From b559c4ec49f2c63aec6fefd9c34fb37b8b2d1bb8 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 05 2011 10:08:57 +0000 Subject: - Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 5f04812..5fd759d 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2321,3 +2321,10 @@ pingd = module # milter = module +# Layer: services +# Module: keyboardd +# +# system-setup-keyboard is a keyboard layout daemon that monitors +# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet +# +keyboardd = module diff --git a/policy-F15.patch b/policy-F15.patch index a692a3a..af42ac2 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1537,6 +1537,17 @@ index 47a8f7d..31f474e 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) +diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc +index 029cb7e..48d1363 100644 +--- a/policy/modules/admin/shorewall.fc ++++ b/policy/modules/admin/shorewall.fc +@@ -11,4 +11,6 @@ + /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + ++/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) ++ + /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) 
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if index 0948921..f198119 100644 --- a/policy/modules/admin/shorewall.if @@ -3442,10 +3453,10 @@ index e9853d4..717d163 100644 /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if -index 40e0a2a..13d939a 100644 +index 40e0a2a..f4a103c 100644 --- a/policy/modules/apps/gpg.if +++ b/policy/modules/apps/gpg.if -@@ -54,6 +54,8 @@ interface(`gpg_role',` +@@ -54,10 +54,13 @@ interface(`gpg_role',` manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) @@ -3454,7 +3465,12 @@ index 40e0a2a..13d939a 100644 optional_policy(` gpg_pinentry_dbus_chat($2) ') -@@ -85,6 +87,43 @@ interface(`gpg_domtrans',` + ++ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; + ifdef(`hide_broken_symptoms',` + #Leaked File Descriptors + dontaudit gpg_t $2:socket_class_set { getattr read write }; +@@ -85,6 +88,43 @@ interface(`gpg_domtrans',` domtrans_pattern($1, gpg_exec_t, gpg_t) ') @@ -3886,7 +3902,7 @@ index e6d84e8..b027189 100644 ######################################## diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te -index 167950d..97853ff 100644 +index 167950d..ef63b20 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -82,12 +82,12 @@ dev_read_urand(java_t) @@ -3903,7 +3919,7 @@ index 167950d..97853ff 100644 fs_getattr_xattr_fs(java_t) fs_dontaudit_rw_tmpfs_files(java_t) -@@ -143,12 +143,15 @@ optional_policy(` +@@ -143,14 +143,21 @@ optional_policy(` # execheap is needed for itanium/BEA jrocket allow unconfined_java_t self:process { execstack execmem execheap }; 
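Review bot: The new `allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };` in gpg_role grants only the connectto half of a stream connect; the user domain also needs search/write on the agent's socket file for connect() to succeed, so the denial the changelog aims at may just move from the socket to the sock_file. If the agent socket type is declared in gpg.te (refpolicy names it gpg_agent_tmp_t, confirm in this tree), the idiomatic and self-documenting form is `stream_connect_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)`. Since this socket fronts the user's private-key operations, keep the grant on the role's own user domain ($2) as written rather than widening it to all user domains, and check that gpg_agent_t appears in gpg_role's gen_require, which is outside the hunk.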
@@ -3919,6 +3935,12 @@ index 167950d..97853ff 100644 optional_policy(` rpm_domtrans(unconfined_java_t) + ') ++ ++ optional_policy(` ++ wine_domtrans(unconfined_java_t) ++ ') + ') diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te index f63c4c2..3812a46 100644 --- a/policy/modules/apps/kdumpgui.te @@ -4298,7 +4320,7 @@ index 9a6d67d..5ac3ea5 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..451a1c0 100644 +index 2a91fa8..593cefa 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -4380,7 +4402,7 @@ index 2a91fa8..451a1c0 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,149 @@ optional_policy(` +@@ -266,3 +291,151 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4426,6 +4448,7 @@ index 2a91fa8..451a1c0 100644 +corecmd_exec_bin(mozilla_plugin_t) +corecmd_exec_shell(mozilla_plugin_t) + ++corenet_tcp_connect_generic_port(mozilla_plugin_t) +corenet_tcp_connect_flash_port(mozilla_plugin_t) +corenet_tcp_connect_streaming_port(mozilla_plugin_t) +corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) @@ -4471,6 +4494,7 @@ index 2a91fa8..451a1c0 100644 +userdom_delete_user_tmpfs_files(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_use_user_ptys(mozilla_plugin_t) ++userdom_dontaudit_use_user_terminals(mozilla_plugin_t) +userdom_manage_user_tmp_sockets(mozilla_plugin_t) + +userdom_list_user_tmp(mozilla_plugin_t) @@ -5993,11 +6017,14 @@ index c605046..15c17a0 100644 +miscfiles_read_localization(rssh_chroot_helper_t) + diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te -index 9ec1478..26bb71c 100644 +index 9ec1478..ceec04a 100644 --- a/policy/modules/apps/sambagui.te 
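Review bot: `corenet_tcp_connect_generic_port(mozilla_plugin_t)` lets the plugin sandbox connect to every unlabeled (port_t) TCP port, which is far broader than the flash/streaming/pulseaudio ports the neighbouring lines enumerate and largely undoes the egress containment this domain exists to give untrusted browser plugins. If a particular plugin needs arbitrary ports, put the rule under a boolean that defaults to off and label the ports it actually uses instead. The `userdom_dontaudit_use_user_terminals(mozilla_plugin_t)` line silences a leaked terminal fd rather than fixing it; a comment such as `# inherited tty fd leaked by the plugin launcher; dontaudit until it closes it` would stop the next reader from treating the dontaudit as intended access.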
+++ b/policy/modules/apps/sambagui.te -@@ -29,7 +29,7 @@ dev_dontaudit_read_urand(sambagui_t) +@@ -27,9 +27,10 @@ corecmd_exec_bin(sambagui_t) + dev_dontaudit_read_urand(sambagui_t) + ++files_read_usr_files(sambagui_t) files_read_etc_files(sambagui_t) files_search_var_lib(sambagui_t) -files_search_usr(sambagui_t) @@ -6005,7 +6032,7 @@ index 9ec1478..26bb71c 100644 auth_use_nsswitch(sambagui_t) -@@ -39,6 +39,8 @@ miscfiles_read_localization(sambagui_t) +@@ -39,6 +40,8 @@ miscfiles_read_localization(sambagui_t) nscd_dontaudit_search_pid(sambagui_t) @@ -6014,7 +6041,7 @@ index 9ec1478..26bb71c 100644 # handling with samba conf files samba_append_log(sambagui_t) samba_manage_config(sambagui_t) -@@ -53,5 +55,9 @@ optional_policy(` +@@ -53,5 +56,9 @@ optional_policy(` ') optional_policy(` @@ -7701,6 +7728,18 @@ index c76ceb2..d7df452 100644 ') optional_policy(` +diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te +index f79314b..8325a8d 100644 +--- a/policy/modules/apps/webalizer.te ++++ b/policy/modules/apps/webalizer.te +@@ -103,3 +103,7 @@ optional_policy(` + optional_policy(` + nscd_socket_use(webalizer_t) + ') ++ ++optional_policy(` ++ squid_manage_logs(webalizer_t) ++') diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc index 9d24449..2666317 100644 --- a/policy/modules/apps/wine.fc @@ -8028,7 +8067,7 @@ index b06df19..c0763c2 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index edefaf3..7548158 100644 +index edefaf3..e9599e0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -15,6 +15,7 @@ attribute rpc_port_type; 
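Review bot: `squid_manage_logs(webalizer_t)` gives a log analyser create/write/unlink rights over all of squid_log_t, so a buggy or compromised webalizer could truncate or delete the proxy's access history, whereas parsing the logs only needs read. Prefer a read-only interface if this tree has one for squid logs, and leave manage to squid_t and logrotate. If webalizer genuinely writes output under the squid log directory, confine that to its own file type rather than the whole log type.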
@@ -8237,6 +8276,13 @@ index edefaf3..7548158 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) +@@ -274,5 +315,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn + allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; + + # Bind to any network address. +-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; ++allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; + allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 3b2da10..7c29e17 100644 --- a/policy/modules/kernel/devices.fc @@ -8881,7 +8927,7 @@ index bc534c1..778d512 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 3517db2..4dd4bef 100644 +index 3517db2..ebf38e4 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` 
@@ -8906,17 +8952,19 @@ index 3517db2..4dd4bef 100644 /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) -@@ -74,7 +82,8 @@ ifdef(`distro_suse',` +@@ -74,7 +82,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) ++ ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -95,7 +104,7 @@ ifdef(`distro_suse',` +@@ -95,7 +106,7 @@ ifdef(`distro_suse',` # HOME_ROOT # expanded by genhomedircon # @@ -8925,7 +8973,7 @@ index 3517db2..4dd4bef 100644 HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -159,6 +168,12 @@ HOME_ROOT/lost\+found/.* <> +@@ -159,6 +170,12 @@ HOME_ROOT/lost\+found/.* <> /proc -d <> /proc/.* <> @@ -8938,7 +8986,7 @@ index 3517db2..4dd4bef 100644 # # /selinux # -@@ -172,12 +187,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -172,12 +189,6 @@ HOME_ROOT/lost\+found/.* <> /srv/.* gen_context(system_u:object_r:var_t,s0) # @@ -8951,7 +8999,7 @@ index 3517db2..4dd4bef 100644 # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -217,7 +226,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -217,7 +228,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) 
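Review bot: Labeling `/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf` (and its `/etc/xorg\.conf\.d` twin) as etc_runtime_t makes an X server configuration snippet writable by every domain holding files_rw_etc_runtime_files or files_manage_etc_runtime_files, not only keyboardd_t. Because xorg.conf.d snippets can presumably name the input driver the root-owned X server loads, a dedicated type declared in keyboardd.te and written only by keyboardd_t would keep that write path confined to the daemon; the same type can then be used for the etc filetrans. Two regexes that differ only by path suggest one location is stale; keep both only if both paths are really shipped.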
@@ -8959,7 +9007,7 @@ index 3517db2..4dd4bef 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -233,6 +241,8 @@ ifndef(`distro_redhat',` +@@ -233,6 +243,8 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -8968,7 +9016,7 @@ index 3517db2..4dd4bef 100644 /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -249,7 +259,7 @@ ifndef(`distro_redhat',` +@@ -249,7 +261,7 @@ ifndef(`distro_redhat',` /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -8977,7 +9025,7 @@ index 3517db2..4dd4bef 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -258,3 +268,7 @@ ifndef(`distro_redhat',` +@@ -258,3 +270,7 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -13521,7 +13569,7 @@ index 0b827c5..8961dba 100644 admin_pattern($1, abrt_tmp_t) ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..7065b02 100644 +index 30861ec..d3996c8 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -13629,7 +13677,15 @@ index 30861ec..7065b02 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -178,12 +205,18 @@ optional_policy(` +@@ -167,6 +194,7 @@ optional_policy(` + rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) + rpm_manage_cache(abrt_t) ++ rpm_manage_log(abrt_t) + rpm_manage_pid_files(abrt_t) + rpm_read_db(abrt_t) + rpm_signull(abrt_t) +@@ -178,12 +206,18 @@ optional_policy(` ') optional_policy(` 
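Review bot: `rpm_manage_log(abrt_t)` sits next to `rpm_exec(abrt_t)`, so yum keeps running inside abrt_t and the crash-reporting daemon itself now holds create/write/unlink rights on the package log in addition to the rpm cache, db and pid files. If abrt only needs to append to the log while installing debuginfo, an append-only grant (rpm_append_log, if this tree has it) keeps the log usable as an audit trail; longer term, `rpm_domtrans(abrt_t)` would keep these privileges in rpm_t instead of accumulating them in abrt_t. The enclosing optional_policy block starts outside the hunk.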
@@ -13649,7 +13705,7 @@ index 30861ec..7065b02 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -203,6 +236,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +@@ -203,6 +237,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) domain_read_all_domains_state(abrt_helper_t) files_read_etc_files(abrt_helper_t) @@ -13657,7 +13713,7 @@ index 30861ec..7065b02 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +250,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +251,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -13667,7 +13723,7 @@ index 30861ec..7065b02 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +259,18 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +260,18 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -16123,19 +16179,74 @@ index 4deca04..42aa033 100644 ') optional_policy(` +diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc +index 0197980..f8bce2c 100644 +--- a/policy/modules/services/bitlbee.fc ++++ b/policy/modules/services/bitlbee.fc +@@ -4,3 +4,6 @@ + /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) + + /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) ++ ++/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) ++/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te -index f4e7ad3..6591639 100644 +index f4e7ad3..68aebc4 100644 --- a/policy/modules/services/bitlbee.te 
+++ b/policy/modules/services/bitlbee.te -@@ -28,7 +28,7 @@ files_type(bitlbee_var_t) +@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t) + type bitlbee_var_t; + files_type(bitlbee_var_t) + ++type bitlbee_var_run_t; ++files_type(bitlbee_var_run_t) ++ + ######################################## + # + # Local policy # - allow bitlbee_t self:capability { setgid setuid }; +-allow bitlbee_t self:capability { setgid setuid }; -allow bitlbee_t self:process signal; ++allow bitlbee_t self:capability { setgid setuid sys_nice }; +allow bitlbee_t self:process { setsched signal }; ++ ++allow bitlbee_t self:fifo_file rw_fifo_file_perms; allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; +-allow bitlbee_t self:fifo_file rw_fifo_file_perms; ++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; + + bitlbee_read_config(bitlbee_t) + + # tmp files + manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) ++manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) ++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) + + # user account information is read and edited at runtime; give the usual + # r/w access to bitlbee_var_t + manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) + files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) + ++manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) ++manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) ++manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) ++files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) ++ + kernel_read_system_state(bitlbee_t) + + corenet_all_recvfrom_unlabeled(bitlbee_t) +@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t) + corenet_udp_sendrecv_generic_node(bitlbee_t) + 
corenet_tcp_sendrecv_generic_if(bitlbee_t) + corenet_tcp_sendrecv_generic_node(bitlbee_t) ++corenet_tcp_bind_generic_node(bitlbee_t) + # Allow bitlbee to connect to jabber servers + corenet_tcp_connect_jabber_client_port(bitlbee_t) + corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index 3e45431..fa57a6f 100644 --- a/policy/modules/services/bluetooth.if @@ -19695,10 +19806,34 @@ index 0f28095..cf33683 100644 logging_send_syslog_msg(hplip_t) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if -index c43ff4c..5bf3e60 100644 +index c43ff4c..a9783e3 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if -@@ -58,9 +58,8 @@ interface(`cvs_exec',` +@@ -1,5 +1,23 @@ + ## Concurrent versions system + ++###################################### ++## ++## Dontaudit Attempts to list the CVS data and metadata. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cvs_dontaudit_list_data',` ++ gen_require(` ++ type cvs_data_t; ++ ') ++ ++ dontaudit $1 cvs_data_t:dir list_dir_perms; ++') ++ + ######################################## + ## + ## Read the CVS data and metadata. +@@ -58,9 +76,8 @@ interface(`cvs_exec',` # interface(`cvs_admin',` gen_require(` 
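Review bot: `type bitlbee_var_run_t;` is declared with `files_type(bitlbee_var_run_t)` but it holds a pid file and socket under /var/run, so it should be `files_pid_file(bitlbee_var_run_t)`; without the pidfile attribute the generic pid-file interfaces (admin cleanup, manage/delete all pids) will not cover it even though `files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })` creates it there. The new `sys_nice` capability plus `setsched` is a privilege increase with no explanation; a one-line comment on what bitlbee reschedules would justify it. The .fc entries `/var/run/bitlbee\.pid` and `/var/run/bitlbee\.sock -s` look consistent with the filetrans.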
@@ -24337,6 +24472,75 @@ index 835b16b..dd32883 100644 + files_list_tmp($1) admin_pattern($1, kerneloops_tmp_t) ') +diff --git a/policy/modules/services/keyboardd.fc b/policy/modules/services/keyboardd.fc +new file mode 100644 +index 0000000..485aacc +--- /dev/null ++++ b/policy/modules/services/keyboardd.fc +@@ -0,0 +1,2 @@ ++ ++/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0) +diff --git a/policy/modules/services/keyboardd.if b/policy/modules/services/keyboardd.if +new file mode 100644 +index 0000000..26391e6 +--- /dev/null ++++ b/policy/modules/services/keyboardd.if +@@ -0,0 +1,21 @@ ++ ++## policy for system-setup-keyboard daemon ++ ++######################################## ++## ++## Execute a domain transition to run keyboard setup daemon. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`keyboardd_domtrans',` ++ gen_require(` ++ type keyboardd_t, keyboardd_exec_t; ++ ') ++ ++ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t) ++') ++ +diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te +new file mode 100644 +index 0000000..a2bf9c3 +--- /dev/null ++++ b/policy/modules/services/keyboardd.te +@@ -0,0 +1,28 @@ ++ ++policy_module(keyboardd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type keyboardd_t; ++type keyboardd_exec_t; ++init_daemon_domain(keyboardd_t, keyboardd_exec_t) ++ ++permissive keyboardd_t; ++ ++######################################## ++# ++# keyboardd local policy ++# ++ ++allow keyboardd_t self:fifo_file rw_fifo_file_perms; ++allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_rw_etc_runtime_files(keyboardd_t) ++files_etc_filetrans_etc_runtime(keyboardd_t, file) ++ ++files_read_etc_files(keyboardd_t) ++ ++miscfiles_read_localization(keyboardd_t) diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc index 9c0c835..8360166 100644 
--- a/policy/modules/services/ksmtuned.fc @@ -35712,20 +35916,21 @@ index 4b2230e..d45dc67 100644 sysnet_dns_name_resolve(httpd_squid_script_t) diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..06da5f7 100644 +index 078bcd7..2d60774 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,4 +1,9 @@ +@@ -1,4 +1,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + ++/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -14,3 +19,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -14,3 +20,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) @@ -36023,7 +36228,7 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..4cdb5c2 100644 +index 2dad3c8..f4626c0 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -36243,7 +36448,7 @@ index 2dad3c8..4cdb5c2 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +287,39 @@ optional_policy(` +@@ -232,33 +287,43 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; 
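Review bot: keyboardd.te declares `permissive keyboardd_t;`, so none of the new module is enforced and the daemon runs effectively unconfined while appearing confined; that is tolerable for initial policy only with a note that it is to be removed once AVCs have been collected, e.g. `# TODO: drop permissive after AVC collection`. The write grant is also broad: `files_rw_etc_runtime_files(keyboardd_t)` with `files_etc_filetrans_etc_runtime(keyboardd_t, file)` lets the daemon modify every etc_runtime_t file rather than only the xorg.conf.d snippet the modules-targeted.conf entry says it generates, so a dedicated snippet type created via filetrans would confine it. The daemon is described as monitoring /etc/sysconfig/keyboard; if it does so with inotify, fs_list_inotifyfs is missing and will show up as AVCs. Each of the three new files also begins with a stray blank line.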
@@ -36289,10 +36494,14 @@ index 2dad3c8..4cdb5c2 100644 -',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) ++') ++ ++optional_policy(` ++ amanda_search_lib(sshd_t) ') optional_policy(` -@@ -266,11 +327,24 @@ optional_policy(` +@@ -266,11 +331,24 @@ optional_policy(` ') optional_policy(` @@ -36318,7 +36527,7 @@ index 2dad3c8..4cdb5c2 100644 ') optional_policy(` -@@ -284,6 +358,11 @@ optional_policy(` +@@ -284,6 +362,11 @@ optional_policy(` ') optional_policy(` @@ -36330,7 +36539,7 @@ index 2dad3c8..4cdb5c2 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +371,26 @@ optional_policy(` +@@ -292,26 +375,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -36376,7 +36585,7 @@ index 2dad3c8..4cdb5c2 100644 ') dnl endif TODO ######################################## -@@ -324,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,7 +407,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -36384,7 +36593,7 @@ index 2dad3c8..4cdb5c2 100644 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; -@@ -353,10 +431,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,10 +435,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -37483,13 +37692,14 @@ index 2124b6a..6546d6e 100644 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..8822e63 100644 +index 7c5d8d8..5e2f264 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -14,13 +14,14 @@ +@@ -13,14 +13,14 @@ + # template(`virt_domain_template',` gen_require(` - type virtd_t; +- type virtd_t; - attribute virt_image_type; - attribute virt_domain; + attribute virt_image_type, virt_domain; 
@@ -37503,7 +37713,7 @@ index 7c5d8d8..8822e63 100644 role system_r types $1_t; type $1_devpts_t; -@@ -35,17 +36,18 @@ template(`virt_domain_template',` +@@ -35,17 +35,18 @@ template(`virt_domain_template',` type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) @@ -37526,7 +37736,7 @@ index 7c5d8d8..8822e63 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +59,6 @@ template(`virt_domain_template',` +@@ -57,18 +58,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -37545,7 +37755,7 @@ index 7c5d8d8..8822e63 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -101,9 +91,9 @@ interface(`virt_image',` +@@ -101,9 +90,9 @@ interface(`virt_image',` ## Execute a domain transition to run virt. ## ## @@ -37557,7 +37767,7 @@ index 7c5d8d8..8822e63 100644 ## # interface(`virt_domtrans',` -@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',` +@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -37573,7 +37783,7 @@ index 7c5d8d8..8822e63 100644 ') ######################################## -@@ -185,13 +175,13 @@ interface(`virt_read_config',` +@@ -185,13 +174,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -37589,7 +37799,7 @@ index 7c5d8d8..8822e63 100644 ') ######################################## -@@ -231,6 +221,24 @@ interface(`virt_read_content',` +@@ -231,6 +220,24 @@ interface(`virt_read_content',` ######################################## ## @@ -37614,7 +37824,7 @@ index 7c5d8d8..8822e63 100644 ## Read virt PID files. ## ## -@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',` +@@ -269,6 +276,36 @@ interface(`virt_manage_pid_files',` ######################################## ## 
@@ -37651,7 +37861,7 @@ index 7c5d8d8..8822e63 100644 ## Search virt lib directories. ## ## -@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +345,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -37676,7 +37886,7 @@ index 7c5d8d8..8822e63 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +408,9 @@ interface(`virt_read_log',` +@@ -352,9 +407,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -37688,7 +37898,7 @@ index 7c5d8d8..8822e63 100644 ## # interface(`virt_append_log',` -@@ -424,6 +480,24 @@ interface(`virt_read_images',` +@@ -424,6 +479,24 @@ interface(`virt_read_images',` ######################################## ## @@ -37713,7 +37923,7 @@ index 7c5d8d8..8822e63 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +507,15 @@ interface(`virt_read_images',` +@@ -433,15 +506,15 @@ interface(`virt_read_images',` ## ## # @@ -37734,7 +37944,7 @@ index 7c5d8d8..8822e63 100644 ') ######################################## -@@ -516,3 +590,51 @@ interface(`virt_admin',` +@@ -516,3 +589,51 @@ interface(`virt_admin',` virt_manage_log($1) ') @@ -37787,7 +37997,7 @@ index 7c5d8d8..8822e63 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..333a07f 100644 +index 3eca020..191efb7 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) @@ -37986,7 +38196,7 @@ index 3eca020..333a07f 100644 xen_rw_image_files(svirt_t) ') -@@ -174,22 +209,28 @@ optional_policy(` +@@ -174,21 +209,28 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
@@ -38009,17 +38219,17 @@ index 3eca020..333a07f 100644 manage_files_pattern(virtd_t, virt_content_t, virt_content_t) allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; - ++allow virt_domain virtd_t:fd use; ++ +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) -+ + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) - -@@ -200,8 +241,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +242,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -38036,7 +38246,7 @@ index 3eca020..333a07f 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +267,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +268,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -38044,7 +38254,7 @@ index 3eca020..333a07f 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +287,32 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +288,32 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) 
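Review bot: `allow virt_domain virtd_t:fd use;` is attribute-wide, so every guest domain may use any descriptor libvirtd leaves open across exec, not just the ones it intends to hand over. Object-level permissions (and the MCS categories set via mcs_process_set_categories) still gate what the guest can do with a leaked fd, so the exposure is bounded, but the rule should say why it exists, e.g. `# libvirtd passes tap/migration/image fds to the guest process`, and libvirtd should keep O_CLOEXEC on everything it does not mean to pass.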
@@ -38078,7 +38288,7 @@ index 3eca020..333a07f 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +321,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -38097,7 +38307,7 @@ index 3eca020..333a07f 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -38128,7 +38338,7 @@ index 3eca020..333a07f 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +449,8 @@ optional_policy(` +@@ -365,6 +450,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -38137,7 +38347,7 @@ index 3eca020..333a07f 100644 ') optional_policy(` -@@ -396,12 +482,25 @@ optional_policy(` +@@ -396,12 +483,25 @@ optional_policy(` allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; @@ -38164,7 +38374,7 @@ index 3eca020..333a07f 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +521,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +522,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -38172,7 +38382,7 @@ index 3eca020..333a07f 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +529,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +530,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -38185,7 +38395,7 @@ index 3eca020..333a07f 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +542,11 @@ files_search_all(virt_domain) +@@ -440,6 +543,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -38197,7 +38407,7 @@ index 3eca020..333a07f 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +564,117 @@ optional_policy(` +@@ -457,8 +565,117 @@ optional_policy(` ') optional_policy(` @@ -43730,7 +43940,7 @@ index 5c94dfe..59bfb17 100644 ######################################## diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index a3fdcb3..bce3aea 100644 +index a3fdcb3..96b3872 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -13,9 +13,6 @@ role system_r types iptables_t; @@ -43814,11 +44024,12 @@ index a3fdcb3..bce3aea 100644 ') optional_policy(` -@@ -124,6 +135,7 @@ optional_policy(` +@@ -124,6 +135,8 @@ optional_policy(` optional_policy(` shorewall_rw_lib_files(iptables_t) + shorewall_read_tmp_files(iptables_t) ++ shorewall_read_config(iptables_t) ') optional_policy(` @@ -44393,7 +44604,7 @@ index 3fb1915..26e9f79 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 571599b..3644f0f 100644 +index 571599b..b323b73 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,10 @@ 
@@ -44439,7 +44650,7 @@ index 571599b..3644f0f 100644 /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+/var/stockmaniac/templates_cache gen_context(system_u:object_r:var_log_t,s0) ++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 7002d79..1669f5d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.12 -Release: 3%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,21 @@ exit 0 %endif %changelog +* Wed Jan 5 2011 Miroslav Grepl 3.9.12-5 +- Add initial policy for system-setup-keyboard which is now daemon +- Label /var/lock/subsys/shorewall as shorewall_lock_t +- Allow users to communicate with the gpg_agent_t +- Dontaudit mozilla_plugin_t using the inherited terminal +- Allow sambagui to read files in /usr +- webalizer manages squid log files +- Allow unconfined domains to bind ports to raw_ip_sockets +- Allow abrt to manage rpm logs when running yum +- Need labels for /var/run/bittlebee +- Label .ssh under amanda +- Remove unused genrequires for virt_domain_template +- Allow virt_domain to use fd inherited from virtd_t +- Allow iptables to read shorewall config + * Tue Dec 28 2010 Dan Walsh 3.9.12-4 - Gnome apps list config_home_t - mpd creates lnk files in homedir
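Review bot: The `/var/stockmaniac/templates_cache(/.*)?` entry is changed to label a whole tree as var_log_t without a changelog line, and a template cache is not a log: var_log_t is writable by every log-writing domain and subject to logrotate, so a cache type (or var_t) presumably fits better unless the directory really holds logs. At minimum add a comment stating why this tree is treated as log content.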