diff --git a/policy-F16.patch b/policy-F16.patch index 0baf745..ddcdebf 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -32460,7 +32460,7 @@ index 9bd812b..2385a2c 100644 ## an dnsmasq environment ## diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..d707dde 100644 +index fdaeeba..06021d4 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) @@ -32487,7 +32487,7 @@ index fdaeeba..d707dde 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +100,16 @@ optional_policy(` +@@ -96,7 +100,20 @@ optional_policy(` ') optional_policy(` @@ -32500,11 +32500,15 @@ index fdaeeba..d707dde 100644 +') + +optional_policy(` ++ networkmanager_read_pid_files(dnsmasq_t) ++') ++ ++optional_policy(` + ppp_read_pid_files(dnsmasq_t) ') optional_policy(` -@@ -114,4 +127,5 @@ optional_policy(` +@@ -114,4 +131,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -53589,7 +53593,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..ba5d941 100644 +index 22adaca..d9c1d90 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -53811,7 +53815,7 @@ index 22adaca..ba5d941 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +493,9 @@ interface(`ssh_read_pipes',` +@@ -477,8 +493,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -53819,10 +53823,28 @@ index 22adaca..ba5d941 100644 + allow $1 sshd_t:fifo_file read_fifo_file_perms; ') + ++###################################### ++## ++## Read and write ssh server unix dgram sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_rw_dgram_sockets',` ++ gen_require(` ++ type sshd_t; ++ ') ++ ++ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; ++') ++ ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +511,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +529,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -53831,7 +53853,7 @@ index 22adaca..ba5d941 100644 ') ######################################## -@@ -586,6 +603,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +621,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -53856,7 +53878,7 @@ index 22adaca..ba5d941 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +653,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +671,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -53865,7 +53887,7 @@ index 22adaca..ba5d941 100644 files_search_pids($1) ') -@@ -680,6 +715,32 @@ interface(`ssh_domtrans_keygen',` +@@ -680,6 +733,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -53898,7 +53920,7 @@ index 22adaca..ba5d941 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +756,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +774,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -53907,7 +53929,7 @@ index 22adaca..ba5d941 100644 ') ###################################### -@@ -735,3 +796,62 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +814,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -53930,6 +53952,25 @@ index 22adaca..ba5d941 100644 + allow $1 sshd_t:process signull; +') + ++##################################### ++## ++## Allow domain dyntransition to chroot_user_t domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_dyntransition_chroot_user',` ++ gen_require(` ++ type chroot_user_t; ++ ') ++ ++ allow $1 chroot_user_t:process dyntransition; ++ allow chroot_user_t $1:process sigchld; ++') ++ +######################################## +## +## Create .ssh directory in the /root directory @@ -53971,10 +54012,10 @@ index 22adaca..ba5d941 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..24f8d90 100644 +index 2dad3c8..28ef6ae 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) +@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) # ## @@ -53988,15 +54029,12 @@ index 2dad3c8..24f8d90 100644 gen_tunable(allow_ssh_keysign, false) ## --##

--## Allow ssh logins as sysadm_r:sysadm_t --##

+##

+## Allow ssh logins as sysadm_r:sysadm_t +##

- ## - gen_tunable(ssh_sysadm_login, false) - ++## ++gen_tunable(ssh_sysadm_login, false) ++ +## +##

+## allow sshd to forward port connections @@ -54004,9 +54042,23 @@ index 2dad3c8..24f8d90 100644 +## +gen_tunable(sshd_forward_ports, false) + ++## + ##

+-## Allow ssh logins as sysadm_r:sysadm_t ++## Allow ssh with chroot env to read and write files ++## in the user home directories + ##

+ ## +-gen_tunable(ssh_sysadm_login, false) ++gen_tunable(ssh_chroot_rw_homedirs, false) + attribute ssh_server; attribute ssh_agent_type; ++type chroot_user_t; ++domain_type(chroot_user_t) ++role system_r types chroot_user_t; ++ type ssh_keygen_t; type ssh_keygen_exec_t; init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) @@ -54014,7 +54066,7 @@ index 2dad3c8..24f8d90 100644 type sshd_exec_t; corecmd_executable_file(sshd_exec_t) -@@ -33,17 +39,12 @@ corecmd_executable_file(sshd_exec_t) +@@ -33,17 +51,12 @@ corecmd_executable_file(sshd_exec_t) ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -54035,7 +54087,7 @@ index 2dad3c8..24f8d90 100644 type ssh_t; type ssh_exec_t; typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; -@@ -76,8 +77,12 @@ ubac_constrained(ssh_tmpfs_t) +@@ -76,8 +89,12 @@ ubac_constrained(ssh_tmpfs_t) type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; @@ -54049,7 +54101,7 @@ index 2dad3c8..24f8d90 100644 ############################## # -@@ -95,15 +100,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -95,15 +112,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -54066,7 +54118,7 @@ index 2dad3c8..24f8d90 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,20 +114,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -113,20 +126,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -54095,7 +54147,7 @@ index 2dad3c8..24f8d90 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,7 +144,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,7 +156,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -54107,7 +54159,7 @@ index 2dad3c8..24f8d90 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -162,21 +172,28 @@ logging_read_generic_logs(ssh_t) +@@ -162,21 +184,28 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -54142,7 +54194,7 @@ index 2dad3c8..24f8d90 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',` +@@ -196,10 +225,15 @@ tunable_policy(`user_tcp_server',` ') optional_policy(` @@ -54158,7 +54210,7 @@ index 2dad3c8..24f8d90 100644 ############################## # # ssh_keysign_t local policy -@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,19 +243,14 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -54180,7 +54232,7 @@ index 2dad3c8..24f8d90 100644 ################################# # # sshd local policy -@@ -232,33 +249,43 @@ optional_policy(` +@@ -232,33 +261,44 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -54209,6 +54261,7 @@ index 2dad3c8..24f8d90 100644 +userdom_manage_tmp_role(system_r, sshd_t) +userdom_spec_domtrans_unpriv_users(sshd_t) +userdom_signal_unpriv_users(sshd_t) ++userdom_dyntransition_unpriv_users(sshd_t) + +tunable_policy(`sshd_forward_ports',` + corenet_tcp_bind_all_unreserved_ports(sshd_t) @@ -54233,7 +54286,7 @@ index 2dad3c8..24f8d90 100644 ') optional_policy(` -@@ -266,11 +293,24 @@ optional_policy(` +@@ -266,11 +306,24 @@ optional_policy(` ') optional_policy(` @@ -54259,10 +54312,14 @@ index 2dad3c8..24f8d90 100644 ') optional_policy(` -@@ -284,6 +324,15 @@ optional_policy(` +@@ -284,6 +337,19 @@ optional_policy(` ') optional_policy(` ++ ssh_dyntransition_chroot_user(sshd_t) ++') ++ ++optional_policy(` + systemd_exec_systemctl(sshd_t) +') + @@ -54275,7 +54332,7 @@ index 2dad3c8..24f8d90 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +341,26 @@ optional_policy(` +@@ -292,26 +358,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -54321,7 +54378,7 @@ index 2dad3c8..24f8d90 100644 ') dnl endif TODO ######################################## -@@ -322,19 +371,26 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +388,26 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -54349,18 +54406,73 @@ index 2dad3c8..24f8d90 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,10 +407,7 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,15 +424,63 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -- --optional_policy(` -- nscd_socket_use(ssh_keygen_t) --') +userdom_use_user_terminals(ssh_keygen_t) optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) +- nscd_socket_use(ssh_keygen_t) ++ seutil_sigchld_newrole(ssh_keygen_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(ssh_keygen_t) ++ udev_read_db(ssh_keygen_t) ++') ++ ++###################################### ++# ++# chroot_user_t local policy ++# ++ ++allow chroot_user_t self:capability { setuid sys_chroot setgid }; ++ ++allow chroot_user_t self:fifo_file rw_fifo_file_perms; ++ ++userdom_read_user_home_content_files(chroot_user_t) ++userdom_read_inherited_user_home_content_files(chroot_user_t) ++userdom_read_user_home_content_symlinks(chroot_user_t) ++userdom_exec_user_home_content_files(chroot_user_t) ++ ++tunable_policy(`ssh_chroot_rw_homedirs',` ++ files_list_home(chroot_user_t) ++ userdom_read_user_home_content_files(chroot_user_t) ++ userdom_manage_user_home_content(chroot_user_t) ++', ` ++ ++ userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file }) ++') ++ ++tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(chroot_user_t) ++ fs_manage_nfs_files(chroot_user_t) ++ fs_manage_nfs_symlinks(chroot_user_t) ++') ++ ++tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',` ++ fs_manage_cifs_dirs(chroot_user_t) ++ fs_manage_cifs_files(chroot_user_t) ++ fs_manage_cifs_symlinks(chroot_user_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(chroot_user_t) ++ fs_read_cifs_symlinks(chroot_user_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(chroot_user_t) ++ fs_read_nfs_symlinks(chroot_user_t) + ') + + optional_policy(` +- udev_read_db(ssh_keygen_t) ++ ssh_rw_stream_sockets(chroot_user_t) ++ ssh_rw_tcp_sockets(chroot_user_t) ++ ssh_rw_dgram_sockets(chroot_user_t) + ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 941380a..6dbfc01 100644 --- a/policy/modules/services/sssd.if @@ -61212,7 +61324,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..3e8f08e 100644 +index 94fd8dd..f4a1020 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,42 @@ interface(`init_script_domain',` @@ -61587,7 +61699,7 @@ index 94fd8dd..3e8f08e 100644 ') ') -@@ -800,23 +933,45 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +933,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -61610,11 +61722,11 @@ index 94fd8dd..3e8f08e 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -61627,16 +61739,12 @@ index 94fd8dd..3e8f08e 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## + ') + + ######################################## @@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` @@ -61933,7 +62041,7 @@ index 94fd8dd..3e8f08e 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2120,156 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2120,175 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -62049,6 +62157,25 @@ index 94fd8dd..3e8f08e 100644 + +######################################## +## ++## Send a message to init over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_stream_send',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket sendto; ++') ++ ++######################################## ++## +## Create a file type used for init socket files. +## +## @@ -62091,7 +62218,7 @@ index 94fd8dd..3e8f08e 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..7902fbb 100644 +index 29a9565..cd829ed 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -62899,7 +63026,7 @@ index 29a9565..7902fbb 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1163,24 @@ optional_policy(` +@@ -815,11 +1163,26 @@ optional_policy(` ') optional_policy(` @@ -62922,10 +63049,12 @@ index 29a9565..7902fbb 100644 + mcs_socket_write_all_levels(initrc_t) + mcs_killall(initrc_t) + mcs_ptrace_all(initrc_t) ++ ++ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1190,25 @@ optional_policy(` +@@ -829,6 +1192,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -62951,7 +63080,7 @@ index 29a9565..7902fbb 100644 ') optional_policy(` -@@ -844,6 +1224,10 @@ optional_policy(` +@@ -844,6 +1226,10 @@ optional_policy(` ') optional_policy(` @@ -62962,7 +63091,7 @@ index 29a9565..7902fbb 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1238,149 @@ optional_policy(` +@@ -854,3 +1240,149 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -67130,7 +67259,7 @@ index 694fd94..334e80e 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index ff80d0a..b1395dc 100644 +index ff80d0a..be800df 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` @@ -67317,7 +67446,7 @@ index ff80d0a..b1395dc 100644 ') ######################################## -@@ -731,3 +850,72 @@ interface(`sysnet_use_portmap',` +@@ -731,3 +850,73 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -67384,6 +67513,7 @@ index ff80d0a..b1395dc 100644 + ') + + files_etc_filetrans($1, net_conf_t, file, "resolv.conf") ++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") + files_etc_filetrans($1, net_conf_t, file, "hosts") + files_etc_filetrans($1, net_conf_t, file, "hosts.deny") @@ -67391,7 +67521,7 @@ index ff80d0a..b1395dc 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..2c1578e 100644 +index 34d0ec5..7e4782d 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -67485,11 +67615,12 @@ index 34d0ec5..2c1578e 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,13 +148,13 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) +@@ -130,13 +148,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) init_rw_utmp(dhcpc_t) +init_stream_connect(dhcpc_t) ++init_stream_send(dhcpc_t) logging_send_syslog_msg(dhcpc_t) @@ -67501,7 +67632,7 @@ index 34d0ec5..2c1578e 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -155,6 +173,16 @@ optional_policy(` +@@ -155,6 +174,16 @@ optional_policy(` ') optional_policy(` @@ -67518,7 +67649,7 @@ index 34d0ec5..2c1578e 100644 init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -171,6 +199,8 @@ optional_policy(` +@@ -171,6 +200,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -67527,7 +67658,7 @@ index 34d0ec5..2c1578e 100644 ') optional_policy(` -@@ -192,7 +222,19 @@ optional_policy(` +@@ -192,7 +223,19 @@ optional_policy(` ') optional_policy(` @@ -67547,7 +67678,7 @@ index 34d0ec5..2c1578e 100644 ') optional_policy(` -@@ -213,6 +255,11 @@ optional_policy(` +@@ -213,6 +256,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -67559,7 +67690,7 @@ index 34d0ec5..2c1578e 100644 ') optional_policy(` -@@ -255,6 +302,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +303,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -67567,7 +67698,7 @@ index 34d0ec5..2c1578e 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +324,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +325,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -67579,7 +67710,7 @@ index 34d0ec5..2c1578e 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -301,11 +352,12 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +353,12 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -67594,7 +67725,7 @@ index 34d0ec5..2c1578e 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +366,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +367,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -67613,7 +67744,7 @@ index 34d0ec5..2c1578e 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +388,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +389,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -67628,7 +67759,7 @@ index 34d0ec5..2c1578e 100644 ') optional_policy(` -@@ -335,6 +404,18 @@ optional_policy(` +@@ -335,6 +405,18 @@ optional_policy(` ') optional_policy(` @@ -67647,7 +67778,7 @@ index 34d0ec5..2c1578e 100644 nis_use_ypbind(ifconfig_t) ') -@@ -356,3 +437,9 @@ optional_policy(` +@@ -356,3 +438,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -68125,10 +68256,10 @@ index 0000000..fc8cac1 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..3b03294 +index 0000000..ce732b0 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,353 @@ +@@ -0,0 +1,358 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -68313,6 +68444,7 @@ index 0000000..3b03294 +# + +allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid }; ++allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; + @@ -68350,7 +68482,12 @@ index 0000000..3b03294 +files_relabel_all_tmp_files(systemd_tmpfiles_t) +files_list_lost_found(systemd_tmpfiles_t) + -+init_dgram_send(systemd_tmpfiles_t) ++mcs_file_read_all(systemd_tmpfiles_t) ++mcs_file_write_all(systemd_tmpfiles_t) ++mls_file_read_all_levels(systemd_tmpfiles_t) ++mls_file_write_all_levels(systemd_tmpfiles_t) ++ ++selinux_get_enforce_mode(systemd_tmpfiles_t) + +auth_manage_faillog(systemd_tmpfiles_t) +auth_relabel_faillog(systemd_tmpfiles_t) @@ -68360,12 +68497,8 @@ index 0000000..3b03294 +auth_setattr_login_records(systemd_tmpfiles_t) +auth_use_nsswitch(systemd_tmpfiles_t) + -+seutil_read_file_contexts(systemd_tmpfiles_t) -+ -+mcs_file_read_all(systemd_tmpfiles_t) -+mcs_file_write_all(systemd_tmpfiles_t) -+mls_file_read_all_levels(systemd_tmpfiles_t) -+mls_file_write_all_levels(systemd_tmpfiles_t) ++init_dgram_send(systemd_tmpfiles_t) ++init_rw_stream_sockets(systemd_tmpfiles_t) + +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) @@ -68374,6 +68507,9 @@ index 0000000..3b03294 +miscfiles_relabel_man_pages(systemd_tmpfiles_t) +miscfiles_read_localization(systemd_tmpfiles_t) + ++seutil_read_config(systemd_tmpfiles_t) ++seutil_read_file_contexts(systemd_tmpfiles_t) ++ +ifdef(`distro_redhat',` + userdom_list_user_home_content(systemd_tmpfiles_t) + userdom_delete_user_home_content_dirs(systemd_tmpfiles_t) @@ -69674,7 +69810,7 @@ index db75976..cca4cd1 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..022f6e7 100644 +index 4b2878a..efc9525 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -71795,7 +71931,32 @@ index 4b2878a..022f6e7 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3373,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2713,6 +3350,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; + ') + ++##################################### ++## ++## Allow domain dyntrans to unpriv userdomain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dyntransition_unpriv_users',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:process dyntransition; ++') ++ + ######################################## + ## + ## Execute an Xserver session in all unprivileged user domains. This +@@ -2736,24 +3391,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -71820,7 +71981,7 @@ index 4b2878a..022f6e7 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3391,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3409,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -71846,7 +72007,7 @@ index 4b2878a..022f6e7 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3452,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3470,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -71855,7 +72016,7 @@ index 4b2878a..022f6e7 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3468,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3486,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -71889,7 +72050,7 @@ index 4b2878a..022f6e7 100644 ') ######################################## -@@ -2972,7 +3556,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3574,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -71898,7 +72059,7 @@ index 4b2878a..022f6e7 100644 ') ######################################## -@@ -3027,7 +3611,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3629,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -71945,7 +72106,7 @@ index 4b2878a..022f6e7 100644 ') ######################################## -@@ -3064,6 +3686,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3704,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -71953,7 +72114,7 @@ index 4b2878a..022f6e7 100644 kernel_search_proc($1) ') -@@ -3142,6 +3765,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3783,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -71978,7 +72139,7 @@ index 4b2878a..022f6e7 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3835,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3853,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8e66361..552b758 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Sep 13 2011 Miroslav Grepl 3.10.0-28 +- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files +- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t + * Tue Sep 13 2011 Miroslav Grepl 3.10.0-27 - Allow collectd to read hardware state information - Add loop_control_device_t