From eead2a6f25a9c9b1b0b19243a550ec5e2475e8f5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 20 2009 17:28:24 +0000 Subject: - Allow fprintd to access sys_ptrace - Add sandbox policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index f01957a..1078d16 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1188,6 +1188,13 @@ rwho = module samba = module # Layer: apps +# Module: sandbox +# +# Experimental policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps # Module: sambagui # # policy for system-config-samba diff --git a/policy-20090105.patch b/policy-20090105.patch index 3673569..27f4622 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -4578,6 +4578,134 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive sambagui_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.12/policy/modules/apps/sandbox.fc +--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.fc 2009-05-20 13:18:54.000000000 -0400 +@@ -0,0 +1 @@ ++# No types are sandbox_exec_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if +--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if 2009-05-20 13:19:04.000000000 -0400 +@@ -0,0 +1,75 @@ ++ ++## policy for sandbox ++ ++######################################## ++## ++## Execute a domain transition to run sandbox. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sandbox_domtrans',` ++ gen_require(` ++ type sandbox_t; ++ type sandbox_exec_t; ++ ') ++ ++ domtrans_pattern($1,sandbox_exec_t,sandbox_t) ++') ++ ++ ++######################################## ++## ++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++# ++interface(`sandbox_run',` ++ gen_require(` ++ type sandbox_t; ++ ') ++ ++ sandbox_domtrans($1) ++ role $2 types sandbox_t; ++') ++ ++######################################## ++## ++## Role access for sandbox ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`sandbox_role',` ++ gen_require(` ++ type sandbox_t; ++ ') ++ ++ role $2 types sandbox_t; ++ ++ sandbox_domtrans($1) ++ ++ ps_process_pattern($2, sandbox_t) ++ allow $2 sandbox_t:process signal; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te +--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-20 13:27:01.000000000 -0400 +@@ -0,0 +1,40 @@ ++policy_module(sandbox,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type sandbox_t; ++type sandbox_exec_t; ++application_domain(sandbox_t, sandbox_exec_t) ++init_daemon_domain(sandbox_t, sandbox_exec_t) ++role system_r types sandbox_t; ++ ++type sandbox_file_t; ++files_type(sandbox_file_t) ++ ++######################################## ++# ++# sandbox local policy ++# ++ ++## internal communication is often done using fifo and unix sockets. ++allow sandbox_t self:fifo_file rw_file_perms; ++allow sandbox_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) ++manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) ++manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) ++manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) ++manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) ++ ++files_rw_all_inherited_files(sandbox_t) ++files_entrypoint_all_files(sandbox_t) ++ ++libs_use_ld_so(sandbox_t) ++libs_use_shared_libs(sandbox_t) ++ ++miscfiles_read_localization(sandbox_t) ++ ++userdom_use_user_ptys(sandbox_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-12 15:30:13.000000000 -0400 @@ -5575,7 +5703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-14 08:50:17.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-20 13:26:43.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5857,7 +5985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5078,132 @@ +@@ -4921,3 +5078,172 @@ typeattribute $1 files_unconfined_type; ') @@ -5990,6 +6118,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 security_file_type:file read_file_perms; +') ++ ++######################################## ++## ++## rw any files inherited from another process ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_rw_all_inherited_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 file_type:file { getattr read write append lock }; ++ allow $1 file_type:fifo_file { getattr read write append ioctl lock }; ++ allow $1 file_type:sock_file { getattr read write append ioctl lock }; ++ allow $1 file_type:chr_file { getattr read write append ioctl lock }; ++') ++ ++######################################## ++## ++## Allow any file point to be the entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_entrypoint_all_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ allow $1 file_type:file entrypoint; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/files.te 2009-05-12 15:30:13.000000000 -0400 @@ -7727,8 +7895,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-12 15:30:13.000000000 -0400 -@@ -0,0 +1,397 @@ ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-20 13:21:29.000000000 -0400 +@@ -0,0 +1,401 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -8008,6 +8176,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ sandbox_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + sendmail_run_unconfined(unconfined_t, unconfined_r) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index f4434aa..f15dfde 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 38%{?dist} +Release: 39%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,10 @@ exit 0 %endif %changelog +* Wed May 20 2009 Dan Walsh 3.6.12-39 +- Allow fprintd to access sys_ptrace +- Add sandbox policy + * Mon May 18 2009 Dan Walsh 3.6.12-38 - Add varnishd policy @@ -484,7 +488,6 @@ exit 0 * Mon May 11 2009 Dan Walsh 3.6.12-35 - Add /usr/share/selinux/packages -- Turn on nsplugin boolean * Mon May 11 2009 Dan Walsh 3.6.12-34 - Allow rpcd_t to send signals to kernel threads