From af3cfa7b5c2d707a498f4932020e47c0ce4d92f4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 29 2014 10:24:42 +0000 Subject: * Wed Oct 29 2014 Lukas Vrabec 3.13.1-89 - Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424) - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld - Allow rabbitmq to read nfs state data. BZ(1122412) - Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t. - Add rolekit policy - Allow rolekit domtrans to sssd_t. - Add kerberos_tmp_filetrans_kadmin() interface. - rolekit should be noaudit. - Add rolekit_manage_keys(). - Need to label rpmnew file correctly - Allow modemmanager to connectto itself --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 828da9c..612563b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..57afd42 100644 +index b191055..2f2f2b9 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -5555,11 +5555,13 @@ index b191055..57afd42 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0) + network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) - network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) +-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) ++network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0) +network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) +network_port(apc, tcp,3052,s0, udp,3052,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) @@ -8936,7 +8938,7 @@ index 6a1e4d1..1b9b0b5 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..16c88de 100644 +index cf04cb5..c2776d0 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -9085,7 +9087,7 @@ index cf04cb5..16c88de 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9380,6 +9382,10 @@ index cf04cb5..16c88de 100644 +') + +optional_policy(` ++ rolekit_dbus_chat(domain) ++') ++ ++optional_policy(` + ssh_rw_pipes(domain) +') + 
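Review bot: The amqp port definition on the new side now also maps tcp 15672 into amqp_port_t (`network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)`), but nothing in the commit message mentions it. Every domain that is already allowed to bind to or connect to the amqp port thereby gains that port as well; 15672 is presumably the RabbitMQ management HTTP port rather than AMQP itself, so either a dedicated port type or at least an explicit changelog entry would make the widening visible. A line such as `- Label tcp 15672 as amqp_port_t (RabbitMQ management)` in the changelog would do.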
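Review bot: `rolekit_dbus_chat(domain)` is applied to the `domain` attribute, so every domain on the system receives two-way dbus chat with rolekit_t rather than only the domains that need to drive it. The neighbouring `ssh_rw_pipes(domain)` is similarly broad, so this may be deliberate, but a one-line comment recording the reason — e.g. `# TODO(review): state why all domains need dbus chat with rolekit_t` until the justification is known — would help the next reader. The interface itself is defined in the rolekit.if added later in this commit, whose hunk runs past this view; its summary there reads "Send and receive messages from policykit over dbus", which looks like a copy-paste from another module.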
@@ -15685,7 +15691,7 @@ index 7be4ddf..71e675a 100644 +/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0) +/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..227ae89 100644 +index e100d88..85da370 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -15823,10 +15829,29 @@ index e100d88..227ae89 100644 ') ######################################## -@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',` +@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',` ######################################## ## ++## Do not audit attempts to write the ++## file in /proc. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_write_proc_files',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ dontaudit $1 proc_t:file write; ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on generic proc entries. +## @@ -15849,7 +15874,7 @@ index e100d88..227ae89 100644 ## Do not audit attempts by caller to ## read system state information in proc. ## -@@ -1208,6 +1296,24 @@ interface(`kernel_read_messages',` +@@ -1208,6 +1315,24 @@ interface(`kernel_read_messages',` ######################################## ## @@ -15874,7 +15899,7 @@ index e100d88..227ae89 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1458,6 +1564,25 @@ interface(`kernel_list_all_proc',` +@@ -1458,6 +1583,25 @@ interface(`kernel_list_all_proc',` ######################################## ## 
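Review bot: The summary of the new `kernel_dontaudit_write_proc_files()` reads `## Do not audit attempts to write the` / `## file in /proc.`, which is awkward and does not say which files are meant. Since the rule is `dontaudit $1 proc_t:file write;`, the wording used by the sibling interfaces would be `## Do not audit attempts to write generic proc files.`.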
@@ -15900,7 +15925,7 @@ index e100d88..227ae89 100644 ## Do not audit attempts to list all proc directories. ## ## -@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1621,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -15925,7 +15950,7 @@ index e100d88..227ae89 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1834,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -15934,7 +15959,7 @@ index e100d88..227ae89 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1855,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -15943,7 +15968,7 @@ index e100d88..227ae89 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1877,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -15951,7 +15976,7 @@ index e100d88..227ae89 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1750,16 +1892,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1750,16 +1911,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -15969,7 +15994,7 @@ index e100d88..227ae89 100644 ') ######################################## -@@ -1771,16 +1906,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1925,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## 
@@ -15987,7 +16012,7 @@ index e100d88..227ae89 100644 ') ######################################## -@@ -1792,16 +1920,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1939,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -16005,7 +16030,7 @@ index e100d88..227ae89 100644 ') ######################################## -@@ -1813,16 +1934,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +1953,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## @@ -16023,7 +16048,7 @@ index e100d88..227ae89 100644 ') ######################################## -@@ -2085,9 +2199,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,9 +2218,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -16053,7 +16078,7 @@ index e100d88..227ae89 100644 ######################################## ## ## Allow caller to read all sysctls. -@@ -2282,6 +2415,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2434,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -16079,7 +16104,7 @@ index e100d88..227ae89 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2458,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2477,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -16088,7 +16113,7 @@ index e100d88..227ae89 100644 ## ## # -@@ -2488,6 +2640,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2659,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -16113,7 +16138,7 @@ index e100d88..227ae89 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2695,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2714,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## 
@@ -16138,7 +16163,7 @@ index e100d88..227ae89 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2855,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2874,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -16163,13 +16188,23 @@ index e100d88..227ae89 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2900,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,18 +2919,37 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## +-## Do not audit attempts to receive TCP packets from an unlabeled +## Do not audit attempts to receive DCCP packets from an unlabeled -+## connection. -+## + ## connection. + ## +-## +-##

+-## Do not audit attempts to receive TCP packets from an unlabeled +-## connection. +-##

+-##

+-## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() +-## should be used instead of this one. +-##

+## +## +## Domain to not audit. @@ -16186,29 +16221,34 @@ index e100d88..227ae89 100644 + +######################################## +## - ## Do not audit attempts to receive TCP packets from an unlabeled - ## connection. - ## -@@ -2803,20 +3028,47 @@ interface(`kernel_raw_recvfrom_unlabeled',` ++## Do not audit attempts to receive TCP packets from an unlabeled ++## connection. ++## ++## ++##

++## Do not audit attempts to receive TCP packets from an unlabeled ++## connection. ++##

++##

++## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() ++## should be used instead of this one. ++##

+ ##
+ ## + ## +@@ -2803,6 +3047,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') -- - ######################################## - ## --## Do not audit attempts to receive Raw IP packets from an unlabeled --## connection. ++######################################## ++## +## Read/Write Raw IP packets from an unlabeled connection. - ## - ## - ##

--## Do not audit attempts to receive Raw IP packets from an unlabeled --## connection. ++##

++## ++##

+## Receive Raw IP packets from an unlabeled connection. - ##

- ##

--## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() --## should be used instead of this one. ++##

++##

+## The corenetwork interface corenet_raw_recv_unlabeled() should +## be used instead of this one. +##

@@ -16227,24 +16267,10 @@ index e100d88..227ae89 100644 + allow $1 unlabeled_t:rawip_socket rw_socket_perms; +') + -+ -+######################################## -+## -+## Do not audit attempts to receive Raw IP packets from an unlabeled -+## connection. -+## -+## -+##

-+## Do not audit attempts to receive Raw IP packets from an unlabeled -+## connection. -+##

-+##

-+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() -+## should be used instead of this one. - ##

- ##
- ## -@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` + + ######################################## + ## +@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -16269,7 +16295,7 @@ index e100d88..227ae89 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -28059,7 +28085,7 @@ index 3efd5b6..12dca57 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..dbf639e 100644 +index 09b791d..03657db 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -28337,12 +28363,12 @@ index 09b791d..dbf639e 100644 +systemd_hostnamed_read_config(nsswitch_domain) + + - tunable_policy(`authlogin_nsswitch_use_ldap',` -- files_list_var_lib(nsswitch_domain) ++tunable_policy(`authlogin_nsswitch_use_ldap',` + allow nsswitch_domain self:tcp_socket create_socket_perms; +') + -+tunable_policy(`authlogin_nsswitch_use_ldap',` + tunable_policy(`authlogin_nsswitch_use_ldap',` +- files_list_var_lib(nsswitch_domain) + corenet_tcp_sendrecv_generic_if(nsswitch_domain) + corenet_tcp_sendrecv_generic_node(nsswitch_domain) + corenet_tcp_sendrecv_ldap_port(nsswitch_domain) @@ -28383,7 +28409,7 @@ index 09b791d..dbf639e 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,151 @@ optional_policy(` +@@ -456,10 +520,155 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -28395,6 +28421,10 @@ index 09b791d..dbf639e 100644 +userdom_manage_all_users_keys(nsswitch_domain) +optional_policy(` + sssd_manage_keys(nsswitch_domain) ++') ++ ++optional_policy(` ++ rolekit_manage_keys(nsswitch_domain) ') optional_policy(` 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 4917f25..9696771 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9232,7 +9232,7 @@ index 531a8f2..67b6c3d 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..88edc92 100644 +index 1241123..a3d3001 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9308,15 +9308,17 @@ index 1241123..88edc92 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,6 +198,7 @@ optional_policy(` +@@ -187,7 +198,9 @@ optional_policy(` ') optional_policy(` + kerberos_filetrans_named_content(named_t) kerberos_read_keytab(named_t) ++ kerberos_read_host_rcache(named_t) kerberos_use(named_t) ') -@@ -215,7 +227,8 @@ optional_policy(` + +@@ -215,7 +228,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9326,7 +9328,7 @@ index 1241123..88edc92 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +242,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +243,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9338,7 +9340,7 @@ index 1241123..88edc92 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +254,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +255,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9348,7 +9350,7 @@ index 1241123..88edc92 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +272,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +273,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -10803,10 +10805,10 @@ index 0000000..de66654 +') 
diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..1076e6a +index 0000000..cccf2f7 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,61 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10842,6 +10844,7 @@ index 0000000..1076e6a + +kernel_read_system_state(bumblebee_t) +kernel_dontaudit_access_check_proc(bumblebee_t) ++kernel_dontaudit_write_proc_files(bumblebee_t) +kernel_manage_debugfs(bumblebee_t) + +corecmd_exec_shell(bumblebee_t) @@ -12300,10 +12303,12 @@ index 0000000..f50b201 + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) +') diff --git a/chronyd.fc b/chronyd.fc -index 4e4143e..a665b32 100644 +index 4e4143e..d5e0260 100644 --- a/chronyd.fc +++ b/chronyd.fc -@@ -2,6 +2,8 @@ +@@ -1,7 +1,9 @@ +-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) ++/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0) /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) @@ -23050,7 +23055,7 @@ index c697edb..31d45bf 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..5b576ff 100644 +index 98a24b9..401ddbc 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -23063,6 +23068,15 @@ index 98a24b9..5b576ff 100644 type dhcpd_state_t; files_type(dhcpd_state_t) +@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t) + # Local policy + # + +-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; ++allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid setpcap sys_resource }; + dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; + allow dhcpd_t self:process { getcap setcap signal_perms }; + allow dhcpd_t self:fifo_file rw_fifo_file_perms; 
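Review bot: The loosened pattern `/etc/chrony\.keys.*` in chronyd.fc matches any regular file whose path begins with /etc/chrony.keys, not only the .rpmnew copy the changelog is after; a sibling such as /etc/chrony.keys-backup would also become chronyd_keys_t. If only the package-manager copies are intended, a narrower expression such as `/etc/chrony\.keys(\.rpmnew|\.rpmsave)? -- gen_context(system_u:object_r:chronyd_keys_t,s0)` keeps the label tight; if the broad match is intentional, a short comment above the entry saying so would help.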
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t) kernel_read_kernel_sysctls(dhcpd_t) kernel_read_network_state(dhcpd_t) @@ -28460,7 +28474,7 @@ index 0000000..dc94853 + diff --git a/freeipmi.te b/freeipmi.te new file mode 100644 -index 0000000..65fb9b8 +index 0000000..0ca4fc3 --- /dev/null +++ b/freeipmi.te @@ -0,0 +1,79 @@ @@ -28514,7 +28528,7 @@ index 0000000..65fb9b8 +# bmc-watchdog local policy +# + -+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem { unix_read unix_write }; ++allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms; + +files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid") + @@ -38620,7 +38634,7 @@ index 4fe75fd..b05128a 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f6c00d8..59923df 100644 +index f6c00d8..7b777ab 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ 
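Review bot: dhcpd_t gains the `setpcap` capability (`allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid setpcap sys_resource };`) with no changelog entry or comment explaining it. The `self:process { getcap setcap signal_perms }` rule on the following line suggests the daemon manipulates its own capability set, presumably to drop privileges after startup, but that is an inference from this hunk alone. A comment such as `# setpcap: dhcpd adjusts its own capability set — TODO confirm against the AVC that motivated this` would record the reason. The surrounding block of dhcpd_t rules continues outside the hunk.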
@@ -38801,119 +38815,62 @@ index f6c00d8..59923df 100644 ## ## ## -@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',` +@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',` ######################################## ## -## Create, read, write, and delete -## kerberos home files. --## --## --## --## Domain allowed access. --## --## --# --interface(`kerberos_manage_krb5_home_files',` -- gen_require(` -- type krb5_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 krb5_home_t:file manage_file_perms; --') -- --######################################## --## --## Relabel kerberos home files. --## --## --## --## Domain allowed access. --## --## --# --interface(`kerberos_relabel_krb5_home_files',` -- gen_require(` -- type krb5_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 krb5_home_t:file relabel_file_perms; --') -- --######################################## --## --## Create objects in user home --## directories with the krb5 home type. --## --## --## --## Domain allowed access. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## --# --interface(`kerberos_home_filetrans_krb5_home',` -- gen_require(` -- type krb5_home_t; -- ') -- -- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) --') -- --######################################## --## --## Read kerberos key table files. +## Read the kerberos key table. ## ## ## -@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',` + ## Domain allowed access. + ## + ## ++## + # +-interface(`kerberos_manage_krb5_home_files',` ++interface(`kerberos_read_keytab',` + gen_require(` +- type krb5_home_t; ++ type krb5_keytab_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 krb5_home_t:file manage_file_perms; ++ files_search_etc($1) ++ allow $1 krb5_keytab_t:file read_file_perms; + ') ######################################## ## --## Read and write kerberos key table files. +-## Relabel kerberos home files. 
+## Read/Write the kerberos key table. ## ## ## -@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',` +@@ -210,47 +206,63 @@ interface(`kerberos_manage_krb5_home_files',` + ## + ## + # +-interface(`kerberos_relabel_krb5_home_files',` ++interface(`kerberos_rw_keytab',` + gen_require(` +- type krb5_home_t; ++ type krb5_keytab_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 krb5_home_t:file relabel_file_perms; ++ files_search_etc($1) ++ allow $1 krb5_keytab_t:file rw_file_perms; + ') ######################################## ## --## Create, read, write, and delete --## kerberos key table files. --## --## --## --## Domain allowed access. --## --## --# --interface(`kerberos_manage_keytab_files',` -- gen_require(` -- type krb5_keytab_t; -- ') -- -- files_search_etc($1) -- allow $1 krb5_keytab_t:file manage_file_perms; --') -- --######################################## --## --## Create specified objects in generic --## etc directories with the kerberos --## keytab file type. +-## Create objects in user home +-## directories with the krb5 home type. +## Create keytab file in /etc ## ## 
@@ -38929,97 +38886,167 @@ index f6c00d8..59923df 100644 ## ## ## The name of the object being created. -@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',` - type krb5_keytab_t; + ## + ## + # +-interface(`kerberos_home_filetrans_krb5_home',` ++interface(`kerberos_etc_filetrans_keytab',` + gen_require(` +- type krb5_home_t; ++ type krb5_keytab_t; ') -- files_etc_filetrans($1, krb5_keytab_t, $2, $3) +- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) + allow $1 krb5_keytab_t:file manage_file_perms; + files_etc_filetrans($1, krb5_keytab_t, file, $2) ++') ++ ++######################################## ++## ++## Create a derived type for kerberos keytab ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`kerberos_keytab_template',` ++ refpolicywarn(`$0($*) has been deprecated.') ++ kerberos_read_keytab($2) ++ kerberos_use($2) ') ######################################## ## --## Create a derived type for kerberos --## keytab files. -+## Create a derived type for kerberos keytab +-## Read kerberos key table files. ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## - ## + ## ## -@@ -361,7 +262,7 @@ template(`kerberos_keytab_template',` +@@ -259,18 +271,18 @@ interface(`kerberos_home_filetrans_krb5_home',` + ## + ## + # +-interface(`kerberos_read_keytab',` ++interface(`kerberos_read_kdc_config',` + gen_require(` +- type krb5_keytab_t; ++ type krb5kdc_conf_t; + ') + + files_search_etc($1) +- allow $1 krb5_keytab_t:file read_file_perms; ++ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) + ') ######################################## ## --## Read kerberos kdc configuration files. +-## Read and write kerberos key table files. +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). 
## ## ## -@@ -381,8 +282,7 @@ interface(`kerberos_read_kdc_config',` +@@ -278,254 +290,255 @@ interface(`kerberos_read_keytab',` + ## + ## + # +-interface(`kerberos_rw_keytab',` ++interface(`kerberos_read_host_rcache',` + gen_require(` +- type krb5_keytab_t; ++ type krb5_host_rcache_t; + ') +- +- files_search_etc($1) +- allow $1 krb5_keytab_t:file rw_file_perms; ++ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) + ') ######################################## ## -## Create, read, write, and delete --## kerberos host rcache files. +-## kerberos key table files. +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## -@@ -396,34 +296,99 @@ interface(`kerberos_manage_host_rcache',` - type krb5_host_rcache_t; + ## Domain allowed access. + ## + ## ++## + # +-interface(`kerberos_manage_keytab_files',` ++interface(`kerberos_manage_host_rcache',` + gen_require(` +- type krb5_keytab_t; ++ type krb5_host_rcache_t; ') +- files_search_etc($1) +- allow $1 krb5_keytab_t:file manage_file_perms; + # creates files as system_u no matter what the selinux user + # cjp: should be in the below tunable but typeattribute + # does not work in conditionals - domain_obj_id_change_exemption($1) - -- tunable_policy(`allow_kerberos',` ++ domain_obj_id_change_exemption($1) ++ + tunable_policy(`kerberos_enabled',` - allow $1 self:process setfscreate; - - selinux_validate_context($1) - - seutil_read_file_contexts($1) - ++ allow $1 self:process setfscreate; ++ ++ selinux_validate_context($1) ++ ++ seutil_read_file_contexts($1) ++ + files_rw_generic_tmp_dir($1) + manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) - files_search_tmp($1) -- allow $1 krb5_host_rcache_t:file manage_file_perms; - ') ++ files_search_tmp($1) ++ ') ') ######################################## ## --## Create objects in generic temporary --## directories with the kerberos host --## rcache type. 
+-## Create specified objects in generic +-## etc directories with the kerberos +-## keytab file type. +## All of the rules required to administrate +## an kerberos environment ## ## ## --## Domain allowed to transition. -+## Domain allowed access. + ## Domain allowed access. ## ## -## +-## +-## Class of the object being created. +-## +-## +-## +## -+## + ## +-## The name of the object being created. +## The role to be allowed to manage the kerberos domain. -+## -+## + ## + ## +## -+# + # +-interface(`kerberos_etc_filetrans_keytab',` +interface(`kerberos_admin',` -+ gen_require(` + gen_require(` +- type krb5_keytab_t; + type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; + type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; + type krb5kdc_var_run_t, krb5_host_rcache_t; -+ ') -+ + ') + +- files_etc_filetrans($1, krb5_keytab_t, $2, $3) + allow $1 kadmind_t:process signal_perms; + ps_process_pattern($1, kadmind_t) + tunable_policy(`deny_ptrace',`',` 
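Review bot: The new `kerberos_read_host_rcache()` and the rewritten `kerberos_manage_host_rcache()` both carry the summary `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, copied from kerberos_read_kdc_config; they should read `## Read kerberos host rcache files.` and `## Create, read, write, and delete kerberos host rcache files.` respectively. Separately, kerberos_read_host_rcache only grants `read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)`; the rcache files live under /var/tmp (see the /var/tmp/ldap_* fc entries in this commit and the /var/tmp/DNS_25 case in the changelog), so a caller without search access on the tmp directory can still be denied. The manage variant calls files_search_tmp($1) inside its tunable block; adding `files_search_tmp($1)` to the read interface would keep the two consistent.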
@@ -39059,37 +39086,156 @@ index f6c00d8..59923df 100644 + admin_pattern($1, krb5kdc_tmp_t) + + admin_pattern($1, krb5kdc_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create a derived type for kerberos +-## keytab files. +## Type transition files created in /tmp +## to the krb5_host_rcache type. -+## + ## +-## +## ## +-## The prefix to be used for deriving type names. ++## Domain allowed access. + ## + ## +-## ++## + ## +-## Domain allowed access. ++## The name of the object being created. + ## + ## + # +-template(`kerberos_keytab_template',` +- refpolicywarn(`$0($*) has been deprecated.') +- kerberos_read_keytab($2) +- kerberos_use($2) ++interface(`kerberos_tmp_filetrans_host_rcache',` ++ gen_require(` ++ type krb5_host_rcache_t; ++ ') ++ ++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) ++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) + ') + + ######################################## + ## +-## Read kerberos kdc configuration files. ++## Type transition files created in /tmp ++## to the kadmind_tmp type. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`kerberos_read_kdc_config',` ++interface(`kerberos_tmp_filetrans_kadmin',` + gen_require(` +- type krb5kdc_conf_t; ++ type kadmind_tmp_t; + ') + +- files_search_etc($1) +- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ++ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t) ++ files_tmp_filetrans($1, kadmind_tmp_t, file, $2) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## kerberos host rcache files. ++## read kerberos homedir content (.k5login) + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`kerberos_manage_host_rcache',` ++interface(`kerberos_read_home_content',` + gen_require(` +- type krb5_host_rcache_t; ++ type krb5_home_t; + ') + +- domain_obj_id_change_exemption($1) +- +- tunable_policy(`allow_kerberos',` +- allow $1 self:process setfscreate; +- +- selinux_validate_context($1) +- +- seutil_read_file_contexts($1) +- +- files_search_tmp($1) +- allow $1 krb5_host_rcache_t:file manage_file_perms; +- ') ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, krb5_home_t, krb5_home_t) + ') + + ######################################## + ## +-## Create objects in generic temporary +-## directories with the kerberos host +-## rcache type. ++## create kerberos content in the in the /root directory ++## with an correct label. + ## + ## + ## +-## Domain allowed to transition. +-## +-## +-## +-## -## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +## Domain allowed access. ## ## - ## -@@ -437,12 +402,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` - type krb5_host_rcache_t; + # +-interface(`kerberos_tmp_filetrans_host_rcache',` ++interface(`kerberos_filetrans_admin_home_content',` + gen_require(` +- type krb5_host_rcache_t; ++ type krb5_home_t; ') - files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) -+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) -+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) ++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users") ') ######################################## ## -## Connect to krb524 service. -+## read kerberos homedir content (.k5login) ++## Transition to kerberos named content ## ## ## -@@ -450,82 +416,87 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +-## Domain allowed access. ++## Domain allowed access. ## ## # 
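Review bot: The description of `kerberos_filetrans_admin_home_content()` reads `## create kerberos content in the in the /root directory` / `## with an correct label.` — a duplicated phrase and a wrong article; suggest `## Create kerberos content (.k5login, .k5users) in the /root directory with the correct label.`. The neighbouring `kerberos_read_home_content()` summary `## read kerberos homedir content (.k5login)` also omits .k5users, which the filetrans interfaces in this hunk label as krb5_home_t; capitalising it and listing both names would keep the descriptions consistent with the rules.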
@@ -39104,44 +39250,28 @@ index f6c00d8..59923df 100644 - - corenet_sendrecv_kerberos_master_client_packets($1) - corenet_udp_sendrecv_kerberos_master_port($1) -+interface(`kerberos_read_home_content',` ++interface(`kerberos_filetrans_home_content',` + gen_require(` + type krb5_home_t; ') + -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, krb5_home_t, krb5_home_t) ++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users") ') ######################################## ## -## All of the rules required to -## administrate an kerberos environment. -+## create kerberos content in the in the /root directory -+## with an correct label. ++## Transition to kerberos named content ## ## ## - ## Domain allowed access. - ## - ## +-## Domain allowed access. +-## +-## -## -+# -+interface(`kerberos_filetrans_admin_home_content',` -+ gen_require(` -+ type krb5_home_t; -+ ') -+ -+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") -+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users") -+') -+ -+######################################## -+## -+## Transition to kerberos named content -+## -+## - ## +-## -## Role allowed access. +## Domain allowed access. ## @@ -39149,14 +39279,14 @@ index f6c00d8..59923df 100644 -## # -interface(`kerberos_admin',` -+interface(`kerberos_filetrans_home_content',` ++interface(`kerberos_filetrans_named_content',` gen_require(` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; -- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; - type krb5kdc_var_run_t, krb5_host_rcache_t; -+ type krb5_home_t; ++ type krb5kdc_principal_t; ') - allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms }; 
@@ -39184,28 +39314,10 @@ index f6c00d8..59923df 100644 - - files_list_pids($1) - admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t }) -+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") -+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users") -+') - +- - files_list_etc($1) - admin_pattern($1, krb5_conf_t) -+######################################## -+## -+## Transition to kerberos named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kerberos_filetrans_named_content',` -+ gen_require(` -+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; -+ type krb5kdc_principal_t; -+ ') - +- files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") - - admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) @@ -39946,7 +40058,7 @@ index e88fb16..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 9929647..4a4ccf1 100644 +index 9929647..3144a89 100644 --- a/keystone.te +++ b/keystone.te @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t) @@ -40034,8 +40146,8 @@ index 9929647..4a4ccf1 100644 + + read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t) + -+ corenet_tcp_bind_commplex_main_port(keystone_t) -+ corenet_tcp_sendrecv_commplex_main_port(keystone_t) ++ corenet_tcp_bind_commplex_main_port(keystone_cgi_script_t) ++ corenet_tcp_sendrecv_commplex_main_port(keystone_cgi_script_t) ') diff --git a/kismet.if b/kismet.if index aa2a337..7ff229f 100644 @@ -46092,7 +46204,7 @@ index b1ac8b5..9b22bea 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..6af07aa 100644 +index d15eb5b..25f2cfe 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) 
@@ -46105,7 +46217,13 @@ index d15eb5b..6af07aa 100644 ######################################## # # Local policy -@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; + allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; + allow modemmanager_t self:process { getsched signal }; + allow modemmanager_t self:fifo_file rw_fifo_file_perms; +-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; ++allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms}; + allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; kernel_read_system_state(modemmanager_t) @@ -77132,7 +77250,7 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..42203ed 100644 +index dc3b0ed..0675a9c 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2) @@ -77166,7 +77284,7 @@ index dc3b0ed..42203ed 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -27,98 +31,82 @@ files_pid_file(rabbitmq_var_run_t) +@@ -27,98 +31,86 @@ files_pid_file(rabbitmq_var_run_t) ###################################### # @@ -77339,6 +77457,10 @@ index dc3b0ed..42203ed 100644 +optional_policy(` + dbus_system_bus_client(rabbitmq_t) +') ++ ++optional_policy(` ++ rpc_read_nfs_state_data(rabbitmq_t) ++') -miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/radius.fc b/radius.fc 
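Review bot: The new permission set `{connectto create_stream_socket_perms}` lacks the spaces inside the braces that the neighbouring rules in this file use (`{ net_admin sys_admin sys_tty_config }`, `{ getsched signal }`); it should be `allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };`. Since `connectto` on `self` only allows the daemon to connect to its own stream sockets the change is narrow, but a one-line comment above it naming the socket ModemManager connects to would help the next reader.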
@@ -83300,6 +83422,194 @@ index a7b7717..861aa31 100644 logging_send_syslog_msg(rngd_t) -miscfiles_read_localization(rngd_t) +diff --git a/rolekit.fc b/rolekit.fc +new file mode 100644 +index 0000000..504b6e1 +--- /dev/null ++++ b/rolekit.fc +@@ -0,0 +1,3 @@ ++/usr/lib/systemd/system/rolekit.* -- gen_context(system_u:object_r:rolekit_unit_file_t,s0) ++ ++/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) +diff --git a/rolekit.if b/rolekit.if +new file mode 100644 +index 0000000..8d833ed +--- /dev/null ++++ b/rolekit.if +@@ -0,0 +1,124 @@ ++## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. ++ ++######################################## ++## ++## Execute rolekit in the rolekit domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rolekit_domtrans',` ++ gen_require(` ++ type rolekit_t, rolekit_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rolekit_exec_t, rolekit_t) ++') ++ ++######################################## ++## ++## Execute rolekit server in the rolekit domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rolekit_systemctl',` ++ gen_require(` ++ type rolekit_t; ++ type rolekit_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rolekit_unit_file_t:file read_file_perms; ++ allow $1 rolekit_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rolekit_t) ++') ++####################################### ++## ++## Manage rolekit kernel keyrings. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rolekit_manage_keys',` ++ gen_require(` ++ type rolekit_t; ++ ') ++ ++ allow $1 rolekit_t:key manage_key_perms; ++ allow rolekit_t $1:key manage_key_perms; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## policykit over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rolekit_dbus_chat',` ++ gen_require(` ++ type rolekit_t; ++ class dbus send_msg; ++ ') ++ ++ ps_process_pattern(rolekit_t, $1) ++ ++ allow $1 rolekit_t:dbus send_msg; ++ allow rolekit_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rolekit environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`rolekit_admin',` ++ gen_require(` ++ type rolekit_t; ++ type rolekit_unit_file_t; ++ ') ++ ++ allow $1 rolekit_t:process { signal_perms }; ++ ps_process_pattern($1, rolekit_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rolekit_t:process ptrace; ++ ') ++ ++ rolekit_systemctl($1) ++ admin_pattern($1, rolekit_unit_file_t) ++ allow $1 rolekit_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/rolekit.te b/rolekit.te +new file mode 100644 +index 0000000..da7bd10 +--- /dev/null ++++ b/rolekit.te +@@ -0,0 +1,43 @@ ++policy_module(rolekit, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rolekit_t; ++type rolekit_exec_t; ++init_daemon_domain(rolekit_t, rolekit_exec_t) ++ ++type rolekit_tmp_t; ++files_tmp_file(rolekit_tmp_t) ++ ++type rolekit_unit_file_t; ++systemd_unit_file(rolekit_unit_file_t) ++ ++######################################## ++# ++# rolekit local policy ++# ++ ++allow rolekit_t self:fifo_file rw_fifo_file_perms; ++allow rolekit_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t) ++manage_dirs_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t) ++files_tmp_filetrans(rolekit_t, rolekit_tmp_t, { file dir }) ++ ++kernel_read_system_state(rolekit_t) ++ ++auth_use_nsswitch(rolekit_t) ++ ++optional_policy(` ++ sssd_domtrans(rolekit_t) ++') ++ ++optional_policy(` ++ 
unconfined_domain_noaudit(rolekit_t) ++ #should be changed for debugging ++ #unconfined_domain(rolekit_t) ++ domain_named_filetrans(rolekit_t) ++') diff --git a/roundup.if b/roundup.if index 975bb6a..ce4f5ea 100644 --- a/roundup.if diff --git a/selinux-policy.spec b/selinux-policy.spec index c4549f8..1e58600 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 88%{?dist} +Release: 89%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Oct 29 2014 Lukas Vrabec 3.13.1-89 +- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424) +- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld +- Allow rabbitmq to read nfs state data. BZ(1122412) +- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t. +- Add rolekit policy +- ALlow rolekit domtrans to sssd_t. +- Add kerberos_tmp_filetrans_kadmin() interface. +- rolekit should be noaudit. +- Add rolekit_manage_keys(). +- Need to label rpmnew file correctly +- Allow modemmanger to connectto itself + * Tue Oct 21 2014 Lukas Vrabec 3.13.1-88 - Allow couchdb read sysctl_fs_t files. BZ(1154327) - Allow osad to connect to jabber client port. BZ (1154242)
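Review bot: `unconfined_domain_noaudit(rolekit_t)` in rolekit.te makes the domain effectively unconfined, so the tmp-file, nsswitch and `sssd_domtrans` rules above it add no enforcement, and the comment `#should be changed for debugging` does not say what the intended confined end state is; it should read `# TODO: rolekit_t is unconfined (noaudit) for now; the rules above are the start of a confined policy - drop this block once roled's access is characterized.` The `rolekit_dbus_chat` summary in rolekit.if says "messages from policykit over dbus" (copied from another module) and `rolekit_domtrans` has "domin"; both should name rolekit. `rolekit_manage_keys` also grants the reverse direction `allow rolekit_t $1:key manage_key_perms;`, which lets the daemon manage the caller's keyrings, and the interface summary should state that.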