From 0b215e82ae7a324b50e9138105f9eba69dcb4152 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 8 Aug 2013 20:46:58 +0200 Subject: [PATCH] Fix kdump_admi() interface --- policy-rawhide-contrib.patch | 69 ++++++++++++++++++++---------------- 1 file changed, 39 insertions(+), 30 deletions(-) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8d0452b3..e9e41809 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -18672,7 +18672,7 @@ index afcf3a2..8c49f40 100644 + dontaudit system_bus_type $1:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 2c2e7e1..78bbb7d 100644 +index 2c2e7e1..493ab48 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ @@ -18797,7 +18797,7 @@ index 2c2e7e1..78bbb7d 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -18855,6 +18855,11 @@ index 2c2e7e1..78bbb7d 100644 +optional_policy(` + gnome_exec_gconf(system_dbusd_t) + gnome_read_inherited_home_icc_data_files(system_dbusd_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) ++ nis_use_ypbind(system_dbusd_t) +') + +optional_policy(` @@ -18870,10 +18875,9 @@ index 2c2e7e1..78bbb7d 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -18911,7 +18915,7 @@ index 2c2e7e1..78bbb7d 100644 +init_rw_stream_sockets(system_bus_type) + +ps_process_pattern(system_dbusd_t, system_bus_type) - ++ +userdom_dontaudit_search_admin_dir(system_bus_type) +userdom_read_all_users_state(system_bus_type) + @@ -18926,7 +18930,7 @@ index 2c2e7e1..78bbb7d 100644 +optional_policy(` + unconfined_dbus_send(system_bus_type) +') -+ + +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') @@ -18967,7 +18971,7 @@ index 2c2e7e1..78bbb7d 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -18992,7 +18996,7 @@ index 2c2e7e1..78bbb7d 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -19000,7 +19004,7 @@ index 2c2e7e1..78bbb7d 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -19042,7 +19046,7 @@ index 2c2e7e1..78bbb7d 100644 ') ######################################## -@@ -244,5 +340,6 @@ optional_policy(` +@@ -244,5 +344,6 @@ optional_policy(` # Unconfined access to this module # @@ -31423,7 +31427,7 @@ index a49ae4e..913a0e3 100644 -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..f6402dc 100644 +index 3a00b3a..b835e95 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -31494,7 +31498,7 @@ index 3a00b3a..f6402dc 100644 ## ## ## -@@ -56,10 +100,65 @@ interface(`kdump_read_config',` +@@ -56,10 +100,66 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') @@ -31517,6 +31521,7 @@ index 3a00b3a..f6402dc 100644 + read_files_pattern($1, kdump_crash_t, kdump_crash_t) +') + ++ +##################################### +## +## Read kdump crash files. @@ -31562,7 +31567,7 @@ index 3a00b3a..f6402dc 100644 ## ## ## -@@ -76,10 +175,31 @@ interface(`kdump_manage_config',` +@@ -76,10 +176,31 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') @@ -31596,7 +31601,7 @@ index 3a00b3a..f6402dc 100644 ## ## ## -@@ -88,19 +208,24 @@ interface(`kdump_manage_config',` +@@ -88,19 +209,24 @@ interface(`kdump_manage_config',` ## ## ## @@ -31613,7 +31618,7 @@ index 3a00b3a..f6402dc 100644 + type kdump_t, kdump_etc_t; + type kdump_initrc_exec_t; + type kdump_unit_file_t; -+ type kdump_crash_t ++ type kdump_crash_t; ') - allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; @@ -31626,7 +31631,7 @@ index 3a00b3a..f6402dc 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +235,10 @@ interface(`kdump_admin',` +@@ -110,6 +236,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) @@ -74999,7 +75004,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..ea8d79d 100644 +index 57c034b..aa2be40 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -75973,7 +75978,11 @@ index 57c034b..ea8d79d 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -837,13 +841,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +@@ -834,16 +838,19 @@ optional_policy(` + # + + allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability2 block_suspend; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; @@ -75993,7 +76002,7 @@ index 57c034b..ea8d79d 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +859,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -76004,7 +76013,7 @@ index 57c034b..ea8d79d 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +870,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -76034,7 +76043,7 @@ index 57c034b..ea8d79d 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +893,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -76055,7 +76064,7 @@ index 57c034b..ea8d79d 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +911,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -76066,7 +76075,7 @@ index 57c034b..ea8d79d 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,18 +919,24 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -76093,7 +76102,7 @@ index 57c034b..ea8d79d 100644 optional_policy(` ctdbd_stream_connect(winbind_t) -@@ -936,7 +944,12 @@ optional_policy(` +@@ -936,7 +945,12 @@ optional_policy(` ') optional_policy(` @@ -76106,7 +76115,7 @@ index 57c034b..ea8d79d 100644 ') optional_policy(` -@@ -952,31 +965,29 @@ optional_policy(` +@@ -952,31 +966,29 @@ optional_policy(` # Winbind helper local policy # @@ -76144,7 +76153,7 @@ index 57c034b..ea8d79d 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1001,38 @@ optional_policy(` +@@ -990,25 +1002,38 @@ optional_policy(` ######################################## # @@ -86226,7 +86235,7 @@ index 0000000..92b6843 +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..aa424d3 +index 0000000..8b2dfff --- /dev/null +++ b/thumb.if @@ -0,0 +1,130 @@ @@ -86283,7 +86292,7 @@ index 0000000..aa424d3 + dontaudit thumb_t $1:file read_file_perms; + dontaudit thumb_t $1:unix_stream_socket rw_socket_perms; + -+ allow thumb_t $1:shm rw_shm_perms; ++ allow thumb_t $1:shm create_shm_perms; + allow thumb_t $1:sem create_sem_perms; +') +