From 975370d58e510001241db65603aeb4f563f5de00 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 30 2011 15:55:41 +0000 Subject: - Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql dom - Allow pppd to search /var/lock dir - Add rhsmcertd policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index ff58950..d3569e1 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2410,3 +2410,10 @@ dspam = module # lldpad - Link Layer Discovery Protocol (LLDP) agent daemon # lldpad = module + +# Layer: services +# Module: rhsmcertd +# +# Subscription Management Certificate Daemon policy +# +rhsmcertd = module diff --git a/policy-F16.patch b/policy-F16.patch index e0f0e9c..d7e32b1 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -2359,7 +2359,7 @@ index d0604cf..3089f30 100644 ## ## diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te -index 8966ec9..f4e6c4b 100644 +index 8966ec9..8fbe943 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te @@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0) @@ -2406,7 +2406,7 @@ index 8966ec9..f4e6c4b 100644 init_stream_connect(shutdown_t) init_telinit(shutdown_t) -@@ -54,10 +58,20 @@ logging_send_audit_msgs(shutdown_t) +@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t) miscfiles_read_localization(shutdown_t) optional_policy(` @@ -2424,6 +2424,10 @@ index 8966ec9..f4e6c4b 100644 +') + +optional_policy(` ++ rhev_sigchld_agentd(shutdown_t) ++') ++ ++optional_policy(` xserver_dontaudit_write_log(shutdown_t) + xserver_xdm_append_log(shutdown_t) ') @@ -8487,10 +8491,10 @@ index 0000000..6efdeca +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..d6d2f78 +index 0000000..61a5e86 --- /dev/null 
+++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,492 @@ +@@ -0,0 +1,493 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8667,6 +8671,7 @@ index 0000000..d6d2f78 +allow sandbox_x_domain self:msgq create_msgq_perms; +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; ++allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms }; + +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + @@ -9169,7 +9174,7 @@ index 7590165..9a7ebe5 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if -index 3cfb128..de71ea8 100644 +index 3cfb128..cfeed29 100644 --- a/policy/modules/apps/telepathy.if +++ b/policy/modules/apps/telepathy.if @@ -11,7 +11,6 @@ @@ -9197,7 +9202,18 @@ index 3cfb128..de71ea8 100644 gen_require(` attribute telepathy_domain; type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; -@@ -179,3 +179,75 @@ interface(`telepathy_salut_stream_connect', ` +@@ -78,6 +78,10 @@ template(`telepathy_role', ` + dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) + ') + ++ optional_policy(` ++ telepathy_dbus_chat($2) ++ ') ++ + ######################################## + ## + ## Stream connect to Telepathy Gabble +@@ -179,3 +183,75 @@ interface(`telepathy_salut_stream_connect', ` stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) files_search_tmp($1) ') @@ -9274,7 +9290,7 @@ index 3cfb128..de71ea8 100644 + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..f41eb44 100644 +index 2533ea0..f605e0a 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t) 
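Review bot: The added `allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms };` in sandbox.te has no comment saying which sandboxed client needs a SELinux netlink socket, and it applies to every type carrying the sandbox_x_domain attribute. Because the sandbox is a confinement boundary, a why-comment such as `# needed by <component> for SELinux netlink notifications` (component to be filled in by the author) would let a later reviewer judge whether the rule can be narrowed. The braces around a single permission set are unnecessary. The context also shows `allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;` both just above and just below the new line, so one copy can be dropped. The rest of sandbox.te lies outside this hunk.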
@@ -9301,7 +9317,18 @@ index 2533ea0..f41eb44 100644 corenet_all_recvfrom_netlabel(telepathy_gabble_t) corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -@@ -168,6 +178,11 @@ tunable_policy(`use_samba_home_dirs',` +@@ -112,6 +122,10 @@ optional_policy(` + dbus_system_bus_client(telepathy_gabble_t) + ') + ++optional_policy(` ++ gnome_read_home_config(telepathy_gabble_t) ++') ++ + ####################################### + # + # Telepathy Idle local policy. +@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_logger_t) ') @@ -9313,7 +9340,7 @@ index 2533ea0..f41eb44 100644 ####################################### # # Telepathy Mission-Control local policy. -@@ -176,6 +191,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',` manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) @@ -9321,7 +9348,7 @@ index 2533ea0..f41eb44 100644 dev_read_rand(telepathy_mission_control_t) -@@ -194,6 +210,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -194,6 +214,12 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_mission_control_t) ') 
@@ -9334,7 +9361,7 @@ index 2533ea0..f41eb44 100644 ####################################### # # Telepathy Butterfly and Haze local policy. -@@ -205,8 +227,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +231,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -9346,7 +9373,7 @@ index 2533ea0..f41eb44 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -246,6 +271,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +275,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` @@ -9357,7 +9384,15 @@ index 2533ea0..f41eb44 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -376,5 +405,23 @@ optional_policy(` +@@ -365,6 +398,7 @@ dev_read_urand(telepathy_domain) + + kernel_read_system_state(telepathy_domain) + ++fs_getattr_all_fs(telepathy_domain) + fs_search_auto_mountpoints(telepathy_domain) + + auth_use_nsswitch(telepathy_domain) +@@ -376,5 +410,23 @@ optional_policy(` ') optional_policy(` @@ -9374,13 +9409,13 @@ index 2533ea0..f41eb44 100644 ') + +# Just for F15 -+#optional_policy(` -+# gen_require(` -+# role unconfined_r; -+# ') -+# -+# role unconfined_r types telepathy_domain; -+#') ++optional_policy(` ++ gen_require(` ++ role unconfined_r; ++ ') ++ ++ role unconfined_r types telepathy_domain; ++') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 11fe4f2..98bfbf3 100644 --- a/policy/modules/apps/tvtime.te @@ -18486,7 +18521,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) 
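Review bot: The block re-enabled at the end of telepathy.te still sits under the comment `# Just for F15`, although it is now active in policy-F16.patch, so the comment contradicts the code. The live rule `role unconfined_r types telepathy_domain;` lets every type in the telepathy_domain attribute run under unconfined_r, which is a role-level widening that deserves a stated reason. I would replace the comment with something like `# Re-enabled for F16: unconfined_r must be able to run telepathy_domain types (reference the bug/AVC here); remove once no longer needed`. The commit description does not mention this change.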
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..4b5f106 100644 +index e88b95f..0eb55db 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -18557,7 +18592,7 @@ index e88b95f..4b5f106 100644 ') ') -@@ -76,23 +87,98 @@ optional_policy(` +@@ -76,23 +87,102 @@ optional_policy(` ') optional_policy(` @@ -18575,10 +18610,9 @@ index e88b95f..4b5f106 100644 + +optional_policy(` + gnome_role(xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + gnomeclock_dontaudit_dbus_chat(xguest_t) +') + @@ -18596,11 +18630,16 @@ index e88b95f..4b5f106 100644 + +optional_policy(` + nsplugin_role(xguest_r, xguest_t) + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) ++ pcscd_read_pub_files(xguest_usertype) ++ pcscd_stream_connect(xguest_usertype) +') + +optional_policy(` -+ pcscd_read_pub_files(xguest_usertype) -+ pcscd_stream_connect(xguest_usertype) ++ rhsmcertd_dontaudit_dbus_chat(xguest_t) ') optional_policy(` @@ -18643,7 +18682,7 @@ index e88b95f..4b5f106 100644 + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) - ') ++ ') + + #optional_policy(` + # telepathy_dbus_session_role(xguest_r, xguest_t) @@ -18653,7 +18692,7 @@ index e88b95f..4b5f106 100644 +optional_policy(` + gen_require(` + type mozilla_t; -+ ') + ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; @@ -24050,14 +24089,17 @@ index 6077339..d10acd2 100644 dev_read_lvm_control(clogd_t) dev_manage_generic_blk_files(clogd_t) diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc -index 049e2b6..e500fa5 100644 +index 049e2b6..dcc7de8 100644 --- a/policy/modules/services/cmirrord.fc 
+++ b/policy/modules/services/cmirrord.fc -@@ -1,3 +1,4 @@ +@@ -1,5 +1,6 @@ + /etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) - /usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) +-/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) ++/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) + + /var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if index f8463c0..bed51fb 100644 --- a/policy/modules/services/cmirrord.if @@ -24536,12 +24578,15 @@ index 0258b48..8535cc6 100644 manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..101c266 100644 +index 74505cc..a58903f 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te -@@ -43,6 +43,7 @@ files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) +@@ -41,8 +41,9 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) + manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) + files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) - kernel_getattr_proc_files(colord_t) +-kernel_getattr_proc_files(colord_t) ++kernel_read_system_state(colord_t) kernel_read_device_sysctls(colord_t) +kernel_request_load_module(colord_t) @@ -24767,11 +24812,14 @@ index e67a003..192332a 100644 unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc -index 3a6d7eb..2098ee9 100644 +index 3a6d7eb..3f0e601 100644 --- a/policy/modules/services/corosync.fc 
+++ b/policy/modules/services/corosync.fc -@@ -3,6 +3,7 @@ +@@ -1,8 +1,10 @@ + /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) + /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) ++/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) @@ -35836,7 +35884,7 @@ index f17583b..6b17513 100644 + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..f11e4f2 100644 +index e9c0982..14af30a 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -18,6 +18,24 @@ interface(`mysql_domtrans',` @@ -35897,7 +35945,7 @@ index e9c0982..f11e4f2 100644 stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') -@@ -252,7 +289,7 @@ interface(`mysql_write_log',` +@@ -252,12 +289,12 @@ interface(`mysql_write_log',` ') logging_search_logs($1) 
@@ -35906,7 +35954,38 @@ index e9c0982..f11e4f2 100644 ') ###################################### -@@ -329,10 +366,9 @@ interface(`mysql_search_pid_files',` + ## +-## Execute MySQL server in the mysql domain. ++## Execute MySQL safe script in the mysql safe domain. + ## + ## + ## +@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',` + domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) + ') + ++###################################### ++## ++## Execute MySQL_safe in the coller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_safe_exec',` ++ gen_require(` ++ type mysqld_safe_exec_t; ++ ') ++ ++ can_exec($1, mysqld_safe_exec_t) ++') ++ + ##################################### + ## + ## Read MySQL PID files. +@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` @@ -35920,7 +35999,7 @@ index e9c0982..f11e4f2 100644 ') allow $1 mysqld_t:process { ptrace signal_perms }; -@@ -343,13 +379,19 @@ interface(`mysql_admin',` +@@ -343,13 +397,19 @@ interface(`mysql_admin',` role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; @@ -39207,7 +39286,7 @@ index 69c331e..0555635 100644 auth_rw_login_records(portslave_t) diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc -index a3e85c9..cb05623 100644 +index a3e85c9..6b97fa5 100644 --- a/policy/modules/services/postfix.fc +++ b/policy/modules/services/postfix.fc @@ -1,5 +1,6 @@ @@ -39218,7 +39297,7 @@ index a3e85c9..cb05623 100644 ifdef(`distro_redhat', ` /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -@@ -16,22 +17,24 @@ ifdef(`distro_redhat', ` +@@ -16,22 +17,23 @@ ifdef(`distro_redhat', ` /usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ', ` 
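Review bot: The summary of the new `mysql_safe_exec` interface reads "Execute MySQL_safe in the coller domain.", which is a typo for "caller"; I would write `## Execute the mysqld_safe script in the caller domain.`. Because the body uses `can_exec($1, mysqld_safe_exec_t)`, there is no transition to mysqld_safe_t and the script runs with whatever the calling domain is allowed to do. Saying so in the summary helps policy authors choose deliberately between this interface and `mysql_domtrans_mysql_safe`. The same hunk already corrects the neighbouring summary for `mysql_domtrans_mysql_safe`, so fixing both together keeps the file consistent.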
@@ -39252,11 +39331,10 @@ index a3e85c9..cb05623 100644 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) +/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -+') /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -42,9 +45,10 @@ ifdef(`distro_redhat', ` +@@ -42,9 +44,10 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) @@ -40352,7 +40430,7 @@ index b524673..9d90fb3 100644 admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..79b1678 100644 +index 2af42e7..53f977a 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) @@ -40390,7 +40468,7 @@ index 2af42e7..79b1678 100644 allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; allow pppd_t self:unix_dgram_socket create_socket_perms; -@@ -84,28 +84,28 @@ allow pppd_t self:packet_socket create_socket_perms; +@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms; domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) @@ -40409,6 +40487,7 @@ index 2af42e7..79b1678 100644 -allow pppd_t pppd_lock_t:file manage_file_perms; -files_lock_filetrans(pppd_t, pppd_lock_t, file) +manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t) ++files_search_locks(pppd_t) -allow pppd_t pppd_log_t:file manage_file_perms; +manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t) 
@@ -40425,7 +40504,7 @@ index 2af42e7..79b1678 100644 allow pppd_t pptp_t:process signal; -@@ -166,6 +166,8 @@ init_dontaudit_write_utmp(pppd_t) +@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t) init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) @@ -40434,7 +40513,7 @@ index 2af42e7..79b1678 100644 logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) -@@ -176,7 +178,7 @@ sysnet_exec_ifconfig(pppd_t) +@@ -176,7 +179,7 @@ sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) @@ -40443,7 +40522,7 @@ index 2af42e7..79b1678 100644 userdom_dontaudit_use_unpriv_user_fds(pppd_t) userdom_search_user_home_dirs(pppd_t) -@@ -194,6 +196,8 @@ optional_policy(` +@@ -194,6 +197,8 @@ optional_policy(` optional_policy(` mta_send_mail(pppd_t) @@ -40452,7 +40531,7 @@ index 2af42e7..79b1678 100644 ') optional_policy(` -@@ -243,9 +247,10 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -43028,10 +43107,10 @@ index 0000000..4e7605a +/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if new file mode 100644 -index 0000000..88f6a9e +index 0000000..bf11e25 --- /dev/null +++ b/policy/modules/services/rhev.if -@@ -0,0 +1,58 @@ +@@ -0,0 +1,76 @@ +## rhev polic module contains policies for rhev apps + +##################################### 
@@ -43090,6 +43169,24 @@ index 0000000..88f6a9e + files_search_pids($1) + stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t) +') ++ ++###################################### ++## ++## Send sigchld to rhev-agentd ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`rhev_sigchld_agentd',` ++ gen_require(` ++ type rhev_agentd_t; ++ ') ++ ++ allow $1 rhev_agentd_t:process sigchld; ++') diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te new file mode 100644 index 0000000..bc97a21 
@@ -43204,6 +43301,400 @@ index 0f262a7..4d10897 100644 term_create_pty(rhgb_t, rhgb_devpts_t) manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) +diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc +new file mode 100644 +index 0000000..5094d93 +--- /dev/null ++++ b/policy/modules/services/rhsmcertd.fc +@@ -0,0 +1,12 @@ ++ ++/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0) ++ ++/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) ++ ++/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) ++ ++/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0) ++ ++/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) ++ ++/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) +diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if +new file mode 100644 +index 0000000..811c52e +--- /dev/null ++++ b/policy/modules/services/rhsmcertd.if +@@ -0,0 +1,305 @@ ++ ++## Subscription Management Certificate Daemon policy ++ ++######################################## ++## ++## Transition to rhsmcertd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhsmcertd_domtrans',` ++ gen_require(` ++ type rhsmcertd_t, rhsmcertd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t) ++') ++ ++ ++######################################## ++## ++## Execute rhsmcertd server in the rhsmcertd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_initrc_domtrans',` ++ gen_require(` ++ type rhsmcertd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t) ++') ++ ++ ++######################################## ++## ++## Read rhsmcertd's log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`rhsmcertd_read_log',` ++ gen_require(` ++ type rhsmcertd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) ++') ++ ++######################################## ++## ++## Append to rhsmcertd log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_append_log',` ++ gen_require(` ++ type rhsmcertd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) ++') ++ ++######################################## ++## ++## Manage rhsmcertd log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_manage_log',` ++ gen_require(` ++ type rhsmcertd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) ++ manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) ++ manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) ++') ++ ++######################################## ++## ++## Search rhsmcertd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_search_lib',` ++ gen_require(` ++ type rhsmcertd_var_lib_t; ++ ') ++ ++ allow $1 rhsmcertd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read rhsmcertd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_read_lib_files',` ++ gen_require(` ++ type rhsmcertd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rhsmcertd lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rhsmcertd_manage_lib_files',` ++ gen_require(` ++ type rhsmcertd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rhsmcertd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_manage_lib_dirs',` ++ gen_require(` ++ type rhsmcertd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Read rhsmcertd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_read_pid_files',` ++ gen_require(` ++ type rhsmcertd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 rhsmcertd_var_run_t:file read_file_perms; ++') ++ ++#################################### ++## ++## Connect to rhsmcertd over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_stream_connect',` ++ gen_require(` ++ type rhsmcertd_t, rhsmcertd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t) ++') ++ ++####################################### ++## ++## Send and receive messages from ++## rhsmcertd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhsmcertd_dbus_chat',` ++ gen_require(` ++ type rhsmcertd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 rhsmcertd_t:dbus send_msg; ++ allow rhsmcertd_t $1:dbus send_msg; ++') ++ ++###################################### ++## ++## Dontaudit Send and receive messages from ++## rhsmcertd over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rhsmcertd_dontaudit_dbus_chat',` ++ gen_require(` ++ type rhsmcertd_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 rhsmcertd_t:dbus send_msg; ++ dontaudit rhsmcertd_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rhsmcertd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`rhsmcertd_admin',` ++ gen_require(` ++ type rhsmcertd_t; ++ type rhsmcertd_initrc_exec_t; ++ type rhsmcertd_log_t; ++ type rhsmcertd_var_lib_t; ++ type rhsmcertd_var_run_t; ++ ') ++ ++ allow $1 rhsmcertd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rhsmcertd_t) ++ ++ rhsmcertd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rhsmcertd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, rhsmcertd_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, rhsmcertd_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, rhsmcertd_var_run_t) ++ ++') ++ +diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te +new file mode 100644 +index 0000000..19fe6b0 +--- /dev/null ++++ b/policy/modules/services/rhsmcertd.te +@@ -0,0 +1,59 @@ ++policy_module(rhsmcertd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rhsmcertd_t; ++type rhsmcertd_exec_t; ++init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t) ++ ++permissive rhsmcertd_t; ++ ++type rhsmcertd_initrc_exec_t; ++init_script_file(rhsmcertd_initrc_exec_t) ++ ++type rhsmcertd_log_t; ++logging_log_file(rhsmcertd_log_t) ++ ++type rhsmcertd_lock_t; ++files_lock_file(rhsmcertd_lock_t) ++ ++type rhsmcertd_var_lib_t; ++files_type(rhsmcertd_var_lib_t) ++ ++type rhsmcertd_var_run_t; ++files_pid_file(rhsmcertd_var_run_t) ++ ++######################################## ++# ++# rhsmcertd local policy ++# ++ 
++allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; ++allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) ++manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) ++ ++manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) ++files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) ++ ++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) ++manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) ++ ++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) ++manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) ++ ++kernel_read_system_state(rhsmcertd_t) ++ ++corecmd_exec_bin(rhsmcertd_t) ++ ++dev_read_urand(rhsmcertd_t) ++ ++files_read_etc_files(rhsmcertd_t) ++files_read_usr_files(rhsmcertd_t) ++ ++miscfiles_read_localization(rhsmcertd_t) ++miscfiles_read_certs(rhsmcertd_t) diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc index 5b08327..ed5dc05 100644 --- a/policy/modules/services/ricci.fc @@ -48137,6 +48628,18 @@ index c2cf97e..037a1e8 100644 allow uptimed_t uptimed_etc_t:file read_file_perms; files_search_etc(uptimed_t) +diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te +index 4440aa6..34ffbfd 100644 +--- a/policy/modules/services/usbmuxd.te ++++ b/policy/modules/services/usbmuxd.te +@@ -40,3 +40,7 @@ miscfiles_read_localization(usbmuxd_t) + auth_use_nsswitch(usbmuxd_t) + + logging_send_syslog_msg(usbmuxd_t) ++ ++optional_policy(` ++ virt_dontaudit_read_chr_dev(usbmuxd_t) ++') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index d4349e9..4d112ba 100644 --- a/policy/modules/services/uucp.te 
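Review bot: In the new rhsmcertd.te only the lock type gets a type transition (`files_lock_filetrans`); the log, var_lib and var_run types have manage rules but no transition. Unless the package pre-creates /var/log/rhsm, /var/lib/rhsm and /var/run/rhsm with the labels from rhsmcertd.fc (not visible here), anything the daemon creates itself will take the parent directory's generic label. I would add `logging_log_filetrans(rhsmcertd_t, rhsmcertd_log_t, { file dir })`, `files_var_lib_filetrans(rhsmcertd_t, rhsmcertd_var_lib_t, { file dir })` and `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })`. The domain is declared `permissive rhsmcertd_t;`, so it is not confined yet and mislabelling will show up only as logged AVCs; a comment on that line saying when the permissive statement is to be removed would help. Separately, `rhsmcertd_admin` in rhsmcertd.if requires and administers the log, lib and run types but omits rhsmcertd_lock_t, which the .te file declares.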
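Review bot: The `virt_dontaudit_read_chr_dev(usbmuxd_t)` call added at the end of usbmuxd.te carries no comment, so nothing records which read attempt it silences or why it is harmless. A dontaudit rule removes the AVC record that an analyst would otherwise use to notice usbmuxd touching character devices labelled for virtual machines, so the reason should be written next to it. Something like `# usbmuxd probes character devices; reads of virt image devices stay denied and are intentionally not logged` would do, with the wording confirmed by the author against the original denial.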
@@ -48497,7 +49000,7 @@ index 2124b6a..9682c44 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..7e8e54f 100644 +index 7c5d8d8..5c0a7a4 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -13,14 +13,15 @@ @@ -48765,7 +49268,7 @@ index 7c5d8d8..7e8e54f 100644 ') allow $1 virtd_t:process { ptrace signal_perms }; -@@ -515,4 +590,170 @@ interface(`virt_admin',` +@@ -515,4 +590,188 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -48935,6 +49438,24 @@ index 7c5d8d8..7e8e54f 100644 + + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++') ++ ++######################################## ++## ++## Dontaudit attempts to Read virt_image_type devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_dontaudit_read_chr_dev',` ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 3eca020..4dec4ad 100644 @@ -52264,7 +52785,7 @@ index 7f88f5f..bd6493d 100644 sysnet_dns_name_resolve(zabbix_t) diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc -index 3defaa1..7fc57b2 100644 +index 3defaa1..2ad2488 100644 --- a/policy/modules/services/zarafa.fc +++ b/policy/modules/services/zarafa.fc @@ -8,7 +8,8 @@ 
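Review bot: The new `virt_dontaudit_read_chr_dev` interface documents its parameter as "Domain allowed access.", but the body is a `dontaudit` rule and grants nothing. The description should read `## Domain to not audit.`, and the summary should read "Do not audit attempts to read virt_image_type character devices." (the current text has a stray capital in "Read"). The `rhsmcertd_dontaudit_dbus_chat` interface added in the rhsmcertd.if hunk has the same parameter wording and should be fixed the same way. Note also that the rule covers the whole `virt_image_type` attribute, so it suppresses read denials for every image type; a sentence in the interface description stating that scope would make this clear to callers.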
@@ -52272,8 +52793,8 @@ index 3defaa1..7fc57b2 100644 /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) -/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) /var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) /var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) @@ -56143,7 +56664,7 @@ index 831b909..57064ad 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..7354066 100644 +index b6ec597..eedd444 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -20,6 +20,7 @@ files_security_file(auditd_log_t) @@ -56247,7 +56768,7 @@ index b6ec597..7354066 100644 # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; ++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 syslog; # setpgid for metalog diff --git a/selinux-policy.spec b/selinux-policy.spec index 0675adf..3128019 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
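Review bot: The syslogd_t capability line in logging.te gains `ipc_lock` without any explanation, while the comments directly above it justify sys_admin and already question net_admin. That set is broad (dac_override, sys_admin, net_admin, sys_nice and others), so each addition should say which syslog implementation needs it. I would add a line such as `# ipc_lock: <syslog daemon> locks its buffers in memory` above the rule, with the daemon name filled in from the denial that prompted the change. The commit description lists four changes and this one is not among them.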
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jun 30 2011 Miroslav Grepl 3.10.0-2 +- Change usbmuxd_t to dontaudit attempts to read chr_file +- Add mysld_safe_exec_t for libra domains to be able to start private mysql domains +- Allow pppd to search /var/lock dir +- Add rhsmcertd policy + * Mon Jun 27 2011 Miroslav Grepl 3.10.0-1 - Update to upstream