From 7a208696f9f4b236db73579a73f0c606723b5b17 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Oct 28 2010 19:55:48 +0000 Subject: - Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/* --- diff --git a/.gitignore b/.gitignore index c87b0e2..6fce5d5 100644 --- a/.gitignore +++ b/.gitignore @@ -227,3 +227,4 @@ serefpolicy* /serefpolicy-3.9.4.tgz /serefpolicy-3.9.5.tgz /serefpolicy-3.9.6.tgz +/config.tgz diff --git a/policy-F14.patch b/policy-F14.patch index 00cfae2..4a79637 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -148,6 +148,42 @@ index 0000000..e9c43b1 +This manual page was written by Dominick Grift . +.SH "SEE ALSO" +selinux(8), git(8), chcon(1), semodule(8), setsebool(8) +diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors +index 6760c95..34edd2a 100644 +--- a/policy/flask/access_vectors ++++ b/policy/flask/access_vectors +@@ -27,6 +27,8 @@ common file + swapon + quotaon + mounton ++ audit_access ++ execmod + } + + +@@ -160,19 +162,20 @@ inherits file + { + execute_no_trans + entrypoint +- execmod + open + } + + class lnk_file + inherits file ++{ ++ open ++} + + class chr_file + inherits file + { + execute_no_trans + entrypoint +- execmod + open + } + diff --git a/policy/global_tunables b/policy/global_tunables index 3316f6e..6e82b1e 100644 --- a/policy/global_tunables @@ -479,7 +515,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te -index 75ce30f..b845467 100644 +index 75ce30f..f3347aa 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te 
@@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t) @@ -502,14 +538,13 @@ index 75ce30f..b845467 100644 kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -92,8 +98,16 @@ sysnet_dns_name_resolve(logwatch_t) +@@ -92,11 +98,20 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) -- --mta_send_mail(logwatch_t) +userdom_dontaudit_list_admin_dir(logwatch_t) -+ + +-mta_send_mail(logwatch_t) +#mta_send_mail(logwatch_t) +mta_base_mail_template(logwatch) +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) @@ -521,6 +556,10 @@ index 75ce30f..b845467 100644 ifdef(`distro_redhat',` files_search_all(logwatch_t) ++ files_getattr_all_files(logwatch_t) + files_getattr_all_file_type_fs(logwatch_t) + ') + diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 0e19d80..9d58abe 100644 --- a/policy/modules/admin/mrtg.te @@ -5439,10 +5478,21 @@ index c1d5f50..989f88c 100644 + + diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index a3225d4..7551020 100644 +index a3225d4..9cd8b55 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te -@@ -102,6 +102,10 @@ optional_policy(` +@@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',` + ') + + optional_policy(` +- samba_domtrans_smbd(qemu_t) ++ tunable_policy(`qemu_use_cifs',` ++ samba_domtrans_smbd(qemu_t) ++ ') + ') + + optional_policy(` +@@ -102,6 +104,10 @@ optional_policy(` xen_rw_image_files(qemu_t) ') @@ -5453,7 +5503,7 @@ index a3225d4..7551020 100644 ######################################## # # Unconfined qemu local policy -@@ -112,6 +116,8 @@ optional_policy(` +@@ -112,6 +118,8 @@ optional_policy(` typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) 
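Review bot: The commented-out `+#mta_send_mail(logwatch_t)` in the `@@ -92,11 +98,20 @@` logwatch.te hunk is dead text left directly above its replacement (`mta_base_mail_template(logwatch)` and `mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)`); either drop the line or turn it into a why-comment such as `# mail is sent from the derived logwatch_mail_t domain rather than from logwatch_t`. In the same file the `distro_redhat` block gains `files_getattr_all_files(logwatch_t)`, which widens getattr to every file type on the system; a one-line comment naming the report that needs it would let a later reviewer judge whether a narrower interface suffices. The `mta_base_mail_template` expansion is not visible here, so I cannot confirm what else it grants.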
@@ -5462,6 +5512,83 @@ index a3225d4..7551020 100644 allow unconfined_qemu_t self:process { execstack execmem }; allow unconfined_qemu_t qemu_exec_t:file execmod; +diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc +index 4c091ca..a58f123 100644 +--- a/policy/modules/apps/rssh.fc ++++ b/policy/modules/apps/rssh.fc +@@ -1 +1,3 @@ + /usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) ++ ++/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) +diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if +index 7cdac1e..6f9f6e6 100644 +--- a/policy/modules/apps/rssh.if ++++ b/policy/modules/apps/rssh.if +@@ -64,3 +64,21 @@ interface(`rssh_read_ro_content',` + read_files_pattern($1, rssh_ro_t, rssh_ro_t) + read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) + ') ++ ++######################################## ++## ++## Execute a domain transition to run rssh_chroot_helper. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rssh_domtrans_chroot_helper',` ++ gen_require(` ++ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t; ++ ') ++ ++ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t) ++') +diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te +index c605046..15c17a0 100644 +--- a/policy/modules/apps/rssh.te ++++ b/policy/modules/apps/rssh.te +@@ -31,6 +31,12 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; + typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; + userdom_user_home_content(rssh_rw_t) + ++type rssh_chroot_helper_t; ++type rssh_chroot_helper_exec_t; ++init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t) ++ ++permissive rssh_chroot_helper_t; ++ + ############################## + # + # Local policy +@@ -78,3 +84,25 @@ ssh_rw_stream_sockets(rssh_t) + optional_policy(` + nis_use_ypbind(rssh_t) + ') ++ ++######################################## ++# ++# 
rssh_chroot_helper local policy ++# ++rssh_domtrans_chroot_helper(rssh_t) ++ ++allow rssh_chroot_helper_t self:capability { sys_chroot setuid }; ++ ++allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms; ++allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms; ++ ++domain_use_interactive_fds(rssh_chroot_helper_t) ++ ++files_read_etc_files(rssh_chroot_helper_t) ++ ++auth_use_nsswitch(rssh_chroot_helper_t) ++ ++logging_send_syslog_msg(rssh_chroot_helper_t) ++ ++miscfiles_read_localization(rssh_chroot_helper_t) ++ diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te index 9ec1478..26bb71c 100644 --- a/policy/modules/apps/sambagui.te @@ -5503,7 +5630,7 @@ index 0000000..15778fd +# No types are sandbox_exec_t diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..587c440 +index 0000000..9783c8f --- /dev/null +++ b/policy/modules/apps/sandbox.if @@ -0,0 +1,339 @@ @@ -5558,7 +5685,7 @@ index 0000000..587c440 + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; -+ dontaudit sandbox_x_domain $1:process signal; ++ dontaudit sandbox_x_domain $1:process { signal sigkill }; + + allow $1 sandbox_tmpfs_type:file manage_file_perms; + dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; @@ -5848,10 +5975,10 @@ index 0000000..587c440 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..10b7c23 +index 0000000..c575b31 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,427 @@ +@@ -0,0 +1,428 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
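Review bot: `permissive rssh_chroot_helper_t;` in the rssh.te `@@ -31,6 +31,12 @@` hunk means the new domain's rules (`self:capability { sys_chroot setuid }`, the domtrans from rssh_t) are only logged, not enforced, and nothing records when that is expected to be lifted; add a comment such as `# TODO: drop permissive once the helper's denials have been collected` so the permissive state does not survive into a release unnoticed. The type is declared with `init_system_domain`, which as far as I recall places it in system_r only, while `rssh_domtrans_chroot_helper(rssh_t)` transitions out of a user-role domain — verify that the role is allowed for the rssh roles, otherwise the transition will be refused once permissive is removed. As a point of style, `rssh_domtrans_chroot_helper(rssh_t)` sits under the `rssh_chroot_helper local policy` header although it is a rule on rssh_t; it belongs with the rssh_t rules above.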
@@ -6053,6 +6180,7 @@ index 0000000..10b7c23 +term_use_ptmx(sandbox_x_domain) + +application_dontaudit_signal(sandbox_x_domain) ++application_dontaudit_sigkill(sandbox_x_domain) + +logging_send_syslog_msg(sandbox_x_domain) +logging_dontaudit_search_logs(sandbox_x_domain) @@ -8404,7 +8532,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..06efed6 100644 +index 5302dac..2e30bb2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -8837,7 +8965,35 @@ index 5302dac..06efed6 100644 ') ######################################## -@@ -5317,6 +5624,43 @@ interface(`files_search_pids',` +@@ -5189,6 +5496,27 @@ interface(`files_delete_all_locks',` + + ######################################## + ## ++## Relabel all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_all_lock_dirs',` ++ gen_require(` ++ attribute lockfile; ++ type var_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## + ## Read all lock files. + ## + ## +@@ -5317,6 +5645,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -8881,7 +9037,7 @@ index 5302dac..06efed6 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5868,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5524,6 +5889,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## 
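Review bot: The new `files_relabel_all_lock_dirs` interface in the files.if `@@ -5189,6 +5496,27 @@` hunk is documented as `## Relabel all lock files.` but its body is `relabel_dirs_pattern($1, lockfile, lockfile)`, so it grants relabelfrom/relabelto on directories only; change the summary to `## Relabel all lock directories.` so callers do not expect file relabeling. The same mismatch appears in the authlogin.if `@@ -896,6 +983,26 @@` hunk, where `auth_relabel_var_auth_dirs` is summarised as `## Relabel all var auth files.` while calling `relabel_dirs_pattern($1, var_auth_t, var_auth_t)`; use `## Relabel var auth directories.` there. Interface summaries are what `sepolicy`/refpolicy doc tooling shows to policy authors, so the wording matters.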
@@ -8944,7 +9100,7 @@ index 5302dac..06efed6 100644 ## Read all process ID files. ## ## -@@ -5541,6 +5941,44 @@ interface(`files_read_all_pids',` +@@ -5541,6 +5962,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -8989,7 +9145,7 @@ index 5302dac..06efed6 100644 ') ######################################## -@@ -5826,3 +6264,247 @@ interface(`files_unconfined',` +@@ -5826,3 +6285,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -9695,7 +9851,7 @@ index 437a42a..54a884b 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 0dff98e..a09ab47 100644 +index 0dff98e..7f1a558 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; @@ -9763,11 +9919,12 @@ index 0dff98e..a09ab47 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -247,6 +266,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) +files_type(removable_t) ++dev_node(removable_t) files_mountpoint(removable_t) # @@ -18497,7 +18654,7 @@ index e182bf4..f80e725 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..ea74262 100644 +index 0d5711c..27a2b36 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` 
@@ -18512,7 +18669,17 @@ index 0d5711c..ea74262 100644 ') ############################## -@@ -76,7 +76,7 @@ template(`dbus_role_template',` +@@ -52,8 +52,7 @@ template(`dbus_role_template',` + # + + type $1_dbusd_t, session_bus_type; +- domain_type($1_dbusd_t) +- domain_entry_file($1_dbusd_t, dbusd_exec_t) ++ application_domain($1_dbusd_t, dbusd_exec_t) + ubac_constrained($1_dbusd_t) + role $2 types $1_dbusd_t; + +@@ -76,7 +75,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions @@ -18521,7 +18688,7 @@ index 0d5711c..ea74262 100644 allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -88,14 +88,15 @@ template(`dbus_role_template',` +@@ -88,14 +87,15 @@ template(`dbus_role_template',` files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) @@ -18540,7 +18707,7 @@ index 0d5711c..ea74262 100644 kernel_read_system_state($1_dbusd_t) kernel_read_kernel_sysctls($1_dbusd_t) -@@ -116,7 +117,7 @@ template(`dbus_role_template',` +@@ -116,7 +116,7 @@ template(`dbus_role_template',` dev_read_urand($1_dbusd_t) @@ -18549,7 +18716,7 @@ index 0d5711c..ea74262 100644 domain_read_all_domains_state($1_dbusd_t) files_read_etc_files($1_dbusd_t) -@@ -149,17 +150,25 @@ template(`dbus_role_template',` +@@ -149,17 +149,25 @@ template(`dbus_role_template',` term_use_all_terms($1_dbusd_t) @@ -18577,7 +18744,7 @@ index 0d5711c..ea74262 100644 xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) ') -@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',` +@@ -181,10 +189,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; 
@@ -18590,7 +18757,7 @@ index 0d5711c..ea74262 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -431,14 +442,27 @@ interface(`dbus_system_domain',` +@@ -431,14 +441,27 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -18619,7 +18786,7 @@ index 0d5711c..ea74262 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -497,3 +521,22 @@ interface(`dbus_unconfined',` +@@ -497,3 +520,22 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -24435,7 +24602,7 @@ index da5b33d..b9ab551 100644 optional_policy(` diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc -index 386543b..e0aab89 100644 +index 386543b..ee7bed8 100644 --- a/policy/modules/services/networkmanager.fc +++ b/policy/modules/services/networkmanager.fc @@ -1,7 +1,13 @@ @@ -24452,6 +24619,16 @@ index 386543b..e0aab89 100644 /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) +@@ -16,7 +22,8 @@ + /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) + /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) + +-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) ++/var/log/wicd.* ++ + /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if index 2324d9e..8069487 100644 --- a/policy/modules/services/networkmanager.if @@ -38179,10 +38356,10 @@ index f9a06d2..3d407c6 100644 files_read_etc_files(zos_remote_t) 
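Review bot: As rendered here the replacement entry `/var/log/wicd.*` in the networkmanager.fc `@@ -16,7 +22,8 @@` hunk carries no context specification, unlike the `/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)` line that follows it; if that is not an artefact of this listing the entry is incomplete and the file-context parser should reject it, leaving the log unlabeled. The intended line is presumably `/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)`, matching the neighbouring wpa_supplicant entry. Note that the removed pattern `/var/log/wicd(/.*)?` also covered a directory, so if wicd can still create one the `--` qualifier should be omitted.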
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index ac50333..a5678f1 100644 +index ac50333..9017b02 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if -@@ -130,3 +130,57 @@ interface(`application_signull',` +@@ -130,3 +130,75 @@ interface(`application_signull',` allow $1 application_domain_type:process signull; ') @@ -38225,6 +38402,24 @@ index ac50333..a5678f1 100644 + +######################################## +## ++## Dontaudit kill signal sent to all application domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`application_dontaudit_sigkill',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ dontaudit $1 application_domain_type:process sigkill; ++') ++ ++######################################## ++## +## Send signal to all application domains. +## +## @@ -38288,7 +38483,7 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..ce67a96 100644 +index bea0ade..a1069bf 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
@@ -38481,7 +38676,34 @@ index bea0ade..ce67a96 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -1500,6 +1587,8 @@ interface(`auth_manage_login_records',` +@@ -896,6 +983,26 @@ interface(`auth_manage_var_auth',` + + ######################################## + ## ++## Relabel all var auth files. Used by various other applications ++## and pam applets etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_relabel_var_auth_dirs',` ++ gen_require(` ++ type var_auth_t; ++ ') ++ ++ files_search_var($1) ++ relabel_dirs_pattern($1, var_auth_t, var_auth_t) ++') ++ ++######################################## ++## + ## Read PAM PID files. + ## + ## +@@ -1500,6 +1607,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -38490,7 +38712,7 @@ index bea0ade..ce67a96 100644 files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1620,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1640,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -38854,7 +39076,7 @@ index 15e02e4..7c6933f 100644 files_read_kernel_modules(hotplug_t) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 9775375..51bde2a 100644 +index 9775375..36cc87d 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -24,7 +24,19 @@ ifdef(`distro_gentoo',` @@ -38867,7 +39089,7 @@ index 9775375..51bde2a 100644 +# +# systemd init scripts +# -+/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) ++/lib/systemd/[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0) + +# +# /sbin @@ -39278,7 +39500,7 @@ index df3fa64..73dc579 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..aa33f57 100644 +index 8a105fd..fc65044 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` 
@@ -39326,15 +39548,16 @@ index 8a105fd..aa33f57 100644 type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) -@@ -63,6 +85,7 @@ role system_r types initrc_t; +@@ -63,6 +85,8 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) +corecmd_bin_entry_type(initrc_t) ++corecmd_bin_domtrans(init_t, initrc_t) type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -87,7 +110,7 @@ ifdef(`enable_mls',` +@@ -87,7 +111,7 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -39343,7 +39566,7 @@ index 8a105fd..aa33f57 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -100,7 +123,9 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -100,7 +124,9 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -39354,7 +39577,7 @@ index 8a105fd..aa33f57 100644 # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -114,11 +139,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -114,11 +140,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -39368,7 +39591,7 @@ index 8a105fd..aa33f57 100644 # Early devtmpfs dev_rw_generic_chr_files(init_t) -@@ -127,9 +154,13 @@ domain_kill_all_domains(init_t) +@@ -127,9 +155,13 @@ domain_kill_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) @@ -39382,7 +39605,7 @@ index 8a105fd..aa33f57 100644 files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) files_manage_etc_runtime_files(init_t) -@@ -162,12 +193,15 @@ init_domtrans_script(init_t) +@@ -162,12 +194,15 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) 
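Review bot: `corecmd_bin_domtrans(init_t, initrc_t)` in the init.te `@@ -63,6 +85,8 @@` hunk makes every bin_t executable run by init_t transition unconditionally into initrc_t, yet it is placed under a comment that discusses the init_upstart tunable and `corecmd_shell_entry_type`, and the shell transition later in the file (`tunable_policy(\`init_upstart',` … `corecmd_shell_domtrans(init_t, initrc_t)`) is gated by that tunable. A reader will expect the bin transition to be gated the same way, so record the reason next to it, e.g. `# bin_t programs executed directly by init (no init script) run as initrc_t, regardless of init_upstart`. I cannot see from the hunk which executables motivated this, so the exact wording should come from the author.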
@@ -39398,7 +39621,7 @@ index 8a105fd..aa33f57 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +212,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +213,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -39407,7 +39630,7 @@ index 8a105fd..aa33f57 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +220,96 @@ tunable_policy(`init_upstart',` +@@ -186,12 +221,99 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -39469,16 +39692,19 @@ index 8a105fd..aa33f57 100644 + + seutil_read_file_contexts(init_t) + ++ + # Permissions for systemd-tmpfiles, needs its own policy. -+ files_relabel_all_pid_files(init_t) -+ files_relabel_all_pid_files(init_t) -+ files_manage_all_pids(init_t) -+ files_manage_all_locks(init_t) -+ files_manage_generic_tmp_dirs(init_t) -+ files_manage_generic_tmp_files(init_t) -+ files_relabelfrom_tmp_files(init_t) ++ files_relabel_all_lock_dirs(initrc_t) ++ files_relabel_all_pid_files(initrc_t) ++ files_relabel_all_pid_files(initrc_t) ++ files_manage_all_pids(initrc_t) ++ files_manage_all_locks(initrc_t) ++ files_manage_generic_tmp_files(initrc_t) ++ files_manage_generic_tmp_dirs(initrc_t) ++ files_relabelfrom_tmp_files(initrc_t) + -+ auth_manage_var_auth(init_t) ++ auth_manage_var_auth(initrc_t) ++ auth_relabel_var_auth_dirs(initrc_t) +') + optional_policy(` @@ -39504,7 +39730,7 @@ index 8a105fd..aa33f57 100644 ') optional_policy(` -@@ -199,10 +317,23 @@ optional_policy(` +@@ -199,10 +321,23 @@ optional_policy(` ') optional_policy(` @@ -39528,7 +39754,7 @@ index 8a105fd..aa33f57 100644 unconfined_domain(init_t) ') -@@ -212,7 +343,7 @@ optional_policy(` +@@ -212,7 +347,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
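Review bot: In the init.te `@@ -186,12 +221,99 @@` hunk the block headed `# Permissions for systemd-tmpfiles, needs its own policy.` lists `files_relabel_all_pid_files(initrc_t)` twice (the duplicate was already there when these grants were on init_t) and the rewrite adds a stray empty `+` line above the comment; drop the second call and the blank. The block gives initrc_t relabel and manage access over all pid, lock, generic tmp and var_auth content, which the comment itself says belongs in a dedicated domain, so I would make that an explicit `# TODO:` so the widening of an already broad domain is tracked rather than forgotten. The enclosing block this `+')` closes is opened outside the hunk.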
@@ -39537,7 +39763,7 @@ index 8a105fd..aa33f57 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,6 +372,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,6 +376,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -39545,7 +39771,7 @@ index 8a105fd..aa33f57 100644 can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -258,11 +390,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -39569,7 +39795,7 @@ index 8a105fd..aa33f57 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +435,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +439,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -39577,7 +39803,7 @@ index 8a105fd..aa33f57 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +443,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +447,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -39593,7 +39819,7 @@ index 8a105fd..aa33f57 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +468,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +472,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -39605,7 +39831,7 @@ index 8a105fd..aa33f57 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +487,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +491,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -39619,7 +39845,7 @@ index 8a105fd..aa33f57 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +502,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +506,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -39628,7 +39854,7 @@ index 8a105fd..aa33f57 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +516,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +520,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -39636,7 +39862,7 @@ index 8a105fd..aa33f57 100644 selinux_get_enforce_mode(initrc_t) -@@ -380,6 +534,7 @@ auth_read_pam_pid(initrc_t) +@@ -380,6 +538,7 @@ auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) auth_use_nsswitch(initrc_t) @@ -39644,7 +39870,7 @@ index 8a105fd..aa33f57 100644 libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) -@@ -394,13 +549,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +553,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript 
@@ -39660,7 +39886,7 @@ index 8a105fd..aa33f57 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +629,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +633,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -39669,7 +39895,7 @@ index 8a105fd..aa33f57 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +675,19 @@ ifdef(`distro_redhat',` +@@ -519,6 +679,19 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -39689,7 +39915,7 @@ index 8a105fd..aa33f57 100644 ') optional_policy(` -@@ -526,10 +695,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +699,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -39707,7 +39933,7 @@ index 8a105fd..aa33f57 100644 ') optional_policy(` -@@ -544,6 +720,35 @@ ifdef(`distro_suse',` +@@ -544,6 +724,35 @@ ifdef(`distro_suse',` ') ') @@ -39743,7 +39969,7 @@ index 8a105fd..aa33f57 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +761,8 @@ optional_policy(` +@@ -556,6 +765,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -39752,7 +39978,7 @@ index 8a105fd..aa33f57 100644 ') optional_policy(` -@@ -572,6 +779,7 @@ optional_policy(` +@@ -572,6 +783,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -39760,7 +39986,7 @@ index 8a105fd..aa33f57 100644 ') optional_policy(` -@@ -584,6 +792,11 @@ optional_policy(` +@@ -584,6 +796,11 @@ optional_policy(` ') optional_policy(` 
@@ -39772,7 +39998,7 @@ index 8a105fd..aa33f57 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,6 +813,9 @@ optional_policy(` +@@ -600,6 +817,9 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -39782,7 +40008,7 @@ index 8a105fd..aa33f57 100644 optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -701,7 +917,13 @@ optional_policy(` +@@ -701,7 +921,13 @@ optional_policy(` ') optional_policy(` @@ -39796,7 +40022,7 @@ index 8a105fd..aa33f57 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +946,10 @@ optional_policy(` +@@ -724,6 +950,10 @@ optional_policy(` ') optional_policy(` @@ -39807,7 +40033,7 @@ index 8a105fd..aa33f57 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -745,6 +971,10 @@ optional_policy(` +@@ -745,6 +975,10 @@ optional_policy(` ') optional_policy(` @@ -39818,7 +40044,7 @@ index 8a105fd..aa33f57 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +996,6 @@ optional_policy(` +@@ -766,8 +1000,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39827,7 +40053,7 @@ index 8a105fd..aa33f57 100644 ') optional_policy(` -@@ -776,14 +1004,21 @@ optional_policy(` +@@ -776,14 +1008,21 @@ optional_policy(` ') optional_policy(` @@ -39849,7 +40075,7 @@ index 8a105fd..aa33f57 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1040,19 @@ optional_policy(` +@@ -805,11 +1044,19 @@ optional_policy(` ') optional_policy(` 
@@ -39870,14 +40096,13 @@ index 8a105fd..aa33f57 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1062,25 @@ optional_policy(` +@@ -819,6 +1066,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) -+ + + optional_policy(` + gen_require(` @@ -39892,11 +40117,12 @@ index 8a105fd..aa33f57 100644 +') + +optional_policy(` ++ rpm_read_db(initrc_t) + rpm_delete_db(initrc_t) ') optional_policy(` -@@ -844,3 +1106,59 @@ optional_policy(` +@@ -844,3 +1110,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -43774,7 +44000,7 @@ index 025348a..5b277ea 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a054cf5..4867243 100644 +index a054cf5..f24ab6b 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; 
@@ -43785,16 +44011,17 @@ index a054cf5..4867243 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -72,7 +73,7 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t) +@@ -72,7 +73,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t) manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) -files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) ++allow udev_t udev_var_run_t:file mounton; kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -111,15 +112,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -111,15 +113,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) @@ -43816,7 +44043,7 @@ index a054cf5..4867243 100644 mcs_ptrace_all(udev_t) -@@ -186,6 +192,7 @@ ifdef(`distro_redhat',` +@@ -186,6 +193,7 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -43824,7 +44051,7 @@ index a054cf5..4867243 100644 term_search_ptys(udev_t) -@@ -216,11 +223,16 @@ optional_policy(` +@@ -216,11 +224,16 @@ optional_policy(` ') optional_policy(` @@ -43841,7 +44068,7 @@ index a054cf5..4867243 100644 ') optional_policy(` -@@ -233,6 +245,10 @@ optional_policy(` +@@ -233,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -43852,7 +44079,7 @@ index a054cf5..4867243 100644 lvm_domtrans(udev_t) ') -@@ -259,6 +275,10 @@ optional_policy(` +@@ -259,6 +276,10 @@ optional_policy(` ') optional_policy(` @@ -43863,7 +44090,7 @@ index a054cf5..4867243 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +293,11 @@ optional_policy(` +@@ -273,6 +294,11 @@ optional_policy(` ') optional_policy(` 
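Review bot: `allow udev_t udev_var_run_t:file mounton;` in the udev.te `@@ -72,7 +73,8 @@` hunk is a raw allow rule with no comment saying which udev operation mounts on a file under its own pid directory; a bare `mounton` on a file is unusual enough that the next maintainer will not be able to tell whether it is still needed. Add a why-comment next to it, e.g. `# TODO(review): name the udev operation that mounts over a udev_var_run_t file` or, if the author knows it, the concrete reason. Presumably this is a bind mount, but the hunk does not show that, so I would not state it as fact.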
diff --git a/selinux-policy.spec b/selinux-policy.spec index d0fa46a..b3e6413 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,17 @@ exit 0 %endif %changelog +* Thu Oct 28 2010 Dan Walsh 3.9.7-7 +- Dontaudit sandbox sending sigkill to all user domains +- Add policy for rssh_chroot_helper +- Add missing flask definitions +- Allow udev to relabelto removable_t +- Fix label on /var/log/wicd.log +- Transition to initrc_t from init when executing bin_t +- Add audit_access permissions to file +- Make removable_t a device_node +- Fix label on /lib/systemd/* + * Fri Oct 22 2010 Dan Walsh 3.9.7-6 - Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot diff --git a/sources b/sources index 6d66d22..5a31809 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ 04730b4c56ff60274b246bcf4576355c serefpolicy-3.9.7.tgz +409b40c8102b1617681ba17c31032e66 config.tgz