From 7a727702c0dea4a5f0e46c7a76fee0be2c0ad9dc Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Feb 14 2014 12:09:05 +0000
Subject: - Dontaudit random domains listing /proc and hitting system_map_t
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Modify xdm_write_home to also allow creating links as xdm_home_t if the boolean is set to true
- systemd_tmpfiles_t needs to _setcheckreqprot
- Add unconfined_server to be run by init_t when it executes files labeled bin_t or usr_t; allow all domains to communicate with it
- Fixed snapperd policy
- Fixed broken interfaces
- Should use rw_socket_perms rather than sock_file on a unix_stream_socket
- Fixed bugs for pcp policy
- pcscd seems to be using policy kit and looking at the proc data of domains that transition to it
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage the /etc/sysconf/rhn directory
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Allow ABRT to read puppet certs
- Allow virtd_lxc_t to specify the label of a socket
- New version of docker requires more access
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b4f3b28..da6c7d0 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8720,7 +8720,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..23627f4 100644
+index cf04cb5..0b3704b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8761,7 +8761,7 @@ index cf04cb5..23627f4 100644
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -8798,6 +8798,7 @@ index cf04cb5..23627f4 100644
+files_read_inherited_tmp_files(domain)
+files_append_inherited_tmp_files(domain)
+files_read_all_base_ro_files(domain)
++files_dontaduit_getattr_kernel_symbol_table(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
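Review bot: The interface called on the added line is misspelled — `files_dontaduit_getattr_kernel_symbol_table(domain)` — and the definition added in the files.if hunk (`@@ -11449,7 +11458,32 @@`) carries the same typo, so the policy builds but ships a public interface name that breaks the `files_dontaudit_*` convention used throughout files.if and will need a compatible rename later. Both sites should read `files_dontaudit_getattr_kernel_symbol_table`: the call here becomes `files_dontaudit_getattr_kernel_symbol_table(domain)` and the `interface(...)` definition in files.if is renamed to match. Because this silences a getattr on system_map_t for every domain, a one-line comment above the call, e.g. `# random domains listing /proc stat System.map; not a policy violation worth logging`, would record why the dontaudit is global. The enclosing domain.te rule block continues outside the hunk.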
@@ -8808,7 +8809,7 @@ index cf04cb5..23627f4 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -8827,7 +8828,7 @@ index cf04cb5..23627f4 100644
')
optional_policy(`
-@@ -133,6 +189,9 @@ optional_policy(`
+@@ -133,6 +190,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -8837,7 +8838,7 @@ index cf04cb5..23627f4 100644
')
########################################
-@@ -147,12 +206,18 @@ optional_policy(`
+@@ -147,12 +207,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -8857,7 +8858,7 @@ index cf04cb5..23627f4 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,334 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +232,342 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9124,6 +9125,10 @@ index cf04cb5..23627f4 100644
+ cron_rw_system_job_pipes(domain)
+')
+
++optional_policy(`
++ devicekit_dbus_chat_power(domain)
++')
++
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
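Review bot: `devicekit_dbus_chat_power(domain)` grants a D-Bus rule to every domain, while the commit message only needs devicekit_power to deliver a power-down signal to bus clients; if this interface follows the usual dbus_chat pattern of allowing send_msg in both directions, it also lets every confined domain send messages to devicekit_power_t, which is wider than the stated need. A rule limited to the direction actually required, or at least a comment recording why the broad form was chosen, would make the intent auditable, e.g. `# devicekit_power broadcasts a power-down signal to every bus client`. The surrounding optional_policy blocks of domain.te continue outside the hunk.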
@@ -9192,6 +9197,10 @@ index cf04cb5..23627f4 100644
+ prelink_exec(domain)
+ ')
+')
++
++optional_policy(`
++ unconfined_server_stream_connect(domain)
++')
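Review bot: `unconfined_server_stream_connect(domain)` lets every domain connect to what is, judging by the interface name, the unconfined server's stream socket, with nothing in the hunk explaining why the grant is global rather than scoped to the domains init actually launches; a confined, network-facing domain thereby gains an IPC path into an unconfined process, which an auditor will want to see documented. Add a comment above the optional_policy block, e.g. `# init_t runs bin_t/usr_t executables as unconfined_server_t; every domain may connect to it`, and confirm that the commit message's "all domains" is really meant to include every confined domain. The optional_policy block is complete within the hunk; the enclosing domain.te rule set continues outside it.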
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48..27f60c6 100644
--- a/policy/modules/kernel/files.fc
@@ -9443,7 +9452,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..fa8cdcb 100644
+index f962f76..1517625 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11449,7 +11458,32 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5241,6 +6319,24 @@ interface(`files_list_var',`
+@@ -5112,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',`
+
+ ########################################
+ ##
++## Dontaudit getattr attempts on the system.map file
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++##
+ ## Read system.map in the /boot directory.
+ ##
+ ##
+@@ -5241,6 +6337,24 @@ interface(`files_list_var',`
########################################
##
@@ -11474,7 +11508,7 @@ index f962f76..fa8cdcb 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5527,6 +6623,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6641,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -11500,7 +11534,7 @@ index f962f76..fa8cdcb 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6711,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6729,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11526,7 +11560,7 @@ index f962f76..fa8cdcb 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6775,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6793,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11535,7 +11569,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -5649,12 +6783,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6801,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11551,7 +11585,7 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5672,6 +6807,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6825,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11559,7 +11593,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6834,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6852,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11587,7 +11621,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -5706,13 +6861,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6879,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11604,7 +11638,7 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5731,7 +6885,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6903,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11613,7 +11647,7 @@ index f962f76..fa8cdcb 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6918,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6936,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11621,7 +11655,7 @@ index f962f76..fa8cdcb 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6932,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6950,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11630,7 +11664,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -5787,13 +6940,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6958,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11665,7 +11699,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +6982,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7000,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11683,7 +11717,7 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5834,9 +7006,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7024,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11694,7 +11728,7 @@ index f962f76..fa8cdcb 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7048,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7066,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11704,7 +11738,7 @@ index f962f76..fa8cdcb 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7070,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7088,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11714,7 +11748,7 @@ index f962f76..fa8cdcb 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7107,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7125,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11724,7 +11758,7 @@ index f962f76..fa8cdcb 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7146,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7164,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11733,7 +11767,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7166,48 @@ interface(`files_search_pids',`
+@@ -5999,22 +7184,60 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11742,16 +11776,23 @@ index f962f76..fa8cdcb 100644
search_dirs_pattern($1, var_t, var_run_t)
')
+-########################################
+######################################
-+##
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Add and remove entries from pid directories.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain to not audit.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
@@ -11779,21 +11820,30 @@ index f962f76..fa8cdcb 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
- ########################################
- ##
- ## Do not audit attempts to search
-@@ -6025,12 +7230,31 @@ interface(`files_dontaudit_search_pids',`
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
+ gen_require(`
+ type var_run_t;
+ ')
+@@ -6025,6 +7248,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
--## List the contents of the runtime process
--## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
+##
+##
@@ -11808,16 +11858,10 @@ index f962f76..fa8cdcb 100644
+
+########################################
+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
-@@ -6039,7 +7263,7 @@ interface(`files_list_pids',`
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7281,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11826,7 +11870,7 @@ index f962f76..fa8cdcb 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7282,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7300,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11835,7 +11879,7 @@ index f962f76..fa8cdcb 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7302,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7320,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11844,7 +11888,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7364,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7382,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11852,7 +11896,7 @@ index f962f76..fa8cdcb 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7392,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7410,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -11877,7 +11921,7 @@ index f962f76..fa8cdcb 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7423,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7441,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11886,7 +11930,7 @@ index f962f76..fa8cdcb 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7490,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7508,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -11949,7 +11993,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6305,42 +7534,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7552,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -11999,7 +12043,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6348,18 +7570,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7588,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -12023,7 +12067,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6367,37 +7589,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7607,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -12075,7 +12119,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6405,18 +7630,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7648,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -12098,7 +12142,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6424,18 +7648,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7666,18 @@ interface(`files_list_spool',`
##
##
#
@@ -12122,7 +12166,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6443,19 +7667,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7685,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -12147,7 +12191,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6463,55 +7686,130 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7704,43 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -12175,46 +12219,101 @@ index f962f76..fa8cdcb 100644
##
##
-##
+-##
+-## Type to which the created node will be transitioned.
+-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+##
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_delete_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Delete all process ID directories.
-+##
-+##
+ ##
+ ##
##
--## Type to which the created node will be transitioned.
-+## Domain allowed access.
+@@ -6519,53 +7748,68 @@ interface(`files_spool_filetrans',`
##
##
--##
-+#
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-+
+
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+########################################
+##
+## Make the specified type a file
@@ -12247,129 +12346,80 @@ index f962f76..fa8cdcb 100644
+##
+##
+##
- ##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
++##
+## Type of the file to be used as a
+## spool file.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
-+ ')
+ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+##
-+## Create all spool sockets
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_spool_filetrans',`
-+interface(`files_create_all_spool_sockets',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute spoolfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
##
--## Allow access to manage all polyinstantiated
--## directories on the system.
-+## Delete all spool sockets
+-## Unconfined access to files.
++## Create all spool sockets
##
##
##
-@@ -6519,64 +7817,767 @@ interface(`files_spool_filetrans',`
+@@ -6573,10 +7817,785 @@ interface(`files_polyinstantiate_all',`
##
##
#
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_spool_sockets',`
+-interface(`files_unconfined',`
++interface(`files_create_all_spool_sockets',`
gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
+- attribute files_unconfined_type;
+ attribute spoolfile;
')
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
+- typeattribute $1 files_unconfined_type;
++ allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++##
++## Delete all spool sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_spool_sockets',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Relabel to and from all spool
+## directory types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_unconfined',`
++#
+interface(`files_relabel_all_spool_dirs',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ attribute spoolfile;
+ type var_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ relabel_dirs_pattern($1, spoolfile, spoolfile)
+')
+
@@ -29328,7 +29378,7 @@ index 79a45f6..9a14d49 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..afe80c5 100644
+index 17eda24..c15f72a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -29799,7 +29849,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -216,7 +501,30 @@ optional_policy(`
+@@ -216,7 +501,31 @@ optional_policy(`
')
optional_policy(`
@@ -29827,10 +29877,11 @@ index 17eda24..afe80c5 100644
+optional_policy(`
unconfined_domain(init_t)
+ domain_named_filetrans(init_t)
++ unconfined_server_domtrans(init_t)
')
########################################
-@@ -225,9 +533,9 @@ optional_policy(`
+@@ -225,9 +534,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
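Review bot: `unconfined_server_domtrans(init_t)` is added inside the same optional_policy block as `unconfined_domain(init_t)`, so the transition only takes effect when the unconfined module is present, and nothing in the hunk records that dependency or the reason for the transition (per the commit message, init executing files labeled bin_t or usr_t). A short comment on the added line would make this explicit: `# init_t executes bin_t/usr_t files as unconfined_server_t (only with the unconfined module)`. The rest of init.te's optional_policy blocks continue outside the hunk.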
@@ -29842,7 +29893,7 @@ index 17eda24..afe80c5 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +566,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +567,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29859,7 +29910,7 @@ index 17eda24..afe80c5 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +591,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +592,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29902,7 +29953,7 @@ index 17eda24..afe80c5 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +628,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +629,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -29914,7 +29965,7 @@ index 17eda24..afe80c5 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +640,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +641,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -29925,7 +29976,7 @@ index 17eda24..afe80c5 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +651,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +652,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29935,7 +29986,7 @@ index 17eda24..afe80c5 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +660,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +661,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -29943,7 +29994,7 @@ index 17eda24..afe80c5 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +667,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +668,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29951,7 +30002,7 @@ index 17eda24..afe80c5 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +675,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +676,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29969,7 +30020,7 @@ index 17eda24..afe80c5 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +693,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +694,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29983,7 +30034,7 @@ index 17eda24..afe80c5 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +708,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +709,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29997,7 +30048,7 @@ index 17eda24..afe80c5 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +721,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +722,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -30008,7 +30059,7 @@ index 17eda24..afe80c5 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +734,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +735,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -30016,7 +30067,7 @@ index 17eda24..afe80c5 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +753,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +754,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -30040,7 +30091,7 @@ index 17eda24..afe80c5 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +786,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +787,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -30048,7 +30099,7 @@ index 17eda24..afe80c5 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +820,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +821,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -30059,7 +30110,7 @@ index 17eda24..afe80c5 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +844,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +845,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30068,7 +30119,7 @@ index 17eda24..afe80c5 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +859,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +860,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -30076,7 +30127,7 @@ index 17eda24..afe80c5 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +880,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +881,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -30084,7 +30135,7 @@ index 17eda24..afe80c5 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +890,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +891,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -30129,7 +30180,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -559,14 +935,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +936,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30161,7 +30212,7 @@ index 17eda24..afe80c5 100644
')
')
-@@ -577,6 +970,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +971,39 @@ ifdef(`distro_suse',`
')
')
@@ -30201,7 +30252,7 @@ index 17eda24..afe80c5 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1015,8 @@ optional_policy(`
+@@ -589,6 +1016,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30210,7 +30261,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -610,6 +1038,7 @@ optional_policy(`
+@@ -610,6 +1039,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -30218,7 +30269,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -626,6 +1055,17 @@ optional_policy(`
+@@ -626,6 +1056,17 @@ optional_policy(`
')
optional_policy(`
@@ -30236,7 +30287,7 @@ index 17eda24..afe80c5 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1082,13 @@ optional_policy(`
+@@ -642,9 +1083,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30250,7 +30301,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -657,15 +1101,11 @@ optional_policy(`
+@@ -657,15 +1102,11 @@ optional_policy(`
')
optional_policy(`
@@ -30268,7 +30319,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -686,6 +1126,15 @@ optional_policy(`
+@@ -686,6 +1127,15 @@ optional_policy(`
')
optional_policy(`
@@ -30284,7 +30335,7 @@ index 17eda24..afe80c5 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1175,7 @@ optional_policy(`
+@@ -726,6 +1176,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -30292,7 +30343,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -743,7 +1193,13 @@ optional_policy(`
+@@ -743,7 +1194,13 @@ optional_policy(`
')
optional_policy(`
@@ -30307,7 +30358,7 @@ index 17eda24..afe80c5 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1222,10 @@ optional_policy(`
+@@ -766,6 +1223,10 @@ optional_policy(`
')
optional_policy(`
@@ -30318,7 +30369,7 @@ index 17eda24..afe80c5 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1235,20 @@ optional_policy(`
+@@ -775,10 +1236,20 @@ optional_policy(`
')
optional_policy(`
@@ -30339,7 +30390,7 @@ index 17eda24..afe80c5 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1257,10 @@ optional_policy(`
+@@ -787,6 +1258,10 @@ optional_policy(`
')
optional_policy(`
@@ -30350,7 +30401,7 @@ index 17eda24..afe80c5 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1282,6 @@ optional_policy(`
+@@ -808,8 +1283,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30359,7 +30410,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -818,6 +1290,10 @@ optional_policy(`
+@@ -818,6 +1291,10 @@ optional_policy(`
')
optional_policy(`
@@ -30370,7 +30421,7 @@ index 17eda24..afe80c5 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1303,12 @@ optional_policy(`
+@@ -827,10 +1304,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -30383,7 +30434,7 @@ index 17eda24..afe80c5 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1335,60 @@ optional_policy(`
+@@ -857,21 +1336,60 @@ optional_policy(`
')
optional_policy(`
@@ -30445,7 +30496,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -887,6 +1404,10 @@ optional_policy(`
+@@ -887,6 +1405,10 @@ optional_policy(`
')
optional_policy(`
@@ -30456,7 +30507,7 @@ index 17eda24..afe80c5 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1418,218 @@ optional_policy(`
+@@ -897,3 +1419,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -39234,10 +39285,10 @@ index 0000000..1d9bdfd
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..9785384
+index 0000000..e4b127c
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,635 @@
+@@ -0,0 +1,636 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -39532,6 +39583,7 @@ index 0000000..9785384
+mls_file_upgrade(systemd_tmpfiles_t)
+
+selinux_get_enforce_mode(systemd_tmpfiles_t)
++selinux_setcheckreqprot(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_relabel_faillog(systemd_tmpfiles_t)
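Review bot: The new `selinux_setcheckreqprot(systemd_tmpfiles_t)` hands the tmpfiles domain write access to the kernel's checkreqprot switch, a security-relevant setting, with no comment saying which tmpfiles.d entry requires it. A one-line why-comment above the rule, e.g. `# presumably applies the tmpfiles.d entry that writes /sys/fs/selinux/checkreqprot at boot — confirm against the shipped config`, lets the next maintainer re-check the need instead of inheriting the grant. The rest of the systemd_tmpfiles_t block lies outside the hunk.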
@@ -40465,7 +40517,7 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..01e03ec 100644
+index 5ca20a9..7bbabfc 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -40576,7 +40628,7 @@ index 5ca20a9..01e03ec 100644
')
########################################
-@@ -175,414 +185,5 @@ interface(`unconfined_alias_domain',`
+@@ -175,381 +185,12 @@ interface(`unconfined_alias_domain',`
##
#
interface(`unconfined_execmem_alias_program',`
@@ -40949,54 +41001,64 @@ index 5ca20a9..01e03ec 100644
- ')
-
- allow $1 unconfined_t:dbus send_msg;
--')
--
--########################################
--##
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+ ##
-## Send and receive messages from
-## unconfined_t over dbus.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -557,20 +198,19 @@ interface(`unconfined_dbus_send',`
+ ##
+ ##
+ #
-interface(`unconfined_dbus_chat',`
-- gen_require(`
++interface(`unconfined_server_stream_connect',`
+ gen_require(`
- type unconfined_t;
- class dbus send_msg;
-- ')
--
++ type unconfined_server_t;
+ ')
+
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
--')
--
--########################################
--##
++ files_search_pids($1)
++ files_write_generic_pid_pipes($1)
++ allow $1 unconfined_server_t:unix_stream_socket { getattr connectto };
+ ')
+
+ ########################################
+ ##
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -578,11 +218,10 @@ interface(`unconfined_dbus_chat',`
+ ##
+ ##
+ #
-interface(`unconfined_dbus_connect',`
-- gen_require(`
++interface(`unconfined_server_domtrans',`
+ gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
-- ')
--
++ type unconfined_server_t;
+ ')
+
- allow $1 unconfined_t:dbus acquire_svc;
-+ refpolicywarn(`$0() has been deprecated.')
++ corecmd_bin_domtrans($1, unconfined_server_t)
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902d..61f19e9 100644
+index 5fe902d..fe042f9 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,7 @@
+@@ -1,207 +1,15 @@
-policy_module(unconfined, 3.5.1)
+policy_module(unconfined, 3.5.0)
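Review bot: Both new interfaces require `type unconfined_server_t;` in their `gen_require` blocks, while the unconfined.te hunks further down declare `unconfined_service_t` and the attribute `unconfined_services`; unless `unconfined_server_t` is declared in a part of unconfined.te not shown here, any caller of `unconfined_server_stream_connect` or `unconfined_server_domtrans` will fail at gen_require time. The two files should agree on one name, and the commit message's "unconfined_server" suggests the .te side is the one that drifted. Separately, the summary of `unconfined_server_domtrans` repeats "Connect to unconfined_server with a unix socket." from the interface above it; it should read `## Execute a bin_t program with a domain transition to the unconfined server domain.` The `files_write_generic_pid_pipes($1)` grant in the stream-connect interface is broader than the socket connect it documents; if the server only listens on a socket under /var/run, `files_search_pids($1)` plus the `connectto` rule should be enough.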
@@ -41004,7 +41066,8 @@ index 5fe902d..61f19e9 100644
#
# Declarations
#
--
++attribute unconfined_services;
+
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
-# have another method to add access to these types
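Review bot: `attribute unconfined_services;` is declared here but nothing on this page assigns a type to it, so it is either a forward reference to a `typeattribute` line outside the diff or dead. If it is meant to group the new service domain, the declaration should be accompanied by `typeattribute unconfined_service_t unconfined_services;` in the hunk that declares the type, or by a comment naming where the attribute is populated.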
@@ -41012,10 +41075,13 @@ index 5fe902d..61f19e9 100644
-userdom_manage_home_role(unconfined_r, unconfined_t)
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
--
++type unconfined_service_t;
++domain_type(unconfined_service_t)
+
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
--
++unconfined_domain(unconfined_service_t)
+
-type unconfined_execmem_t;
-type unconfined_execmem_exec_t;
-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
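Review bot: `unconfined_domain(unconfined_service_t)` makes the new type fully unconfined, and together with `corecmd_bin_entry_type`/`corecmd_shell_entry_type` in the next hunk and the `unconfined_server_domtrans` interface, any bin_t or shell program that init starts without a dedicated domain ends up unconfined; that is a deliberate widening of what runs unconfined and deserves a comment at the declaration so it is not mistaken for a placeholder. Something like `# Domain for services init launches from bin_t/usr_t that have no policy of their own; intentionally unconfined.` above `type unconfined_service_t;` would do. The type-name mismatch with unconfined.if is raised on that file's hunk.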
@@ -41205,7 +41271,8 @@ index 5fe902d..61f19e9 100644
-optional_policy(`
- unconfined_dbus_chat(unconfined_execmem_t)
-')
-+attribute unconfined_services;
++corecmd_bin_entry_type(unconfined_service_t)
++corecmd_shell_entry_type(unconfined_service_t)
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..e4eb903 100644
--- a/policy/modules/system/userdomain.fc
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a40e705..421c075 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -10427,7 +10427,7 @@ index a3760bc..a570048 100644
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if
-index cd9c528..9de38c4 100644
+index cd9c528..ba793b7 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
@@ -10435,7 +10435,7 @@ index cd9c528..9de38c4 100644
')
- lightsquid_domtrans($1)
-+ clamd_domtrans($1)
++ calamaris_domtrans($1)
roleattribute $2 calamaris_roles;
')
@@ -11186,10 +11186,10 @@ index 0000000..57866f6
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
-index 0000000..5977d96
+index 0000000..8ea5b7c
--- /dev/null
+++ b/chrome.if
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,133 @@
+
+## policy for chrome
+
@@ -11276,9 +11276,8 @@ index 0000000..5977d96
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
-+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
++ allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;;
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
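Review bot: Switching the unix_stream_socket rules from `rw_inherited_sock_file_perms` to `rw_socket_perms` fixes the object-class mix-up, but `rw_socket_perms` also carries bind, connect, setopt and shutdown (which is why the `dontaudit ... shutdown` line could go); the reverse direction two lines below grants only `{ getattr read write }`, and that same narrow set would presumably satisfy the sandbox side unless it really binds or connects on the caller's socket. The doubled `;;` after `rw_socket_perms` on the chrome_sandbox_t line is carried over from the replaced line and should be a single `;`, even if the compiler happens to tolerate it.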
@@ -19280,7 +19279,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..ff0c9da 100644
+index 62d22cb..2d33fcd 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -19802,7 +19801,7 @@ index 62d22cb..ff0c9da 100644
##
##
## Type to be used as a domain.
-@@ -397,81 +403,66 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -19827,6 +19826,7 @@ index 62d22cb..ff0c9da 100644
+ domain_entry_file($1, $2)
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
++ init_system_domain($1, $2)
+
+ ps_process_pattern($1, system_dbusd_t)
+
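Review bot: Adding `init_system_domain($1, $2)` to `dbus_system_domain` means every domain declared through this interface now also gets an init_t transition on its entry file, not only the system_dbusd_t one; the interface summary, which sits outside the hunk, should state that, e.g. `## Create a domain for a D-Bus system service that dbus-daemon or init may start.` The `domain_entry_file($1, $2)` just above likely duplicates what `init_system_domain` already does; harmless, but one of the two could be dropped.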
@@ -19911,7 +19911,7 @@ index 62d22cb..ff0c9da 100644
##
##
##
-@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',`
##
##
#
@@ -19935,7 +19935,7 @@ index 62d22cb..ff0c9da 100644
##
##
##
-@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',`
##
##
#
@@ -20062,7 +20062,7 @@ index 62d22cb..ff0c9da 100644
##
##
##
-@@ -597,28 +570,32 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +571,32 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -23074,10 +23074,10 @@ index c7bb4e7..e6fe2f40 100644
sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/docker.fc b/docker.fc
new file mode 100644
-index 0000000..1c4ac02
+index 0000000..fd679a1
--- /dev/null
+++ b/docker.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,18 @@
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
@@ -23086,6 +23086,7 @@ index 0000000..1c4ac02
+
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
++/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
+
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
+
@@ -23097,10 +23098,10 @@ index 0000000..1c4ac02
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..cc6846a
+index 0000000..89401fe
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,324 @@
+
+## The open-source application container engine.
+
@@ -23372,6 +23373,7 @@ index 0000000..cc6846a
+
+ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
+ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
++ files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
+ logging_log_filetrans($1, docker_log_t, dir, "lxc")
+ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
@@ -23426,10 +23428,10 @@ index 0000000..cc6846a
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..18e4ef8
+index 0000000..a1e6966
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,239 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -23508,6 +23510,7 @@ index 0000000..18e4ef8
+manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
++allow docker_t docker_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
+manage_files_pattern(docker_t, docker_share_t, docker_share_t)
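Review bot: `allow docker_t docker_tmpfs_t:chr_file mounton;` carries no comment explaining which operation needs to mount over a character device in docker's tmpfs, and mounton on device nodes is unusual enough that the next reader cannot tell whether it is still needed. A why-comment such as `# presumably bind-mounts device nodes it creates in tmpfs into containers — confirm` would keep the grant reviewable. The rest of the docker_t tmpfs rules are outside the hunk.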
@@ -23640,6 +23643,8 @@ index 0000000..18e4ef8
+
+modutils_domtrans_insmod(docker_t)
+
++userdom_stream_connect(docker_t)
++
+optional_policy(`
+ dbus_system_bus_client(docker_t)
+ init_dbus_chat(docker_t)
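Review bot: `userdom_stream_connect(docker_t)` lets the daemon connect to sockets owned by user domains, which is broader than the docker-specific socket labels used elsewhere in this file, and nothing in the hunk says which client socket it serves. A comment naming that socket, e.g. `# connects to a user-owned socket when … — confirm which client needs this`, would make the grant auditable later.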
@@ -28542,7 +28547,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..edd1c94 100644
+index ab09d61..d0bfef0 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,78 @@
@@ -30013,7 +30018,7 @@ index ab09d61..edd1c94 100644
+#
+interface(`gnome_create_home_config_dirs',`
+ gen_require(`
-+ type cache_home_t;
++ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir create_dir_perms;
@@ -33047,7 +33052,7 @@ index 0000000..9278f85
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..c6cf456
+index 0000000..deb738f
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,21 @@
@@ -33065,7 +33070,7 @@ index 0000000..c6cf456
+#
+interface(`ipa_domtrans_otpd',`
+ gen_require(`
-+ type ipa_otpd_t, ipa_otpd_t_exec_t;
++ type ipa_otpd_t, ipa_otpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
@@ -53910,7 +53915,7 @@ index 379af96..fac7d7b 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
-index 57c0161..54bd4d7 100644
+index 57c0161..dae3360 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,24 @@
@@ -53966,7 +53971,7 @@ index 57c0161..54bd4d7 100644
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
-+ ps_process_pattern($1, swift_t)
++ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
index 5b2cb0d..249224e 100644
@@ -58594,10 +58599,10 @@ index 0000000..9b8cb6b
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
-index 0000000..4f074cb
+index 0000000..f099f7c
--- /dev/null
+++ b/pcp.if
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,121 @@
+## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation
+
+######################################
@@ -58698,12 +58703,33 @@ index 0000000..4f074cb
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmie_exec_t)
+')
++
++########################################
++##
++## Allow the specified domain to execute pcp_pmlogger
++## in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pcp_pmlogger_exec',`
++ gen_require(`
++ type pcp_pmlogger_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, pcp_pmlogger_exec_t)
++')
++
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..8ec3a48
+index 0000000..d21c5d7
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,192 @@
+policy_module(pcp, 1.0.0)
+
+########################################
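Review bot: The new `pcp_pmlogger_exec` interface documents its parameter as "Domain allowed to transition." although the body grants `can_exec`, i.e. execution in the caller's own domain with no transition; the parameter text should be `## Domain allowed access.` so it matches the summary line. The trailing empty `+` line added before the pcp.te header leaves a blank last line in pcp.if; drop it to match the rest of the file.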
@@ -58769,6 +58795,8 @@ index 0000000..8ec3a48
+
+dev_read_urand(pcp_domain)
+
++files_read_etc_files(pcp_domain)
++
+fs_getattr_all_fs(pcp_domain)
+
+auth_read_passwd(pcp_domain)
@@ -58786,6 +58814,8 @@ index 0000000..8ec3a48
+allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
+
++auth_use_nsswitch(pcp_pmcd_t)
++
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
@@ -58807,9 +58837,9 @@ index 0000000..8ec3a48
+fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t)
+
-+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
++logging_send_syslog_msg(pcp_pmcd_t)
+
-+auth_use_nsswitch(pcp_pmcd_t)
++storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
@@ -58826,9 +58856,12 @@ index 0000000..8ec3a48
+
+allow pcp_pmproxy_t self:process setsched;
+allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
+
+auth_use_nsswitch(pcp_pmproxy_t)
+
++logging_send_syslog_msg(pcp_pmproxy_t)
++
+########################################
+#
+# pcp_pmwebd local policy
@@ -58842,21 +58875,27 @@ index 0000000..8ec3a48
+#
+
+allow pcp_pmmgr_t self:process { setpgid };
-+
++allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
+allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmmgr_t)
+
++auth_use_nsswitch(pcp_pmmgr_t)
++
+corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
+
++corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
++corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
++
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
+
+corecmd_exec_bin(pcp_pmmgr_t)
+
-+auth_use_nsswitch(pcp_pmmgr_t)
++logging_send_syslog_msg(pcp_pmmgr_t)
+
+optional_policy(`
+ pcp_pmie_exec(pcp_pmmgr_t)
++ pcp_pmlogger_exec(pcp_pmmgr_t)
+')
+
+########################################
@@ -58868,11 +58907,35 @@ index 0000000..8ec3a48
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
++
++########################################
++#
++# pcp_pmlogger local policy
++#
++
++allow pcp_pmlogger_t self:process setpgid;
++allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
++
++allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
++
++corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
++corenet_tcp_bind_generic_node(pcp_pmlogger_t)
++
diff --git a/pcscd.if b/pcscd.if
-index 43d50f9..7f77d32 100644
+index 43d50f9..6b1544f 100644
--- a/pcscd.if
+++ b/pcscd.if
-@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
+@@ -17,6 +17,8 @@ interface(`pcscd_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pcscd_exec_t, pcscd_t)
++
++ ps_process_pattern(pcscd_t, $1)
+ ')
+
+ ########################################
+@@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',`
')
files_search_pids($1)
@@ -58882,7 +58945,7 @@ index 43d50f9..7f77d32 100644
########################################
diff --git a/pcscd.te b/pcscd.te
-index 1fb1964..c5ec0c4 100644
+index 1fb1964..36eb845 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@@ -58925,7 +58988,18 @@ index 1fb1964..c5ec0c4 100644
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
-@@ -85,3 +82,7 @@ optional_policy(`
+@@ -73,6 +70,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(pcscd_t)
++')
++
++optional_policy(`
+ openct_stream_connect(pcscd_t)
+ openct_read_pid_files(pcscd_t)
+ openct_signull(pcscd_t)
+@@ -85,3 +86,8 @@ optional_policy(`
optional_policy(`
udev_read_db(pcscd_t)
')
@@ -58933,6 +59007,7 @@ index 1fb1964..c5ec0c4 100644
+optional_policy(`
+ virt_rw_svirt_dev(pcscd_t)
+')
++
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..d40433a 100644
--- a/pegasus.fc
@@ -74056,7 +74131,7 @@ index e240ac9..638d6b4 100644
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
-index 16c8ecb..9fc0cb9 100644
+index 16c8ecb..2640ab5 100644
--- a/redis.if
+++ b/redis.if
@@ -1,9 +1,224 @@
@@ -74273,7 +74348,7 @@ index 16c8ecb..9fc0cb9 100644
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
@@ -88175,7 +88250,7 @@ index 0000000..94105ee
+')
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 0000000..838f907
+index 0000000..a299f53
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,66 @@
@@ -88193,8 +88268,8 @@ index 0000000..838f907
+type snapperd_log_t;
+logging_log_file(snapperd_log_t)
+
-+type snappperd_conf_t;
-+files_config_file(snappperd_conf_t)
++type snapperd_conf_t;
++files_config_file(snapperd_conf_t)
+
+type snapperd_data_t;
+files_type(snapperd_data_t)
@@ -98851,7 +98926,7 @@ index facdee8..fddb027 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..81e9d56 100644
+index f03dcf5..2a43838 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,197 @@
@@ -100188,7 +100263,7 @@ index f03dcf5..81e9d56 100644
+# virt_lxc local policy
#
+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
-+allow virtd_lxc_t self:process { transition setpgid signal_perms };
++allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
+allow virtd_lxc_t self:capability2 compromise_kernel;
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
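Review bot: Adding `setsockcreate` to `virtd_lxc_t self:process` lets the domain pick the label of sockets it creates, which next to the existing `capability2 compromise_kernel` line is a notable grant and warrants a why-comment, e.g. `# presumably sets the context of container sockets via /proc/self/attr/sockcreate — confirm`. The rest of the virtd_lxc_t block is outside the hunk.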
@@ -100971,7 +101046,7 @@ index 0000000..5726cdb
+/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0)
diff --git a/vmtools.if b/vmtools.if
new file mode 100644
-index 0000000..044be2f
+index 0000000..82fc528
--- /dev/null
+++ b/vmtools.if
@@ -0,0 +1,78 @@
@@ -101042,7 +101117,7 @@ index 0000000..044be2f
+ ps_process_pattern($1, vmtools_t)
+
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ninfod_t:process ptrace;
++ allow $1 vmtools_t:process ptrace;
+ ')
+
+ vmtools_systemctl($1)
@@ -105172,7 +105247,7 @@ index 0000000..ceaa219
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
-index 0000000..d02a6f4
+index 0000000..e0604c7
--- /dev/null
+++ b/zoneminder.if
@@ -0,0 +1,374 @@
@@ -105385,7 +105460,7 @@ index 0000000..d02a6f4
+#
+interface(`zoneminder_manage_lib_sock_files',`
+ gen_require(`
-+ type sock_var_lib_t;
++ type zoneminder_sock_var_lib_t;
+ ')
+ files_search_var_lib($1)
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
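Review bot: The `gen_require` of `zoneminder_manage_lib_sock_files` now names `zoneminder_sock_var_lib_t`, but the rule on the last line of the hunk still grants `manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)`, so the required type is unused and `zoneminder_var_lib_t` is used without being required (unless a line beyond the hunk uses the sock type). Either the pattern should target `zoneminder_sock_var_lib_t`, if that type exists in zoneminder.te, or the require should list `zoneminder_var_lib_t`; as written the interface does not match its name.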
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a1af035..9db08e6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 23%{?dist}
+Release: 24%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -578,7 +578,36 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Mon Feb 11 2014 Miroslav Grepl 3.13.1-23
+* Fri Feb 14 2014 Miroslav Grepl 3.13.1-24
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- systemd_tmpfiles_t needs to _setcheckreqprot
+- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
+- Fixed snapperd policy
+- Fixed broken interfaces
+- Should use rw_socket_perms rather then sock_file on a unix_stream_socket
+- Fixed bugsfor pcp policy
+- pcscd seems to be using policy kit and looking at domains proc data that transition to it
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Allow ABRT to read puppet certs
+- Allow virtd_lxc_t to specify the label of a socket
+- New version of docker requires more access
+
+* Mon Feb 10 2014 Miroslav Grepl 3.13.1-23
- Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs