optional_policy(` +@@ -87,4 +102,28 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -59622,7 +59735,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..75d8556 100644 +index 3eca020..ea9593c 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0) @@ -60166,7 +60279,7 @@ index 3eca020..75d8556 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +635,324 @@ optional_policy(` +@@ -457,8 +635,325 @@ optional_policy(` ') optional_policy(` @@ -60306,6 +60419,7 @@ index 3eca020..75d8556 100644 +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { signal signull sigkill }; + ++allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) @@ -60395,8 +60509,8 @@ index 3eca020..75d8556 100644 +manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -+rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) ++rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +can_exec(svirt_lxc_domain, svirt_lxc_file_t) + +kernel_getattr_proc(svirt_lxc_domain) @@ -65558,7 +65672,7 @@ index 94fd8dd..b5e5c70 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..f69ea00 100644 +index 29a9565..29930e4 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -65754,7 +65868,7 @@ index 29a9565..f69ea00 100644 + +tunable_policy(`init_systemd',` + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; -+ allow init_t self:process { setsockcreate setfscreate }; ++ allow init_t self:process { setsockcreate setfscreate setrlimit }; + allow init_t self:process { getcap setcap }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -67643,12 +67757,12 @@ index e5836d3..eae9427 100644 - unconfined_domain(ldconfig_t) -') diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc -index be6a81b..ddae53a 100644 +index be6a81b..9a27055 100644 --- a/policy/modules/system/locallogin.fc +++ b/policy/modules/system/locallogin.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) -+/root/.\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) ++/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) @@ -69271,7 +69385,7 @@ index 8b5c196..da41726 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..2e0bdd4 100644 +index 15832c7..b9e7b60 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,17 +17,29 @@ type mount_exec_t; @@ -69451,20 +69565,16 @@ index 15832c7..2e0bdd4 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +185,12 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +185,8 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) -+ -+optional_policy(` -+ abrt_rw_fifo_file(mount_t) -+') ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +202,28 @@ ifdef(`distro_ubuntu',` ') ') @@ -69503,7 +69613,7 @@ index 15832c7..2e0bdd4 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +241,8 @@ optional_policy(` +@@ -174,6 +237,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -69512,7 +69622,7 @@ index 15832c7..2e0bdd4 100644 ') optional_policy(` -@@ -181,6 +250,28 @@ optional_policy(` +@@ -181,6 +246,28 @@ optional_policy(` ') optional_policy(` @@ -69541,7 +69651,7 @@ index 15832c7..2e0bdd4 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,21 +279,83 @@ optional_policy(` +@@ -188,21 +275,83 @@ optional_policy(` ') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 78a0520..7605845 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 40.2%{?dist} +Release: 41%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -482,6 +482,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Oct 18 2011 Miroslav Grepl 3.10.0-41 +- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain +- Allow init process to setrlimit on itself +- Take away transition rules for users executing ssh-keygen +- Allow setroubleshoot_fixit_t to read /dev/urand +- Allow sshd to relbale tunnel sockets +- Allow fail2ban domtrans to shorewall in the same way as with iptables +- Add support for lnk files in the /var/lib/sssd directory +- Allow system mail to connect to courier-authdaemon over an unix stream socket + * Mon Oct 17 2011 Dan Walsh 3.10.0-40.2 - Add passwd_file_t for /etc/ptmptmp