From 913fabe1c83f83505b3f243c85f6441e5932e3da Mon Sep 17 00:00:00 2001 From: Miroslav Date: Aug 04 2011 20:32:55 +0000 Subject: - fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel mod - Add rules for domains executing systemctl - Bogus text within fc file --- diff --git a/policy-F16.patch b/policy-F16.patch index 860e92d..0d78818 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1084,7 +1084,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te -index 75ce30f..b48b383 100644 +index 75ce30f..7db2988 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t) @@ -1143,7 +1143,7 @@ index 75ce30f..b48b383 100644 files_getattr_all_file_type_fs(logwatch_t) ') -@@ -145,3 +160,22 @@ optional_policy(` +@@ -145,3 +160,23 @@ optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') @@ -1158,6 +1158,7 @@ index 75ce30f..b48b383 100644 +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) + +dev_read_rand(logwatch_mail_t) ++dev_read_sysfs(logwatch_mail_t) + +logging_read_all_logs(logwatch_mail_t) + @@ -6678,7 +6679,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..170963f 100644 +index fbb5c5a..2339227 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` 
@@ -6716,7 +6717,7 @@ index fbb5c5a..170963f 100644 ') ######################################## -@@ -228,6 +238,33 @@ interface(`mozilla_run_plugin',` +@@ -228,6 +238,35 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; @@ -6725,6 +6726,8 @@ index fbb5c5a..170963f 100644 + allow $1 mozilla_plugin_t:fd use; + + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; ++ allow mozilla_plugin_t $1:shm rw_shm_perms; ++ allow mozilla_plugin_t $1:sem create_sem_perms; + + ps_process_pattern($1, mozilla_plugin_t) + allow $1 mozilla_plugin_t:process { ptrace signal_perms }; @@ -6750,7 +6753,7 @@ index fbb5c5a..170963f 100644 ') ######################################## -@@ -269,9 +306,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -269,9 +308,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -6779,7 +6782,7 @@ index fbb5c5a..170963f 100644 ## ## ## -@@ -279,28 +334,28 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -279,28 +336,28 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -16004,7 +16007,7 @@ index 6346378..edbe041 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index d91c62f..9740613 100644 +index d91c62f..848f59b 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) 
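Review bot: The two rules added in the `@@ -228,6 +238,35 @@` hunk, `allow mozilla_plugin_t $1:shm rw_shm_perms;` and `allow mozilla_plugin_t $1:sem create_sem_perms;`, give the confined plugin domain read/write access to the calling domain's SysV shared memory and the right to create and destroy its semaphores, which runs in the opposite direction from the existing `allow $1 mozilla_plugin_t:...` rules and weakens the separation between the plugin and the domain that launched it (presumably the user domain passed to `mozilla_run_plugin`). If plugin-container needs this to share buffers with the browser, say so next to the rules and consider whether the target should be `mozilla_t` rather than the caller's full domain. At minimum add `# plugin-container shares SysV shm/sem with the launching domain — confirm which plugin needs this` above the two lines. The body of `mozilla_run_plugin` continues outside this hunk.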
@@ -16024,12 +16027,21 @@ index d91c62f..9740613 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -247,6 +250,9 @@ dev_delete_generic_blk_files(kernel_t) - dev_create_generic_chr_files(kernel_t) - dev_delete_generic_chr_files(kernel_t) +@@ -242,11 +245,14 @@ dev_search_usbfs(kernel_t) + # devtmpfs handling: + dev_create_generic_dirs(kernel_t) + dev_delete_generic_dirs(kernel_t) +-dev_create_generic_blk_files(kernel_t) +-dev_delete_generic_blk_files(kernel_t) +-dev_create_generic_chr_files(kernel_t) +-dev_delete_generic_chr_files(kernel_t) ++dev_create_all_blk_files(kernel_t) ++dev_delete_all_blk_files(kernel_t) ++dev_create_all_chr_files(kernel_t) ++dev_delete_all_chr_files(kernel_t) dev_mounton(kernel_t) +dev_filetrans_all_named_dev(kernel_t) -+#storage_filetrans_all_named_dev(kernel_t) ++storage_filetrans_all_named_dev(kernel_t) +term_filetrans_all_named_dev(kernel_t) # Mount root file system. Used when loading a policy @@ -18983,7 +18995,7 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..fc2c9ec +index 0000000..db35ff1 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,553 @@ @@ -19364,9 +19376,9 @@ index 0000000..fc2c9ec + lpd_run_checkpc(unconfined_t, unconfined_r) +') + -+optional_policy(` -+ mock_role(unconfined_r, unconfined_t) -+') ++#optional_policy(` ++# mock_role(unconfined_r, unconfined_t) ++#') + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) @@ -30896,10 +30908,10 @@ index 9bd812b..c4abec3 100644 ## an dnsmasq environment ## diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..df87ba8 100644 +index fdaeeba..d707dde 100644 --- a/policy/modules/services/dnsmasq.te 
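Review bot: The devtmpfs block now grants kernel_t create/delete on every device-node type (`dev_create_all_blk_files`, `dev_delete_all_chr_files`, ...) and enables the previously commented-out `storage_filetrans_all_named_dev(kernel_t)`, but the existing `# devtmpfs handling:` comment does not say why the generic-type rules were no longer sufficient. Since the "all" variants also let kernel_t unlink nodes such as fixed-disk or terminal devices, I would extend the comment: `# devtmpfs creates/removes nodes of every device type; the filetrans rules below give them their specific labels`. If the storage filetrans line was disabled for a reason, a short note on why it is safe to enable now would help the next reader.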
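Review bot: Commenting out the `mock_role(unconfined_r, unconfined_t)` block in unconfineduser.te leaves dead policy with no explanation, so a reader cannot tell whether mock_role is broken, deliberately withheld from unconfined_t, or just forgotten. Either delete the block or keep it with a one-line reason such as `# mock_role disabled for unconfined_t: <reason/bug>`. The commit message does not mention mock, so the intent is not recoverable from the diff.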
+++ b/policy/modules/services/dnsmasq.te -@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) @@ -30910,7 +30922,11 @@ index fdaeeba..df87ba8 100644 kernel_read_kernel_sysctls(dnsmasq_t) kernel_read_system_state(dnsmasq_t) -@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t) ++kernel_request_load_module(dnsmasq_t) + + corenet_all_recvfrom_unlabeled(dnsmasq_t) + corenet_all_recvfrom_netlabel(dnsmasq_t) +@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t) miscfiles_read_localization(dnsmasq_t) @@ -30919,7 +30935,7 @@ index fdaeeba..df87ba8 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +99,16 @@ optional_policy(` +@@ -96,7 +100,16 @@ optional_policy(` ') optional_policy(` @@ -30936,7 +30952,7 @@ index fdaeeba..df87ba8 100644 ') optional_policy(` -@@ -114,4 +126,5 @@ optional_policy(` +@@ -114,4 +127,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -32449,6 +32465,21 @@ index 6537214..7d64c0a 100644 ps_process_pattern($1, fetchmail_t) files_list_etc($1) +diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te +index 3459d93..c39305a 100644 +--- a/policy/modules/services/fetchmail.te ++++ b/policy/modules/services/fetchmail.te +@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) + userdom_dontaudit_search_user_home_dirs(fetchmail_t) + + optional_policy(` ++ kerberos_use(fetchmail_t) ++') ++ ++optional_policy(` + procmail_domtrans(fetchmail_t) + ') + diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te index 9b7036a..4770f61 100644 --- a/policy/modules/services/finger.te 
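Review bot: `kernel_request_load_module(dnsmasq_t)` lets a network-facing daemon trigger kernel module autoloading, which is a well-known way to reach otherwise-unloaded kernel code (the requested module name can be influenced by, for example, socket family or protocol choices), and the hunk gives no hint which modules dnsmasq actually needs. The changelog only says "multiple kernel modules"; please name them next to the rule, e.g. `# dnsmasq triggers autoload of <modules> when <operation> — list them`, so the grant can be re-evaluated later. If the requests are only probing noise and the daemon works without the modules, `kernel_dontaudit_request_load_module(dnsmasq_t)` is the safer alternative.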
@@ -33797,7 +33828,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..b9032a7 100644 +index 4fde46b..eac72e4 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te @@ -9,24 +9,32 @@ type gnomeclock_t; @@ -33836,7 +33867,7 @@ index 4fde46b..b9032a7 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +43,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +43,47 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -33876,17 +33907,13 @@ index 4fde46b..b9032a7 100644 +files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t) +files_manage_etc_symlinks(gnomeclock_systemctl_t) + -+fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t) -+ -+# needed by systemctl -+init_stream_connect(gnomeclock_systemctl_t) -+init_read_state(gnomeclock_systemctl_t) -+init_list_pid_dirs(gnomeclock_systemctl_t) ++miscfiles_read_localization(gnomeclock_systemctl_t) + +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) + +optional_policy(` -+ ntpd_read_unit_file(gnomeclock_systemctl_t) ++ ntp_read_unit_file(gnomeclock_systemctl_t) ++ ntp_read_state(gnomeclock_systemctl_t) +') diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if index 7d97298..d6b2959 100644 @@ -35215,7 +35242,7 @@ index da2127e..6538d66 100644 + +sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index 3525d24..74ec098 100644 +index 3525d24..e065744 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) 
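Review bot: This hunk removes `init_stream_connect`, `init_read_state`, `init_list_pid_dirs` and `fs_dontaudit_search_cgroup_dirs` from gnomeclock_systemctl_t, which only stays correct if that domain is created through the updated `systemd_exec_systemctl()` that now attaches the `systemctl_domain` attribute carrying those rules; the declaration of gnomeclock_systemctl_t is outside this hunk, so that dependency should be confirmed. The added `miscfiles_read_localization(gnomeclock_systemctl_t)` appears to duplicate the same rule granted to `systemctl_domain` in systemd.te by this commit, so it can likely be dropped. The new `ntp_read_state(gnomeclock_systemctl_t)` goes beyond reading the unit file and lets the helper read ntpd's /proc entries; a comment such as `# systemctl status needs ntpd's process state` would record why.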
@@ -35227,13 +35254,12 @@ index 3525d24..74ec098 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -@@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +@@ -30,4 +30,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) + -+krb5_host_rcache_t /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if @@ -35798,7 +35824,7 @@ index 6fd0b4c..b733e45 100644 - ') diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te -index a73b7a1..7fa55e8 100644 +index a73b7a1..677998f 100644 --- a/policy/modules/services/ksmtuned.te +++ b/policy/modules/services/ksmtuned.te @@ -9,6 +9,9 @@ type ksmtuned_t; @@ -35822,13 +35848,14 @@ index a73b7a1..7fa55e8 100644 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t) +@@ -31,9 +38,17 @@ kernel_read_system_state(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) corecmd_exec_bin(ksmtuned_t) ++corecmd_exec_shell(ksmtuned_t) files_read_etc_files(ksmtuned_t) @@ -36263,7 +36290,7 @@ index 49e04e5..69db026 100644 /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) 
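Review bot: Dropping the stray `krb5_host_rcache_t ` prefix fixes the `/var/tmp/host_0` entry, but both remaining entries hard-code one replay-cache file name (`host_0`, `HTTP_23`), which looks like a `<principal>_<uid>` pattern and will not match the same cache created under another uid or service principal. If that reading is right, `/var/tmp/host_[0-9]+ -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` (and the same for `HTTP_[0-9]+`) would be more robust; please confirm against how the rcache files are actually named on the target systems. A mismatch would surface as AVC denials when the service opens its cache rather than as an obvious labelling error.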
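Review bot: `corecmd_exec_shell(ksmtuned_t)` lets the daemon run the shell in its own domain, so everything the script does inherits ksmtuned_t's rights (`dev_rw_sysfs`, `domain_read_all_domains_state` are visible in this hunk); that is expected for a shell-implemented daemon but deserves a line: `# ksmtuned is a shell script; the interpreter runs in this domain`. Separately, the hunk already carries both `domain_read_all_domains_state(ksmtuned_t)` and `domain_dontaudit_read_all_domains_state(ksmtuned_t)`, and the dontaudit appears redundant next to the allow (pre-existing, not introduced here).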
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te -index 6a78de1..0aebce6 100644 +index 6a78de1..a32fbe8 100644 --- a/policy/modules/services/lircd.te +++ b/policy/modules/services/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -36283,7 +36310,7 @@ index 6a78de1..0aebce6 100644 allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:unix_dgram_socket create_socket_perms; allow lircd_t self:tcp_socket create_stream_socket_perms; -@@ -44,13 +45,13 @@ corenet_tcp_bind_lirc_port(lircd_t) +@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t) corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) @@ -36293,6 +36320,7 @@ index 6a78de1..0aebce6 100644 dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) dev_rw_input_dev(lircd_t) ++dev_read_sysfs(lircd_t) -files_read_etc_files(lircd_t) +files_read_config_files(lircd_t) @@ -37663,15 +37691,14 @@ index 47e3612..ece07ab 100644 # The milter runs from /var/lib/spamass-milter diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc new file mode 100644 -index 0000000..68ad33f +index 0000000..8d0e473 --- /dev/null +++ b/policy/modules/services/mock.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,5 @@ + +/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) + -+/var/lib/mock -d gen_context(system_u:object_r:mock_var_lib_t,s0) -+/var/lib/mock(/.*)? <> ++/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 @@ -40576,7 +40603,7 @@ index e79dccc..50202ef 100644 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..be0d107 100644 +index e80f8c0..d90ed98 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if 
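Review bot: Replacing the `/var/lib/mock(/.*)? <>` entry in mock.fc (the `<>` is most likely an extraction-mangled `<<none>>`) with a `gen_context(...mock_var_lib_t...)` line is a behavior change, not a text cleanup: the no-label marker told setfiles/restorecon to leave everything below /var/lib/mock alone, which matters because the build chroots carry their own per-file labels, whereas the new line relabels the whole tree to mock_var_lib_t on the next `restorecon -R` or full relabel. If the goal was only to fold the separate `-d` entry, keep the exclusion: `/var/lib/mock -d gen_context(system_u:object_r:mock_var_lib_t,s0)` followed by `/var/lib/mock(/.*)? <<none>>`. If collapsing the chroot labels is intended, a comment saying so would stop the next person from "fixing" it back.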
@@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',` @@ -40593,7 +40620,7 @@ index e80f8c0..be0d107 100644 +## +## +# -+interface(`ntpd_read_unit_file',` ++interface(`ntp_read_unit_file',` + gen_require(` + type ntpd_unit_file_t; + ') @@ -40605,7 +40632,33 @@ index e80f8c0..be0d107 100644 ######################################## ## ## Read and write ntpd shared memory. -@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',` +@@ -122,6 +141,25 @@ interface(`ntp_rw_shm',` + + ######################################## + ## ++## Allow the domain to read ntpd state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntp_read_state',` ++ gen_require(` ++ type ntpd_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, ntpd_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an ntp environment + ## +@@ -140,11 +178,10 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -49859,7 +49912,7 @@ index adea9f9..d5b2d93 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te -index 606a098..f00a814 100644 +index 606a098..5e4d100 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -35,7 +35,7 @@ ifdef(`enable_mls',` @@ -49867,7 +49920,7 @@ index 606a098..f00a814 100644 # -allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; -+allow fsdaemon_t self:capability { dac_override setpcap setgid sys_rawio sys_admin }; ++allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; @@ -57262,7 +57315,7 @@ index 21ae664..3e448dd 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') 
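Review bot: The doc block of the new `ntp_read_state` interface says it allows reading ntpd "state files in /proc", but `ps_process_pattern($1, ntpd_t)` also grants process-level getattr-style permissions on ntpd_t (the exact set lives in the refpolicy support macros, outside this diff); the summary should say so, e.g. `## Read the process state (/proc/pid and process attributes) of ntpd.`. The rename `ntpd_read_unit_file` to `ntp_read_unit_file` uses the module's proper prefix; the only caller visible in this patch (gnomeclock.te) is updated, but any out-of-tree caller of the old name will now fail to build.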
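Review bot: Adding `kill` to `allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };` gives smartd CAP_KILL, i.e. the DAC right to signal processes owned by other uids (SELinux `signal_perms` on the target domain still apply), and nothing in the hunk says which operation needs it. Please record the trigger next to the rule, e.g. `# CAP_KILL: smartd signals the helper it spawns for -M exec — confirm from the AVC`, so the capability can be reconsidered if that helper changes. The run of `allow`/`dontaudit` rules for fsdaemon_t continues outside the hunk.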
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te -index 9fb4747..16b2616 100644 +index 9fb4747..a59cfc2 100644 --- a/policy/modules/services/zarafa.te +++ b/policy/modules/services/zarafa.te @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) @@ -57285,7 +57338,7 @@ index 9fb4747..16b2616 100644 ######################################## # # zarafa-deliver local policy -@@ -57,6 +63,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) +@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) @@ -57303,11 +57356,10 @@ index 9fb4747..16b2616 100644 +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) + -+ ####################################### # # zarafa-ical local policy -@@ -136,6 +157,34 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) +@@ -136,6 +156,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) corenet_tcp_connect_smtp_port(zarafa_spooler_t) @@ -57321,6 +57373,8 @@ index 9fb4747..16b2616 100644 +allow zarafa_gateway_t self:capability { chown kill }; +allow zarafa_gateway_t self:process setrlimit; + ++dev_read_rand(zarafa_gateway_t) ++ +corenet_tcp_bind_pop_port(zarafa_gateway_t) + +####################################### @@ -57342,7 +57396,7 @@ index 9fb4747..16b2616 100644 ######################################## # # zarafa domains local policy -@@ -156,6 +205,4 @@ kernel_read_system_state(zarafa_domain) +@@ -156,6 +206,4 @@ kernel_read_system_state(zarafa_domain) files_read_etc_files(zarafa_domain) @@ -59254,7 +59308,7 @@ index 94fd8dd..417ec32 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..4d20828 100644 +index 29a9565..2163271 100644 
--- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -59330,7 +59384,7 @@ index 29a9565..4d20828 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -100,11 +134,15 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -100,11 +134,16 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -59347,10 +59401,11 @@ index 29a9565..4d20828 100644 +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) +files_pid_filetrans(init_t, init_var_run_t, { dir file }) ++allow init_t init_var_run_t:dir mounton; allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -114,25 +152,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -114,25 +153,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -59385,7 +59440,7 @@ index 29a9565..4d20828 100644 files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: files_exec_etc_files(init_t) -@@ -151,10 +198,19 @@ mls_file_read_all_levels(init_t) +@@ -151,10 +199,19 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -59406,7 +59461,7 @@ index 29a9565..4d20828 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +218,16 @@ init_domtrans_script(init_t) +@@ -162,12 +219,16 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -59423,7 +59478,7 @@ index 29a9565..4d20828 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +238,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +239,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') 
@@ -59432,7 +59487,7 @@ index 29a9565..4d20828 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +246,136 @@ tunable_policy(`init_upstart',` +@@ -186,16 +247,137 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -59497,6 +59552,7 @@ index 29a9565..4d20828 100644 + files_create_lock_dirs(init_t) + files_relabel_all_lock_dirs(init_t) + ++ fs_getattr_all_fs(init_t) + fs_manage_cgroup_dirs(init_t) + fs_manage_cgroup_files(init_t) + fs_manage_hugetlbfs_dirs(init_t) @@ -59571,7 +59627,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -203,6 +383,17 @@ optional_policy(` +@@ -203,6 +385,17 @@ optional_policy(` ') optional_policy(` @@ -59589,7 +59645,7 @@ index 29a9565..4d20828 100644 unconfined_domain(init_t) ') -@@ -212,7 +403,7 @@ optional_policy(` +@@ -212,7 +405,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -59598,7 +59654,7 @@ index 29a9565..4d20828 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -59614,7 +59670,7 @@ index 29a9565..4d20828 100644 init_write_initctl(initrc_t) -@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -59651,7 +59707,7 @@ index 29a9565..4d20828 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -59659,7 +59715,7 @@ index 29a9565..4d20828 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -59670,7 +59726,7 @@ index 29a9565..4d20828 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -59687,7 +59743,7 @@ index 29a9565..4d20828 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -59695,7 +59751,7 @@ index 29a9565..4d20828 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -59707,7 +59763,7 @@ index 29a9565..4d20828 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -59721,7 +59777,7 @@ index 29a9565..4d20828 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -59730,7 +59786,7 @@ index 29a9565..4d20828 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -59738,7 +59794,7 @@ index 29a9565..4d20828 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -59746,7 +59802,7 @@ index 29a9565..4d20828 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -59768,7 +59824,7 @@ index 29a9565..4d20828 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -59779,7 +59835,7 @@ index 29a9565..4d20828 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +702,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +704,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -59788,7 +59844,7 @@ index 29a9565..4d20828 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +717,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +719,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -59796,7 +59852,7 @@ index 29a9565..4d20828 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +747,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +749,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -59830,7 +59886,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -531,10 +781,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +783,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -59857,7 +59913,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -549,6 +815,39 @@ ifdef(`distro_suse',` +@@ -549,6 +817,39 @@ ifdef(`distro_suse',` ') ') @@ -59897,7 +59953,7 @@ index 29a9565..4d20828 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +860,8 @@ optional_policy(` +@@ -561,6 +862,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -59906,7 +59962,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -577,6 +878,7 @@ optional_policy(` +@@ -577,6 +880,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -59914,7 +59970,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -589,6 +891,11 @@ optional_policy(` +@@ -589,6 +893,11 @@ optional_policy(` ') optional_policy(` 
@@ -59926,7 +59982,7 @@ index 29a9565..4d20828 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +912,13 @@ optional_policy(` +@@ -605,9 +914,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -59940,7 +59996,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -649,6 +960,11 @@ optional_policy(` +@@ -649,6 +962,11 @@ optional_policy(` ') optional_policy(` @@ -59952,7 +60008,7 @@ index 29a9565..4d20828 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1005,7 @@ optional_policy(` +@@ -689,6 +1007,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -59960,7 +60016,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -706,7 +1023,13 @@ optional_policy(` +@@ -706,7 +1025,13 @@ optional_policy(` ') optional_policy(` @@ -59974,7 +60030,7 @@ index 29a9565..4d20828 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1052,10 @@ optional_policy(` +@@ -729,6 +1054,10 @@ optional_policy(` ') optional_policy(` @@ -59985,7 +60041,7 @@ index 29a9565..4d20828 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1065,20 @@ optional_policy(` +@@ -738,10 +1067,20 @@ optional_policy(` ') optional_policy(` @@ -60006,7 +60062,7 @@ index 29a9565..4d20828 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1087,10 @@ optional_policy(` +@@ -750,6 +1089,10 @@ optional_policy(` ') optional_policy(` @@ -60017,7 +60073,7 @@ index 29a9565..4d20828 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1112,6 @@ optional_policy(` +@@ -771,8 +1114,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -60026,7 +60082,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -790,10 +1129,12 @@ optional_policy(` +@@ -790,10 +1131,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') 
@@ -60039,7 +60095,7 @@ index 29a9565..4d20828 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1146,6 @@ optional_policy(` +@@ -805,7 +1148,6 @@ optional_policy(` ') optional_policy(` @@ -60047,7 +60103,7 @@ index 29a9565..4d20828 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1155,24 @@ optional_policy(` +@@ -815,11 +1157,24 @@ optional_policy(` ') optional_policy(` @@ -60073,7 +60129,7 @@ index 29a9565..4d20828 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1182,25 @@ optional_policy(` +@@ -829,6 +1184,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -60099,7 +60155,7 @@ index 29a9565..4d20828 100644 ') optional_policy(` -@@ -844,6 +1216,10 @@ optional_policy(` +@@ -844,6 +1218,10 @@ optional_policy(` ') optional_policy(` @@ -60110,7 +60166,7 @@ index 29a9565..4d20828 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1230,149 @@ optional_policy(` +@@ -854,3 +1232,149 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -63233,7 +63289,7 @@ index 2cc4bda..167c358 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 170e2c7..7b10445 100644 +index 170e2c7..b85fc73 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -199,6 +199,10 @@ interface(`seutil_run_newrole',` @@ -63449,7 +63505,7 @@ index 170e2c7..7b10445 100644 ## Full management of the semanage ## module store. ## -@@ -1149,3 +1313,199 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1149,3 +1313,198 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') 
@@ -63527,7 +63583,6 @@ index 170e2c7..7b10445 100644 + seutil_get_semanage_read_lock($1) + + userdom_dontaudit_write_user_home_content_files($1) -+ +') + + @@ -64708,10 +64763,10 @@ index 0000000..3248032 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..7501ef8 +index 0000000..d46fb42 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,377 @@ +@@ -0,0 +1,376 @@ +## SELinux policy for systemd components + +####################################### @@ -64729,17 +64784,16 @@ index 0000000..7501ef8 + gen_require(` + type systemd_systemctl_exec_t; + role system_r; ++ attribute systemctl_domain; + ') + -+ type $1_systemctl_t; ++ type $1_systemctl_t, systemctl_domain; + domain_type($1_systemctl_t) + domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) + + role system_r types $1_systemctl_t; + + domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t) -+ -+ init_use_fds($1_t) +') + +######################################## @@ -65091,10 +65145,10 @@ index 0000000..7501ef8 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0185280 +index 0000000..d079aca --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,319 @@ +@@ -0,0 +1,337 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -65103,6 +65157,8 @@ index 0000000..0185280 +# + +attribute systemd_unit_file_type; ++attribute systemd_domain; ++attribute systemctl_domain; + +# New in f16 +permissive systemd_logger_t; 
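Review bot: `systemd_exec_systemctl` now tags `$1_systemctl_t` with `systemctl_domain` and silently drops `init_use_fds($1_t)` from the calling domain; that rule is re-added for the helper domain through the attribute in systemd.te, but any caller that relied on the launching domain `$1_t` inheriting init's fds loses it with this change. If that is intentional, say so in the interface's doc block (outside this hunk), e.g. `## The created $1_systemctl_t domain, not the caller, receives init_use_fds() via systemctl_domain.`. Because every member of `systemctl_domain` also gets `init_stream_connect`, the doc should state that this interface hands the new domain a connection to init's stream socket, presumably systemd's private control socket.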
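Review bot: `attribute systemd_domain;` is declared in systemd.te but no hunk in this commit attaches a type to it or writes a rule against it, so as of this change it is an unused declaration; either drop it until it has a user or annotate it, e.g. `# systemd_domain: reserved for systemd helper domains (no members yet)`. `systemctl_domain`, by contrast, is used by `systemd_exec_systemctl()` and by the rules added at the end of the file.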
@@ -65414,6 +65470,22 @@ index 0000000..0185280 +logging_send_syslog_msg(systemd_logger_t) + +miscfiles_read_localization(systemd_logger_t) ++ ++ ++######################################## ++# ++# systemd_sysctl domains local policy ++# ++fs_list_cgroup_dirs(systemctl_domain) ++fs_read_cgroup_files(systemctl_domain) ++ ++# needed by systemctl ++init_stream_connect(systemctl_domain) ++init_read_state(systemctl_domain) ++init_list_pid_dirs(systemctl_domain) ++init_use_fds(systemctl_domain) ++ ++miscfiles_read_localization(systemctl_domain) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 0291685..7e94f4b 100644 --- a/policy/modules/system/udev.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index ee04699..1ac7e57 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 14%{?dist} +Release: 16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -452,6 +452,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Aug 4 2011 Miroslav Grepl 3.10.0-16 +- fetchmail can use kerberos +- ksmtuned reads in shell programs +- gnome_systemctl_t reads the process state of ntp +- dnsmasq_t asks the kernel to load multiple kernel modules +- Add rules for domains executing systemctl +- Bogus text within fc file + * Wed Aug 3 2011 Miroslav Grepl 3.10.0-14 - Add cfengine policy
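Review bot: The new section header reads `# systemd_sysctl domains local policy` but the rules below are for the `systemctl_domain` attribute (systemctl, not sysctl); please change it to `# systemctl_domain (all *_systemctl_t helpers) local policy` so it is not mistaken for a sysctl-related domain. Functionally this block turns what gnomeclock_systemctl_t previously had as `fs_dontaudit_search_cgroup_dirs` into real `fs_list_cgroup_dirs`/`fs_read_cgroup_files` access for every systemctl helper, and `init_stream_connect(systemctl_domain)` lets each of them connect to init's stream socket, presumably systemd's private control socket, so every domain created with `systemd_exec_systemctl()` inherits the ability to drive unit operations. A sentence recording that in the comment would make the attribute's weight clear to future users of the interface.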