From d42d1657e3cbb7bb85507ae76dcf10a85faffdd3 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Apr 16 2013 11:24:49 +0000
Subject: - Fix description of deny_ptrace boolean
- Remove allow for execmod lib_t for now
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- thumb_t needs to be able to create ~/.cache if it does not exist
- virtd needs to be able to sys_ptrace when starting and stopping containers
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index cb989b3..93b86f0 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -765,14 +765,14 @@ index 66e85ea..d02654d 100644
## user domains.
##
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..11a1ae6 100644
+index 4705ab6..629fe1b 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,52 +6,59 @@
##
##
-+## Allow sysadm to debug or ptrace all processes.
++## Deny any process from ptracing or debugging any other processes.
+##
+##
+gen_tunable(deny_ptrace, false)
@@ -22234,7 +22234,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..2706448 100644
+index 6bf0ecc..ab37b7e 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -23098,11 +23098,11 @@ index 6bf0ecc..2706448 100644
+##
+#
+interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
++ gen_require(`
++ type xdm_t;
++ ')
+
-+ dontaudit $1 xdm_t:unix_stream_socket { read write };
++ dontaudit $1 xdm_t:unix_stream_socket { ioctl read write };
+')
+
+########################################
@@ -30338,7 +30338,7 @@ index 73bb3c0..aadfba0 100644
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..7b506f2 100644
+index 808ba93..9d8f729 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@@ -30451,7 +30451,7 @@ index 808ba93..7b506f2 100644
')
########################################
-@@ -440,9 +463,9 @@ interface(`libs_use_shared_libs',`
+@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',`
')
files_search_usr($1)
@@ -30461,10 +30461,11 @@ index 808ba93..7b506f2 100644
+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
++# allow $1 lib_t:file execmod;
allow $1 textrel_shlib_t:file execmod;
')
-@@ -483,7 +506,7 @@ interface(`libs_relabel_shared_libs',`
+@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',`
type lib_t, textrel_shlib_t;
')
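Review bot: The line `# allow $1 lib_t:file execmod;` in libs_use_shared_libs is left behind as commented-out policy with nothing saying why it is disabled, so a later maintainer may simply re-enable it. Judging by its name this interface is called by every domain that loads shared libraries, and the old rule would have granted execmod (text relocation) on all generic lib_t files to all of them, which is precisely the blanket permission the separate textrel_shlib_t label exists to avoid, so removing it is the right call. Replace the dead line with a statement of intent, e.g. `# execmod is deliberately not granted on generic lib_t; libraries that need text relocations must be labeled textrel_shlib_t`, or drop it entirely. The enclosing interface starts outside this hunk.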
@@ -30473,7 +30474,7 @@ index 808ba93..7b506f2 100644
')
########################################
-@@ -534,3 +557,26 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',`
interface(`files_lib_filetrans_shared_lib',`
refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f3956ec..3f17fd2 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -19854,10 +19854,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..217b0ef
+index 0000000..8cf8ddd
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,194 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -20005,6 +20005,10 @@ index 0000000..217b0ef
+ rpcbind_stream_connect(dirsrv_t)
+')
+
++optional_policy(`
++ uuidd_stream_connect_manager(dirsrv_t)
++')
++
+########################################
+#
+# dirsrv-snmp local policy
@@ -24581,7 +24585,7 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..b000017 100644
+index d03fd43..26023f7 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,154 @@
@@ -25152,7 +25156,7 @@ index d03fd43..b000017 100644
##
-## Create, read, write, and delete
-## generic gnome home content.
-+## Set attributes of cache home dir (.cache)
++## Create generic cache home dir (.cache)
##
##
##
@@ -25161,25 +25165,26 @@ index d03fd43..b000017 100644
##
#
-interface(`gnome_manage_generic_home_content',`
-+interface(`gnome_setattr_cache_home_dir',`
++interface(`gnome_create_generic_cache_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
-+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
- userdom_search_user_home_dirs($1)
+- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
++ allow $1 cache_home_t:dir create_dir_perms;
++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
')
########################################
##
-## Search generic gnome home directories.
-+## Manage cache home dir (.cache)
++## Set attributes of cache home dir (.cache)
##
##
##
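Review bot: The new `gnome_create_generic_cache_dir` interface drops the `userdom_search_user_home_dirs($1)` call that the interface it replaces kept, so the caller is left with `create_dir_perms` on cache_home_t plus the `userdom_user_home_dir_filetrans` rule for ".cache". That is enough only if `userdom_user_home_dir_filetrans` itself grants search on the home root and the user home directory, which is not visible in this hunk; please confirm against userdomain.if, otherwise the caller may create the type but cannot reach ~/ to do it. A short comment would save the next reader the same check: `# search of ~/ is provided by userdom_user_home_dir_filetrans`. The hunks that follow, down to the one headed -25345, are the one-position shift of the existing cache interfaces caused by this insertion and carry no rule changes.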
@@ -25188,13 +25193,13 @@ index d03fd43..b000017 100644
##
#
-interface(`gnome_search_generic_home',`
-+interface(`gnome_manage_cache_home_dir',`
++interface(`gnome_setattr_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
-+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
++ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir search_dir_perms;
')
@@ -25203,7 +25208,7 @@ index d03fd43..b000017 100644
##
-## Create objects in gnome user home
-## directories with a private type.
-+## append to generic cache home files (.cache)
++## Manage cache home dir (.cache)
##
##
##
@@ -25227,13 +25232,13 @@ index d03fd43..b000017 100644
-##
#
-interface(`gnome_home_filetrans',`
-+interface(`gnome_append_generic_cache_files',`
++interface(`gnome_manage_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
-+ append_files_pattern($1, cache_home_t, cache_home_t)
++ manage_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
')
@@ -25241,7 +25246,7 @@ index d03fd43..b000017 100644
########################################
##
-## Create generic gconf home directories.
-+## write to generic cache home files (.cache)
++## append to generic cache home files (.cache)
##
##
##
@@ -25250,93 +25255,127 @@ index d03fd43..b000017 100644
##
#
-interface(`gnome_create_generic_gconf_home_dirs',`
-+interface(`gnome_write_generic_cache_files',`
++interface(`gnome_append_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- allow $1 gconf_home_t:dir create_dir_perms;
-+ write_files_pattern($1, cache_home_t, cache_home_t)
++ append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Read generic gconf home content.
-+## Manage a sock_file in the generic cache home files (.cache)
++## write to generic cache home files (.cache)
##
##
##
-@@ -449,46 +497,36 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,23 +497,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
-interface(`gnome_read_generic_gconf_home_content',`
-+interface(`gnome_manage_generic_cache_sockets',`
++interface(`gnome_write_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
++ write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
-+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
')
########################################
##
-## Create, read, write, and delete
-## generic gconf home content.
-+## Dontaudit read/write to generic cache home files (.cache)
++## Manage a sock_file in the generic cache home files (.cache)
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -473,82 +516,72 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
-interface(`gnome_manage_generic_gconf_home_content',`
-+interface(`gnome_dontaudit_rw_generic_cache_files',`
++interface(`gnome_manage_generic_cache_sockets',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
-- userdom_search_user_home_dirs($1)
+ userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
-+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
++ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
')
########################################
##
-## Search generic gconf home directories.
-+## read gnome homedir content (.config)
++## Dontaudit read/write to generic cache home files (.cache)
##
##
##
-@@ -496,29 +534,35 @@ interface(`gnome_manage_generic_gconf_home_content',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`gnome_search_generic_gconf_home',`
-+interface(`gnome_read_config',`
++interface(`gnome_dontaudit_rw_generic_cache_files',`
gen_require(`
- type gconf_home_t;
-+ attribute gnome_home_type;
++ type cache_home_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir search_dir_perms;
++ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create objects in user home
+-## directories with the generic gconf
+-## home type.
++## read gnome homedir content (.config)
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`gnome_home_filetrans_gconf_home',`
++interface(`gnome_read_config',`
+ gen_require(`
+- type gconf_home_t;
++ attribute gnome_home_type;
+ ')
+
+- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
@@ -25345,7 +25384,7 @@ index d03fd43..b000017 100644
########################################
##
-## Create objects in user home
--## directories with the generic gconf
+-## directories with the generic gnome
-## home type.
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
@@ -25368,18 +25407,18 @@ index d03fd43..b000017 100644
##
##
##
-@@ -527,62 +571,125 @@ interface(`gnome_search_generic_gconf_home',`
+@@ -557,52 +590,76 @@ interface(`gnome_home_filetrans_gconf_home',`
##
##
#
--interface(`gnome_home_filetrans_gconf_home',`
+-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_data_filetrans',`
gen_require(`
-- type gconf_home_t;
+- type gnome_home_t;
+ type data_home_t;
')
-- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
')
@@ -25387,9 +25426,8 @@ index d03fd43..b000017 100644
-########################################
+#######################################
##
--## Create objects in user home
--## directories with the generic gnome
--## home type.
+-## Create objects in gnome gconf home
+-## directories with a private type.
+## Read generic data home files.
##
##
@@ -25397,7 +25435,15 @@ index d03fd43..b000017 100644
## Domain allowed access.
##
##
+-##
+-##
+-## Private file type.
+-##
+-##
-##
+-##
+-## Class of the object being created.
+-##
+#
+interface(`gnome_read_generic_data_home_files',`
+ gen_require(`
@@ -25415,7 +25461,8 @@ index d03fd43..b000017 100644
+##
+## Domain allowed access.
+##
-+##
+ ##
+-##
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
@@ -25431,44 +25478,46 @@ index d03fd43..b000017 100644
+##
+##
##
--## Class of the object being created.
+-## The name of the object being created.
+## Domain allowed access.
##
##
--##
-+#
+ #
+-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_manage_data',`
-+ gen_require(`
+ gen_require(`
+ type data_home_t;
-+ type gconf_home_t;
-+ ')
-+
+ type gconf_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic gnome keyring home files.
+## Read icc data home content.
-+##
-+##
+ ##
+ ##
##
--## The name of the object being created.
-+## Domain allowed access.
+@@ -610,93 +667,126 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
--interface(`gnome_home_filetrans_gnome_home',`
+-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_home_icc_data_content',`
gen_require(`
-- type gnome_home_t;
+- type gnome_home_t, gnome_keyring_home_t;
+ type icc_data_home_t, gconf_home_t, data_home_t;
')
-- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
-+ userdom_search_user_home_dirs($1)
+ userdom_search_user_home_dirs($1)
+- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
@@ -25477,110 +25526,113 @@ index d03fd43..b000017 100644
########################################
##
--## Create objects in gnome gconf home
--## directories with a private type.
+-## Send and receive messages from
+-## gnome keyring daemon over dbus.
+## Read inherited icc data home files.
##
+-##
+-##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-##
+-##
##
##
## Domain allowed access.
##
##
--##
-+#
+ #
+-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_inherited_home_icc_data_files',`
-+ gen_require(`
+ gen_require(`
+- type $1_gkeyringd_t;
+- class dbus send_msg;
+ type icc_data_home_t;
-+ ')
-+
+ ')
+
+- allow $2 $1_gkeyringd_t:dbus send_msg;
+- allow $1_gkeyringd_t $2:dbus send_msg;
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Send and receive messages from all
+-## gnome keyring daemon over dbus.
+## Create gconf_home_t objects in the /root directory
-+##
-+##
+ ##
+ ##
##
--## Private file type.
-+## Domain allowed access.
+ ## Domain allowed access.
##
##
- ##
- ##
--## Class of the object being created.
++##
++##
+## The class of the object to be created.
- ##
- ##
- ##
-@@ -591,65 +698,76 @@ interface(`gnome_home_filetrans_gnome_home',`
- ##
- ##
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
#
--interface(`gnome_gconf_home_filetrans',`
+-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
- type gconf_home_t;
+- attribute gkeyringd_domain;
+- class dbus send_msg;
++ type gconf_home_t;
')
-- userdom_search_user_home_dirs($1)
-- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+- allow $1 gkeyringd_domain:dbus send_msg;
+- allow gkeyringd_domain $1:dbus send_msg;
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
##
--## Read generic gnome keyring home files.
+-## Connect to gnome keyring daemon
+-## with a unix stream socket.
+## Do not audit attempts to read
+## inherited gconf config files.
##
- ##
+-##
++##
##
--## Domain allowed access.
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+## Domain to not audit.
##
##
- #
--interface(`gnome_read_keyring_home_files',`
++#
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
- gen_require(`
-- type gnome_home_t, gnome_keyring_home_t;
++ gen_require(`
+ type gconf_etc_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
++ ')
++
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Send and receive messages from
--## gnome keyring daemon over dbus.
++')
++
++########################################
++##
+## read gconf config files
- ##
--##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
--##
++##
##
##
## Domain allowed access.
##
##
#
--interface(`gnome_dbus_chat_gkeyringd',`
+-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_read_gconf_config',`
gen_require(`
-- type $1_gkeyringd_t;
-- class dbus send_msg;
+- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
-- allow $2 $1_gkeyringd_t:dbus send_msg;
-- allow $1_gkeyringd_t $2:dbus send_msg;
+- files_search_tmp($2)
+- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
@@ -25607,78 +25659,59 @@ index d03fd43..b000017 100644
########################################
##
--## Send and receive messages from all
--## gnome keyring daemon over dbus.
+-## Connect to all gnome keyring daemon
+-## with a unix stream socket.
+## Execute gconf programs in
+## in the caller domain.
##
##
##
-@@ -657,46 +775,36 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -704,12 +794,811 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
--interface(`gnome_dbus_chat_all_gkeyringd',`
+-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_exec_gconf',`
gen_require(`
- attribute gkeyringd_domain;
-- class dbus send_msg;
+- type gnome_keyring_tmp_t;
+ type gconfd_exec_t;
- ')
-
-- allow $1 gkeyringd_domain:dbus send_msg;
-- allow gkeyringd_domain $1:dbus send_msg;
++ ')
++
+ can_exec($1, gconfd_exec_t)
- ')
-
- ########################################
- ##
--## Connect to gnome keyring daemon
--## with a unix stream socket.
++')
++
++########################################
++##
+## Execute gnome keyringd in the caller domain.
- ##
--##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`gnome_stream_connect_gkeyringd',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_exec_keyringd',`
- gen_require(`
-- type $1_gkeyringd_t, gnome_keyring_tmp_t;
++ gen_require(`
+ type gkeyringd_exec_t;
- ')
-
-- files_search_tmp($2)
-- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
++ ')
++
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
- ')
-
- ########################################
- ##
--## Connect to all gnome keyring daemon
--## with a unix stream socket.
++')
++
++########################################
++##
+## Read gconf home files
- ##
- ##
- ##
-@@ -704,12 +812,774 @@ interface(`gnome_stream_connect_gkeyringd',`
- ##
- ##
- #
--interface(`gnome_stream_connect_all_gkeyringd',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_read_gconf_home_files',`
- gen_require(`
-- attribute gkeyringd_domain;
-- type gnome_keyring_tmp_t;
++ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
@@ -25705,10 +25738,9 @@ index d03fd43..b000017 100644
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
- ')
-
- files_search_tmp($1)
-- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++ ')
++
++ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
@@ -25725,9 +25757,10 @@ index d03fd43..b000017 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@@ -44014,10 +44047,10 @@ index 0000000..7d11148
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..c3a9a89
+index 0000000..061a689
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,325 @@
+@@ -0,0 +1,329 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -44196,6 +44229,10 @@ index 0000000..c3a9a89
+
+auth_use_nsswitch(nova_console_t)
+
++optional_policy(`
++ mysql_stream_connect(nova_console_t)
++')
++
+#######################################
+#
+# nova direct local policy
@@ -62034,7 +62071,7 @@ index afc0068..7616aa4 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..5bbd65f 100644
+index 769d1fd..bf3f16f 100644
--- a/quantum.te
+++ b/quantum.te
@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
@@ -62047,11 +62084,12 @@ index 769d1fd..5bbd65f 100644
########################################
#
# Local policy
-@@ -61,11 +64,12 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
+@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
corenet_tcp_sendrecv_all_ports(quantum_t)
corenet_tcp_bind_generic_node(quantum_t)
+corenet_tcp_bind_quantum_port(quantum_t)
++corenet_tcp_connect_keystone_port(quantum_t)
+corenet_tcp_connect_mysqld_port(quantum_t)
+
dev_list_sysfs(quantum_t)
@@ -62062,7 +62100,7 @@ index 769d1fd..5bbd65f 100644
auth_use_nsswitch(quantum_t)
libs_exec_ldconfig(quantum_t)
-@@ -73,8 +77,6 @@ libs_exec_ldconfig(quantum_t)
+@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
logging_send_audit_msgs(quantum_t)
logging_send_syslog_msg(quantum_t)
@@ -62071,7 +62109,7 @@ index 769d1fd..5bbd65f 100644
sysnet_domtrans_ifconfig(quantum_t)
optional_policy(`
-@@ -94,3 +96,12 @@ optional_policy(`
+@@ -94,3 +97,12 @@ optional_policy(`
postgresql_tcp_connect(quantum_t)
')
@@ -81934,10 +81972,10 @@ index 0000000..bfcd2c7
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..797d761
+index 0000000..4e9dc5e
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,143 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -82060,6 +82098,7 @@ index 0000000..797d761
+ gnome_manage_gstreamer_home_files(thumb_t)
+ gnome_manage_gstreamer_home_dirs(thumb_t)
+ gnome_exec_gstreamer_home_files(thumb_t)
++ gnome_create_generic_cache_dir(thumb_t)
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
@@ -84231,10 +84270,24 @@ index 380902c..75545d6 100644
+ postfix_rw_inherited_master_pipes(uux_t)
+')
diff --git a/uuidd.if b/uuidd.if
-index 6e48653..29e3648 100644
+index 6e48653..6abf74a 100644
--- a/uuidd.if
+++ b/uuidd.if
-@@ -180,6 +180,9 @@ interface(`uuidd_admin',`
+@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',`
+ #
+ interface(`uuidd_stream_connect_manager',`
+ gen_require(`
+- type uuidd_t, uuidd_var_run_t;
++ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
++ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
+ ')
+
+ ########################################
+@@ -180,6 +181,9 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
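Review bot: The added `stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)` in uuidd_stream_connect_manager is paired only with the existing `files_search_pids($1)`, which covers a socket under the pid directory but not a path under /var/lib. If uuidd_var_lib_t labels the daemon's /var/lib socket directory (the file context is not visible here), callers also need `files_search_var_lib($1)` beside it, otherwise the new rule is unreachable in practice and the first caller, dirsrv_t in this same commit, is still denied the directory search. Also confirm that uuidd.te declares `uuidd_var_lib_t`, since the gen_require now names it and every caller of this interface fails to build if it is missing.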
@@ -86320,7 +86373,7 @@ index 9dec06c..fa2c674 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..64e638c 100644
+index 1f22fba..f42e134 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -86526,7 +86579,7 @@ index 1f22fba..64e638c 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,251 +165,82 @@ type virt_qmf_exec_t;
+@@ -155,290 +165,125 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
@@ -86616,9 +86669,7 @@ index 1f22fba..64e638c 100644
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
-kernel_read_system_state(virt_domain)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-fs_getattr_xattr_fs(virt_domain)
-
-corecmd_exec_bin(virt_domain)
@@ -86736,17 +86787,15 @@ index 1f22fba..64e638c 100644
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
--
--optional_policy(`
-- dbus_read_lib_files(virt_domain)
--')
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
@@ -86756,20 +86805,24 @@ index 1f22fba..64e638c 100644
+corenet_tcp_connect_all_ports(svirt_t)
-optional_policy(`
-- nscd_use(virt_domain)
+- dbus_read_lib_files(virt_domain)
-')
+miscfiles_read_generic_certs(svirt_t)
optional_policy(`
-- samba_domtrans_smbd(virt_domain)
+- nscd_use(virt_domain)
+ xen_rw_image_files(svirt_t)
')
optional_policy(`
-- xen_rw_image_files(virt_domain)
+- samba_domtrans_smbd(virt_domain)
+ nscd_use(svirt_t)
')
+-optional_policy(`
+- xen_rw_image_files(virt_domain)
+-')
+-
-########################################
+#######################################
#
@@ -86787,11 +86840,11 @@ index 1f22fba..64e638c 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
--
--filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
@@ -86826,15 +86879,16 @@ index 1f22fba..64e638c 100644
########################################
#
-@@ -407,38 +248,42 @@ corenet_tcp_connect_all_ports(svirt_t)
+ # virtd local policy
#
- allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
++allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:capability2 compromise_kernel;
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
-+ dontaudit virtd_t self:capability { sys_module sys_ptrace };
++ dontaudit virtd_t self:capability { sys_module };
+')
+
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
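Review bot: `sys_ptrace` is added to virtd_t's capability set in the first changed line of this hunk with no comment recording why, while the dontaudit a few lines below is narrowed to `sys_module` alone; the changelog gives the reason as starting and stopping containers. This is a broad capability, and the same commit introduces a deny_ptrace tunable for the rest of the policy, so record the justification beside the rule, e.g. `# sys_ptrace: needed by libvirt when starting and stopping lxc containers`, and consider whether the grant can sit inside the same optional or tunable block as the container handling rather than unconditionally. Note that the hunk grants the capability only; it does not add `process ptrace` on other domains, and whether other rules do is not visible here.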
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d07c798..a27233b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 30%{?dist}
+Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 16 2013 Miroslav Grepl 3.12.1-31
+- Fix description of deny_ptrace boolean
+- Remove allow for execmod lib_t for now
+- Allow quantum to connect to keystone port
+- Allow nova-console to talk with mysql over unix stream socket
+- Allow dirsrv to stream connect to uuidd
+- thumb_t needs to be able to create ~/.cache if it does not exist
+- virtd needs to be able to sys_ptrace when starting and stoping containers
+
* Mon Apr 15 2013 Miroslav Grepl 3.12.1-30
- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms...
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets