From 64f816485266a757ddce13bedfb2f67e86f5ccec Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 18 2016 11:42:21 +0000 Subject: * Mon Apr 18 2016 Lukas Vrabec 3.13.1-183 - Allow modemmanager to talk to logind - Dontaudit tor daemon needs net_admin capability. rhbz#1311788 - Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042 - Xorg now writes content in users homedir. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 6e99a9d..a7af2a1 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9a9cb7e..2b4a386 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -29116,16 +29116,17 @@ index cc877c7..b8e6e98 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..53f66a4 100644 +index 8274418..5f31270 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc -@@ -2,13 +2,38 @@ +@@ -2,13 +2,39 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) ++HOME_DIR/\.local/share/xorg(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) 
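Review bot: The new `HOME_DIR/\.local/share/xorg(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)` entry only labels directories created after this policy is loaded (through the `xorg` name transition added in xserver.te) or after a restorecon; a directory Xorg already created under `~/.local/share` on an existing system keeps whatever type its parent gave it, and xserver_t's new manage rule on xdm_home_t will not cover it, so upgraded users are likely to keep seeing AVCs until that path is relabeled — worth a changelog note or a relabel of that path in the package's upgrade scriptlet. Reusing xdm_home_t rather than a dedicated type also means every other HOME_DIR entry in this file that carries xdm_home_t (the rest of the file is outside the hunk, so I cannot see which) becomes manageable by xserver_t through the same .te rules; confirm that widening is intended rather than introducing a type specific to the Xorg log directory.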
@@ -29158,7 +29159,7 @@ index 8274418..53f66a4 100644 # # /dev -@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -22,13 +48,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -29181,7 +29182,7 @@ index 8274418..53f66a4 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +79,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +80,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -29223,7 +29224,7 @@ index 8274418..53f66a4 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -91,19 +133,34 @@ ifndef(`distro_debian',` +@@ -91,19 +134,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -29262,7 +29263,7 @@ index 8274418..53f66a4 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +168,18 @@ ifndef(`distro_debian',` +@@ -111,7 +169,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -31042,7 +31043,7 @@ index 6bf0ecc..e6be63a 100644 +') + 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..436b1e0 100644 +index 8b40377..fe6657c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32099,7 +32100,7 @@ index 8b40377..436b1e0 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1128,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -32118,6 +32119,11 @@ index 8b40377..436b1e0 100644 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) ++ ++manage_dirs_pattern(xserver_t, xdm_home_t, xdm_home_t) ++manage_files_pattern(xserver_t, xdm_home_t, xdm_home_t) ++manage_lnk_files_pattern(xserver_t, xdm_home_t, xdm_home_t) ++gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg") kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) @@ -32136,7 +32142,7 @@ index 8b40377..436b1e0 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1179,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32168,7 +32174,7 @@ index 8b40377..436b1e0 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1212,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
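Review bot: The added `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern(xserver_t, xdm_home_t, xdm_home_t)` rules are unconditional, so they also apply when Xorg still runs as root under display managers other than GDM, and `manage` covers unlink, rename and setattr on every xdm_home_t object in any home directory xserver_t can search, not just the per-user `xorg` log directory. If the server only needs to create and append log files there, narrower create/append rules, or a tunable tied to the GDM user-session case, would match the least-privilege intent better. `manage_lnk_files_pattern` in particular needs a justification in a comment, since a log writer has no obvious reason to create symlinks inside a user's home. `gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg")` is an interface from the gnome module called here without the `optional_policy(\`…')` guard the surrounding cross-module calls use; if that module is not a hard dependency of base policy, the build breaks when it is absent. A why-comment above the block would help too, e.g. `# Under GDM the X server runs as the session user and writes its log under ~/.local/share/xorg (xdm_home_t, see xserver.fc)`.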
@@ -32183,7 +32189,7 @@ index 8b40377..436b1e0 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1228,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1233,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -32207,7 +32213,7 @@ index 8b40377..436b1e0 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1252,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -32216,7 +32222,7 @@ index 8b40377..436b1e0 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1291,54 @@ optional_policy(` +@@ -785,17 +1296,54 @@ optional_policy(` ') optional_policy(` @@ -32273,7 +32279,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -803,6 +1346,10 @@ optional_policy(` +@@ -803,6 +1351,10 @@ optional_policy(` ') optional_policy(` @@ -32284,7 +32290,7 @@ index 8b40377..436b1e0 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1370,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -32309,7 +32315,7 @@ index 8b40377..436b1e0 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1388,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1393,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -32344,7 +32350,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1458,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -32353,7 +32359,7 @@ index 8b40377..436b1e0 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1512,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -32385,7 +32391,7 @@ index 8b40377..436b1e0 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1558,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f8463ff..e3721a3 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -49519,7 +49519,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..6e2a403 100644 +index d15eb5b..7f3c31d 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) 
@@ -49561,6 +49561,14 @@ index d15eb5b..6e2a403 100644 logging_send_syslog_msg(modemmanager_t) +@@ -56,3 +63,7 @@ optional_policy(` + udev_read_db(modemmanager_t) + udev_manage_pid_files(modemmanager_t) + ') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(modemmanager_t) ++') diff --git a/mojomojo.fc b/mojomojo.fc index 7b827ca..5ee8a0f 100644 --- a/mojomojo.fc @@ -107581,7 +107589,7 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..40e9303 100644 +index 5ceacde..9353adb 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) @@ -107608,7 +107616,16 @@ index 5ceacde..40e9303 100644 ######################################## # # Local policy -@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; + allow tor_t tor_etc_t:file read_file_perms; + allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; + ++dontaudit tor_t self:capability { net_admin }; ++ + manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) + manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) + manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -107616,7 +107633,7 @@ index 5ceacde..40e9303 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t) +@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) 
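Review bot: The added `systemd_dbus_chat_logind(modemmanager_t)` carries no comment saying what ModemManager needs from logind, and `dbus_chat`-style interfaces are normally bidirectional, so this is presumably wider than a one-way client call would require — confirm against the originating AVC. The changelog entry for this change (`Allow modemmanager to talk to logind`) cites no bug number, so the denial that motivated it is not traceable from the package. A short why-comment above the new block would fix both, e.g. `# ModemManager talks to logind over D-Bus (presumably for suspend/resume handling — confirm against the denial that prompted this)`.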
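Review bot: `dontaudit tor_t self:capability { net_admin };` silences the denial without granting the capability, so if Tor genuinely needs CAP_NET_ADMIN for some configuration (the changelog wording "needs net_admin capability" reads that way), that path will now fail with no audit record, which makes the next report on rhbz#1311788 harder to diagnose. If the request is a benign probe Tor tolerates, say so in a comment, e.g. `# tor requests CAP_NET_ADMIN but runs without it; silence the noise (rhbz#1311788)`; if it is required for a supported configuration, an `allow` behind a boolean is the right fix rather than a dontaudit. Minor style: the braces around a single permission are unnecessary — `dontaudit tor_t self:capability net_admin;`.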
@@ -107624,7 +107641,7 @@ index 5ceacde..40e9303 100644 corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) -@@ -98,19 +108,22 @@ dev_read_urand(tor_t) +@@ -98,19 +110,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -116833,7 +116850,7 @@ index 0928c5d..d270a72 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..fe078eb 100644 +index a64aad3..d923154 100644 --- a/xguest.te +++ b/xguest.te @@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) @@ -116902,7 +116919,7 @@ index a64aad3..fe078eb 100644 storage_raw_read_removable_device(xguest_t) storage_raw_write_removable_device(xguest_t) ',` -@@ -54,9 +55,22 @@ ifndef(`enable_mls',` +@@ -54,9 +55,25 @@ ifndef(`enable_mls',` ') optional_policy(` @@ -116913,6 +116930,9 @@ index a64aad3..fe078eb 100644 +kernel_dontaudit_request_load_module(xguest_t) +kernel_read_software_raid_state(xguest_t) + ++#GDM runs the X server as the unprivileged user. ++dev_rw_input_dev(xguest_t) ++ +tunable_policy(`selinuxuser_execstack',` + allow xguest_t self:process execstack; +') @@ -116926,7 +116946,7 @@ index a64aad3..fe078eb 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -65,10 +79,9 @@ optional_policy(` +@@ -65,10 +82,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -116938,7 +116958,7 @@ index a64aad3..fe078eb 100644 ') ') -@@ -84,12 +97,25 @@ optional_policy(` +@@ -84,12 +100,25 @@ optional_policy(` ') ') 
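Review bot: `dev_rw_input_dev(xguest_t)` grants the whole guest user domain, not just the X server, read and write access to the input event devices, so any process the guest session runs in xguest_t can read raw keystrokes and inject events — the opposite of what the locked-down xguest domain exists for. If Xorg started by GDM executes in xguest_t without a domain transition, the fix belongs in a transition to xserver_t (which this same commit already extends for the user-session case) rather than in the user domain; if it already transitions, this rule is unnecessary, and either way that should be confirmed against the denial in rhbz#1232042. At minimum the rule should carry the bug reference and the caveat, and use the file's `# ` comment spacing, e.g. `# rhbz#1232042: GDM runs the X server as the session user; note this also exposes /dev/input to every xguest_t process`.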
@@ -116950,23 +116970,23 @@ index a64aad3..fe078eb 100644 + +optional_policy(` + colord_dbus_chat(xguest_t) + ') + + optional_policy(` +- gnomeclock_dontaudit_dbus_chat(xguest_t) ++ chrome_role(xguest_r, xguest_t) +') + +optional_policy(` -+ chrome_role(xguest_r, xguest_t) ++ thumb_role(xguest_r, xguest_t) +') + +optional_policy(` -+ thumb_role(xguest_r, xguest_t) - ') - - optional_policy(` -- gnomeclock_dontaudit_dbus_chat(xguest_t) + dbus_dontaudit_chat_system_bus(xguest_t) ') optional_policy(` -@@ -97,75 +123,78 @@ optional_policy(` +@@ -97,75 +126,78 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index aa9e7a9..88fc414 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 182%{?dist} +Release: 183%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -653,6 +653,12 @@ exit 0 %endif %changelog +* Mon Apr 18 2016 Lukas Vrabec 3.13.1-183 +- Allow modemmanager to talk to logind +- Dontaudit tor daemon needs net_admin capability. rhbz#1311788 +- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042 +- Xorg now writes content in users homedir. + * Fri Apr 08 2016 Lukas Vrabec 3.13.1-182 - rename several contrib modules according to their filenames - Add interface gnome_filetrans_cert_home_content()