From ea3b7b5dff00170fa23dc553acd429756867b149 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Sep 16 2010 22:00:00 +0000 Subject: - Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 2f6490c..9973c32 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -1,14 +1,14 @@ # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # -allow_execmem = false +allow_execmem = true # Allow making a modified private filemapping executable (text relocation). # -allow_execmod = false +allow_execmod = true # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = false +allow_execstack = true # Allow ftpd to read cifs directories. # diff --git a/modules-targeted.conf b/modules-targeted.conf index 23d9eb7..4c32c94 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1825,6 +1825,13 @@ varnishd = module # virt = module +# Layer: services +# Module: vnstatd +# +# Network traffic Monitor +# +vnstatd = module + # Layer: apps # Module: qemu # diff --git a/policy-F14.patch b/policy-F14.patch index be8c885..0e002d9 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -349,10 +349,10 @@ index 66e486e..bfda8e9 100644 ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 0b6123e..dd4cd30 100644 +index 0b6123e..d64682f 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t) +@@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) 
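Review bot: Switching `allow_execmem`, `allow_execmod` and `allow_execstack` from false to true in booleans-targeted.conf is an undocumented change to shipped security defaults: neither the subject nor the %changelog entry at the end of the patch mentions it. By the comments in the same hunk these booleans permit executable anonymous memory, executable text relocations and executable stacks, so enabling them by default relaxes a system-wide memory-protection restriction rather than implementing any of the three items the commit describes. If the relaxation is intentional, record it with a changelog line such as `- Enable allow_execmem, allow_execmod and allow_execstack by default in targeted policy` together with the reason; if it is a stray local edit, drop this hunk. The changelog also lists a chrome-sandbox change that does not correspond to any hunk visible in this patch.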
@@ -360,8 +360,14 @@ index 0b6123e..dd4cd30 100644 cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -126,7 +127,7 @@ cron_search_spool(logrotate_t) - mta_send_mail(logrotate_t) + +-mta_send_mail(logrotate_t) ++#mta_send_mail(logrotate_t) ++mta_base_mail_template(logrotate) ++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) ++role system_r types logrotate_mail_t; ++logging_read_all_logs(logrotate_mail_t) ++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; @@ -9504,7 +9510,7 @@ index ebe6a9c..e3a1987 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 1854002..b0d95d4 100644 +index 1854002..571c76e 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,46 @@ policy_module(staff, 2.1.2) @@ -9590,7 +9596,7 @@ index 1854002..b0d95d4 100644 oident_manage_user_content(staff_t) oident_relabel_user_content(staff_t) ') -@@ -36,21 +99,62 @@ optional_policy(` +@@ -36,21 +99,66 @@ optional_policy(` ') optional_policy(` @@ -9650,12 +9656,16 @@ index 1854002..b0d95d4 100644 +') + +optional_policy(` ++ vnstatd_read_lib_files(staff_t) ++') ++ ++optional_policy(` + webadm_role_change(staff_r) +') optional_policy(` xserver_role(staff_r, staff_t) -@@ -138,10 +242,6 @@ ifndef(`distro_redhat',` +@@ -138,10 +246,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15636,7 +15646,7 @@ index 35241ed..9822074 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f35b243..ff1a1c9 100644 +index f35b243..45f5a6f 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t) 
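Review bot: The new side of the logrotate.te hunk keeps `#mta_send_mail(logrotate_t)` as a commented-out rule directly above its replacement `mta_base_mail_template(logrotate)`; dead rules should be deleted, since the removal is already recorded by this patch. Also `logging_read_all_logs(logrotate_mail_t)` gives the new `logrotate_mail_t` domain (introduced by the template and the `role system_r types logrotate_mail_t;` line) read access to every log type, which is broader than a helper that mails a single rotated file appears to need. If the wider grant is required, a comment such as `# the mailer reopens the rotated log itself rather than reading an inherited fd` above the rule would justify its scope; whether the helper really reopens the file is inferred from the rule, not visible here.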
@@ -15772,7 +15782,17 @@ index f35b243..ff1a1c9 100644 ') optional_policy(` -@@ -290,6 +334,8 @@ optional_policy(` +@@ -284,12 +328,18 @@ optional_policy(` + udev_read_db(crond_t) + ') + ++optional_policy(` ++ vnstatd_search_lib(crond_t) ++') ++ + ######################################## + # + # System cron process domain # allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; @@ -15781,7 +15801,7 @@ index f35b243..ff1a1c9 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -301,10 +347,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -301,10 +351,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -15800,7 +15820,7 @@ index f35b243..ff1a1c9 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -324,6 +377,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -324,6 +381,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -15808,7 +15828,7 @@ index f35b243..ff1a1c9 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -335,9 +389,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -335,9 +393,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) 
@@ -15823,7 +15843,7 @@ index f35b243..ff1a1c9 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -360,6 +418,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -360,6 +422,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -15831,7 +15851,7 @@ index f35b243..ff1a1c9 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -386,6 +445,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -386,6 +449,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -15839,7 +15859,7 @@ index f35b243..ff1a1c9 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -410,6 +470,8 @@ seutil_read_config(system_cronjob_t) +@@ -410,6 +474,8 @@ seutil_read_config(system_cronjob_t) ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files @@ -15848,7 +15868,7 @@ index f35b243..ff1a1c9 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -434,6 +496,8 @@ optional_policy(` +@@ -434,6 +500,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -15857,7 +15877,7 @@ index f35b243..ff1a1c9 100644 ') optional_policy(` -@@ -441,6 +505,14 @@ optional_policy(` +@@ -441,6 +509,14 @@ optional_policy(` ') optional_policy(` @@ -15872,7 +15892,7 @@ index f35b243..ff1a1c9 100644 ftp_read_log(system_cronjob_t) ') -@@ -451,15 +523,24 @@ optional_policy(` +@@ -451,15 +527,24 @@ optional_policy(` ') optional_policy(` 
@@ -15897,7 +15917,7 @@ index f35b243..ff1a1c9 100644 ') optional_policy(` -@@ -475,7 +556,7 @@ optional_policy(` +@@ -475,7 +560,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -15906,7 +15926,7 @@ index f35b243..ff1a1c9 100644 ') optional_policy(` -@@ -490,6 +571,7 @@ optional_policy(` +@@ -490,6 +575,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -15914,7 +15934,7 @@ index f35b243..ff1a1c9 100644 ') optional_policy(` -@@ -497,7 +579,13 @@ optional_policy(` +@@ -497,7 +583,13 @@ optional_policy(` ') optional_policy(` @@ -15928,7 +15948,7 @@ index f35b243..ff1a1c9 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,7 +678,10 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -590,7 +682,10 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -16152,7 +16172,7 @@ index e182bf4..f80e725 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 39e901a..87fc055 100644 +index 39e901a..7852441 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -42,8 +42,10 @@ template(`dbus_role_template',` @@ -16184,7 +16204,7 @@ index 39e901a..87fc055 100644 allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -149,13 +151,20 @@ template(`dbus_role_template',` +@@ -149,17 +151,25 @@ template(`dbus_role_template',` term_use_all_terms($1_dbusd_t) 
@@ -16206,7 +16226,12 @@ index 39e901a..87fc055 100644 hal_dbus_chat($1_dbusd_t) ') -@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',` + optional_policy(` ++ xserver_search_xdm_lib($1_dbusd_t) + xserver_use_xdm_fds($1_dbusd_t) + xserver_rw_xdm_pipes($1_dbusd_t) + ') +@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -16219,7 +16244,7 @@ index 39e901a..87fc055 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -431,13 +442,26 @@ interface(`dbus_system_domain',` +@@ -431,13 +443,26 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -16246,7 +16271,7 @@ index 39e901a..87fc055 100644 ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -@@ -479,3 +503,22 @@ interface(`dbus_unconfined',` +@@ -479,3 +504,22 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -23987,10 +24012,10 @@ index 00fa514..9ab1d80 100644 mysql_stream_connect(rgmanager_t) ') diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc -index c2ba53b..a8676c7 100644 +index c2ba53b..d862e7e 100644 --- a/policy/modules/services/rhcs.fc +++ b/policy/modules/services/rhcs.fc -@@ -1,6 +1,7 @@ +@@ -1,14 +1,17 @@ /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) 
@@ -23998,8 +24023,10 @@ index c2ba53b..a8676c7 100644 /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) -@@ -9,6 +10,7 @@ + /var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) + ++/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +/var/log/cluster/.*\.*log <> @@ -27997,7 +28024,7 @@ index 7c5d8d8..e584e21 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..fec701f 100644 +index 3eca020..8dac607 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -4,6 +4,7 @@ policy_module(virt, 1.4.0) @@ -28239,9 +28266,11 @@ index 3eca020..fec701f 100644 mcs_process_set_categories(virtd_t) -@@ -286,15 +351,24 @@ modutils_manage_module_config(virtd_t) +@@ -285,16 +350,26 @@ modutils_read_module_config(virtd_t) + modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) ++logging_send_audit_msgs(virtd_t) +selinux_validate_context(virtd_t) + @@ -28264,7 +28293,7 @@ index 3eca020..fec701f 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +439,8 @@ optional_policy(` +@@ -365,6 +440,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -28273,7 +28302,7 @@ index 3eca020..fec701f 100644 ') optional_policy(` -@@ -402,6 +478,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms; +@@ -402,6 +479,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms; allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; 
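Review bot: The added `/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)` in rhcs.fc references `cluster_var_lib_t`, and no declaration of that type appears in this hunk or in the other hunks shown. If rhcs.te does not already declare it with `type cluster_var_lib_t;` and `files_type(cluster_var_lib_t)`, the module is expected to fail to build; please confirm the declaration exists or add it together with the label. Whether the type is declared elsewhere in policy-F14.patch cannot be determined from this hunk.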
@@ -28293,7 +28322,7 @@ index 3eca020..fec701f 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +511,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +512,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -28301,7 +28330,7 @@ index 3eca020..fec701f 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +519,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +520,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -28314,7 +28343,7 @@ index 3eca020..fec701f 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +532,11 @@ files_search_all(virt_domain) +@@ -440,6 +533,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -28326,7 +28355,7 @@ index 3eca020..fec701f 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +554,121 @@ optional_policy(` +@@ -457,8 +555,121 @@ optional_policy(` ') optional_policy(` 
@@ -28448,6 +28477,249 @@ index 3eca020..fec701f 100644 + userdom_search_admin_dir(virsh_ssh_t) +') + +diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc +new file mode 100644 +index 0000000..7667c31 +--- /dev/null ++++ b/policy/modules/services/vnstatd.fc +@@ -0,0 +1,6 @@ ++ ++/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) ++ ++/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) ++ ++/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) +diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if +new file mode 100644 +index 0000000..85dba86 +--- /dev/null ++++ b/policy/modules/services/vnstatd.if +@@ -0,0 +1,150 @@ ++ ++## policy for vnstatd ++ ++ ++######################################## ++## ++## Execute a domain transition to run vnstatd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vnstatd_domtrans',` ++ gen_require(` ++ type vnstatd_t, vnstatd_exec_t; ++ ') ++ ++ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) ++') ++ ++ ++ ++######################################## ++## ++## Execute a domain transition to run vnstat. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vnstatd_domtrans_vnstat',` ++ gen_require(` ++ type vnstat_t, vnstat_exec_t; ++ ') ++ ++ domtrans_pattern($1, vnstat_exec_t, vnstat_t) ++') ++ ++######################################## ++## ++## Search vnstatd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vnstatd_search_lib',` ++ gen_require(` ++ type vnstatd_var_lib_t; ++ ') ++ ++ allow $1 vnstatd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read vnstatd lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`vnstatd_read_lib_files',` ++ gen_require(` ++ type vnstatd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## vnstatd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vnstatd_manage_lib_files',` ++ gen_require(` ++ type vnstatd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage vnstatd lib dirs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vnstatd_manage_lib_dirs',` ++ gen_require(` ++ type vnstatd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an vnstatd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`vnstatd_admin',` ++ gen_require(` ++ type vnstatd_t; ++ type vnstatd_var_lib_t; ++ ') ++ ++ allow $1 vnstatd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, vnstatd_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, vnstatd_var_lib_t) ++ ++') +diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te +new file mode 100644 +index 0000000..db526e6 +--- /dev/null ++++ b/policy/modules/services/vnstatd.te +@@ -0,0 +1,69 @@ ++policy_module(vnstatd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type vnstatd_t; ++type vnstatd_exec_t; ++init_daemon_domain(vnstatd_t, vnstatd_exec_t) ++ ++permissive vnstatd_t; ++ ++type vnstatd_var_lib_t; ++files_type(vnstatd_var_lib_t) ++ ++type vnstat_t; ++type vnstat_exec_t; ++application_domain(vnstat_t, vnstat_exec_t) ++cron_system_entry(vnstat_t, vnstat_exec_t) ++ ++######################################## ++# ++# vnstatd local policy ++# ++allow vnstatd_t self:process { fork signal }; ++ ++allow vnstatd_t self:fifo_file rw_fifo_file_perms; ++allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) ++manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) ++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } ) ++ ++domain_use_interactive_fds(vnstatd_t) ++ ++files_read_etc_files(vnstatd_t) ++ ++logging_send_syslog_msg(vnstatd_t) ++ ++miscfiles_read_localization(vnstatd_t) ++ ++######################################## ++# ++# vnstat local policy ++# ++allow vnstat_t self:process { signal }; ++ ++allow vnstat_t self:fifo_file rw_fifo_file_perms; ++allow vnstat_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) ++manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) ++files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir 
file } ) ++ ++kernel_read_network_state(vnstat_t) ++kernel_read_system_state(vnstat_t) ++ ++domain_use_interactive_fds(vnstat_t) ++ ++files_read_etc_files(vnstat_t) ++ ++fs_getattr_xattr_fs(vnstat_t) ++ ++logging_send_syslog_msg(vnstat_t) ++ ++miscfiles_read_localization(vnstat_t) ++ ++ diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te index 1174ad8..f4c4c1b 100644 --- a/policy/modules/services/w3c.te @@ -29441,7 +29713,7 @@ index da2601a..f34a53f 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index e226da4..5fbf38f 100644 +index e226da4..29d5384 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false) @@ -29616,7 +29888,7 @@ index e226da4..5fbf38f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -246,30 +292,64 @@ tunable_policy(`use_samba_home_dirs',` +@@ -246,50 +292,105 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') @@ -29683,8 +29955,13 @@ index e226da4..5fbf38f 100644 +fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) - # cjp: why? -@@ -279,17 +359,37 @@ auth_use_nsswitch(xauth_t) +-# cjp: why? +-term_use_ptmx(xauth_t) ++# Probably a leak ++term_dontaudit_use_ptmx(xauth_t) ++term_dontaudit_use_console(xauth_t) + + auth_use_nsswitch(xauth_t) userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -29722,7 +29999,7 @@ index e226da4..5fbf38f 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -301,20 +401,33 @@ optional_policy(` +@@ -301,20 +402,33 @@ optional_policy(` # XDM Local policy # 
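Review bot: `permissive vnstatd_t;` in the new vnstatd.te ships the daemon domain in permissive mode, so none of the vnstatd_t rules below it are enforced, while `vnstat_t`, the cron-driven client declared in the same file, is enforced. If this is the usual bring-up default for a new domain, a comment such as `# permissive during initial policy validation; remove once denials are resolved` above it makes the intent and the required follow-up explicit. In vnstatd.if the `vnstatd_admin` interface documents a second parameter ("Role allowed access") but its body only uses `$1`, so either the documented role parameter should be dropped or the body should use `$2`. The summary lines of the new .if file appear to have lost their XML markup in this rendering, so the documentation mismatch is inferred from the remaining text.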
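Review bot: The comment `# Probably a leak` above the new `term_dontaudit_use_ptmx(xauth_t)` and `term_dontaudit_use_console(xauth_t)` in xserver.te does not record what is leaked or why silencing replaces the former `term_use_ptmx(xauth_t)` grant, which is exactly what the dropped `# cjp: why?` was asking. A comment such as `# callers leak pty/console fds into xauth; silence the denial rather than grant terminal access` would answer it for the next reader. Replacing an allow with a dontaudit is the narrower rule, so the policy change itself looks right; that xauth needs no terminal access is inferred from the change, not verified here.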
@@ -29759,7 +30036,7 @@ index e226da4..5fbf38f 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -322,32 +435,55 @@ can_exec(xdm_t, xdm_exec_t) +@@ -322,32 +436,55 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -29820,7 +30097,7 @@ index e226da4..5fbf38f 100644 allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -355,10 +491,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; +@@ -355,10 +492,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -29834,7 +30111,7 @@ index e226da4..5fbf38f 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -367,15 +506,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -367,15 +507,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -29858,7 +30135,7 @@ index e226da4..5fbf38f 100644 corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -390,18 +536,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -390,18 +537,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -29882,7 +30159,7 @@ index e226da4..5fbf38f 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -410,18 +560,23 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -410,18 +561,23 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) 
@@ -29909,7 +30186,7 @@ index e226da4..5fbf38f 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -432,9 +587,17 @@ files_list_mnt(xdm_t) +@@ -432,9 +588,17 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -29927,7 +30204,7 @@ index e226da4..5fbf38f 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -443,28 +606,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -443,28 +607,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -29966,7 +30243,7 @@ index e226da4..5fbf38f 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -473,6 +644,13 @@ userdom_read_user_home_content_files(xdm_t) +@@ -473,6 +645,13 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29980,7 +30257,7 @@ index e226da4..5fbf38f 100644 xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,11 +682,17 @@ tunable_policy(`xdm_sysadm_login',` +@@ -504,11 +683,17 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -29998,7 +30275,7 @@ index e226da4..5fbf38f 100644 ') optional_policy(` -@@ -516,12 +700,51 @@ optional_policy(` +@@ -516,12 +701,51 @@ optional_policy(` ') optional_policy(` @@ -30050,7 +30327,7 @@ index e226da4..5fbf38f 100644 hostname_exec(xdm_t) ') -@@ -539,20 +762,64 @@ optional_policy(` +@@ -539,20 +763,64 @@ optional_policy(` ') optional_policy(` 
@@ -30117,7 +30394,7 @@ index e226da4..5fbf38f 100644 ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -561,7 +828,6 @@ optional_policy(` +@@ -561,7 +829,6 @@ optional_policy(` ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -30125,7 +30402,7 @@ index e226da4..5fbf38f 100644 optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -572,6 +838,10 @@ optional_policy(` +@@ -572,6 +839,10 @@ optional_policy(` ') optional_policy(` @@ -30136,7 +30413,7 @@ index e226da4..5fbf38f 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +866,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +867,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -30145,7 +30422,7 @@ index e226da4..5fbf38f 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +880,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +881,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -30164,7 +30441,7 @@ index e226da4..5fbf38f 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +911,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +912,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -30186,7 +30463,7 @@ index e226da4..5fbf38f 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +931,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +932,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -30194,7 +30471,7 @@ index e226da4..5fbf38f 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +958,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +959,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -30202,7 +30479,7 @@ index e226da4..5fbf38f 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,8 +967,13 @@ dev_wx_raw_memory(xserver_t) +@@ -678,8 +968,13 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -30216,7 +30493,7 @@ index e226da4..5fbf38f 100644 files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) -@@ -693,8 +987,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +988,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -30230,7 +30507,7 @@ index e226da4..5fbf38f 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1015,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1016,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -30245,7 +30522,7 @@ index e226da4..5fbf38f 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1075,28 @@ optional_policy(` +@@ -773,12 +1076,28 @@ optional_policy(` ') optional_policy(` 
@@ -30275,7 +30552,7 @@ index e226da4..5fbf38f 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1105,10 @@ optional_policy(` +@@ -787,6 +1106,10 @@ optional_policy(` ') optional_policy(` @@ -30286,7 +30563,7 @@ index e226da4..5fbf38f 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1124,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -30299,7 +30576,7 @@ index e226da4..5fbf38f 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -826,6 +1148,13 @@ init_use_fds(xserver_t) +@@ -826,6 +1149,13 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -30313,7 +30590,7 @@ index e226da4..5fbf38f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -841,11 +1170,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -30330,7 +30607,7 @@ index e226da4..5fbf38f 100644 ') optional_policy(` -@@ -991,3 +1323,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; +@@ -991,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; diff --git a/selinux-policy.spec b/selinux-policy.spec index e2f8051..cf315b4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.5 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Thu Sep 16 2010 Dan Walsh 3.9.5-2 +- Add vnstat policy +- allow libvirt to send audit messages +- Allow chrome-sandbox to search nfs_t + * Thu Sep 16 2010 Dan Walsh 3.9.5-1 - Update to upstream