From 61514837cce8ac5d286908f52bb0fc3d60e97720 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 02 2015 11:49:11 +0000 Subject: * Fri Oct 02 2015 Lukas Vrabec 3.13.1-150 - Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. - Clean up pkcs11proxyd policy. - We need to require sandbox_web_type attribute in sandbox_x_domain_template(). - Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t." - depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t. - Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions. - Update modules_filetrans_named_content() interface to cover more modules.* files. - New policy for systemd-machined. #1255305 - In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example. - Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution) - Merge pull request #42 from vmojzis/rawhide-base - Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 89f5679..c3f3910 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch 
@@ -10876,7 +10876,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..a226015 100644 +index f962f76..7c3c35b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12776,7 +12776,19 @@ index f962f76..a226015 100644 ') ######################################## -@@ -4217,6 +5039,175 @@ interface(`files_read_world_readable_sockets',` +@@ -4012,6 +4834,11 @@ interface(`files_read_kernel_modules',` + allow $1 modules_object_t:dir list_dir_perms; + read_files_pattern($1, modules_object_t, modules_object_t) + read_lnk_files_pattern($1, modules_object_t, modules_object_t) ++ ++ # allow to read module deps because of labeling changed to modules_dep_t ++ optional_policy(` ++ modutils_read_module_deps($1) ++ ') + ') + + ######################################## +@@ -4217,6 +5044,175 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -12952,7 +12964,7 @@ index f962f76..a226015 100644 ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5230,26 @@ interface(`files_associate_tmp',` +@@ -4239,6 +5235,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -12979,7 +12991,7 @@ index f962f76..a226015 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5263,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4252,17 +5268,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -13018,7 +13030,7 @@ index f962f76..a226015 100644 ## ## # -@@ -4289,6 +5320,8 @@ interface(`files_search_tmp',` +@@ -4289,6 +5325,8 @@ interface(`files_search_tmp',` type tmp_t; ') 
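Review bot: The `optional_policy(` modutils_read_module_deps($1) ')` block added to `files_read_kernel_modules` makes a kernel-layer interface in files.if call into the system-layer modutils module, and it silently widens every existing caller of this interface to read `modules_dep_t` as well; the optional_policy wrapper avoids a hard dependency, but refpolicy layering normally has system modules call down into kernel ones rather than the reverse, so the inverted direction deserves a sentence of justification. The added comment is also hard to parse; I would replace it with `# modules.dep and the other modules.* files are now labeled modules_dep_t (owned by modutils); pull that in so existing callers keep working`. `files_read_kernel_modules` opens before this hunk — its interface line appears only in the hunk header.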
@@ -13027,7 +13039,7 @@ index f962f76..a226015 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5358,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5363,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -13035,7 +13047,7 @@ index f962f76..a226015 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5368,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5373,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13044,7 +13056,7 @@ index f962f76..a226015 100644 ## ## # -@@ -4346,21 +5380,41 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,21 +5385,41 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13092,7 +13104,7 @@ index f962f76..a226015 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5456,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5461,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13125,7 +13137,7 @@ index f962f76..a226015 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5536,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5541,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13168,7 +13180,7 @@ index f962f76..a226015 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5590,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5595,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -13229,7 +13241,7 @@ index f962f76..a226015 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5689,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5694,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13238,7 +13250,7 @@ index f962f76..a226015 100644 ## ## # -@@ -4579,7 +5749,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5754,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## 
@@ -13247,7 +13259,7 @@ index f962f76..a226015 100644 ## ## # -@@ -4611,6 +5781,44 @@ interface(`files_read_all_tmp_files',` +@@ -4611,6 +5786,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -13292,7 +13304,7 @@ index f962f76..a226015 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5872,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5877,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -13309,7 +13321,7 @@ index f962f76..a226015 100644 ') ######################################## -@@ -5112,6 +6330,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6335,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -13334,7 +13346,7 @@ index f962f76..a226015 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6477,24 @@ interface(`files_list_var',` +@@ -5241,6 +6482,24 @@ interface(`files_list_var',` ######################################## ## @@ -13359,7 +13371,7 @@ index f962f76..a226015 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6582,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6587,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -13368,7 +13380,7 @@ index f962f76..a226015 100644 ') ######################################## -@@ -5527,6 +6781,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6786,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## 
@@ -13394,7 +13406,7 @@ index f962f76..a226015 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6869,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6874,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -13420,7 +13432,7 @@ index f962f76..a226015 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6933,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6938,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -13429,7 +13441,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -5649,12 +6941,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6946,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -13445,7 +13457,7 @@ index f962f76..a226015 100644 ') ######################################## -@@ -5672,6 +6965,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6970,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -13453,7 +13465,7 @@ index f962f76..a226015 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6992,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6997,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -13481,7 +13493,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -5706,13 +7019,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7024,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13498,7 +13510,7 @@ index f962f76..a226015 100644 ') ######################################## -@@ -5731,7 +7043,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7048,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -13507,7 +13519,7 @@ index f962f76..a226015 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7076,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7081,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -13515,7 +13527,7 @@ index f962f76..a226015 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7090,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7095,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -13524,7 +13536,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -5787,13 +7098,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7103,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -13559,7 +13571,7 @@ index f962f76..a226015 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7140,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7145,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -13577,7 +13589,7 @@ index f962f76..a226015 100644 ') ######################################## -@@ -5834,9 +7164,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7169,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -13588,7 +13600,7 @@ index f962f76..a226015 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7206,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7211,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -13598,7 +13610,7 @@ index f962f76..a226015 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7228,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7233,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -13608,7 +13620,7 @@ index f962f76..a226015 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7265,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7270,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -13618,7 +13630,7 @@ index f962f76..a226015 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7304,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7309,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -13627,7 +13639,7 @@ index f962f76..a226015 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7324,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7329,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -13676,7 +13688,7 @@ index f962f76..a226015 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7388,43 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7393,43 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -13720,7 +13732,7 @@ index f962f76..a226015 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7439,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7444,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -13729,7 +13741,7 @@ index f962f76..a226015 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7458,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7463,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -13738,7 +13750,7 @@ index f962f76..a226015 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7478,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7483,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') 
@@ -13747,7 +13759,7 @@ index f962f76..a226015 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7540,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7545,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13755,7 +13767,7 @@ index f962f76..a226015 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7568,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7573,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -13780,7 +13792,7 @@ index f962f76..a226015 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7599,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7604,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -13789,7 +13801,7 @@ index f962f76..a226015 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7666,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7671,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -13852,7 +13864,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6305,42 +7710,35 @@ interface(`files_delete_all_pids',` +@@ -6305,42 +7715,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -13902,7 +13914,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6348,18 +7746,18 @@ interface(`files_manage_all_pids',` +@@ -6348,18 +7751,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -13926,7 +13938,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6367,37 +7765,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,37 +7770,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -13978,7 +13990,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6405,18 +7806,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6405,18 +7811,17 @@ interface(`files_dontaudit_search_spool',` ## ## # 
@@ -14001,7 +14013,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6424,18 +7824,18 @@ interface(`files_list_spool',` +@@ -6424,18 +7829,18 @@ interface(`files_list_spool',` ## ## # @@ -14025,7 +14037,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6443,19 +7843,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6443,19 +7848,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -14050,7 +14062,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6463,109 +7862,62 @@ interface(`files_read_generic_spool',` +@@ -6463,109 +7867,62 @@ interface(`files_read_generic_spool',` ## ## # @@ -14181,7 +14193,7 @@ index f962f76..a226015 100644 ## ## ## -@@ -6573,10 +7925,944 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7930,944 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -15374,7 +15386,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f1378d6 100644 +index 8416beb..b66e93a 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15822,7 +15834,7 @@ index 8416beb..f1378d6 100644 ## ## ## -@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',` +@@ -1878,117 +2085,190 @@ interface(`fs_search_fusefs',` ## ## # 
@@ -15992,93 +16004,83 @@ index 8416beb..f1378d6 100644 -## read, write, and delete files -## on a FUSEFS filesystem. +## Unmount a FUSE filesystem. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_manage_fusefs_files',` ++## ++## ++# +interface(`fs_unmount_fusefs',` - gen_require(` - type fusefs_t; - ') - -- dontaudit $1 fusefs_t:file manage_file_perms; ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem unmount; - ') - - ######################################## - ## --## Read symbolic links on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mounton a FUSEFS filesystem. - ## - ## - ## -@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` - ## - ## - # --interface(`fs_read_fusefs_symlinks',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mounton_fusefs',` - gen_require(` - type fusefs_t; - ') - -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:dir mounton; - ') - - ######################################## - ## --## Get the attributes of an hugetlbfs --## filesystem. ++') ++ ++######################################## ++## +## Search directories +## on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_getattr_hugetlbfs',` -+interface(`fs_search_fusefs',` - gen_require(` -- type hugetlbfs_t; -+ type fusefs_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; -+ allow $1 fusefs_t:dir search_dir_perms; - ') - - ######################################## - ## --## List hugetlbfs. -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## ++## +# -+interface(`fs_dontaudit_list_fusefs',` ++interface(`fs_search_fusefs',` + gen_require(` + type fusefs_t; + ') + -+ dontaudit $1 fusefs_t:dir list_dir_perms; ++ allow $1 fusefs_t:dir search_dir_perms; +') + +######################################## +## ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. + ## + ## + ## +@@ -1996,91 +2276,173 @@ interface(`fs_manage_fusefs_files',` + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_dontaudit_list_fusefs',` + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; ++ dontaudit $1 fusefs_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. +## Create, read, write, and delete directories +## on a FUSEFS filesystem. ## @@ -16089,20 +16091,21 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_list_hugetlbfs',` +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_manage_fusefs_dirs',` gen_require(` -- type hugetlbfs_t; -+ type fusefs_t; + type fusefs_t; ') -- allow $1 hugetlbfs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## --## Manage hugetlbfs dirs. +-## Get the attributes of an hugetlbfs +-## filesystem. +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. 
@@ -16132,20 +16135,20 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_manage_hugetlbfs_dirs',` +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_read_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:filesystem getattr; + read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Read and write hugetlbfs files. +-## List hugetlbfs. +## Execute files on a FUSEFS filesystem. ## ## 
@@ -16155,69 +16158,58 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_rw_hugetlbfs_files',` +-interface(`fs_list_hugetlbfs',` +interface(`fs_exec_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:dir list_dir_perms; + exec_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Allow the type to associate to hugetlbfs filesystems. +-## Manage hugetlbfs dirs. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. - ## --## ++## +## - ## --## The type of the object to be associated. ++## +## The domain for which fusefs_t is an entrypoint. - ## - ## - # --interface(`fs_associate_hugetlbfs',` ++## ++## ++# +interface(`fs_fusefs_entry_type',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 hugetlbfs_t:filesystem associate; ++ ') ++ + domain_entry_file($1, fusefs_t) - ') - - ######################################## - ## --## Search inotifyfs filesystem. ++') ++ ++######################################## ++## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## The domain for which fusefs_t is an entrypoint. - ## - ## - # --interface(`fs_search_inotifyfs',` ++## ++## ++# +interface(`fs_fusefs_entrypoint',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 inotifyfs_t:dir search_dir_perms; ++ ') ++ + allow $1 fusefs_t:file entrypoint; - ') - - ######################################## - ## --## List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Create, read, write, and delete files +## on a FUSEFS filesystem. ## 
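Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` carry the identical summary ("Make general progams in FUSEFS an entrypoint for the specified domain", with "progams" misspelt) yet do different things: the first calls `domain_entry_file($1, fusefs_t)`, the second only grants `fusefs_t:file entrypoint`. Since FUSE content is served by a userspace daemon, allowing it to act as a domain entrypoint is a trust decision the documentation should state rather than hide behind a copy-pasted line. I would change the second summary to `## Allow files on a FUSE filesystem to be an entrypoint for the specified domain (entrypoint permission only; no execute access is granted here).` and the first to `## Make files on a FUSE filesystem an entry type for the specified domain (via domain_entry_file).` Both interfaces are wholly inside this hunk; the text is pre-existing and only re-aligned by this commit, but it is what lands on the new side.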
@@ -16228,85 +16220,87 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_list_inotifyfs',` +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_manage_fusefs_files',` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type fusefs_t; ') -- allow $1 inotifyfs_t:dir list_dir_perms; +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + manage_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Dontaudit List inotifyfs filesystem. +-## Read and write hugetlbfs files. +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_manage_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read symbolic links on a FUSEFS filesystem. ## ## ## -@@ -2160,53 +2432,626 @@ interface(`fs_list_inotifyfs',` +@@ -2088,53 +2450,100 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # --interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_dontaudit_manage_fusefs_files',` +-interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_read_fusefs_symlinks',` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type fusefs_t; ') -- dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 fusefs_t:file manage_file_perms; +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. -+## Read symbolic links on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## -+# -+interface(`fs_read_fusefs_symlinks',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## +-## Allow the type to associate to hugetlbfs filesystems. +## Manage symbolic links on a FUSEFS filesystem. -+## + ## +-## +## ## --## The type of the object to be created. +-## The type of the object to be associated. +## Domain allowed access. ## ## --## -+# + # +-interface(`fs_associate_hugetlbfs',` +interface(`fs_manage_fusefs_symlinks',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem associate; + manage_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search inotifyfs filesystem. +## Execute a file on a FUSE filesystem +## in the specified domain. +## @@ -16330,15 +16324,12 @@ index 8416beb..f1378d6 100644 +##

+## +## - ## --## The object class of the object being created. ++## +## Domain allowed to transition. - ## - ## --## ++## ++## +## - ## --## The name of the object being created. ++## +## The type of the new process. +## +## 
@@ -16355,61 +16346,75 @@ index 8416beb..f1378d6 100644 +######################################## +## +## Get the attributes of a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_search_inotifyfs',` +interface(`fs_getattr_fusefs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 fusefs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List inotifyfs filesystem. +## Get the attributes of an hugetlbfs +## filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2142,71 +2551,527 @@ interface(`fs_search_inotifyfs',` + ## + ## + # +-interface(`fs_list_inotifyfs',` +interface(`fs_getattr_hugetlbfs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type hugetlbfs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; + allow $1 hugetlbfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## List hugetlbfs. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_list_hugetlbfs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type hugetlbfs_t; -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + allow $1 hugetlbfs_t:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## Manage hugetlbfs dirs. +## +## 
@@ -16867,19 +16872,55 @@ index 8416beb..f1378d6 100644 +## +## +## Domain allowed access. ++## ++## ++# ++interface(`fs_delete_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Manage kdbusfs directories. + ## + ## + ## + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -16888,24 +16929,25 @@ index 8416beb..f1378d6 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3059,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3079,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; -- ') -+ type kdbusfs_t; ++ type cgroup_t; ++ + ') - allow $1 iso9660_t:filesystem mount; -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
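Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its gen_require but never uses it, while the `read_files_pattern`/`read_lnk_files_pattern` calls below reference `kdbusfs_t`, which is not required; in a modular build the calling module will likely fail to compile unless kdbusfs_t happens to be required by another interface it uses. The sibling `fs_manage_kdbus_dirs` in the same hunk correctly requires `type kdbusfs_t;`. Change the require block to `type kdbusfs_t;` and drop the stray blank line inside it. This is pre-existing text the commit only re-aligns, but it is on the new side, and the interface is wholly inside the hunk.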
@@ -16915,25 +16957,23 @@ index 8416beb..f1378d6 100644 -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Read kdbusfs files. ++## Write kdbusfs files. ## ## ## -@@ -2234,18 +3079,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3101,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -16942,23 +16982,25 @@ index 8416beb..f1378d6 100644 ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Write kdbusfs files. ++## Read and write kdbusfs files. ## ## ## -@@ -2253,38 +3101,61 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3121,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem unmount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -16967,54 +17009,33 @@ index 8416beb..f1378d6 100644 ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Read and write kdbusfs files. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_rw_kdbus_files',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; -+ ') - allow $1 iso9660_t:filesystem getattr; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_rw_kdbus_files',` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:file rw_file_perms; -+') -+ -+######################################## -+## +## Manage kdbusfs files. ## ## @@ -17416,79 +17437,47 @@ index 8416beb..f1378d6 100644 ##
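Review bot: The summary of `fs_dontaudit_rw_kdbus_files` reads "Do not audit attempts to open, get attributes, read and write cgroup files", but the body is `dontaudit $1 kdbusfs_t:file rw_file_perms;` — it is kdbusfs, not cgroup, so the description points readers at the wrong filesystem. Replace the summary with `## Do not audit attempts to read and write kdbusfs files.` The interface is wholly inside this hunk; the wording looks copied from the cgroup interface rather than introduced by this commit, but it is what the new side keeps.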
## ## -@@ -3743,25 +4807,61 @@ interface(`fs_getattr_rpc_pipefs',` - - ######################################### - ## --## Read and write RPC pipe filesystem named pipes. -+## Read and write RPC pipe filesystem named pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_rpc_named_pipes',` +@@ -3769,17 +4833,53 @@ interface(`fs_rw_rpc_named_pipes',` + ## + ## + # +-interface(`fs_mount_tmpfs',` ++interface(`fs_mount_tmpfs',` + gen_require(` -+ type rpc_pipefs_t; ++ type tmpfs_t; + ') + -+ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ++ allow $1 tmpfs_t:filesystem mount; +') + +######################################## +## -+## Mount a tmpfs filesystem. ++## Dontaudit remount a tmpfs filesystem. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`fs_mount_tmpfs',` ++interface(`fs_dontaudit_remount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:filesystem mount; ++ dontaudit $1 tmpfs_t:filesystem remount; +') + +######################################## +## -+## Dontaudit remount a tmpfs filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`fs_rw_rpc_named_pipes',` -+interface(`fs_dontaudit_remount_tmpfs',` - gen_require(` -- type rpc_pipefs_t; -+ type tmpfs_t; - ') - -- allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; -+ dontaudit $1 tmpfs_t:filesystem remount; - ') - - ######################################## - ## --## Mount a tmpfs filesystem. +## Remount a tmpfs filesystem. - ## - ## - ## -@@ -3769,17 +4869,17 @@ interface(`fs_rw_rpc_named_pipes',` - ## - ## - # --interface(`fs_mount_tmpfs',` ++##
++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_remount_tmpfs',` gen_require(` type tmpfs_t; @@ -17934,7 +17923,7 @@ index 8416beb..f1378d6 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6218,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +6218,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -17978,6 +17967,26 @@ index 8416beb..f1378d6 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') ++ ++####################################### ++## ++## Read files in efivarfs ++## - contains Linux Kernel configuration options for UEFI systems ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_read_efivarfs_files',` ++ gen_require(` ++ type efivarfs_t; ++ ') ++ ++ read_files_pattern($1, efivarfs_t, efivarfs_t) ++') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index e7d1738..3e3ed4e 100644 --- a/policy/modules/kernel/filesystem.te @@ -28263,7 +28272,7 @@ index 6bf0ecc..b036584 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..8c77595 100644 +index 8b40377..69be4cf 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -28611,13 +28620,13 @@ index 8b40377..8c77595 100644 +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) - ') - - optional_policy(` -+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) +') + +optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) + ') + + optional_policy(` + ssh_use_ptys(xauth_t) ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) 
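Review bot: `fs_read_efivarfs_files` grants only `read_files_pattern($1, efivarfs_t, efivarfs_t)`, but efivarfs is conventionally mounted under sysfs (/sys/firmware/efi/efivars), so a caller that does not already search sysfs_t cannot reach it; the kdbus interfaces earlier in this file pair their pattern with `dev_search_sysfs($1)`, and this one should do the same so the grant is self-contained. The description is also inaccurate: efivarfs exposes UEFI runtime variables (boot entries, SecureBoot state, and so on), not Linux kernel configuration options — I would use `## Read UEFI runtime variables exposed through efivarfs (mounted under /sys/firmware/efi/efivars).`, and the header rule is one `#` shorter than its neighbours. The interface is wholly inside the hunk; the filesystem.te hunk is not touched by this commit, so `efivarfs_t` is presumably already declared there — worth confirming.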
@@ -29107,17 +29116,18 @@ index 8b40377..8c77595 100644 ') optional_policy(` -@@ -517,9 +891,34 @@ optional_policy(` - optional_policy(` +@@ -518,8 +892,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) -+ + ++ dbus_session_bus_client(xdm_t) ++ dbus_connect_session_bus(xdm_t) ++ + optional_policy(` + accountsd_dbus_chat(xdm_t) + ') - - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ ++ optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + @@ -29125,7 +29135,8 @@ index 8b40377..8c77595 100644 + cpufreqselector_dbus_chat(xdm_t) + ') + -+ optional_policy(` + optional_policy(` +- accountsd_dbus_chat(xdm_t) + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -29143,7 +29154,7 @@ index 8b40377..8c77595 100644 ') ') -@@ -530,6 +929,20 @@ optional_policy(` +@@ -530,6 +932,20 @@ optional_policy(` ') optional_policy(` @@ -29164,7 +29175,7 @@ index 8b40377..8c77595 100644 hostname_exec(xdm_t) ') -@@ -547,28 +960,78 @@ optional_policy(` +@@ -547,28 +963,78 @@ optional_policy(` ') optional_policy(` @@ -29252,7 +29263,7 @@ index 8b40377..8c77595 100644 ') optional_policy(` -@@ -580,6 +1043,14 @@ optional_policy(` +@@ -580,6 +1046,14 @@ optional_policy(` ') optional_policy(` @@ -29267,7 +29278,7 @@ index 8b40377..8c77595 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1065,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1068,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
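Review bot: The two new lines `dbus_session_bus_client(xdm_t)` and `dbus_connect_session_bus(xdm_t)` give the display manager a foothold on user session buses with no comment explaining why, and nothing in the hunk ties them to the commit's stated reason (session buses now running under per-session labels with systemd+pam_selinux). Since a display manager talking to session buses crosses a trust boundary, a why-comment such as `# xdm talks to per-session buses now labeled via pam_selinux/systemd --user` above them would make the grant reviewable. The enclosing `optional_policy` block begins before this hunk.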
@@ -29276,7 +29287,7 @@ index 8b40377..8c77595 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1075,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1078,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29289,7 +29300,7 @@ index 8b40377..8c77595 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1092,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1095,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -29305,7 +29316,7 @@ index 8b40377..8c77595 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1108,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1111,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -29316,7 +29327,7 @@ index 8b40377..8c77595 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1123,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1126,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -29353,7 +29364,7 @@ index 8b40377..8c77595 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1169,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1172,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29385,7 +29396,7 @@ index 8b40377..8c77595 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1202,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1205,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29400,7 +29411,7 @@ index 8b40377..8c77595 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1223,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1226,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -29424,7 +29435,7 @@ index 8b40377..8c77595 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1242,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1245,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -29433,7 +29444,7 @@ index 8b40377..8c77595 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1286,54 @@ optional_policy(` +@@ -785,17 +1289,54 @@ optional_policy(` ') optional_policy(` @@ -29490,7 +29501,7 @@ index 8b40377..8c77595 100644 ') optional_policy(` -@@ -803,6 +1341,10 @@ optional_policy(` +@@ -803,6 +1344,10 @@ optional_policy(` ') optional_policy(` @@ -29501,7 +29512,7 @@ index 8b40377..8c77595 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1360,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1363,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -29526,7 +29537,7 @@ index 8b40377..8c77595 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1383,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1386,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29561,7 +29572,7 @@ index 8b40377..8c77595 100644 ') optional_policy(` -@@ -912,7 +1448,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1451,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -29570,7 +29581,7 @@ index 8b40377..8c77595 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1502,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1505,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -29602,7 +29613,7 @@ index 8b40377..8c77595 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1548,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1551,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -39089,7 +39100,7 @@ index 9933677..0b9c20a 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..23bbbf2 100644 +index 7449974..f32a37c 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -39217,7 +39228,7 @@ index 7449974..23bbbf2 100644 ') ######################################## -@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +414,43 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') 
@@ -39240,8 +39251,26 @@ index 7449974..23bbbf2 100644 + + files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf") + files_etc_filetrans($1, modules_conf_t, file, "modules.conf") ++ ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin") + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep") + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") ++') ++ ++ ++ +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 7a363b8..3f02a36 100644 @@ -43134,10 +43163,10 @@ index a392fc4..30cf590 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..a03b5ee +index 0000000..66b8608 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,51 @@ +@@ -0,0 +1,55 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
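Review bot: The tail of this hunk adds a second closing `')` — the new `+')` and the three blank `+` lines that follow it sit immediately before the pre-existing `+')` that already closes the interface the changelog calls modules_filetrans_named_content(), so the generated modutils.if would end the interface twice and leave a stray `')` at file top level, which the m4/checkpolicy build will most likely reject (or, at best, emit as literal text). Drop the four added lines `+')`, `+`, `+`, `+` and keep the original closing line; the new `files_kernel_modules_filetrans` rules themselves look right and are consistent with the `modules.dep` / `modules.dep.bin` lines already present. The interface header is outside this hunk. The changelog's revert-then-reapply entries for the same depmod change suggest a merge artifact, which fits this duplicated closer.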
@@ -43157,6 +43186,7 @@ index 0000000..a03b5ee + +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0) @@ -43168,6 +43198,7 @@ index 0000000..a03b5ee +/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) ++/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) +/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0) +/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) 
@@ -43176,6 +43207,7 @@ index 0000000..a03b5ee +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + ++/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0) +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) +/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) +/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) @@ -43187,14 +43219,15 @@ index 0000000..a03b5ee +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) +/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) +/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) -+/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) ++/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) ++/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..cde0261 +index 0000000..4f142e9 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1497 @@ +@@ -0,0 +1,1615 @@ +## SELinux policy for systemd components + +###################################### 
@@ -44692,12 +44725,130 @@ index 0000000..cde0261 + + dontaudit $1 systemd_domain:dbus send_msg; +') ++ ++###################################### ++## ++## Read systemd-machined PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_machined_read_pid_files',` ++ gen_require(` ++ type systemd_machined_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) ++ read_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) ++') ++ ++###################################### ++## ++## Manage systemd-machined PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_machined_manage_pid_files',` ++ gen_require(` ++ type systemd_machined_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) ++ manage_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) ++') ++ ++###################################### ++## ++## List systemd-machined PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_machined_list_pid_dirs',` ++ gen_require(` ++ type systemd_machined_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) ++') ++ ++ ++ ++######################################## ++## ++## Search systemd-machined lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_machined_search_lib',` ++ gen_require(` ++ type systemd_machined_var_lib_t; ++ ') ++ ++ allow $1 systemd_machined_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read systemd-machined lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`systemd_machined_read_lib_files',` ++ gen_require(` ++ type systemd_machined_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t) ++') ++ ++######################################## ++## ++## Manage systemd-machined lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_machined_manage_lib_files',` ++ gen_require(` ++ type systemd_machined_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t) ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..8209291 +index 0000000..0920911 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,725 @@ +@@ -0,0 +1,775 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -44785,6 +44936,20 @@ index 0000000..8209291 + +systemd_domain_template(systemd_sysctl) + ++#domain for systemd-machined ++systemd_domain_template(systemd_machined) ++ ++type systemd_machined_unit_file_t; ++systemd_unit_file(systemd_machined_unit_file_t) ++ ++# /run/systemd/machines ++type systemd_machined_var_run_t; ++files_pid_file(systemd_machined_var_run_t) ++ ++# /var/lib/machines ++type systemd_machined_var_lib_t; ++files_type(systemd_machined_var_lib_t) ++ +####################################### +# +# Systemd_logind local policy @@ -44806,6 +44971,9 @@ index 0000000..8209291 +fs_mount_tmpfs(systemd_logind_t) +fs_unmount_tmpfs(systemd_logind_t) +fs_list_tmpfs(systemd_logind_t) ++ ++fs_read_efivarfs_files(systemd_logind_t) ++ +fs_manage_fusefs_dirs(systemd_logind_t) +fs_manage_fusefs_files(systemd_logind_t) + 
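Review bot: `systemd_machined_list_pid_dirs` is summarised as "List systemd-machined PID files." but its body only grants `list_dirs_pattern` on the directory, so the summary should read `## List systemd-machined PID directories.`. `systemd_machined_manage_lib_files` hands out full manage rights on the `/var/lib/machines` content this commit labels `systemd_machined_var_lib_t` (container images); a description sentence noting that callers obtain write access to machine images would make the trust implication visible to anyone reusing the interface. Style drift: the three blank lines after `systemd_machined_list_pid_dirs`, and the first three new interfaces using a 38-character `######` banner while the lib interfaces use the file's usual 40-character one. The pid-file interfaces grant no `lnk_file` access even though the daemon's own rules manage symlinks under that type — acceptable if no caller needs them, but worth a comment so it is not mistaken for an oversight.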
@@ -44939,6 +45107,39 @@ index 0000000..8209291 + xserver_search_xdm_tmp_dirs(systemd_logind_t) +') + ++######################################## ++# ++# systemd_machined local policy ++# ++ ++allow systemd_machined_t self:capability sys_ptrace; ++allow systemd_machined_t systemd_unit_file_t:service { status start }; ++allow systemd_machined_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) ++manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) ++manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) ++init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines") ++ ++manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) ++manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) ++manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) ++init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines") ++ ++kernel_dgram_send(systemd_machined_t) ++ ++init_dbus_chat(systemd_machined_t) ++init_status(systemd_machined_t) ++ ++optional_policy(` ++ dbus_connect_system_bus(systemd_machined_t) ++ dbus_system_bus_client(systemd_machined_t) ++') ++ ++optional_policy(` ++ virt_dbus_chat(systemd_machined_t) ++') ++ +####################################### +# +# systemd-networkd local policy diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 599054e..45300a0 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -7985,7 +7985,7 @@ index 1a7a97e..2c7252a 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..e9c4c5a 100644 +index 7fd431b..41f2a57 100644 --- a/apm.te +++ b/apm.te 
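Review bot: `allow systemd_machined_t self:capability sys_ptrace;` and `allow systemd_machined_t systemd_unit_file_t:service { status start };` are the two broad grants in this block and neither carries a why-comment; CAP_SYS_PTRACE lets the daemon read other processes' `/proc` state (presumably needed to inspect the leader PIDs of registered machines — confirm against the daemon), and `start` on every `systemd_unit_file_t` service lets machined launch any generic unit, not only machine-related ones. Add `# sys_ptrace: read /proc/<pid> of registered machine leaders` and `# start/status: machinectl start launches machine units` above those lines so the scope is deliberate and reviewable, and consider whether a narrower unit type is available for the latter. The remaining rules are scoped to the daemon's own var_run/var_lib types, which is the right shape.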
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) @@ -8014,7 +8014,7 @@ index 7fd431b..e9c4c5a 100644 domain_use_interactive_fds(apm_t) -@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t) +@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t) # Server local policy # @@ -8025,7 +8025,11 @@ index 7fd431b..e9c4c5a 100644 allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; -@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t) ++allow apmd_t self:netlink_generic_socket create_socket_perms; + allow apmd_t self:unix_stream_socket { accept listen }; + + allow apmd_t apmd_lock_t:file manage_file_perms; +@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t) kernel_rw_all_sysctls(apmd_t) kernel_read_system_state(apmd_t) kernel_write_proc_files(apmd_t) @@ -8033,7 +8037,7 @@ index 7fd431b..e9c4c5a 100644 dev_read_input(apmd_t) dev_read_mouse(apmd_t) -@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t) +@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t) fs_dontaudit_getattr_all_symlinks(apmd_t) fs_dontaudit_getattr_all_pipes(apmd_t) fs_dontaudit_getattr_all_sockets(apmd_t) @@ -8043,7 +8047,7 @@ index 7fd431b..e9c4c5a 100644 corecmd_exec_all_executables(apmd_t) -@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) +@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) auth_use_nsswitch(apmd_t) init_domtrans_script(apmd_t) @@ -8052,7 +8056,7 @@ index 7fd431b..e9c4c5a 100644 libs_exec_ld_so(apmd_t) libs_exec_lib_files(apmd_t) -@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t) +@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) @@ -8072,7 +8076,7 @@ index 7fd431b..e9c4c5a 100644 optional_policy(` automount_domtrans(apmd_t) -@@ -206,11 +210,15 @@ optional_policy(` +@@ -206,11 +211,15 @@ optional_policy(` ') optional_policy(` @@ -68616,10 +68620,10 @@ index 0000000..1fa6db2 +') 
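Review bot: The changelog describes this as letting acpid *attempt* to connect over generic netlink, but the hunk adds a full `allow apmd_t self:netlink_generic_socket create_socket_perms;`; if the goal is only to silence the denial, `dontaudit apmd_t self:netlink_generic_socket create_socket_perms;` is the least-privilege form, and if acpid genuinely needs the socket (it subscribes to ACPI events over the generic netlink family — confirm for the shipped version), the allow is right but deserves a comment such as `# acpid receives ACPI events via generic netlink`. The older `allow apmd_t self:netlink_socket create_socket_perms;` line just above is kept, so both socket classes are now permitted; worth confirming both are still exercised rather than carrying a dead grant.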
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te new file mode 100644 -index 0000000..6b49e41 +index 0000000..a2cb118 --- /dev/null +++ b/pkcs11proxyd.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,42 @@ +policy_module(pkcs11proxyd, 1.0.0) + +######################################## @@ -68644,6 +68648,7 @@ index 0000000..6b49e41 +# +# pkcs11proxyd local policy +# ++ +allow pkcs11proxyd_t self:capability { kill setuid setgid }; +allow pkcs11proxyd_t self:process { getpgid setpgid }; + @@ -68655,10 +68660,10 @@ index 0000000..6b49e41 +manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t) +files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file }) + -+auth_use_nsswitch(pkcs11proxyd_t) -+ +dev_read_urand(pkcs11proxyd_t) + ++auth_use_nsswitch(pkcs11proxyd_t) ++ +logging_send_syslog_msg(pkcs11proxyd_t) + diff --git a/pki.fc b/pki.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 673e3de..669d7e2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 149%{?dist} +Release: 150%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -656,6 +656,20 @@ exit 0 %endif %changelog +* Fri Oct 02 2015 Lukas Vrabec 3.13.1-150 +- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. +- Clean up pkcs11proxyd policy. +- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). +- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t." +- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t. +- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions. +- Update modules_filetrans_named_content() interface to cover more modules.* files. +- New policy for systemd-machined. #1255305 +- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example. +- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution) +- Merge pull request #42 from vmojzis/rawhide-base +- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) + * Tue Sep 29 2015 Lukas Vrabec 3.13.1-149 - Add few rules related to new policy for pkcs11proxyd - Added new policy for pkcs11proxyd daemon