From 3399c511433cc6439b21d5d3aef96f47861a2ec7 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 12 2014 11:41:36 +0000 Subject: * Tue Aug 12 2014 Lukas Vrabec 3.12.1-72 - docker needs to be able to look at everything in /dev - Allow all processes to send themselves signals - Allow sysadm_t to create netlink_tcpdiag socket - sysadm_t should be allowed to communicate with networkmanager - These are required for bluejeans to work on a unconfined.pp disabled machine - docker needs setfcap - Allow svirt domains to manage chr files and blk files for mknod commands - Allow fail2ban to read audit logs - Allow cachefilesd_t to send itself signals - Allow smokeping cgi script to send syslog messages - Allow svirt sandbox domains to relabel content - Since apache content can be placed anywhere, we should just allow apache to search through any directory - These are required for bluejeans to work on a unconfined.pp disabled machine --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index cc5dd12..d2b48ca 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6011,7 +6011,7 @@ index b31c054..5e37a40 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..d86836b 100644 +index 76f285e..a3c0103 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -6272,7 +6272,33 @@ index 76f285e..d86836b 100644 ## Create, delete, read, and write block device files. ## ## -@@ -1003,6 +1130,26 @@ interface(`dev_getattr_all_blk_files',` +@@ -983,6 +1110,25 @@ interface(`dev_tmpfs_filetrans_dev',` + + ######################################## + ## ++## Allow getattr on all device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_all',` ++ gen_require(` ++ attribute device_node; ++ type device_t; ++ ') ++ ++ allow $1 { device_t device_node }:dir_file_class_set getattr; ++') ++ ++######################################## ++## + ## Getattr on all block file device nodes. + ## + ## +@@ -1003,6 +1149,26 @@ interface(`dev_getattr_all_blk_files',` ######################################## ## @@ -6299,7 +6325,7 @@ index 76f285e..d86836b 100644 ## Dontaudit getattr on all block file device nodes. ## ## -@@ -1034,6 +1181,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` +@@ -1034,6 +1200,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` gen_require(` attribute device_node; @@ -6307,7 +6333,7 @@ index 76f285e..d86836b 100644 ') getattr_chr_files_pattern($1, device_t, device_node) -@@ -1206,6 +1354,42 @@ interface(`dev_create_all_chr_files',` +@@ -1206,6 +1373,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -6350,7 +6376,7 @@ index 76f285e..d86836b 100644 ## Delete all block device files. ## ## -@@ -1560,25 +1744,6 @@ interface(`dev_relabel_autofs_dev',` +@@ -1560,25 +1763,6 @@ interface(`dev_relabel_autofs_dev',` ######################################## ## @@ -6376,7 +6402,7 @@ index 76f285e..d86836b 100644 ## Read and write the PCMCIA card manager device. ## ## -@@ -1682,6 +1847,26 @@ interface(`dev_filetrans_cardmgr',` +@@ -1682,6 +1866,26 @@ interface(`dev_filetrans_cardmgr',` ######################################## ## 
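Review bot: The new `dev_getattr_all` interface (inner hunk `@@ -983,6 +1110,25 @@` of the devices.if patch) is summarised as getattr on "all device nodes", but its rule `allow $1 { device_t device_node }:dir_file_class_set getattr;` covers every class in `dir_file_class_set` — directories, plain files, symlinks, sockets and fifos carrying a device type — not only character and block nodes. The summary should say so, e.g. `## Get the attributes of /dev and of every object labeled with a device_node type (all classes in dir_file_class_set).`, so a caller knows it is asking for more than `dev_getattr_all_blk_files` or `dev_getattr_all_chr_files`. The name also departs from the sibling convention visible in this hunk (`dev_relabel_all_dev_nodes`, `dev_getattr_all_blk_files`); `dev_getattr_all_dev_nodes` would read consistently, though the rename would have to be carried into the docker.te hunk of this same commit.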
@@ -6403,7 +6429,7 @@ index 76f285e..d86836b 100644 ## Get the attributes of the CPU ## microcode and id interfaces. ## -@@ -1791,6 +1976,24 @@ interface(`dev_rw_crypto',` +@@ -1791,6 +1995,24 @@ interface(`dev_rw_crypto',` rw_chr_files_pattern($1, device_t, crypt_device_t) ') @@ -6428,7 +6454,7 @@ index 76f285e..d86836b 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',` +@@ -1883,6 +2105,25 @@ interface(`dev_rw_dri',` ######################################## ## @@ -6454,7 +6480,7 @@ index 76f285e..d86836b 100644 ## Dontaudit read and write on the dri devices. ## ## -@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',` +@@ -2017,7 +2258,7 @@ interface(`dev_rw_input_dev',` ######################################## ## @@ -6463,7 +6489,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',` +@@ -2025,17 +2266,73 @@ interface(`dev_rw_input_dev',` ## ## # 
@@ -6484,72 +6510,6 @@ index 76f285e..d86836b 100644 ## -## Set the attributes of the framebuffer device node. +## Read ipmi devices. - ## - ## - ## -@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',` - ## - ## - # --interface(`dev_setattr_framebuffer_dev',` -+interface(`dev_read_ipmi_dev',` - gen_require(` -- type device_t, framebuf_device_t; -+ type device_t, ipmi_device_t; - ') - -- setattr_chr_files_pattern($1, device_t, framebuf_device_t) -+ read_chr_files_pattern($1, device_t, ipmi_device_t) - ') - - ######################################## - ## --## Dot not audit attempts to set the attributes --## of the framebuffer device node. -+## Read and write ipmi devices. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_setattr_framebuffer_dev',` -+interface(`dev_rw_ipmi_dev',` - gen_require(` -- type framebuf_device_t; -+ type device_t, ipmi_device_t; - ') - -- dontaudit $1 framebuf_device_t:chr_file setattr; -+ rw_chr_files_pattern($1, device_t, ipmi_device_t) - ') - - ######################################## - ## --## Read the framebuffer. -+## Get the attributes of the framebuffer device node. - ## - ## - ## -@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',` - ## - ## - # --interface(`dev_read_framebuffer',` -+interface(`dev_getattr_framebuffer_dev',` - gen_require(` -- type framebuf_device_t; -+ type device_t, framebuf_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, framebuf_device_t) -+') -+ -+######################################## -+## -+## Set the attributes of the framebuffer device node. +## +## +## 
@@ -6557,36 +6517,35 @@ index 76f285e..d86836b 100644 +## +## +# -+interface(`dev_setattr_framebuffer_dev',` ++interface(`dev_read_ipmi_dev',` + gen_require(` -+ type device_t, framebuf_device_t; ++ type device_t, ipmi_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ read_chr_files_pattern($1, device_t, ipmi_device_t) +') + +######################################## +## -+## Dot not audit attempts to set the attributes -+## of the framebuffer device node. ++## Read and write ipmi devices. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_setattr_framebuffer_dev',` ++interface(`dev_rw_ipmi_dev',` + gen_require(` -+ type framebuf_device_t; ++ type device_t, ipmi_device_t; + ') + -+ dontaudit $1 framebuf_device_t:chr_file setattr; ++ rw_chr_files_pattern($1, device_t, ipmi_device_t) +') + +######################################## +## -+## Read the framebuffer. ++## Get the attributes of the framebuffer device node. +## +## +## @@ -6594,13 +6553,21 @@ index 76f285e..d86836b 100644 +## +## +# -+interface(`dev_read_framebuffer',` ++interface(`dev_getattr_framebuffer_dev',` + gen_require(` -+ type framebuf_device_t; - ') - - read_chr_files_pattern($1, device_t, framebuf_device_t) -@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',` ++ type device_t, framebuf_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, framebuf_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the framebuffer device node. + ## + ## + ## +@@ -2402,7 +2699,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -6699,7 +6666,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3112,7 @@ interface(`dev_write_misc',` ## ## ## 
@@ -6708,7 +6675,7 @@ index 76f285e..d86836b 100644 ## ## # -@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3290,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -6733,7 +6700,7 @@ index 76f285e..d86836b 100644 ##

## ## -@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3312,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -6789,7 +6756,7 @@ index 76f285e..d86836b 100644 ## range registers (MTRR). ##
## -@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3348,13 @@ interface(`dev_write_mtrr',` ##
## # @@ -6806,7 +6773,7 @@ index 76f285e..d86836b 100644 ') ######################################## -@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3522,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -6849,7 +6816,7 @@ index 76f285e..d86836b 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3577,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -6874,7 +6841,7 @@ index 76f285e..d86836b 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3686,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6901,7 +6868,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3712,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6918,7 +6885,7 @@ index 76f285e..d86836b 100644 ') ######################################## -@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +3850,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -6927,7 +6894,7 @@ index 76f285e..d86836b 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +3864,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -6936,7 +6903,7 @@ index 76f285e..d86836b 100644 ') ######################################## -@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4306,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -6945,7 +6912,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,53 +4314,53 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # 
@@ -7010,7 +6977,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',` +@@ -3917,37 +4368,35 @@ interface(`dev_list_sysfs',` ## ## # @@ -7055,7 +7022,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,41 +4404,160 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -7082,17 +7049,23 @@ index 76f285e..d86836b 100644 -## hardware installed on the system. -##

-## -+## -+## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## +-## + # +-interface(`dev_read_sysfs',` +interface(`dev_dontaudit_search_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ + gen_require(` + type sysfs_t; + ') + +- read_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- + dontaudit $1 sysfs_t:dir search_dir_perms; +') + @@ -7209,10 +7182,25 @@ index 76f285e..d86836b 100644 +## hardware installed on the system. +##

+## - ## - ## - ## Domain allowed access. -@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',` ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_read_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ read_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ + list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + +@@ -4016,6 +4584,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7275,7 +7263,7 @@ index 76f285e..d86836b 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4737,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7301,7 +7289,7 @@ index 76f285e..d86836b 100644 ## Getattr generic the USB devices. ## ## -@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7313,7 +7301,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5062,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7336,7 +7324,7 @@ index 76f285e..d86836b 100644 ## ## ## -@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5080,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7352,7 +7340,7 @@ index 76f285e..d86836b 100644 ') ######################################## -@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5182,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7487,7 +7475,7 @@ index 76f285e..d86836b 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5328,24 @@ interface(`dev_rw_vhost',` ######################################## ## 
@@ -7512,7 +7500,7 @@ index 76f285e..d86836b 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5532,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5551,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7557,7 +7545,7 @@ index 76f285e..d86836b 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5659,946 @@ interface(`dev_unconfined',` +@@ -4851,3 +5678,946 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8831,7 +8819,7 @@ index 6a1e4d1..1b9b0b5 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..32d58ca 100644 +index cf04cb5..8fd98fc 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -8898,7 +8886,7 @@ index cf04cb5..32d58ca 100644 # create child processes in the domain -allow domain self:process { fork sigchld }; -+allow domain self:process { getcap fork getsched sigchld }; ++allow domain self:process { getcap fork getsched signal_perms }; # Use trusted objects in /dev +dev_read_cpu_online(domain) @@ -21411,10 +21399,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..4786c5e 100644 +index 2522ca6..3651c0c 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) # Declarations # @@ -21428,11 +21416,12 @@ index 2522ca6..4786c5e 100644 role sysadm_r; userdom_admin_user_template(sysadm) ++allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r) -') -- + ######################################## # # Local policy 
@@ -21512,7 +21501,7 @@ index 2522ca6..4786c5e 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +102,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +104,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -21527,7 +21516,7 @@ index 2522ca6..4786c5e 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +112,9 @@ optional_policy(` +@@ -71,9 +114,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -21538,7 +21527,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -87,6 +128,7 @@ optional_policy(` +@@ -87,6 +130,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -21546,7 +21535,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -110,11 +152,17 @@ optional_policy(` +@@ -110,11 +154,17 @@ optional_policy(` ') optional_policy(` @@ -21564,7 +21553,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -122,11 +170,27 @@ optional_policy(` +@@ -122,11 +172,27 @@ optional_policy(` ') optional_policy(` @@ -21594,7 +21583,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -140,6 +204,10 @@ optional_policy(` +@@ -140,6 +206,10 @@ optional_policy(` ') optional_policy(` @@ -21605,7 +21594,7 @@ index 2522ca6..4786c5e 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +224,10 @@ optional_policy(` +@@ -156,6 +226,10 @@ optional_policy(` ') optional_policy(` @@ -21616,7 +21605,7 @@ index 2522ca6..4786c5e 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -175,6 +247,13 @@ optional_policy(` +@@ -175,6 +249,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -21630,7 +21619,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -182,15 +261,20 @@ optional_policy(` +@@ -182,15 +263,20 @@ optional_policy(` ') optional_policy(` 
@@ -21654,7 +21643,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -210,22 +294,20 @@ optional_policy(` +@@ -210,22 +296,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -21683,7 +21672,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -237,14 +319,27 @@ optional_policy(` +@@ -237,14 +321,28 @@ optional_policy(` ') optional_policy(` @@ -21698,6 +21687,7 @@ index 2522ca6..4786c5e 100644 optional_policy(` + networkmanager_filetrans_named_content(sysadm_t) ++ networkmanager_stream_connect(sysadm_t) +') + +optional_policy(` @@ -21711,7 +21701,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -252,10 +347,20 @@ optional_policy(` +@@ -252,10 +350,20 @@ optional_policy(` ') optional_policy(` @@ -21732,7 +21722,7 @@ index 2522ca6..4786c5e 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +371,41 @@ optional_policy(` +@@ -266,35 +374,41 @@ optional_policy(` ') optional_policy(` @@ -21781,7 +21771,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -308,6 +419,7 @@ optional_policy(` +@@ -308,6 +422,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -21789,7 +21779,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -315,12 +427,20 @@ optional_policy(` +@@ -315,12 +430,20 @@ optional_policy(` ') optional_policy(` @@ -21811,7 +21801,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -345,7 +465,18 @@ optional_policy(` +@@ -345,7 +468,18 @@ optional_policy(` ') optional_policy(` @@ -21831,7 +21821,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -356,19 +487,11 @@ optional_policy(` +@@ -356,19 +490,11 @@ optional_policy(` ') optional_policy(` 
@@ -21852,7 +21842,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -380,10 +503,6 @@ optional_policy(` +@@ -380,10 +506,6 @@ optional_policy(` ') optional_policy(` @@ -21863,7 +21853,7 @@ index 2522ca6..4786c5e 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +510,9 @@ optional_policy(` +@@ -391,6 +513,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -21873,7 +21863,7 @@ index 2522ca6..4786c5e 100644 ') optional_policy(` -@@ -398,31 +520,34 @@ optional_policy(` +@@ -398,31 +523,34 @@ optional_policy(` ') optional_policy(` @@ -21914,7 +21904,7 @@ index 2522ca6..4786c5e 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +560,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +563,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21925,7 +21915,7 @@ index 2522ca6..4786c5e 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +580,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +583,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -27130,7 +27120,7 @@ index 6bf0ecc..44be5f2 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..0777a7f 100644 +index 8b40377..635442b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -27471,13 +27461,13 @@ index 8b40377..0777a7f 100644 +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) - ') - - optional_policy(` -+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) +') + +optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) + ') + + optional_policy(` + ssh_use_ptys(xauth_t) ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) 
@@ -27961,17 +27951,17 @@ index 8b40377..0777a7f 100644 + optional_policy(` + accountsd_dbus_chat(xdm_t) + ') - - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ ++ optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + cpufreqselector_dbus_chat(xdm_t) + ') -+ -+ optional_policy(` + + optional_policy(` +- accountsd_dbus_chat(xdm_t) + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -28279,7 +28269,7 @@ index 8b40377..0777a7f 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1267,44 @@ optional_policy(` +@@ -785,17 +1267,50 @@ optional_policy(` ') optional_policy(` @@ -28316,6 +28306,12 @@ index 8b40377..0777a7f 100644 +') + +optional_policy(` ++ mozilla_plugin_read_state(xserver_t) ++ mozilla_plugin_rw_tmp_files(xserver_t) ++ mozilla_plugin_rw_tmpfs_files(xserver_t) ++') ++ ++optional_policy(` udev_read_db(xserver_t) ') @@ -28326,7 +28322,7 @@ index 8b40377..0777a7f 100644 ') optional_policy(` -@@ -803,6 +1312,10 @@ optional_policy(` +@@ -803,6 +1318,10 @@ optional_policy(` ') optional_policy(` @@ -28337,7 +28333,7 @@ index 8b40377..0777a7f 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1331,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1337,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -28362,7 +28358,7 @@ index 8b40377..0777a7f 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1354,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1360,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
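Review bot: The new optional_policy block in the xserver.te hunk (`@@ -785,17 +1267,50 @@`) gives xserver_t `mozilla_plugin_read_state`, `mozilla_plugin_rw_tmp_files` and `mozilla_plugin_rw_tmpfs_files` unconditionally, so the X server can write plugin-owned tmp and tmpfs content whether or not any plugin is running. Nothing in the hunk records why; the commit message only mentions bluejeans on a machine with unconfined.pp disabled. A comment above the block, e.g. `# browser plugins (bluejeans) exchange tmp/tmpfs objects with the X server when unconfined.pp is disabled`, would let a later reader judge whether the write side and the `read_state` grant are still needed together, or whether one of the three could be dropped.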
@@ -28397,7 +28393,7 @@ index 8b40377..0777a7f 100644 ') optional_policy(` -@@ -912,7 +1419,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -28406,7 +28402,7 @@ index 8b40377..0777a7f 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1473,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -28438,7 +28434,7 @@ index 8b40377..0777a7f 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1519,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1525,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index eef1c92..5e8f985 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5077,7 +5077,7 @@ index f6eb485..9eba5f5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..e755e58 100644 +index 6649962..a78899a 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) 
@@ -5780,7 +5780,7 @@ index 6649962..e755e58 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5864,6 +5864,7 @@ index 6649962..e755e58 100644 +files_exec_usr_files(httpd_t) files_list_mnt(httpd_t) +files_read_mnt_symlinks(httpd_t) ++files_search_all(httpd_t) files_search_spool(httpd_t) files_read_var_symlinks(httpd_t) files_read_var_lib_files(httpd_t) @@ -6018,7 +6019,7 @@ index 6649962..e755e58 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6078,7 +6079,7 @@ index 6649962..e755e58 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +796,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6169,7 +6170,7 @@ index 6649962..e755e58 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +842,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +843,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6250,7 +6251,7 @@ index 6649962..e755e58 100644 ') optional_policy(` -@@ -749,24 +895,32 @@ optional_policy(` +@@ -749,24 +896,32 @@ optional_policy(` ') optional_policy(` 
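Review bot: `files_search_all(httpd_t)` in the apache.te hunk (`@@ -450,140 +567,173 @@`) grants httpd_t directory search across every file type unconditionally, in a module that otherwise scopes reach with tunables (`httpd_enable_homedirs`, `httpd_use_nfs`, `httpd_use_cifs` in the neighbouring hunks). Search alone does not read file contents, but it lets a network-facing daemon traverse into any directory whose leaf it is separately allowed to read, so a mis-scoped alias or DocumentRoot resolves far outside the content directories; the `files_search_spool(httpd_t)` immediately below also becomes redundant. Consider putting the grant behind a tunable, or at least state the intent in place, e.g. `# content may live anywhere on the filesystem; allow search of every directory type so such aliases resolve`.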
@@ -6289,7 +6290,7 @@ index 6649962..e755e58 100644 ') optional_policy(` -@@ -775,6 +929,10 @@ optional_policy(` +@@ -775,6 +930,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6300,7 +6301,7 @@ index 6649962..e755e58 100644 ') optional_policy(` -@@ -786,35 +944,60 @@ optional_policy(` +@@ -786,35 +945,60 @@ optional_policy(` ') optional_policy(` @@ -6374,7 +6375,7 @@ index 6649962..e755e58 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1005,18 @@ optional_policy(` +@@ -822,8 +1006,18 @@ optional_policy(` ') optional_policy(` @@ -6393,7 +6394,7 @@ index 6649962..e755e58 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1025,7 @@ optional_policy(` +@@ -832,6 +1026,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6401,7 +6402,7 @@ index 6649962..e755e58 100644 ') optional_policy(` -@@ -842,20 +1036,40 @@ optional_policy(` +@@ -842,20 +1037,40 @@ optional_policy(` ') optional_policy(` @@ -6448,7 +6449,7 @@ index 6649962..e755e58 100644 ') optional_policy(` -@@ -863,19 +1077,35 @@ optional_policy(` +@@ -863,19 +1078,35 @@ optional_policy(` ') optional_policy(` @@ -6484,7 +6485,7 @@ index 6649962..e755e58 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1113,189 @@ optional_policy(` +@@ -883,65 +1114,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6696,7 +6697,7 @@ index 6649962..e755e58 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1304,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1305,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6851,7 +6852,7 @@ index 6649962..e755e58 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1388,106 @@ optional_policy(` +@@ -1083,172 +1389,106 @@ optional_policy(` ') ') 
@@ -7088,7 +7089,7 @@ index 6649962..e755e58 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1495,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1496,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7185,7 +7186,7 @@ index 6649962..e755e58 100644 ######################################## # -@@ -1321,8 +1570,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1571,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7202,7 +7203,7 @@ index 6649962..e755e58 100644 ') ######################################## -@@ -1330,49 +1586,38 @@ optional_policy(` +@@ -1330,49 +1587,38 @@ optional_policy(` # User content local policy # @@ -7267,7 +7268,7 @@ index 6649962..e755e58 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1627,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1628,101 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -10718,10 +10719,10 @@ index 8de2ab9..3b41945 100644 + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) ') diff --git a/cachefilesd.te b/cachefilesd.te -index a3760bc..a570048 100644 +index a3760bc..660e5d3 100644 --- a/cachefilesd.te +++ b/cachefilesd.te -@@ -1,52 +1,124 @@ +@@ -1,52 +1,125 @@ policy_module(cachefilesd, 1.1.0) -######################################## @@ -10794,6 +10795,7 @@ index a3760bc..a570048 100644 +# rules. +# allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; ++allow cachefilesd_t self:process signal_perms; +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; @@ -24557,10 +24559,10 @@ index 0000000..76eb32e +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..96c47ea +index 0000000..dfb6b04 --- /dev/null 
+++ b/docker.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,278 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24620,7 +24622,7 @@ index 0000000..96c47ea +# +# docker local policy +# -+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service }; ++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service setfcap }; +allow docker_t self:process { getattr signal_perms }; +allow docker_t self:fifo_file rw_fifo_file_perms; +allow docker_t self:unix_stream_socket create_stream_socket_perms; @@ -24754,7 +24756,7 @@ index 0000000..96c47ea +kernel_request_load_module(docker_t) +kernel_mounton_messages(docker_t) + -+dev_getattr_all_blk_files(docker_t) ++dev_getattr_all(docker_t) +dev_getattr_sysfs_fs(docker_t) +dev_read_urand(docker_t) +dev_read_lvm_control(docker_t) @@ -24782,6 +24784,7 @@ index 0000000..96c47ea +fs_relabelfrom_xattr_fs(docker_t) +fs_relabelfrom_tmpfs(docker_t) +fs_read_tmpfs_symlinks(docker_t) ++fs_list_hugetlbfs(docker_t) + +term_use_generic_ptys(docker_t) +term_use_ptmx(docker_t) @@ -24799,6 +24802,10 @@ index 0000000..96c47ea +userdom_read_all_users_state(docker_t) + +optional_policy(` ++ gpm_getattr_gpmctl(docker_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(docker_t) + init_dbus_chat(docker_t) + @@ -26745,7 +26752,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..2b435ed 100644 +index cf0e567..a743483 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; 
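Review bot: The docker.te hunk (`@@ -24620,7 +24622,7 @@`) adds `setfcap` to `allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service setfcap };` without a comment; setfcap lets the daemon write file-capability xattrs, which grants privilege to executables, unlike the ownership-style capabilities beside it. A comment on that line, e.g. `# setfcap: <reason — the changelog only says "docker needs setfcap">`, would make this capability set auditable later. The same hunk group also swaps `dev_getattr_all_blk_files(docker_t)` for the broader `dev_getattr_all(docker_t)`; a one-liner such as `# docker stats every node under /dev, not only block devices` would match the changelog entry and explain the widening.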
@@ -26773,9 +26780,11 @@ index cf0e567..2b435ed 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -93,23 +91,35 @@ auth_use_nsswitch(fail2ban_t) +@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t) + auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) ++logging_read_audit_log(fail2ban_t) logging_send_syslog_msg(fail2ban_t) +logging_dontaudit_search_audit_logs(fail2ban_t) @@ -26813,7 +26822,7 @@ index cf0e567..2b435ed 100644 iptables_domtrans(fail2ban_t) ') -@@ -118,6 +128,10 @@ optional_policy(` +@@ -118,6 +129,10 @@ optional_policy(` ') optional_policy(` @@ -26824,7 +26833,7 @@ index cf0e567..2b435ed 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -26851,7 +26860,7 @@ index cf0e567..2b435ed 100644 logging_search_all_logs(fail2ban_client_t) - -miscfiles_read_localization(fail2ban_client_t) -+logging_dontaudit_search_audit_logs(fail2ban_client_t) ++logging_read_audit_log(fail2ban_client_t) userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) @@ -45713,7 +45722,7 @@ index 6ffaba2..549fb8c 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..7490fe3 100644 +index 6194b80..f741e56 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ 
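Review bot: `logging_read_audit_log(fail2ban_client_t)` replaces `logging_dontaudit_search_audit_logs(fail2ban_client_t)` in the second fail2ban.te hunk, so the client tool — which appears to be exposed to interactive roles through `fail2ban_client_roles`, per the context line at the top of this file's first hunk — now gets read access to the audit log rather than merely having search denials silenced. The commit message only says "Allow fail2ban to read audit logs", which the first hunk already covers for the daemon with `logging_read_audit_log(fail2ban_t)`. If the client does not parse audit logs itself, keep `logging_dontaudit_search_audit_logs(fail2ban_client_t)`; if it does, a comment naming the client operation that reads them would justify handing audit data to a client domain.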
@@ -45778,10 +45787,7 @@ index 6194b80..7490fe3 100644 - allow $2 mozilla_t:shm rw_shm_perms; - - stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) -+ allow $2 mozilla_t:shm { associate getattr }; -+ allow $2 mozilla_t:shm { unix_read unix_write }; -+ allow $2 mozilla_t:unix_stream_socket connectto; - +- - allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; @@ -45789,6 +45795,11 @@ index 6194b80..7490fe3 100644 - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") ++ allow $2 mozilla_t:shm { associate getattr }; ++ allow $2 mozilla_t:shm { unix_read unix_write }; ++ allow $2 mozilla_t:unix_stream_socket connectto; + +- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") + # X access, Home files + manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + manage_files_pattern($2, mozilla_home_t, mozilla_home_t) 
@@ -45797,15 +45808,13 @@ index 6194b80..7490fe3 100644 + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) -- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + #should be remove then with adding of roleattribute + mozilla_run_plugin(mozilla_t, $1) + mozilla_dbus_chat($2) -- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -- - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; @@ -45845,14 +45854,14 @@ index 6194b80..7490fe3 100644 - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) -+ mozilla_filetrans_home_content($2) - +- - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) - - allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; - allow $2 mozilla_plugin_t:fd use; -- ++ mozilla_filetrans_home_content($2) + - stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - - allow mozilla_plugin_t $2:process signull; 
@@ -46226,7 +46235,7 @@ index 6194b80..7490fe3 100644 ## ## ## -@@ -433,76 +356,144 @@ interface(`mozilla_dbus_chat',` +@@ -433,57 +356,162 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -46241,33 +46250,23 @@ index 6194b80..7490fe3 100644 - allow $1 mozilla_plugin_t:dbus send_msg; - allow mozilla_plugin_t $1:dbus send_msg; + allow $1 mozilla_t:tcp_socket rw_socket_perms; - ') - --######################################## ++') ++ +####################################### - ## --## Read and write mozilla TCP sockets. ++## +## Read mozilla_plugin tmpfs files - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access +## - ## - # --interface(`mozilla_rw_tcp_sockets',` -- gen_require(` -- type mozilla_t; -- ') ++## ++# +interface(`mozilla_plugin_read_tmpfs_files',` + gen_require(` + type mozilla_plugin_tmpfs_t; + ') - -- allow $1 mozilla_t:tcp_socket rw_socket_perms; ++ + allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; +') + @@ -46291,8 +46290,7 @@ index 6194b80..7490fe3 100644 ######################################## ## --## Create, read, write, and delete --## mozilla plugin rw files. +-## Read and write mozilla TCP sockets. +## Delete mozilla_plugin tmpfs files ## ## @@ -46302,15 +46300,14 @@ index 6194b80..7490fe3 100644 ## ## # --interface(`mozilla_manage_plugin_rw_files',` +-interface(`mozilla_rw_tcp_sockets',` +interface(`mozilla_plugin_delete_tmpfs_files',` gen_require(` -- type mozilla_plugin_rw_t; +- type mozilla_t; + type mozilla_plugin_tmpfs_t; ') -- libs_search_lib($1) -- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +- allow $1 mozilla_t:tcp_socket rw_socket_perms; + allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; +') + @@ -46352,7 +46349,8 @@ index 6194b80..7490fe3 100644 ######################################## ## --## Read mozilla_plugin tmpfs files. +-## Create, read, write, and delete +-## mozilla plugin rw files. +## Dontaudit read/write to a mozilla_plugin leaks ## ## 
@@ -46362,15 +46360,15 @@ index 6194b80..7490fe3 100644 ## ## # --interface(`mozilla_plugin_read_tmpfs_files',` +-interface(`mozilla_manage_plugin_rw_files',` +interface(`mozilla_plugin_dontaudit_leaks',` gen_require(` -- type mozilla_plugin_tmpfs_t; +- type mozilla_plugin_rw_t; + type mozilla_plugin_t; ') -- fs_search_tmpfs($1) -- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; +- libs_search_lib($1) +- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') + @@ -46390,21 +46388,39 @@ index 6194b80..7490fe3 100644 + ') + + dontaudit $1 mozilla_plugin_tmp_t:file { read write }; ++') ++ ++####################################### ++## ++## Allow read/write to a mozilla_plugin tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_plugin_rw_tmp_files',` ++ gen_require(` ++ type mozilla_plugin_tmp_t; ++ ') ++ ++ dontaudit $1 mozilla_plugin_tmp_t:file { read write }; ') ######################################## ## --## Delete mozilla_plugin tmpfs files. +-## Read mozilla_plugin tmpfs files. +## Create, read, write, and delete +## mozilla_plugin rw files. ## ## ## -@@ -510,19 +501,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -491,18 +519,18 @@ interface(`mozilla_manage_plugin_rw_files',` ## ## # --interface(`mozilla_plugin_delete_tmpfs_files',` +-interface(`mozilla_plugin_read_tmpfs_files',` +interface(`mozilla_plugin_manage_rw_files',` gen_require(` - type mozilla_plugin_tmpfs_t; 
@@ -46412,64 +46428,48 @@ index 6194b80..7490fe3 100644 ') - fs_search_tmpfs($1) -- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; +- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; + allow $1 mozilla_plugin_rw_t:file manage_file_perms; + allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; ') ######################################## ## --## Create, read, write, and delete --## generic mozilla plugin home content. +-## Delete mozilla_plugin tmpfs files. +## read mozilla_plugin rw files. ## ## ## -@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -510,19 +538,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # --interface(`mozilla_manage_generic_plugin_home_content',` +-interface(`mozilla_plugin_delete_tmpfs_files',` +interface(`mozilla_plugin_read_rw_files',` gen_require(` -- type mozilla_plugin_home_t; +- type mozilla_plugin_tmpfs_t; + type mozilla_plugin_rw_t; ') -- userdom_search_user_home_dirs($1) -- allow $1 mozilla_plugin_home_t:dir manage_dir_perms; -- allow $1 mozilla_plugin_home_t:file manage_file_perms; -- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms; -- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms; -- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms; +- fs_search_tmpfs($1) +- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ') ######################################## ## --## Create objects in user home --## directories with the generic mozilla --## plugin home type. +-## Create, read, write, and delete +-## generic mozilla plugin home content. +## Create mozilla content in the user home directory +## with an correct label. ## ## ## - ## Domain allowed access. +@@ -530,45 +557,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. 
--## --## # --interface(`mozilla_home_filetrans_plugin_home',` +-interface(`mozilla_manage_generic_plugin_home_content',` +interface(`mozilla_filetrans_home_content',` + gen_require(` @@ -46477,7 +46477,12 @@ index 6194b80..7490fe3 100644 + type mozilla_home_t; ') -- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) +- userdom_search_user_home_dirs($1) +- allow $1 mozilla_plugin_home_t:dir manage_dir_perms; +- allow $1 mozilla_plugin_home_t:file manage_file_perms; +- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms; +- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms; +- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms; + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla") @@ -46506,6 +46511,41 @@ index 6194b80..7490fe3 100644 + gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web") + ') ') + + ######################################## + ## +-## Create objects in user home +-## directories with the generic mozilla +-## plugin home type. ++## Allow the domain to read mozilla_plugin state files in /proc. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`mozilla_home_filetrans_plugin_home',` ++interface(`mozilla_plugin_read_state',` + gen_require(` +- type mozilla_plugin_home_t; ++ type mozilla_plugin_t; + ') + +- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) ++ kernel_search_proc($1) ++ ps_process_pattern($1, mozilla_plugin_t) + ') + diff --git a/mozilla.te b/mozilla.te index 11ac8e4..372b342 100644 @@ -91569,7 +91609,7 @@ index 1fa51c1..82e111c 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) 
diff --git a/smokeping.te b/smokeping.te -index ec031a0..26b6da1 100644 +index ec031a0..61a9f8c 100644 --- a/smokeping.te +++ b/smokeping.te @@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) @@ -91597,7 +91637,7 @@ index ec031a0..26b6da1 100644 mta_send_mail(smokeping_t) netutils_domtrans_ping(smokeping_t) -@@ -60,17 +58,20 @@ netutils_domtrans_ping(smokeping_t) +@@ -60,17 +58,22 @@ netutils_domtrans_ping(smokeping_t) optional_policy(` apache_content_template(smokeping_cgi) @@ -91605,20 +91645,22 @@ index ec031a0..26b6da1 100644 + + manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) + manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) ++ ++ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) - manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) -+ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) - -- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) + files_read_etc_files(smokeping_cgi_script_t) + files_search_tmp(smokeping_cgi_script_t) + files_search_var_lib(smokeping_cgi_script_t) +- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) ++ auth_read_passwd(smokeping_cgi_script_t) + - files_read_etc_files(httpd_smokeping_cgi_script_t) - files_search_tmp(httpd_smokeping_cgi_script_t) - files_search_var_lib(httpd_smokeping_cgi_script_t) -+ auth_read_passwd(smokeping_cgi_script_t) ++ logging_send_syslog_msg(smokeping_cgi_script_t) - sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) + sysnet_dns_name_resolve(smokeping_cgi_script_t) @@ -103067,7 +103109,7 @@ index facdee8..d179539 100644 + typeattribute $1 sandbox_caps_domain; ') 
diff --git a/virt.te b/virt.te -index f03dcf5..f5766e6 100644 +index f03dcf5..eef3cb7 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,227 @@ @@ -104549,7 +104591,7 @@ index f03dcf5..f5766e6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1153,316 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1153,317 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -104625,8 +104667,8 @@ index f03dcf5..f5766e6 100644 +manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr; -+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto }; + +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) @@ -104845,6 +104887,7 @@ index f03dcf5..f5766e6 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; ++manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow svirt_lxc_net_t self:capability sys_admin; 
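Review bot: The chr_file side of svirt_sandbox_domain is widened to `manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)` while the blk_file lines two rows below still grant only `setattr` plus `rw_blk_files_pattern`, although the changelog says both chr and blk files are needed for mknod; either the blk_file lines were meant to change the same way or the changelog overstates the change, and a comment such as `# mknod inside the sandbox: create device nodes labelled svirt_sandbox_file_t` above the chr_file rule would record which. The new `allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };` covers the file class only, not dir, lnk_file or the chr/blk nodes the same block manages, so if "relabel content" means a directory tree the dir relabel will still be denied; and since sandboxes are separated by MCS categories rather than by type, the relabel should be checked against the MCS relabelto constraints before it is relied on as bounded. The hunk at -104845 adds `manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)`; if svirt_lxc_net_t carries the svirt_sandbox_domain attribute (not visible here), that rule duplicates this one.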
@@ -105004,7 +105047,7 @@ index f03dcf5..f5766e6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1475,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1476,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -105019,7 +105062,7 @@ index f03dcf5..f5766e6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1493,8 @@ optional_policy(` +@@ -1192,9 +1494,8 @@ optional_policy(` ######################################## # @@ -105030,7 +105073,7 @@ index f03dcf5..f5766e6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1507,218 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1508,218 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7b86bef..a7014b4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 71%{?dist} +Release: 72%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -602,6 +602,21 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Aug 12 2014 Lukas Vrabec 3.12.1-72 +- docker needs to be able to look at everything in /dev +- Allow all processes to send themselves signals +- Allow sysadm_t to create netlink_tcpdiag socket +- sysadm_t should be allowed to communicate with networkmanager +- These are required for bluejeans to work on a unconfined.pp disabled machine +- docker needs setfcap +- Allow svirt domains to manage chr files and blk files for mknod commands +- Allow fail2ban to read audit logs +- Allow cachefilesd_t to send itself signals +- Allow smokeping cgi script to send syslog messages +- Allow svirt sandbox domains to relabel content +- Since apache content can be placed anywhere, we should just allow apache to search through any directory +- These are required for bluejeans to work on a unconfined.pp disabled machin + * Mon Aug 4 2014 Miroslav Grepl 3.13.1-71 - shell_exec_t should not be in cockip.fc