From 82acdf307907b0849752d4f8e882040e46dea154 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 20 2013 14:58:38 +0000 Subject: - Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices - Add labeling for new polcykit authorizor - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream - Fix labeling for all /usr/bim/razor-lightdm-* binaries - Add filename trans for /dev/md126p1 --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index deb0e92..9edad61 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -15142,7 +15142,7 @@ index 54f1827..cc2de1a 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..f8f6456 100644 +index 1700ef2..38b597e 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -15181,7 +15181,15 @@ index 1700ef2..f8f6456 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -205,6 +227,7 @@ interface(`storage_create_fixed_disk_dev',` +@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',` + interface(`storage_raw_rw_fixed_disk',` + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) ++ dev_rw_generic_blk_files($1) + ') + + ######################################## +@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',` allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; 
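Review bot: The `dev_rw_generic_blk_files($1)` call added to `storage_raw_rw_fixed_disk` (inner hunk starting at `+@@ -186,6 +208,7 @@`) widens every existing caller of that interface from `fixed_disk_device_t` to read/write on all generically labelled block nodes, which neither the interface name nor, presumably, its unchanged summary above the hunk conveys. If the widening is intended, the summary should say so, e.g. `## Allow the caller to directly read and write fixed disk devices and generic block device nodes.`; otherwise the one caller that needs it should call `dev_rw_generic_blk_files` itself. The interface's header and summary are outside this hunk.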
@@ -15189,7 +15197,7 @@ index 1700ef2..f8f6456 100644 dev_add_entry_generic_dirs($1) ') -@@ -269,6 +292,48 @@ interface(`storage_dev_filetrans_fixed_disk',` +@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',` dev_filetrans($1, fixed_disk_device_t, blk_file) ') @@ -15238,7 +15246,7 @@ index 1700ef2..f8f6456 100644 ######################################## ## ## Create block devices in on a tmpfs filesystem with the -@@ -711,6 +776,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` +@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') @@ -15263,7 +15271,7 @@ index 1700ef2..f8f6456 100644 ######################################## ## ## Allow the caller to directly read -@@ -808,3 +891,400 @@ interface(`storage_unconfined',` +@@ -808,3 +892,401 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -15374,6 +15382,7 @@ index 1700ef2..f8f6456 100644 + dev_filetrans($1, fixed_disk_device_t, blk_file, "md7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1") @@ -20595,7 +20604,7 @@ index 5fc0391..994eec2 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..97140ee 100644 +index d1f64a0..156a29f 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ 
@@ -20685,7 +20694,7 @@ index d1f64a0..97140ee 100644 + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -+/usr/bin/razor-lightdm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/razor-lightdm-* -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -20752,7 +20761,7 @@ index d1f64a0..97140ee 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..18223e7 100644 +index 6bf0ecc..9388756 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -21224,18 +21233,19 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +904,92 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t, xdm_tmp_t, xdm_var_run_t; ++ type xdm_dbusd_t; ') files_search_tmp($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + files_search_pids($1) -+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) ++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } ) +') + +######################################## @@ -21318,7 +21328,7 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +1013,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## 
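Review bot: The replacement file context `/usr/bin/razor-lightdm-*` in xserver.fc is a regular expression, not a shell glob, so `-*` means zero or more hyphens and the anchored pattern matches `/usr/bin/razor-lightdm` or `/usr/bin/razor-lightdm-`, never `razor-lightdm-greeter`; since the explicit greeter entry is removed in the same hunk, that binary loses its `xdm_exec_t` label. The line should read `/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)`, which is what the commit message's "all razor-lightdm-* binaries" describes.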
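Review bot: `xserver_stream_connect_xdm` now connects the caller to both `xdm_t` and `xdm_dbusd_t` through the same xdm sockets, but nothing in the hunk records that for readers of the interface, whose summary sits above the hunk and is not updated. Add a sentence to that summary such as `## Also connects to the xdm dbus daemon (xdm_dbusd_t) listening on the xdm tmp and pid sockets.`. Minor style point: the space before the closing parenthesis in `{ xdm_t xdm_dbusd_t } )` is inconsistent with the other `stream_connect_pattern` calls in this file. The interface header is outside the hunk.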
@@ -21344,7 +21354,7 @@ index 6bf0ecc..18223e7 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +1045,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -21371,7 +21381,7 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1103,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -21399,7 +21409,7 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1145,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -21424,7 +21434,7 @@ index 6bf0ecc..18223e7 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',` +@@ -938,7 +1232,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -21452,7 +21462,7 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1270,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') 
@@ -21461,66 +21471,167 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,7 +1317,7 @@ interface(`xserver_read_xkb_libs',` + + ######################################## + ## +-## Read xdm temporary files. ++## dontaudit access checks X keyboard extension libraries. + ## + ## + ## +@@ -1012,56 +1325,57 @@ interface(`xserver_read_xkb_libs',` + ## + ## + # +-interface(`xserver_read_xdm_tmp_files',` ++interface(`xserver_dontaudit_xkb_libs_access',` + gen_require(` +- type xdm_tmp_t; ++ type xkb_var_lib_t; + ') + +- files_search_tmp($1) +- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ dontaudit $1 xkb_var_lib_t:dir audit_access; ++ dontaudit $1 xkb_var_lib_t:file audit_access; + ') ######################################## ## +-## Do not audit attempts to read xdm temporary files. +## Read xdm config files. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain to not audit -+## -+## -+# + ## + ## + # +-interface(`xserver_dontaudit_read_xdm_tmp_files',` +interface(`xserver_read_xdm_etc_files',` -+ gen_require(` + gen_require(` +- type xdm_tmp_t; + type xdm_etc_t; -+ ') -+ + ') + +- dontaudit $1 xdm_tmp_t:dir search_dir_perms; +- dontaudit $1 xdm_tmp_t:file read_file_perms; + files_search_etc($1) + read_files_pattern($1, xdm_etc_t, xdm_etc_t) + read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) + ') + + ######################################## + ## +-## Read write xdm temporary files. ++## Manage xdm config files. + ## + ## + ## +-## Domain allowed access. 
++## Domain to not audit + ## + ## + # +-interface(`xserver_rw_xdm_tmp_files',` ++interface(`xserver_manage_xdm_etc_files',` + gen_require(` +- type xdm_tmp_t; ++ type xdm_etc_t; + ') + +- allow $1 xdm_tmp_t:dir search_dir_perms; +- allow $1 xdm_tmp_t:file rw_file_perms; ++ files_search_etc($1) ++ manage_files_pattern($1, xdm_etc_t, xdm_etc_t) + ') + + ######################################## + ## +-## Create, read, write, and delete xdm temporary files. ++## Read xdm temporary files. + ## + ## + ## +@@ -1069,18 +1383,18 @@ interface(`xserver_rw_xdm_tmp_files',` + ## + ## + # +-interface(`xserver_manage_xdm_tmp_files',` ++interface(`xserver_read_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + +- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ files_search_tmp($1) ++ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of +-## xdm temporary named sockets. ++## Do not audit attempts to read xdm temporary files. + ## + ## + ## +@@ -1088,12 +1402,105 @@ interface(`xserver_manage_xdm_tmp_files',` + ## + ## + # +-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` ++interface(`xserver_dontaudit_read_xdm_tmp_files',` ++ gen_require(` ++ type xdm_tmp_t; ++ ') ++ ++ dontaudit $1 xdm_tmp_t:dir search_dir_perms; ++ dontaudit $1 xdm_tmp_t:file read_file_perms; +') + +######################################## +## -+## Manage xdm config files. ++## Read write xdm temporary files. +## +## +## -+## Domain to not audit ++## Domain allowed access. +## +## +# -+interface(`xserver_manage_xdm_etc_files',` ++interface(`xserver_rw_xdm_tmp_files',` + gen_require(` -+ type xdm_etc_t; ++ type xdm_tmp_t; + ') + -+ files_search_etc($1) -+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t) ++ allow $1 xdm_tmp_t:dir search_dir_perms; ++ allow $1 xdm_tmp_t:file rw_file_perms; +') + +######################################## +## - ## Read xdm temporary files. 
- ## - ## -@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',` ++## Create, read, write, and delete xdm temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_xdm_tmp_files',` + gen_require(` type xdm_tmp_t; ') -- files_search_tmp($1) -+ files_search_tmp($1) - read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) - ') - -@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',` - - ######################################## - ## --## Do not audit attempts to get the attributes of +- dontaudit $1 xdm_tmp_t:sock_file getattr; ++ manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++') ++ ++######################################## ++## +## Create, read, write, and delete xdm temporary dirs. +## +## @@ -21558,19 +21669,24 @@ index 6bf0ecc..18223e7 100644 +######################################## +## +## Do not audit attempts to get the attributes of - ## xdm temporary named sockets. - ## - ## -@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` - type xdm_tmp_t; - ') - -- dontaudit $1 xdm_tmp_t:sock_file getattr; ++## xdm temporary named sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` ++ gen_require(` ++ type xdm_tmp_t; ++ ') ++ + dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; ') ######################################## -@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1518,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -21582,7 +21698,7 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1619,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## 
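Review bot: Two of the interfaces introduced in this hunk carry a copy-pasted parameter description: `xserver_read_xdm_etc_files` and `xserver_manage_xdm_etc_files` grant access via `read_files_pattern`/`manage_files_pattern` yet describe their argument as `## Domain to not audit`; it should be `## Domain allowed access.` as the neighbouring allow-style interfaces use. The summary of the new `xserver_dontaudit_xkb_libs_access` is also ungrammatical; `## Do not audit access checks on X keyboard extension libraries.` reads better. The wording problem may recur in the copies of these interfaces elsewhere in the patch, but only this hunk is visible here.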
@@ -21608,7 +21724,7 @@ index 6bf0ecc..18223e7 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1654,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -21635,7 +21751,7 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1699,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -21644,7 +21760,7 @@ index 6bf0ecc..18223e7 100644 ## ## ## -@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1709,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -21669,7 +21785,7 @@ index 6bf0ecc..18223e7 100644 ') ######################################## -@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1742,604 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -23864,7 +23980,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..c7f52c2 100644 +index 3efd5b6..2f6ba05 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -24054,16 +24170,7 @@ index 3efd5b6..c7f52c2 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -395,6 +432,8 @@ interface(`auth_domtrans_chk_passwd',` - ') - - optional_policy(` -+ pcscd_manage_pub_files($1) -+ pcscd_manage_pub_pipes($1) - pcscd_read_pid_files($1) - pcscd_stream_connect($1) - ') -@@ -402,6 +441,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -402,6 +439,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -24072,7 +24179,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -448,6 +489,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -24098,7 +24205,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -467,7 +527,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -24106,7 +24213,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -664,6 +723,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -24117,7 +24224,7 @@ index 3efd5b6..c7f52c2 100644 ') ####################################### -@@ -763,7 +826,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -24169,7 +24276,7 @@ index 3efd5b6..c7f52c2 100644 ') ####################################### -@@ -824,9 +930,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') 
@@ -24200,7 +24307,7 @@ index 3efd5b6..c7f52c2 100644 ## ## ## -@@ -834,12 +960,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -24231,7 +24338,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -854,15 +995,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -24250,7 +24357,7 @@ index 3efd5b6..c7f52c2 100644 ## ## ## -@@ -875,13 +1016,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',` ## ## # @@ -24288,7 +24395,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -959,9 +1120,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -24322,7 +24429,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -1040,6 +1222,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -24333,7 +24440,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -1176,6 +1362,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1360,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -24341,7 +24448,7 @@ index 3efd5b6..c7f52c2 100644 ') ####################################### -@@ -1576,6 +1763,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1761,25 @@ interface(`auth_setattr_login_records',` ######################################## ## 
@@ -24367,7 +24474,7 @@ index 3efd5b6..c7f52c2 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1932,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1930,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -24393,7 +24500,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -1767,11 +1956,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1954,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -24410,7 +24517,7 @@ index 3efd5b6..c7f52c2 100644 ') ######################################## -@@ -1805,3 +1996,219 @@ interface(`auth_unconfined',` +@@ -1805,3 +1994,219 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -28821,7 +28928,7 @@ index 5dfa44b..2502d06 100644 optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..dc79c6f 100644 +index 73bb3c0..6e848de 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -28983,7 +29090,7 @@ index 73bb3c0..dc79c6f 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +310,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) 
@@ -29141,6 +29248,8 @@ index 73bb3c0..dc79c6f 100644 +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if @@ -30183,7 +30292,7 @@ index 4e94884..5481f47 100644 + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..4dd92d4 100644 +index 39ea221..7094526 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30371,7 +30480,7 @@ index 39ea221..4dd92d4 100644 # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid }; ++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog @@ -36903,10 +37012,10 @@ index 0f64692..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a5ec88b..1749342 100644 +index a5ec88b..e7663f3 100644 --- a/policy/modules/system/udev.te 
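Review bot: The new catch-all `/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` subsumes the `/opt/google/talkplugin/.*\.so` line added immediately before it and the existing `/opt/google/chrome/.*\.so` entry, and it hands the text-relocation exemption (execmod on the library) to any shared object ever installed under any /opt/google subdirectory rather than to the known offenders. If the blanket rule is the intent, drop the now-redundant per-package lines and comment it, e.g. `# Google /opt packages ship text-relocated .so files; label the whole tree textrel_shlib_t`; otherwise keep only the per-package entries.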
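Review bot: The rewritten capability set for `syslogd_t` lists `setuid setgid` twice (`... net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid`); checkpolicy tolerates the duplicate, but it reads like a merge accident and should be deduplicated. The surviving comment above the line still only explains `sys_admin` and questions `net_admin`, so the newly added `sys_ptrace` deserves its own why-line in the same style, e.g. `# sys_ptrace: needed by <feature> — TODO confirm` filled in with the actual trigger.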
+++ b/policy/modules/system/udev.te -@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) +@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) @@ -36921,8 +37030,13 @@ index a5ec88b..1749342 100644 +typealias udev_var_run_t alias udev_tbl_t; init_daemon_run_dir(udev_var_run_t, "udev") ++type udev_tmp_t; ++files_tmp_file(udev_tmp_t) ++ ifdef(`enable_mcs',` -@@ -37,9 +35,11 @@ ifdef(`enable_mcs',` + kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh) +@@ -37,9 +38,11 @@ ifdef(`enable_mcs',` # Local policy # @@ -36936,7 +37050,7 @@ index a5ec88b..1749342 100644 allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -@@ -53,6 +53,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -36944,14 +37058,17 @@ index a5ec88b..1749342 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; -# create udev database in /dev/.udevdb -allow udev_t udev_tbl_t:file manage_file_perms; -dev_filetrans(udev_t, udev_tbl_t, file) -- ++allow udev_t udev_tmp_t:dir manage_dir_perms; ++allow udev_t udev_tmp_t:file manage_file_perms; ++files_tmp_filetrans(udev_t, udev_tmp_t, { file dir }) + list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) -read_files_pattern(udev_t, udev_rules_t, udev_rules_t) +manage_files_pattern(udev_t, udev_rules_t, udev_rules_t) 
@@ -36988,7 +37105,7 @@ index a5ec88b..1749342 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t) +@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -36996,7 +37113,7 @@ index a5ec88b..1749342 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -37032,7 +37149,7 @@ index a5ec88b..1749342 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t) +@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -37054,7 +37171,7 @@ index a5ec88b..1749342 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t) +@@ -170,6 +195,9 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -37064,7 +37181,7 @@ index a5ec88b..1749342 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -179,16 +200,9 @@ ifdef(`distro_gentoo',` +@@ -179,16 +207,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37083,7 +37200,7 @@ index a5ec88b..1749342 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -226,19 +240,34 @@ optional_policy(` +@@ -226,19 +247,34 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -37118,7 +37235,7 @@ index a5ec88b..1749342 100644 ') optional_policy(` -@@ -264,6 +293,10 @@ optional_policy(` +@@ -264,6 +300,10 @@ optional_policy(` ') optional_policy(` 
@@ -37129,7 +37246,7 @@ index a5ec88b..1749342 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -278,6 +311,15 @@ optional_policy(` +@@ -278,6 +318,15 @@ optional_policy(` ') optional_policy(` @@ -37145,7 +37262,7 @@ index a5ec88b..1749342 100644 unconfined_signal(udev_t) ') -@@ -290,6 +332,7 @@ optional_policy(` +@@ -290,6 +339,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 41328d9..2e38254 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10904,7 +10904,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index 914ee2d..770ae51 100644 +index 914ee2d..1544e9b 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -10934,10 +10934,12 @@ index 914ee2d..770ae51 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) ++domain_dontaudit_getsession_all_domains(chronyd_t) ++ +dev_read_rand(chronyd_t) +dev_read_urand(chronyd_t) + @@ -23011,7 +23013,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..5d49b4f 100644 +index 0872e50..d336d7f 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) 
@@ -23056,7 +23058,15 @@ index 0872e50..5d49b4f 100644 iptables_domtrans(fail2ban_t) ') -@@ -137,14 +137,12 @@ corecmd_exec_bin(fail2ban_client_t) +@@ -129,6 +129,7 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; + + domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) + ++dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; + stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) + + kernel_read_system_state(fail2ban_client_t) +@@ -137,14 +138,12 @@ corecmd_exec_bin(fail2ban_client_t) domain_use_interactive_fds(fail2ban_client_t) @@ -27140,7 +27150,7 @@ index d03fd43..26023f7 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..6af4e62 100644 +index 20f726b..8e905be 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ @@ -27368,7 +27378,7 @@ index 20f726b..6af4e62 100644 +') + +optional_policy(` -+ gnome_read_home_config(gnomesystemmm_t) ++ gnome_manage_home_config(gnomesystemmm_t) +') + +optional_policy(` 
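Review bot: Replacing `gnome_read_home_config(gnomesystemmm_t)` with `gnome_manage_home_config(gnomesystemmm_t)` upgrades that domain from reading to creating, writing and deleting the user's GNOME config in the home directory, yet neither the commit message nor the %changelog entry in this patch mentions it. A why-comment inside the `optional_policy` block would justify the widening, e.g. `# writes its own settings under the user's gnome config dir`, if that is indeed the trigger; the reason cannot be confirmed from this hunk.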
@@ -37396,11 +37406,104 @@ index 0000000..67b8b3d +tunable_policy(`mock_enable_homedirs',` + userdom_read_user_home_content_files(mock_build_t) +') +diff --git a/modemmanager.fc b/modemmanager.fc +index a83894c..481dca3 100644 +--- a/modemmanager.fc ++++ b/modemmanager.fc +@@ -1 +1,4 @@ + /usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) ++/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) ++ ++/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) +diff --git a/modemmanager.if b/modemmanager.if +index b1ac8b5..90ca430 100644 +--- a/modemmanager.if ++++ b/modemmanager.if +@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',` + + ######################################## + ## ++## Execute modemmanager server in the modemmanager domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`modemmanager_systemctl',` ++ gen_require(` ++ type modemmanager_t; ++ type modemmanager_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 modemmanager_unit_file_t:file read_file_perms; ++ allow $1 modemmanager_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, modemmanager_t) ++') ++ ++######################################## ++## + ## Send and receive messages from + ## modemmanager over dbus. + ## +@@ -39,3 +63,38 @@ interface(`modemmanager_dbus_chat',` + allow $1 modemmanager_t:dbus send_msg; + allow modemmanager_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an modemmanager environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`modemmanager_admin',` ++ gen_require(` ++ type modemmanager_t; ++ type modemmanager_unit_file_t; ++ ') ++ ++ allow $1 modemmanager_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, modemmanager_t) ++ ++ modemmanager_systemctl($1) ++ admin_pattern($1, modemmanager_unit_file_t) ++ allow $1 modemmanager_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') diff --git a/modemmanager.te b/modemmanager.te -index cb4c13d..d744144 100644 +index cb4c13d..ab6fb25 100644 --- a/modemmanager.te +++ b/modemmanager.te -@@ -27,12 +27,12 @@ kernel_read_system_state(modemmanager_t) +@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) + typealias modemmanager_t alias ModemManager_t; + typealias modemmanager_exec_t alias ModemManager_exec_t; + ++type modemmanager_unit_file_t; ++systemd_unit_file(modemmanager_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t) dev_read_sysfs(modemmanager_t) dev_rw_modem(modemmanager_t) @@ -47550,7 +47653,7 @@ index 0000000..7d839fe + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index 52757d8..638c3d2 100644 +index 52757d8..6ce5c69 100644 --- a/ntop.te +++ b/ntop.te @@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t) @@ -47561,7 +47664,12 @@ index 52757d8..638c3d2 100644 corenet_all_recvfrom_netlabel(ntop_t) corenet_tcp_sendrecv_generic_if(ntop_t) corenet_raw_sendrecv_generic_if(ntop_t) -@@ -81,7 +80,6 @@ dev_rw_generic_usb_dev(ntop_t) +@@ -78,10 +77,11 @@ corenet_tcp_sendrecv_http_port(ntop_t) + + dev_read_sysfs(ntop_t) + dev_rw_generic_usb_dev(ntop_t) ++dev_read_usbmon_dev(ntop_t) ++dev_write_usbmon_dev(ntop_t) domain_use_interactive_fds(ntop_t) @@ -49990,10 +50098,10 @@ index 0000000..bddd4b3 +') 
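Review bot: `modemmanager_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `modemmanager_admin` a few lines below calls `systemd_read_fifo_file_passwd_run($1)`; these look like two spellings of one interface, and an undefined m4 interface name is left unexpanded and breaks the policy build, so one of them needs checking against systemd.if and the two should agree. Also the new admin summary `## an modemmanager environment` should read `## a modemmanager environment`.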
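Review bot: The ntop hunk grants both `dev_read_usbmon_dev(ntop_t)` and `dev_write_usbmon_dev(ntop_t)`, while the commit message and %changelog say only "Allow ntop to read usbmon devices"; usbmon exposes raw USB bus traffic, and write access is not obviously required for capturing it. Either drop the write line or update the changelog entry and put a short comment above the pair stating why ntop needs to write to usbmon.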
diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..877c71a +index 0000000..35f9df0 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,546 @@ +@@ -0,0 +1,547 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -50041,6 +50149,7 @@ index 0000000..877c71a +files_pid_file(openshift_var_run_t) + +type openshift_var_lib_t, openshift_file_type; ++userdom_user_home_content(openshift_var_lib_t) +files_poly(openshift_var_lib_t) +files_poly_parent(openshift_var_lib_t) +files_mountpoint(openshift_var_lib_t) @@ -54227,10 +54336,10 @@ index a14b3bc..b196183 100644 userdom_signal_unpriv_users(podsleuth_t) diff --git a/policykit.fc b/policykit.fc -index 1d76c72..4718a93 100644 +index 1d76c72..eeb33d9 100644 --- a/policykit.fc +++ b/policykit.fc -@@ -1,23 +1,20 @@ +@@ -1,23 +1,21 @@ -/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) - @@ -54241,6 +54350,7 @@ index 1d76c72..4718a93 100644 -/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) ++/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) @@ -74663,10 +74773,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..81198c3 +index 0000000..cb720ee --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,463 @@ +@@ -0,0 +1,465 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() 
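Review bot: `userdom_user_home_content(openshift_var_lib_t)` adds the openshift var-lib type to the user-home-content attribute, so every interface in the policy that reaches "user home content" now also reaches this data; that is a far larger surface than the one-line addition suggests and it is not listed in the commit message. A why-comment on the line, e.g. `# openshift_var_lib_t must be treated as user home content because <reason> — TODO confirm`, would tell the next reader the intent; the motivation cannot be established from this hunk.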
@@ -74774,6 +74884,8 @@ index 0000000..81198c3 +userdom_dontaudit_search_user_home_content(sandbox_xserver_t) +userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t) + ++xserver_read_xkb_libs(sandbox_xserver_t) ++xserver_dontaudit_xkb_libs_access(sandbox_xserver_t) +xserver_entry_type(sandbox_xserver_t) + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index a2c9477..116a81e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 53%{?dist} +Release: 54%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -535,6 +535,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jun 19 2013 Miroslav Grepl 3.12.1-54 +- Don't audit access checks by sandbox xserver on xdb var_lib +- Allow ntop to read usbmon devices +- Add labeling for new polcykit authorizor +- Dontaudit access checks from fail2ban_client +- Don't audit access checks by sandbox xserver on xdb var_lib +- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream +- Fix labeling for all /usr/bim/razor-lightdm-* binaries +- Add filename trans for /dev/md126p1 + * Tue Jun 18 2013 Miroslav Grepl 3.12.1-53 - Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain