From fbd9ca071a9e9286ca36dad30f4883d79ae141b4 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Oct 01 2010 16:06:09 +0000 Subject: - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanger and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeld samba_share_t --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 50c1fe5..404e587 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -251,6 +251,14 @@ allow_nsplugin_execmem=true # allow_unconfined_nsplugin_transition=true +# Allow unconfined domain to transition to confined domain +# +unconfined_mozilla_plugin_transition=true + +# Allow unconfined domain to transition to confined domain +# +unconfined_telepathy_transition=true + # System uses init upstart program # init_upstart = true diff --git a/policy-F14.patch b/policy-F14.patch index 89cff5d..456fd99 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -1467,7 +1467,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 5f44f1b..2993130 100644 +index 5f44f1b..bb95e79 100644 --- a/policy/modules/admin/sudo.if 
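Review bot: The two comments added to booleans-targeted.conf, `# Allow unconfined domain to transition to confined domain`, are word-for-word identical and do not say which domain each boolean governs, so a reader of the conf file cannot tell the two entries apart without opening the policy source. I would write `# Allow unconfined user to transition to mozilla_plugin_t when running plugin-container` above unconfined_mozilla_plugin_transition and `# Allow unconfined user to transition to the confined telepathy domains` above unconfined_telepathy_transition. Both are set to `true` here while the matching gen_tunable lines later in this patch default to false and the commit message says the transition is turned off in F14; if this conf file wins at build time the F14 default is actually on, which is worth confirming before merging.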
+++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -1497,7 +1497,7 @@ index 5f44f1b..2993130 100644 allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_file_perms; allow $3 $1_sudo_t:process signal_perms; -@@ -111,6 +117,7 @@ template(`sudo_role_template',` +@@ -111,12 +117,15 @@ template(`sudo_role_template',` term_relabel_all_ttys($1_sudo_t) term_relabel_all_ptys($1_sudo_t) @@ -1505,7 +1505,15 @@ index 5f44f1b..2993130 100644 auth_run_chk_passwd($1_sudo_t, $2) # sudo stores a token in the pam_pid directory -@@ -133,13 +140,18 @@ template(`sudo_role_template',` + auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + ++ application_signal($1_sudo_t) ++ + init_rw_utmp($1_sudo_t) + + logging_send_audit_msgs($1_sudo_t) +@@ -133,13 +142,18 @@ template(`sudo_role_template',` userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) @@ -1606,7 +1614,7 @@ index aecbf1c..0b5e634 100644 optional_policy(` diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index c35d801..961424f 100644 +index c35d801..b1a841a 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t) @@ -1620,11 +1628,13 @@ index c35d801..961424f 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -295,15 +293,18 @@ selinux_compute_user_contexts(passwd_t) +@@ -293,17 +291,18 @@ selinux_compute_create_context(passwd_t) + selinux_compute_relabel_context(passwd_t) + selinux_compute_user_contexts(passwd_t) - term_use_all_ttys(passwd_t) - term_use_all_ptys(passwd_t) -+term_use_generic_ptys(passwd_t) +-term_use_all_ttys(passwd_t) +-term_use_all_ptys(passwd_t) ++term_use_all_terms(passwd_t) -auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) 
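Review bot: `application_signal($1_sudo_t)` in the sudo.if hunk, judging by its name, grants signal to every domain carrying the application attribute, which is wider than the "domains the user could have transitioned to" wording in the commit message, and nothing in the hunk records why. A one-line comment above it, `# sudo signals children that transitioned into other application domains`, would keep the intent next to the rule. If a narrower set of domains is sufficient, a targeted interface would be preferable to an attribute-wide grant.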
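Review bot: In the usermanage.te hunk, `term_use_all_terms(passwd_t)` replaces both `term_use_all_ttys(passwd_t)` and `term_use_all_ptys(passwd_t)`, and the only explanation is the commit message's note about single-user mode and console_device_t; that reason belongs next to the rule, e.g. `# single user mode: passwd must talk to console_device_t`. If console_device_t is the only additional terminal type needed, a more specific interface than all terminals may be the smaller change — worth checking what term_use_all_terms covers beyond the two it replaces.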
@@ -1641,7 +1651,7 @@ index c35d801..961424f 100644 domain_use_interactive_fds(passwd_t) -@@ -334,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -334,6 +333,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -1649,7 +1659,7 @@ index c35d801..961424f 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -428,7 +430,7 @@ optional_policy(` +@@ -428,7 +428,7 @@ optional_policy(` # Useradd local policy # @@ -1658,7 +1668,7 @@ index c35d801..961424f 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -500,12 +502,8 @@ seutil_domtrans_setfiles(useradd_t) +@@ -500,12 +500,8 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -3701,7 +3711,7 @@ index 9a6d67d..47aa143 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..3ecd99b 100644 +index cbf4bec..70d899d 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -3774,7 +3784,7 @@ index cbf4bec..3ecd99b 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,108 @@ optional_policy(` +@@ -266,3 +291,121 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') 
@@ -3815,8 +3825,18 @@ index cbf4bec..3ecd99b 100644 +corecmd_exec_bin(mozilla_plugin_t) +corecmd_exec_shell(mozilla_plugin_t) + ++corenet_tcp_connect_flash_port(mozilla_plugin_t) ++corenet_tcp_connect_streaming_port(mozilla_plugin_t) ++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) ++corenet_tcp_connect_http_port(mozilla_plugin_t) ++corenet_tcp_connect_http_cache_port(mozilla_plugin_t) ++corenet_tcp_connect_squid_port(mozilla_plugin_t) ++corenet_tcp_connect_ipp_port(mozilla_plugin_t) ++corenet_tcp_connect_speech_port(mozilla_plugin_t) ++ +dev_read_urand(mozilla_plugin_t) +dev_read_video_dev(mozilla_plugin_t) ++dev_write_video_dev(mozilla_plugin_t) +dev_read_sysfs(mozilla_plugin_t) +dev_read_sound(mozilla_plugin_t) +dev_write_sound(mozilla_plugin_t) @@ -3852,6 +3872,7 @@ index cbf4bec..3ecd99b 100644 + +optional_policy(` + alsa_read_rw_config(mozilla_plugin_t) ++ alsa_read_home_files(mozilla_plugin_t) +') + +optional_policy(` @@ -3874,8 +3895,10 @@ index cbf4bec..3ecd99b 100644 +') + +optional_policy(` ++ pulseaudio_exec(mozilla_plugin_t) ++ pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) -+ pulseaudio_rw_home_files(mozilla_plugin_t) ++ pulseaudio_manage_home_files(mozilla_plugin_t) +') + +optional_policy(` @@ -6088,15 +6111,28 @@ index 7590165..e5ef7b3 100644 ') ') + +diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te +index e9134f0..3d2ef30 100644 +--- a/policy/modules/apps/slocate.te ++++ b/policy/modules/apps/slocate.te +@@ -38,6 +38,7 @@ dev_getattr_all_blk_files(locate_t) + dev_getattr_all_chr_files(locate_t) + + files_list_all(locate_t) ++files_dontaudit_read_all_symlinks(locate_t) + files_getattr_all_files(locate_t) + files_getattr_all_pipes(locate_t) + files_getattr_all_sockets(locate_t) diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc new file mode 100644 -index 0000000..1e47b96 +index 0000000..809bb65 --- /dev/null 
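Review bot: In the last mozilla.te hunk on this line, `pulseaudio_rw_home_files(mozilla_plugin_t)` becomes `pulseaudio_manage_home_files(mozilla_plugin_t)` and `pulseaudio_exec`/`pulseaudio_stream_connect` are added, so the plugin domain goes from reading and writing existing pulseaudio home files to creating and deleting them, while the commit message only says alsa sets up pulseaudio. If creation of new files under the pulseaudio home directory is what was denied, a comment such as `# plugin-container launches pulseaudio, which creates its per-user files` would explain the wider rule. The new `corenet_tcp_connect_*` and `dev_write_video_dev` lines in the first hunk on this line are equally uncommented and would benefit from the same treatment.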
+++ b/policy/modules/apps/telepathy.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,15 @@ +HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) -+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) ++HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) ++HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) + +/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) + @@ -6304,10 +6340,10 @@ index 0000000..3d12484 +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..c4fe796 +index 0000000..34a2b48 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,320 @@ +@@ -0,0 +1,327 @@ + +policy_module(telepathy, 1.0.0) + @@ -6341,6 +6377,9 @@ index 0000000..c4fe796 +type telepathy_mission_control_cache_home_t; +userdom_user_home_content(telepathy_mission_control_cache_home_t) + ++type telepathy_sunshine_home_t; ++userdom_user_home_content(telepathy_sunshine_home_t) ++ +telepathy_domain_template(msn) +telepathy_domain_template(salut) +telepathy_domain_template(sofiasip) 
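Review bot: The new telepathy.fc line `+HOME_DIR/.telepathy-sunshine(/.*)?` leaves the leading dot unescaped, unlike the `\.mission-control`, `\.cache` and `\.mc_connections` lines around it, so as a file-context regex it matches any single character before `telepathy-sunshine`, not only the dot-directory. It should read `HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)`. The gabble line appears to change only whitespace and could be dropped from the patch to keep the diff to its real changes.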
@@ -6561,12 +6600,16 @@ index 0000000..c4fe796 +# +# Telepathy Sunshine local policy. +# ++manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) ++manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) ++userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) ++userdom_search_user_home_dirs(telepathy_sunshine_t) + +manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) +exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) +files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) + -+corecmd_list_bin(telepathy_sunshine_t) ++corecmd_exec_bin(telepathy_sunshine_t) + +dev_read_urand(telepathy_sunshine_t) + @@ -6984,7 +7027,7 @@ index 82842a0..369c3b5 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 0eb1d97..38d675c 100644 +index 0eb1d97..46af2a4 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -9,8 +9,11 @@ @@ -7040,7 +7083,7 @@ index 0eb1d97..38d675c 100644 /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/opt/google/talkplugin/cron(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + @@ -8061,7 +8104,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..000c53a 100644 +index 5302dac..a738502 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` 
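Review bot: `corecmd_list_bin(telepathy_sunshine_t)` becomes `corecmd_exec_bin(telepathy_sunshine_t)` in the telepathy.te hunk, moving from listing bin directories to executing any bin_t file, with no comment on which helper sunshine runs; `# sunshine execs <helper> from the bin directories — TODO name it` would tie the grant to its cause. The new home-directory rules above it look consistent with the other telepathy home types, but a short comment on what is stored under telepathy_sunshine_home_t would help the next reader.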
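Review bot: Widening `/opt/google/talkplugin/cron(/.*)?` to `/opt/google/talkplugin(/.*)?` in corecommands.fc labels every file under that tree bin_t, including any data or configuration the plugin ships, so each becomes executable for every domain with corecmd_exec_bin. If the binaries live in a few known subdirectories, listing those paths would keep the data files out of bin_t. If the tree really is all executables, a comment saying so, `# everything shipped under this directory is an executable`, would answer the question the next reviewer will have.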
@@ -8506,7 +8549,7 @@ index 5302dac..000c53a 100644 ') ######################################## -@@ -5826,3 +6137,229 @@ interface(`files_unconfined',` +@@ -5826,3 +6137,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -8623,6 +8666,24 @@ index 5302dac..000c53a 100644 + +######################################## +## ++## Allow read write all tmpfs files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_rw_tmpfs_files',` ++ gen_require(` ++ attribute tmpfsfile; ++ ') ++ ++ allow $1 tmpfsfile:file { read write }; ++') ++ ++######################################## ++## +## Do not audit attempts to read security files +## +## @@ -9214,7 +9275,7 @@ index 0dff98e..a09ab47 100644 # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index ed7667a..46e9859 100644 +index ed7667a..10c14fe 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',` @@ -9273,7 +9334,32 @@ index ed7667a..46e9859 100644 ') ######################################## -@@ -2845,6 +2885,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2380,6 +2420,24 @@ interface(`kernel_rw_unlabeled_blk_files',` + + ######################################## + ## ++## Read and write unlabeled sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_unlabeled_socket',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:socket rw_socket_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to get attributes for + ## unlabeled character devices. + ## +@@ -2845,6 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## 
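Review bot: The new `files_rw_tmpfs_files` interface documents its parameter as `Domain to not audit.` although the body is an allow rule, `allow $1 tmpfsfile:file { read write };`; the parameter text should be `Domain allowed access.` and the summary `Read and write all tmpfs files.`. Because the rule is written over the tmpfsfile attribute it reaches every domain's tmpfs files, which is a broad grant for an interface with a one-line summary, so the description should say that callers are expected to prefer a type-specific interface where one exists. Spelling the permissions as `rw_file_perms` would also match the permission-set macros used by the other interfaces added in this patch.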
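Review bot: `kernel_rw_unlabeled_socket` in the kernel.if hunk grants `rw_socket_perms` on `unlabeled_t:socket` with a summary that reads like a permanent interface, while the commit message describes it as a stop-gap until a kernel labelling bug is fixed; the description should say so, e.g. `## Temporary: the kernel currently hands bluetooth an unlabeled socket; remove once fixed.`, so it is not reused as a general escape hatch. Unlabeled objects are exactly what the policy cannot reason about, so any caller should stay behind the hide_broken_symptoms guard used for bluetooth_t later in this patch.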
@@ -9298,7 +9384,7 @@ index ed7667a..46e9859 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2860,3 +2918,23 @@ interface(`kernel_unconfined',` +@@ -2860,3 +2936,23 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') @@ -10947,10 +11033,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..a09ca52 +index 0000000..0e47a85 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,478 @@ +@@ -0,0 +1,492 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10961,13 +11047,27 @@ index 0000000..a09ca52 + +## +##

-+## Transition to confined nsplugin domains from unconfined user ++## Transition unconfined user to the nsplugin domains when running nspluginviewer +##

+##
+gen_tunable(allow_unconfined_nsplugin_transition, false) + +## +##

++## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container. ++##

++##
++gen_tunable(unconfined_mozilla_plugin_transition, false) ++ ++## ++##

++## Transition unconfined user to telepathy confined domains. ++##

++##
++gen_tunable(unconfined_telepathy_transition, false) ++ ++## ++##

+## Allow vidio playing tools to tun unconfined +##

+##
@@ -11113,10 +11213,6 @@ index 0000000..a09ca52 + ') + + optional_policy(` -+ iptables_run(unconfined_usertype, unconfined_r) -+ ') -+ -+ optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) + ') + @@ -11282,8 +11378,11 @@ index 0000000..a09ca52 + role system_r types unconfined_mono_t; +') + ++ +optional_policy(` -+ mozilla_run_plugin(unconfined_usertype, unconfined_r) ++ tunable_policy(`unconfined_mozilla_plugin_transition', ` ++ mozilla_run_plugin(unconfined_usertype, unconfined_r) ++ ') +') + +optional_policy(` @@ -11344,7 +11443,9 @@ index 0000000..a09ca52 +') + +optional_policy(` -+ telepathy_dbus_session_role(unconfined_r, unconfined_t) ++ tunable_policy(`unconfined_telepathy_transition', ` ++ telepathy_dbus_session_role(unconfined_r, unconfined_t) ++ ') +') + +optional_policy(` @@ -11428,7 +11529,6 @@ index 0000000..a09ca52 +# + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -+ diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 9b55b00..2932c13 100644 --- a/policy/modules/roles/unprivuser.te @@ -11917,7 +12017,7 @@ index 98646c4..5be7dc8 100644 + allow abrt_t domain:process setrlimit; ') diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if -index c0f858d..fe060aa 100644 +index c0f858d..d639ae0 100644 --- a/policy/modules/services/accountsd.if +++ b/policy/modules/services/accountsd.if @@ -5,9 +5,9 @@ @@ -11932,6 +12032,15 @@ index c0f858d..fe060aa 100644 ## # interface(`accountsd_domtrans',` +@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -138,7 +138,7 @@ interface(`accountsd_admin',` type accountsd_t; ') @@ -14463,7 +14572,7 @@ index 3e45431..fa57a6f 100644 admin_pattern($1, bluetooth_var_lib_t) 
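Review bot: Wrapping `mozilla_run_plugin(unconfined_usertype, unconfined_r)` and, in the following hunk, `telepathy_dbus_session_role(unconfined_r, unconfined_t)` in `tunable_policy` blocks only works if neither interface expands to a `role` statement, because conditional blocks accept access-vector and type rules only; `_run` and `_role` interfaces normally carry `role $2 types ...;`, so this may fail at policy build time. If that is the case, keep the role line unconditional and put only the domain-transition rules under the tunable. The boolean descriptions added above these hunks are clear; the F14/F15 default discussion from the commit message would be worth a one-line comment next to each `gen_tunable(..., false)`.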
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te -index 215b86b..08afbb9 100644 +index 215b86b..67818fe 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0) @@ -14474,6 +14583,28 @@ index 215b86b..08afbb9 100644 type bluetooth_t; type bluetooth_exec_t; init_daemon_domain(bluetooth_t, bluetooth_exec_t) +@@ -99,6 +100,10 @@ kernel_request_load_module(bluetooth_t) + #search debugfs - redhat bug 548206 + kernel_search_debugfs(bluetooth_t) + ++ifdef(`hide_broken_symptoms', ` ++ kernel_rw_unlabeled_socket(bluetooth_t) ++') ++ + corenet_all_recvfrom_unlabeled(bluetooth_t) + corenet_all_recvfrom_netlabel(bluetooth_t) + corenet_tcp_sendrecv_generic_if(bluetooth_t) +@@ -147,6 +152,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) + userdom_dontaudit_search_user_home_dirs(bluetooth_t) + + optional_policy(` ++ devicekit_dbus_chat_power(bluetooth_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(bluetooth_t) + dbus_connect_system_bus(bluetooth_t) + diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc new file mode 100644 index 0000000..c095160 @@ -16429,7 +16560,7 @@ index 0258b48..c4d678b 100644 ######################################## diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if -index 42c6bd7..53b10e3 100644 +index 42c6bd7..ac43a92 100644 --- a/policy/modules/services/consolekit.if +++ b/policy/modules/services/consolekit.if @@ -5,9 +5,9 @@ 
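Review bot: The hide_broken_symptoms block adding `kernel_rw_unlabeled_socket(bluetooth_t)` has no comment, while the reason — the kernel creating an unlabeled_t socket that bluetoothd then uses — lives only in the commit message and will be lost once the patch is merged; I would put `# kernel creates an unlabeled_t socket for bluetooth; drop when the kernel labels it` above the ifdef. A tracking bug number would be better still, in the style of the existing `#search debugfs - redhat bug 548206` comment two lines above.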
@@ -16444,7 +16575,32 @@ index 42c6bd7..53b10e3 100644 ## # interface(`consolekit_domtrans',` -@@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',` +@@ -41,6 +41,24 @@ interface(`consolekit_dbus_chat',` + + ######################################## + ## ++## Dontaudit attempts to read consolekit log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`consolekit_dontaudit_read_log',` ++ gen_require(` ++ type consolekit_log_t; ++ ') ++ ++ dontaudit $1 consolekit_log_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Read consolekit log files. + ## + ## +@@ -95,3 +113,22 @@ interface(`consolekit_read_pid_files',` files_search_pids($1) read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ') @@ -18120,7 +18276,7 @@ index f706b99..ab2edfc 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..58416a0 100644 +index f231f17..184b4b5 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) @@ -18215,7 +18371,18 @@ index f231f17..58416a0 100644 hal_domtrans_mac(devicekit_power_t) hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) -@@ -280,5 +303,9 @@ optional_policy(` +@@ -269,6 +292,10 @@ optional_policy(` + ') + + optional_policy(` ++ networkmanager_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(devicekit_power_t) + policykit_domtrans_auth(devicekit_power_t) + policykit_read_lib(devicekit_power_t) +@@ -280,5 +307,9 @@ optional_policy(` ') optional_policy(` @@ -22168,7 +22335,7 @@ index 3368699..7a7fc02 100644 # interface(`modemmanager_domtrans',` diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te -index b3ace16..3dd940c 100644 +index b3ace16..7f18c33 100644 
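Review bot: `networkmanager_domtrans(devicekit_power_t)` in the devicekit.te hunk lets the power daemon execute and transition into the NetworkManager domain, which is not among the changes listed in the commit message and is a larger privilege step than the dbus chat rules around it; a comment naming the program upower runs, `# upower runs <NetworkManager program> — TODO confirm`, would justify it. If a dbus call is what upower actually needs, `networkmanager_dbus_chat` would be the smaller grant.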
--- a/policy/modules/services/modemmanager.te +++ b/policy/modules/services/modemmanager.te @@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; @@ -22189,10 +22356,14 @@ index b3ace16..3dd940c 100644 term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -@@ -37,5 +39,9 @@ logging_send_syslog_msg(modemmanager_t) +@@ -37,5 +39,13 @@ logging_send_syslog_msg(modemmanager_t) networkmanager_dbus_chat(modemmanager_t) optional_policy(` ++ devicekit_dbus_chat_power(modemmanager_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(modemmanager_t) +') + @@ -30503,7 +30674,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..85203da 100644 +index e30bb63..e4334a6 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -30525,6 +30696,15 @@ index e30bb63..85203da 100644 dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; +@@ -263,7 +260,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) + manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) + manage_files_pattern(smbd_t, samba_share_t, samba_share_t) + manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) +-allow smbd_t samba_share_t:filesystem getattr; ++allow smbd_t samba_share_t:filesystem { getattr quotaget }; + + manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) + manage_files_pattern(smbd_t, samba_var_t, samba_var_t) @@ -279,7 +276,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) 
@@ -35850,7 +36030,7 @@ index da2601a..f963642 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index e226da4..69093aa 100644 +index e226da4..f37e8ae 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,43 @@ gen_require(` @@ -36652,7 +36832,7 @@ index e226da4..69093aa 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,8 +959,13 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +959,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -36666,7 +36846,11 @@ index e226da4..69093aa 100644 files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) -@@ -693,8 +979,13 @@ fs_getattr_xattr_fs(xserver_t) ++files_rw_tmpfs_files(xserver_t) + + # brought on by rhgb + files_search_mnt(xserver_t) +@@ -693,8 +980,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -36680,7 +36864,7 @@ index e226da4..69093aa 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1007,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1008,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -36695,7 +36879,7 @@ index e226da4..69093aa 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1067,28 @@ optional_policy(` +@@ -773,12 +1068,28 @@ optional_policy(` ') optional_policy(` @@ -36725,7 +36909,7 @@ index e226da4..69093aa 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1097,10 @@ optional_policy(` +@@ -787,6 +1098,10 @@ optional_policy(` ') optional_policy(` 
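Review bot: `files_rw_tmpfs_files(xserver_t)` gives the X server read and write access to the tmpfs files of every domain via the tmpfsfile attribute, as the interface added earlier in this patch shows, with no comment on which client's files it needs; that is broad for a process every X client talks to, and the usual route is a type-specific rule such as the `rhgb_rw_tmpfs_files(xserver_t)` already present a few hunks down. At minimum record the triggering denial, `# X needs rw on <type>_tmpfs_t — TODO narrow to that type`, so the grant can be tightened later.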
@@ -36736,7 +36920,7 @@ index e226da4..69093aa 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1116,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1117,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -36750,7 +36934,7 @@ index e226da4..69093aa 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1127,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1128,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -36759,7 +36943,7 @@ index e226da4..69093aa 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1140,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1141,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -36769,7 +36953,7 @@ index e226da4..69093aa 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -841,11 +1158,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1159,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -36786,7 +36970,7 @@ index e226da4..69093aa 100644 ') optional_policy(` -@@ -853,6 +1173,10 @@ optional_policy(` +@@ -853,6 +1174,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -36797,7 +36981,7 @@ index e226da4..69093aa 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1220,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1221,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -36806,7 +36990,7 @@ index e226da4..69093aa 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1274,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1275,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -36838,7 +37022,7 @@ index e226da4..69093aa 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1320,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1321,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -37374,7 +37558,7 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..c411b5e 100644 +index bea0ade..149e383 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
@@ -37566,7 +37750,33 @@ index bea0ade..c411b5e 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -1500,6 +1586,8 @@ interface(`auth_manage_login_records',` +@@ -1346,6 +1432,25 @@ interface(`auth_read_login_records',` + + ######################################## + ## ++## Read login records files (/var/log/wtmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`auth_dontaudit_read_login_records',` ++ gen_require(` ++ type wtmp_t; ++ ') ++ ++ dontaudit $1 wtmp_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read login records + ## files (/var/log/wtmp). + ## +@@ -1500,6 +1605,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -37575,7 +37785,7 @@ index bea0ade..c411b5e 100644 files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1619,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1638,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -43603,7 +43813,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 2aa8928..b4d758b 100644 +index 2aa8928..54365f8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -44509,12 +44719,13 @@ index 2aa8928..b4d758b 100644 ############################## # # Local policy -@@ -867,45 +1005,103 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -867,45 +1005,105 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) ++ auth_dontaudit_read_login_records($1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) 
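Review bot: The new `auth_dontaudit_read_login_records` interface is documented as `## Read login records files (/var/log/wtmp).` with a parameter `Domain allowed access.`, but its body is a dontaudit; the summary should be `## Do not audit attempts to read login records files (/var/log/wtmp).` and the parameter `Domain to not audit.`. The interface immediately below it is documented with exactly that wording, so it is worth confirming the new name does not duplicate an interface already defined in this file.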
@@ -44573,6 +44784,7 @@ index 2aa8928..b4d758b 100644 + ') + + optional_policy(` ++ consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') + @@ -44624,7 +44836,7 @@ index 2aa8928..b4d758b 100644 ') ') -@@ -940,7 +1136,7 @@ template(`userdom_unpriv_user_template', ` +@@ -940,7 +1138,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -44633,7 +44845,7 @@ index 2aa8928..b4d758b 100644 userdom_common_user_template($1) ############################## -@@ -949,54 +1145,77 @@ template(`userdom_unpriv_user_template', ` +@@ -949,54 +1147,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -44741,7 +44953,7 @@ index 2aa8928..b4d758b 100644 ') ') -@@ -1032,7 +1251,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1032,7 +1253,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -44750,7 +44962,7 @@ index 2aa8928..b4d758b 100644 ') ############################## -@@ -1067,6 +1286,9 @@ template(`userdom_admin_user_template',` +@@ -1067,6 +1288,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -44760,7 +44972,7 @@ index 2aa8928..b4d758b 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1081,6 +1303,7 @@ template(`userdom_admin_user_template',` +@@ -1081,6 +1305,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -44768,7 +44980,7 @@ index 2aa8928..b4d758b 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1112,10 +1335,13 @@ template(`userdom_admin_user_template',` +@@ -1112,10 +1337,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -44782,7 +44994,7 @@ index 2aa8928..b4d758b 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1135,6 +1361,7 @@ template(`userdom_admin_user_template',` +@@ -1135,6 +1363,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -44790,7 +45002,7 @@ index 2aa8928..b4d758b 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1203,6 +1430,8 @@ template(`userdom_security_admin_template',` +@@ -1203,6 +1432,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -44799,7 +45011,7 @@ index 2aa8928..b4d758b 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1230,6 +1459,7 @@ template(`userdom_security_admin_template',` +@@ -1230,6 +1461,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -44807,7 +45019,7 @@ index 2aa8928..b4d758b 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1268,12 +1498,15 @@ template(`userdom_security_admin_template',` +@@ -1268,12 +1500,15 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -44824,7 +45036,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -1384,6 +1617,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1384,6 +1619,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -44832,7 +45044,7 @@ index 2aa8928..b4d758b 100644 files_search_home($1) ') -@@ -1430,6 +1664,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1430,6 +1666,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -44847,7 +45059,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -1445,9 +1687,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1445,9 +1689,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -44859,7 +45071,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -1504,6 +1748,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1504,6 +1750,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -44902,7 +45114,7 @@ index 2aa8928..b4d758b 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1578,6 +1858,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1578,6 +1860,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -44911,7 +45123,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -1592,10 +1874,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1592,10 +1876,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -44926,7 +45138,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -1638,34 +1922,53 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1638,34 +1924,53 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## 
@@ -44988,7 +45200,7 @@ index 2aa8928..b4d758b 100644 gen_require(` type user_home_dir_t, user_home_t; ') -@@ -1689,12 +1992,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1689,12 +1994,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -45021,7 +45233,7 @@ index 2aa8928..b4d758b 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1705,11 +2030,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -45039,7 +45251,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -1799,8 +2125,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1799,8 +2127,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45049,7 +45261,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -1816,20 +2141,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1816,20 +2143,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45074,7 +45286,7 @@ index 2aa8928..b4d758b 100644 ######################################## ## -@@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2171,7 +2492,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45083,7 +45295,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -2424,13 +2743,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2424,13 +2745,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -45099,7 +45311,7 @@ index 2aa8928..b4d758b 100644 ## ## ## -@@ -2451,26 +2771,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2451,26 +2773,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -45126,7 +45338,7 @@ index 2aa8928..b4d758b 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2804,7 +3104,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2804,7 +3106,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -45135,7 +45347,7 @@ index 2aa8928..b4d758b 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2820,11 +3120,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2820,11 +3122,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -45151,7 +45363,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -2906,7 +3208,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2906,7 +3210,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -45160,7 +45372,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -2961,7 +3263,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2961,7 +3265,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -45207,7 +45419,7 @@ index 2aa8928..b4d758b 100644 ') ######################################## -@@ -2998,6 +3338,7 @@ interface(`userdom_read_all_users_state',` +@@ -2998,6 +3340,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -45215,7 +45427,7 @@ index 2aa8928..b4d758b 100644 kernel_search_proc($1) ') -@@ -3128,3 +3469,854 @@ interface(`userdom_dbus_send_all_users',` +@@ -3128,3 +3471,854 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
diff --git a/selinux-policy.spec b/selinux-policy.spec index c224b8f..c261d67 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.5 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,20 @@ exit 0 %endif %changelog +* Thu Sep 30 2010 Dan Walsh 3.9.5-9 +- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user +- Turn off iptables from unconfined user +- Allow sudo to send signals to any domains the user could have transitioned to. +- Passwd in single user mode needs to talk to console_device_t +- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio +- locate tried to read a symbolic link, will dontaudit +- New labels for telepathy-sunshine content in homedir +- Google is storing other binaries under /opt/google/talkplugin +- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug +- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 +- modemmanger and bluetooth send dbus messages to devicekit_power +- Samba needs to getquota on filesystems labeld samba_share_t + * Wed Sep 29 2010 Dan Walsh 3.9.5-8 - Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t