From 3f1341d528aac8afa8e4c626857eb8b446a6e3af Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 08 2014 05:25:43 +0000 Subject: - Change hsperfdata_root to have as user_tmp_t - Allow rsyslog low-level network access - Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by li - Allow conman to resolve DNS and use user ptys - update pegasus_openlmi_admin_t policy - nslcd wants chown capability - Dontaudit exec insmod in boinc policy --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b0f6b27..f459a64 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8742,7 +8742,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..0b3704b 100644 +index cf04cb5..806e1cc 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8880,7 +8880,7 @@ index cf04cb5..0b3704b 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +232,342 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9100,6 +9100,10 @@ index cf04cb5..0b3704b 100644 +') + +optional_policy(` ++ userdom_filetrans_named_user_tmp_files(named_filetrans_domain) ++') ++ ++optional_policy(` + virt_filetrans_named_content(named_filetrans_domain) +') + @@ -9224,7 +9228,7 @@ index cf04cb5..0b3704b 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..9cbe36a 100644 +index b876c48..bbd0e79 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc 
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9358,7 +9362,7 @@ index b876c48..9cbe36a 100644 # # /selinux # -@@ -178,25 +191,29 @@ ifdef(`distro_debian',` +@@ -178,13 +191,14 @@ ifdef(`distro_debian',` # # /srv # @@ -9375,11 +9379,7 @@ index b876c48..9cbe36a 100644 /tmp/.* <> /tmp/\.journal <> - /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /tmp/lost\+found/.* <> -+/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) -+/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) - +@@ -194,9 +208,10 @@ ifdef(`distro_debian',` # # /usr # @@ -9391,7 +9391,7 @@ index b876c48..9cbe36a 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +221,9 @@ ifdef(`distro_debian',` +@@ -204,15 +219,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9408,7 +9408,7 @@ index b876c48..9cbe36a 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +231,6 @@ ifdef(`distro_debian',` +@@ -220,8 +229,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9417,7 +9417,7 @@ index b876c48..9cbe36a 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +238,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9426,7 +9426,7 @@ index b876c48..9cbe36a 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +246,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +244,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
@@ -9453,7 +9453,7 @@ index b876c48..9cbe36a 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +279,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9468,14 +9468,14 @@ index b876c48..9cbe36a 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +296,5 @@ ifdef(`distro_debian',` +@@ -271,3 +294,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..ae94e80 100644 +index f962f76..337a00e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12384,7 +12384,7 @@ index f962f76..ae94e80 100644 ## ## ## -@@ -6573,10 +7835,785 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7835,784 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -13039,7 +13039,6 @@ index f962f76..ae94e80 100644 + files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") -+ files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") + files_var_filetrans($1, var_run_t, dir, "run") @@ -24486,7 +24485,7 @@ index 6bf0ecc..bf98136 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..2a244f6 100644 +index 8b40377..f0e5cc0 100644 
--- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -25125,7 +25124,7 @@ index 8b40377..2a244f6 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +693,153 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +693,155 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25148,12 +25147,14 @@ index 8b40377..2a244f6 100644 + fs_manage_nfs_dirs(xdm_t) + fs_manage_nfs_files(xdm_t) + fs_manage_nfs_symlinks(xdm_t) ++ fs_append_nfs_files(xdm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(xdm_t) + fs_manage_cifs_files(xdm_t) + fs_manage_cifs_symlinks(xdm_t) ++ fs_append_cifs_files(xdm_t) +') + +tunable_policy(`use_fusefs_home_dirs',` @@ -25285,7 +25286,7 @@ index 8b40377..2a244f6 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -503,11 +853,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -503,11 +855,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -25312,7 +25313,7 @@ index 8b40377..2a244f6 100644 ') optional_policy(` -@@ -517,9 +882,34 @@ optional_policy(` +@@ -517,9 +884,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -25348,7 +25349,7 @@ index 8b40377..2a244f6 100644 ') ') -@@ -530,6 +920,20 @@ optional_policy(` +@@ -530,6 +922,20 @@ optional_policy(` ') optional_policy(` @@ -25369,7 +25370,7 @@ index 8b40377..2a244f6 100644 hostname_exec(xdm_t) ') -@@ -547,28 +951,78 @@ optional_policy(` +@@ -547,28 +953,78 @@ optional_policy(` ') optional_policy(` @@ -25457,7 +25458,7 @@ index 8b40377..2a244f6 100644 ') optional_policy(` -@@ -580,6 +1034,14 @@ optional_policy(` +@@ -580,6 +1036,14 @@ optional_policy(` ') optional_policy(` 
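Review bot: The added `fs_append_nfs_files(xdm_t)` and `fs_append_cifs_files(xdm_t)` sit inside tunable_policy blocks that already call `fs_manage_nfs_files(xdm_t)` and `fs_manage_cifs_files(xdm_t)`; if those expand to manage_file_perms as in the reference policy, append is already granted and the two new lines are redundant. If the append interfaces cover a case that manage does not (the changelog says lightdm appends .xsession-errors), a one-line comment such as `# lightdm appends ~/.xsession-errors on NFS/CIFS homes` above each new line would record why both calls are kept. The opening `tunable_policy(\`use_nfs_home_dirs',\`` line of the first block is outside the hunk; the samba block is fully visible.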
@@ -25472,7 +25473,7 @@ index 8b40377..2a244f6 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -25481,7 +25482,7 @@ index 8b40377..2a244f6 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -25494,7 +25495,7 @@ index 8b40377..2a244f6 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -25510,7 +25511,7 @@ index 8b40377..2a244f6 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -25521,7 +25522,7 @@ index 8b40377..2a244f6 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -25558,7 +25559,7 @@ index 8b40377..2a244f6 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -25590,7 +25591,7 @@ index 8b40377..2a244f6 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -25605,7 +25606,7 @@ index 8b40377..2a244f6 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1214,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1216,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -25629,7 +25630,7 @@ index 8b40377..2a244f6 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -25638,7 +25639,7 @@ index 8b40377..2a244f6 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1277,44 @@ optional_policy(` +@@ -785,17 +1279,44 @@ optional_policy(` ') optional_policy(` @@ -25685,7 +25686,7 @@ index 8b40377..2a244f6 100644 ') optional_policy(` -@@ -803,6 +1322,10 @@ optional_policy(` +@@ -803,6 +1324,10 @@ optional_policy(` ') optional_policy(` @@ -25696,7 +25697,7 @@ index 8b40377..2a244f6 100644 xfs_stream_connect(xserver_t) ') -@@ -818,10 +1341,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,10 +1343,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -25710,7 +25711,7 @@ index 8b40377..2a244f6 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -829,7 +1352,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -829,7 +1354,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -25719,7 +25720,7 @@ index 8b40377..2a244f6 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1365,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1367,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -25754,7 +25755,7 @@ index 8b40377..2a244f6 100644 ') optional_policy(` -@@ -912,7 +1430,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1432,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -25763,7 +25764,7 @@ index 8b40377..2a244f6 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1484,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1486,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -25795,7 +25796,7 @@ index 8b40377..2a244f6 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1530,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1532,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -33298,7 +33299,7 @@ index 4e94884..b144ffe 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..cdc1c76 100644 +index 59b04c1..1259fbd 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) 
@@ -33497,7 +33498,7 @@ index 59b04c1..cdc1c76 100644 # sys_nice for rsyslog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; -+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid }; ++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog @@ -33509,15 +33510,18 @@ index 59b04c1..cdc1c76 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -371,6 +413,7 @@ allow syslogd_t self:udp_socket create_socket_perms; +@@ -369,8 +411,10 @@ allow syslogd_t self:unix_dgram_socket sendto; + allow syslogd_t self:fifo_file rw_fifo_file_perms; + allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; ++allow syslogd_t self:rawip_socket create_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -389,30 +432,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +433,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
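Review bot: The new `net_raw` capability, together with `allow syslogd_t self:rawip_socket create_socket_perms;` in the following hunk, lets the syslog daemon open raw IP sockets, which is a notable widening for a network-facing service that the commit only describes as "low-level network access". A comment naming the rsyslog feature that needs a raw socket should accompany the rule, and if only some deployments use that feature the two rules could be placed under a tunable so the default policy keeps the daemon without raw-socket access. Separately, the rewritten capability line still lists `setuid setgid` twice; `allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin net_raw setgid setuid sys_admin sys_nice chown fsetid };` is the deduplicated form.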
@@ -33567,7 +33571,7 @@ index 59b04c1..cdc1c76 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +481,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +482,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -33576,7 +33580,7 @@ index 59b04c1..cdc1c76 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +493,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +494,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -33604,7 +33608,7 @@ index 59b04c1..cdc1c76 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +526,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +527,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -33622,7 +33626,7 @@ index 59b04c1..cdc1c76 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +548,11 @@ init_use_fds(syslogd_t) +@@ -466,11 +549,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -33637,7 +33641,7 @@ index 59b04c1..cdc1c76 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -507,15 +589,40 @@ optional_policy(` +@@ -507,15 +590,40 @@ optional_policy(` ') optional_policy(` 
@@ -33678,7 +33682,7 @@ index 59b04c1..cdc1c76 100644 ') optional_policy(` -@@ -526,3 +633,26 @@ optional_policy(` +@@ -526,3 +634,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -41857,10 +41861,10 @@ index 5fe902d..fcc9efe 100644 + rpm_transition_script(unconfined_service_t, system_r) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..e4eb903 100644 +index db75976..4ca3a28 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,24 @@ +@@ -1,4 +1,28 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -41886,8 +41890,12 @@ index db75976..e4eb903 100644 +HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) ++ ++/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) ++/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) ++ diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..b921b57 100644 +index 9dc60c6..102478f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -44163,7 +44171,34 @@ index 9dc60c6..b921b57 100644 ') ######################################## -@@ -2661,6 +3341,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2538,6 +3218,26 @@ interface(`userdom_manage_user_tmp_files',` + ######################################## + ## + ## Create, read, write, and delete user ++## temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_filetrans_named_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user + ## temporary symbolic links. + ## + ## +@@ -2661,6 +3361,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -44189,7 +44224,7 @@ index 9dc60c6..b921b57 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3376,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2677,13 +3396,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -44205,7 +44240,7 @@ index 9dc60c6..b921b57 100644 ## ## ## -@@ -2704,7 +3404,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2704,7 +3424,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -44214,7 +44249,7 @@ index 9dc60c6..b921b57 100644 ## ## ## -@@ -2712,14 +3412,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2712,14 +3432,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -44249,7 +44284,7 @@ index 9dc60c6..b921b57 100644 ') ######################################## -@@ -2814,6 +3530,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3550,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -44274,7 +44309,7 @@ index 9dc60c6..b921b57 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3566,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3586,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -44317,7 +44352,7 @@ index 9dc60c6..b921b57 100644 ## ## ## -@@ -2856,14 +3602,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3622,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -44355,7 +44390,7 @@ index 9dc60c6..b921b57 100644 ') ######################################## -@@ -2882,8 +3647,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3667,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -44385,7 +44420,7 @@ index 9dc60c6..b921b57 100644 ') ######################################## -@@ -2955,69 +3739,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3759,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -44486,7 +44521,7 @@ index 9dc60c6..b921b57 100644 ## ## ## -@@ -3025,12 +3808,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3828,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -44501,7 +44536,7 @@ index 9dc60c6..b921b57 100644 ') ######################################## -@@ -3094,7 +3877,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +3897,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -44510,7 +44545,7 @@ index 9dc60c6..b921b57 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +3893,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,16 +3913,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -44521,11 +44556,33 @@ index 9dc60c6..b921b57 100644 files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Send signull to unprivileged user domains. ++## Send general signals to unprivileged user domains. + ## + ## + ## +@@ -3127,30 +3932,12 @@ interface(`userdom_search_user_home_content',` + ## + ## + # +-interface(`userdom_signull_unpriv_users',` ++interface(`userdom_signal_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + +- allow $1 unpriv_userdomain:process signull; -') - -######################################## -## --## Send signull to unprivileged user domains. +-## Send general signals to unprivileged user domains. -## -## -## 
@@ -44533,75 +44590,44 @@ index 9dc60c6..b921b57 100644 -## -## -# --interface(`userdom_signull_unpriv_users',` +-interface(`userdom_signal_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - -- allow $1 unpriv_userdomain:process signull; -+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; -+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; +- allow $1 unpriv_userdomain:process signal; ++ allow $1 unpriv_userdomain:process signal; ') ######################################## -@@ -3214,31 +3981,49 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4001,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') - dontaudit $1 user_devpts_t:chr_file rw_file_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; - ') - - ######################################## - ## --## Relabel files to unprivileged user pty types. ++') ++ ++######################################## ++## +## Do not audit attempts to open user ptys. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_relabelto_user_ptys',` -+interface(`userdom_dontaudit_open_user_ptys',` - gen_require(` - type user_devpts_t; - ') - -- allow $1 user_devpts_t:chr_file relabelto; -+ dontaudit $1 user_devpts_t:chr_file open; - ') - - ######################################## - ## --## Do not audit attempts to relabel files from --## user pty types. -+## Relabel files to unprivileged user pty types. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_relabelto_user_ptys',` ++interface(`userdom_dontaudit_open_user_ptys',` + gen_require(` + type user_devpts_t; + ') + -+ allow $1 user_devpts_t:chr_file relabelto; -+') -+ -+######################################## -+## -+## Do not audit attempts to relabel files from -+## user pty types. 
- ## - ## - ## -@@ -3269,7 +4054,83 @@ interface(`userdom_write_user_tmp_files',` ++ dontaudit $1 user_devpts_t:chr_file open; + ') + + ######################################## +@@ -3269,7 +4074,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -44686,7 +44712,7 @@ index 9dc60c6..b921b57 100644 ') ######################################## -@@ -3287,7 +4148,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3287,7 +4168,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -44695,7 +44721,7 @@ index 9dc60c6..b921b57 100644 ') ######################################## -@@ -3306,6 +4167,7 @@ interface(`userdom_read_all_users_state',` +@@ -3306,6 +4187,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -44703,7 +44729,7 @@ index 9dc60c6..b921b57 100644 kernel_search_proc($1) ') -@@ -3382,6 +4244,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4264,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -44746,7 +44772,7 @@ index 9dc60c6..b921b57 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4300,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4320,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -44771,7 +44797,7 @@ index 9dc60c6..b921b57 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4351,1680 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4371,1680 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -44940,7 +44966,7 @@ index 9dc60c6..b921b57 100644 + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir list_dir_perms; -+') + ') + +######################################## +## 
@@ -44959,7 +44985,7 @@ index 9dc60c6..b921b57 100644 + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir search_dir_perms; - ') ++') + +######################################## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index bc6b66b..2f410dd 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -14431,10 +14431,10 @@ index 0000000..54b4b04 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..0de2d4d +index 0000000..d6b0314 --- /dev/null +++ b/conman.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,49 @@ +policy_module(conman, 1.0.0) + +######################################## @@ -14462,7 +14462,7 @@ index 0000000..0de2d4d + +allow conman_t self:fifo_file rw_fifo_file_perms; +allow conman_t self:unix_stream_socket create_stream_socket_perms; -+allow conman_t self:tcp_socket { listen create_socket_perms }; ++allow conman_t self:tcp_socket { accept listen create_socket_perms }; + +manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) +manage_files_pattern(conman_t, conman_log_t, conman_log_t) @@ -14477,6 +14477,10 @@ index 0000000..0de2d4d + +logging_send_syslog_msg(conman_t) + ++sysnet_dns_name_resolve(conman_t) ++ ++userdom_use_user_ptys(conman_t) ++ +optional_policy(` + freeipmi_stream_connect(conman_t) +') @@ -53622,7 +53626,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index 421bf1a..b80dbe5 100644 +index 421bf1a..e3f91f6 100644 --- a/nslcd.te +++ b/nslcd.te @@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) 
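Review bot: `allow conman_t self:tcp_socket { accept listen create_socket_perms };` spells out the permission set that the reference policy already names create_stream_socket_perms, which the unix_stream_socket rule two lines above already uses; `allow conman_t self:tcp_socket create_stream_socket_perms;` is the idiomatic form and keeps the two socket rules consistent. The added `userdom_use_user_ptys(conman_t)` in the next hunk grants read and write on user ptys to a daemon; if that is only needed when conman is started from an interactive terminal, a short comment saying so (or the userdom_dontaudit_use_user_ptys variant, if the access is merely noisy rather than required) would make the intent clear. The conman.te file is new in this commit and fully visible.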
@@ -53636,7 +53640,7 @@ index 421bf1a..b80dbe5 100644 -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; -+allow nslcd_t self:capability { dac_override setgid setuid sys_nice }; ++allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice }; +allow nslcd_t self:process { setsched signal signull }; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; @@ -60369,7 +60373,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..aa814c8 100644 +index 608f454..6054e92 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -60388,7 +60392,7 @@ index 608f454..aa814c8 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,319 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,324 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -60566,6 +60570,8 @@ index 608f454..aa814c8 100644 +# pegasus openlmi service local policy +# + ++fs_getattr_all_fs(pegasus_openlmi_admin_t) ++ +init_manage_transient_unit(pegasus_openlmi_admin_t) +init_disable_services(pegasus_openlmi_admin_t) +init_enable_services(pegasus_openlmi_admin_t) @@ -60580,6 +60586,9 @@ index 608f454..aa814c8 100644 + +allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; + ++logging_read_syslog_pid(pegasus_openlmi_admin_t) ++logging_read_generic_logs(pegasus_openlmi_admin_t) ++ +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_admin_t) + 
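Review bot: The nslcd capability line gains `chown` with no comment explaining what nslcd changes the owner of, and the changelog entry "nslcd wants chown capability" records the symptom rather than the reason. A one-line why-comment above the rule naming the object nslcd chowns, e.g. `# chown: nslcd re-owns <object> at startup` with the placeholder filled in from the denial that prompted the change, would let a later reviewer judge whether a narrower rule is possible. The surrounding nslcd_t rules are fully visible in the hunk.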
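Review bot: `logging_read_syslog_pid(pegasus_openlmi_admin_t)` and `logging_read_generic_logs(pegasus_openlmi_admin_t)` are inserted among the pegasus_openlmi_service_t rules, directly after `allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;`, while the other new rule `fs_getattr_all_fs(pegasus_openlmi_admin_t)` sits with the admin_t rules in the block above; moving the two logging calls up next to it keeps the per-domain sections readable, and that block's header `# pegasus openlmi service local policy` would then better read `# pegasus openlmi admin local policy`. logging_read_generic_logs presumably opens every generic log file to the provider, which is broad for a CIM admin domain, so a comment naming the OpenLMI provider or log that needs it would help later tightening. Both hunks start inside the pegasus_openlmi_* section whose beginning is not visible here.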
@@ -60713,7 +60722,7 @@ index 608f454..aa814c8 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +357,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -60744,7 +60753,7 @@ index 608f454..aa814c8 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +383,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -60777,7 +60786,7 @@ index 608f454..aa814c8 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +411,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -60789,7 +60798,7 @@ index 608f454..aa814c8 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +427,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -60825,7 +60834,7 @@ index 608f454..aa814c8 100644 ') optional_policy(` -@@ -151,16 +456,24 @@ optional_policy(` +@@ -151,16 +461,24 @@ optional_policy(` ') optional_policy(` @@ -60854,7 +60863,7 @@ index 608f454..aa814c8 100644 ') optional_policy(` -@@ -168,7 +481,7 @@ optional_policy(` +@@ -168,7 +486,7 @@ optional_policy(` ') optional_policy(` @@ -60863,7 +60872,7 @@ index 608f454..aa814c8 100644 ') optional_policy(` -@@ -180,6 +493,7 @@ optional_policy(` +@@ -180,6 +498,7 @@ optional_policy(` ') optional_policy(` 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0f5906d..c046312 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 43%{?dist}
+Release: 44%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 8 2014 Miroslav Grepl 3.13.1-44
+- Change hsperfdata_root to have as user_tmp_t
+- Allow rsyslog low-level network access
+- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
+- Allow conman to resolve DNS and use user ptys
+- update pegasus_openlmi_admin_t policy
+- nslcd wants chown capability
+- Dontaudit exec insmod in boinc policy
+
 * Fri Apr 4 2014 Miroslav Grepl 3.13.1-43
 - Add labels for /var/named/chroot_sdb/dev devices
 - Add support for strongimcv