Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain

Allow init process to setrlimit on itself Take away transition rules for users executing ssh-keygen Allow setroubleshoot_fixit_t to read /dev/urand Allow sshd to relbale tunnel sockets Allow fail2ban domtrans to shorewall in the same way as with iptables Add support for lnk files in the /var/lib/sssd directory Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-18 10:12:22 -04:00 · 2011-10-18 10:12:22 -04:00 · 1414f9f3a7
commit 1414f9f3a7
parent 9bf3aa2c96
2 changed files with 223 additions and 103 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -852,7 +852,7 @@ index 5e062bc..3cbfffb 100644
 +	modutils_read_module_deps(ddcprobe_t)
 +')
 diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..9b39fcd 100644
+index 72bc6d8..1f55eba 100644
 --- a/policy/modules/admin/dmesg.te
 +++ b/policy/modules/admin/dmesg.te
@@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
@ -863,7 +863,7 @@ index 72bc6d8..9b39fcd 100644
 kernel_read_kernel_sysctls(dmesg_t)
 kernel_read_ring_buffer(dmesg_t)
 kernel_clear_ring_buffer(dmesg_t)
-@@ -47,7 +48,13 @@ logging_write_generic_logs(dmesg_t)
+@@ -47,7 +48,11 @@ logging_write_generic_logs(dmesg_t)
 miscfiles_read_localization(dmesg_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
@ -871,8 +871,6 @@ index 72bc6d8..9b39fcd 100644
 +userdom_use_inherited_user_terminals(dmesg_t)
 +
 +optional_policy(`
-+	abrt_cache_append(dmesg_t)
-+	abrt_rw_fifo_file(dmesg_t)
 +	abrt_manage_pid_files(dmesg_t)
 +')
 
@ -1232,7 +1230,7 @@ index 4f7bd3c..a29af21 100644
 -	unconfined_domain(kudzu_t)
 ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..db17bbe 100644
+index 7090dae..98f0a2e 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
@ -1294,6 +1292,15 @@ index 7090dae..db17bbe 100644
 	# for savelog
 	can_exec(logrotate_t, logrotate_exec_t)
 
+@@ -138,7 +139,7 @@ ifdef(`distro_debian', `
+ ')
+ 
+ optional_policy(`
+-	abrt_cache_manage(logrotate_t)
+	abrt_manage_cache(logrotate_t)
+ ')
+ 
+ optional_policy(`
@@ -154,6 +155,10 @@ optional_policy(`
 ')
 
@ -3364,6 +3371,14 @@ index bc00875..2efc0d7 100644
 	dbus_system_bus_client(smoltclient_t)
 ')
 
+diff --git a/policy/modules/admin/sosreport.fc b/policy/modules/admin/sosreport.fc
+index a40478e..050f521 100644
+--- a/policy/modules/admin/sosreport.fc
+++ b/policy/modules/admin/sosreport.fc
+@@ -1 +1,3 @@
+ /usr/sbin/sosreport	--	gen_context(system_u:object_r:sosreport_exec_t,s0)
+
+/.ismount-test-file 	--	gen_context(system_u:object_r:sosreport_tmp_t,s0)
 diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if
 index 94c01b5..f64bd93 100644
 --- a/policy/modules/admin/sosreport.if
@ -3378,11 +3393,21 @@ index 94c01b5..f64bd93 100644
 
 ########################################
 diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
-index fe1c377..557e37f 100644
+index fe1c377..bedbb9b 100644
 --- a/policy/modules/admin/sosreport.te
 +++ b/policy/modules/admin/sosreport.te
-@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
+@@ -74,13 +74,17 @@ files_read_all_symlinks(sosreport_t)
+ # for blkid.tab
+ files_manage_etc_runtime_files(sosreport_t)
+ files_etc_filetrans_etc_runtime(sosreport_t, file)
+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
 
+ fs_getattr_all_fs(sosreport_t)
+ fs_list_inotifyfs(sosreport_t)
+ 
+storage_dontaudit_read_fixed_disk(sosreport_t)
+storage_dontaudit_read_removable_device(sosreport_t)
+
 # some config files do not have configfile attribute
 # sosreport needs to read various files on system
 -auth_read_all_files_except_shadow(sosreport_t)
@ -3390,7 +3415,7 @@ index fe1c377..557e37f 100644
 auth_use_nsswitch(sosreport_t)
 
 init_domtrans_script(sosreport_t)
-@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t)
+@@ -92,13 +96,11 @@ logging_send_syslog_msg(sosreport_t)
 
 miscfiles_read_localization(sosreport_t)
 
@ -3400,7 +3425,12 @@ index fe1c377..557e37f 100644
 sysnet_read_config(sosreport_t)
 
 optional_policy(`
-@@ -110,6 +107,11 @@ optional_policy(`
+ 	abrt_manage_pid_files(sosreport_t)
+	abrt_manage_cache(sosreport_t)
+ ')
+ 
+ optional_policy(`
+@@ -110,6 +112,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -15362,7 +15392,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..02cf550 100644
+index fae1ab1..b949cfb 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@ -15455,7 +15485,7 @@ index fae1ab1..02cf550 100644
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 
-@@ -160,3 +197,120 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,122 @@ allow unconfined_domain_type domain:key *;
 
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -15487,6 +15517,8 @@ index fae1ab1..02cf550 100644
 +	abrt_read_pid_files(domain)
 +	abrt_read_state(domain)
 +	abrt_signull(domain)
+	abrt_append_cache(domain)
+	abrt_rw_fifo_file(domain)
 +')
 +
 +optional_policy(`
@ -20261,7 +20293,7 @@ index be4de58..7e8b6ec 100644
 init_exec(secadm_t)
 
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..bfabe3f 100644
+index 2be17d2..2c588ca 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@ -20314,7 +20346,7 @@ index 2be17d2..bfabe3f 100644
 +')
 +
 +optional_policy(`
-+	abrt_cache_read(staff_t)
+	abrt_read_cache(staff_t)
 +')
 +
 optional_policy(`
@ -22216,7 +22248,7 @@ index 0000000..49f2c54
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..e5a8559 100644
+index e5bfdd4..50e49e6 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,93 @@ role user_r;
@ -22234,7 +22266,7 @@ index e5bfdd4..e5a8559 100644
 +')
 +
 +optional_policy(`
-+	abrt_cache_read(user_t)
+	abrt_read_cache(user_t)
 +')
 +
 optional_policy(`
@ -22597,7 +22629,7 @@ index 1bd5812..0d7d8d1 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..bfb68b2 100644
+index 0b827c5..46e3aa9 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@ -22608,21 +22640,22 @@ index 0b827c5..bfb68b2 100644
 	ps_process_pattern($1, abrt_t)
 ')
 
-@@ -160,8 +161,44 @@ interface(`abrt_run_helper',`
+@@ -160,8 +161,7 @@ interface(`abrt_run_helper',`
 
 ########################################
 ## <summary>
 -##	Send and receive messages from
 -##	abrt over dbus.
 +##	Read abrt cache
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`abrt_cache_read',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -169,7 +169,45 @@ interface(`abrt_run_helper',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
+interface(`abrt_read_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
 +	')
@ -22641,21 +22674,30 @@ index 0b827c5..bfb68b2 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`abrt_cache_append',`
+interface(`abrt_append_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
 +	')
 +
-+	append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+	
+	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Manage abrt cache
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -253,6 +290,24 @@ interface(`abrt_manage_pid_files',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_manage_cache',`
+ 	gen_require(`
+ 		type abrt_var_cache_t;
+ 	')
+@@ -253,6 +291,24 @@ interface(`abrt_manage_pid_files',`
 	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
 ')
 
@ -22680,7 +22722,7 @@ index 0b827c5..bfb68b2 100644
 #####################################
 ## <summary>
 ##	All of the rules required to administrate
-@@ -286,18 +341,116 @@ interface(`abrt_admin',`
+@@ -286,18 +342,116 @@ interface(`abrt_admin',`
 	role_transition $2 abrt_initrc_exec_t system_r;
 	allow $2 system_r;
 
@ -29885,7 +29927,7 @@ index 01d31f1..8e2754b 100644
 
 /var/lib/courier(/.*)?				gen_context(system_u:object_r:courier_var_lib_t,s0)
 diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
-index 9971337..870265d 100644
+index 9971337..7481ccc 100644
 --- a/policy/modules/services/courier.if
 +++ b/policy/modules/services/courier.if
@@ -90,7 +90,7 @@ template(`courier_domain_template',`
@ -29897,7 +29939,31 @@ index 9971337..870265d 100644
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
-@@ -109,7 +109,7 @@ interface(`courier_domtrans_authdaemon',`
+@@ -104,12 +104,31 @@ interface(`courier_domtrans_authdaemon',`
+ 	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+ ')
+ 
+#######################################
+## <summary>
+##  Connect to courier-authdaemon over an unix stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`courier_stream_connect_authdaemon',`
+    gen_require(`
+        type courier_authdaemon_t, courier_spool_t;
+    ')
+
+	files_search_spool($1)
+    stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+')
+
+ ########################################
+ ## <summary>
 ##	Execute the courier POP3 and IMAP server with
 ##	a domain transition.
 ## </summary>
@ -29906,7 +29972,7 @@ index 9971337..870265d 100644
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
-@@ -127,7 +127,7 @@ interface(`courier_domtrans_pop',`
+@@ -127,7 +146,7 @@ interface(`courier_domtrans_pop',`
 ## <summary>
 ##	Read courier config files
 ## </summary>
@ -29915,7 +29981,7 @@ index 9971337..870265d 100644
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
-@@ -138,6 +138,7 @@ interface(`courier_read_config',`
+@@ -138,6 +157,7 @@ interface(`courier_read_config',`
 		type courier_etc_t;
 	')
 
@ -29923,7 +29989,7 @@ index 9971337..870265d 100644
 	read_files_pattern($1, courier_etc_t, courier_etc_t)
 ')
 
-@@ -146,7 +147,7 @@ interface(`courier_read_config',`
+@@ -146,7 +166,7 @@ interface(`courier_read_config',`
 ##	Create, read, write, and delete courier
 ##	spool directories.
 ## </summary>
@ -29932,7 +29998,7 @@ index 9971337..870265d 100644
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
-@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
+@@ -157,6 +177,7 @@ interface(`courier_manage_spool_dirs',`
 		type courier_spool_t;
 	')
 
@ -29940,7 +30006,7 @@ index 9971337..870265d 100644
 	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
-@@ -165,7 +167,7 @@ interface(`courier_manage_spool_dirs',`
+@@ -165,7 +186,7 @@ interface(`courier_manage_spool_dirs',`
 ##	Create, read, write, and delete courier
 ##	spool files.
 ## </summary>
@ -29949,7 +30015,7 @@ index 9971337..870265d 100644
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
-@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
+@@ -176,6 +197,7 @@ interface(`courier_manage_spool_files',`
 		type courier_spool_t;
 	')
 
@ -29957,7 +30023,7 @@ index 9971337..870265d 100644
 	manage_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
-@@ -183,7 +186,7 @@ interface(`courier_manage_spool_files',`
+@@ -183,7 +205,7 @@ interface(`courier_manage_spool_files',`
 ## <summary>
 ##	Read courier spool files.
 ## </summary>
@ -29966,7 +30032,7 @@ index 9971337..870265d 100644
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
-@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
+@@ -194,6 +216,7 @@ interface(`courier_read_spool',`
 		type courier_spool_t;
 	')
 
@ -35673,7 +35739,7 @@ index f590a1f..338e5bf 100644
 +	admin_pattern($1, fail2ban_tmp_t)
 ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..35a2c0b 100644
+index 2a69e5e..2599f96 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@ -35727,7 +35793,7 @@ index 2a69e5e..35a2c0b 100644
 
 files_read_etc_files(fail2ban_t)
 files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +107,34 @@ optional_policy(`
+@@ -94,5 +107,38 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -35742,6 +35808,10 @@ index 2a69e5e..35a2c0b 100644
 +	libs_exec_ldconfig(fail2ban_t)
 +')
 +
+optional_policy(`
+	shorewall_domtrans(fail2ban_t)
+')
+
 +########################################
 +#
 +# fail2ban client local policy
@ -37908,7 +37978,7 @@ index a627b34..c4cfc6d 100644
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)
 diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..b28c4f9 100644
+index 03742d8..d5795a5 100644
 --- a/policy/modules/services/gpsd.te
 +++ b/policy/modules/services/gpsd.te
@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
@ -37923,7 +37993,7 @@ index 03742d8..b28c4f9 100644
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,14 +39,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+@@ -38,16 +39,24 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
 manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
 files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
 
@ -37945,8 +38015,11 @@ index 03742d8..b28c4f9 100644
 +
 term_use_unallocated_ttys(gpsd_t)
 term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
 
-@@ -56,6 +64,12 @@ logging_send_syslog_msg(gpsd_t)
+ auth_use_nsswitch(gpsd_t)
+ 
+@@ -56,6 +65,12 @@ logging_send_syslog_msg(gpsd_t)
 miscfiles_read_localization(gpsd_t)
 
 optional_policy(`
@ -42958,7 +43031,7 @@ index 343cee3..fff3a52 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..4e45f74 100644
+index 64268e4..d46b314 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@ -43047,7 +43120,14 @@ index 64268e4..4e45f74 100644
 ')
 
 optional_policy(`
-@@ -111,6 +116,8 @@ optional_policy(`
+@@ -108,9 +113,15 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	courier_stream_connect_authdaemon(system_mail_t)
+')
+
+optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 	cron_rw_system_job_stream_sockets(system_mail_t)
@ -43056,7 +43136,7 @@ index 64268e4..4e45f74 100644
 ')
 
 optional_policy(`
-@@ -124,12 +131,9 @@ optional_policy(`
+@@ -124,12 +135,9 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43071,7 +43151,7 @@ index 64268e4..4e45f74 100644
 ')
 
 optional_policy(`
-@@ -146,6 +150,10 @@ optional_policy(`
+@@ -146,6 +154,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43082,7 +43162,7 @@ index 64268e4..4e45f74 100644
 	nagios_read_tmp_files(system_mail_t)
 ')
 
-@@ -158,22 +166,13 @@ optional_policy(`
+@@ -158,22 +170,13 @@ optional_policy(`
 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
 
 	domain_use_interactive_fds(system_mail_t)
@ -43108,7 +43188,7 @@ index 64268e4..4e45f74 100644
 ')
 
 optional_policy(`
-@@ -189,9 +188,17 @@ optional_policy(`
+@@ -189,6 +192,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -43119,13 +43199,6 @@ index 64268e4..4e45f74 100644
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
-+optional_policy(`
-+	abrt_rw_fifo_file(mta_user_agent)
-+')
-+
- # should break this up among sections:
- 
- optional_policy(`
@@ -199,15 +206,16 @@ optional_policy(`
 	arpwatch_search_data(mailserver_delivery)
 	arpwatch_manage_tmp_files(mta_user_agent)
@ -55301,7 +55374,7 @@ index bcdd16c..7c379a8 100644
 	files_list_var_lib($1)
 	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..79347e7 100644
+index 086cd5f..a181f01 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@ -55381,15 +55454,19 @@ index 086cd5f..79347e7 100644
 	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
 ')
 
-@@ -152,6 +171,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -151,7 +170,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+ corecmd_exec_bin(setroubleshoot_fixit_t)
 corecmd_exec_shell(setroubleshoot_fixit_t)
 
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
+
 seutil_domtrans_setfiles(setroubleshoot_fixit_t)
 +seutil_domtrans_setsebool(setroubleshoot_fixit_t)
 
 files_read_usr_files(setroubleshoot_fixit_t)
 files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +184,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +187,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
 
 miscfiles_read_localization(setroubleshoot_fixit_t)
 
@ -56569,7 +56646,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..be6e1fa 100644
+index 22adaca..b13cd67 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@ -56682,7 +56759,7 @@ index 22adaca..be6e1fa 100644
 +	allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
-+	allow $1_t self:tun_socket create_socket_perms;
+	allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 	# ssh agent connections:
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:shm create_shm_perms;
@ -56822,7 +56899,7 @@ index 22adaca..be6e1fa 100644
 -	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
 -	allow $3 $1_ssh_agent_t:process sigchld;
 +
-+	ssh_run_keygen($3,$2)
+	ssh_exec_keygen($3)
 
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_ssh_agent_t)
@ -56832,7 +56909,7 @@ index 22adaca..be6e1fa 100644
 
 -	allow $1 sshd_t:fifo_file { getattr read };
 +	allow $1 sshd_t:fifo_file read_fifo_file_perms;
- ')
+')
 +
 +######################################
 +## <summary>
@ -56850,7 +56927,7 @@ index 22adaca..be6e1fa 100644
 +    ')
 +
 +    allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
-+')
+ ')
 +
 ########################################
 ## <summary>
@ -56923,10 +57000,26 @@ index 22adaca..be6e1fa 100644
 ##	Read ssh home directory content
 ## </summary>
 ## <param name="domain">
-@@ -680,6 +776,32 @@ interface(`ssh_domtrans_keygen',`
- 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
- ')
+@@ -682,6 +778,50 @@ interface(`ssh_domtrans_keygen',`
 
+ ########################################
+ ## <summary>
+##	Execute the ssh key generator in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ssh_exec_keygen',`
+	gen_require(`
+		type ssh_keygen_exec_t;
+	')
+
+	can_exec($1, ssh_keygen_exec_t)
+')
+
 +#######################################
 +## <summary>
 +##  Execute ssh-keygen in the iptables domain, and
@ -56953,10 +57046,12 @@ index 22adaca..be6e1fa 100644
 +	ssh_domtrans_keygen($1)
 +')
 +
- ########################################
- ## <summary>
+########################################
+## <summary>
 ##	Read ssh server keys
-@@ -695,7 +817,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+ ## </summary>
+ ## <param name="domain">
+@@ -695,7 +835,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
 
@ -56965,7 +57060,7 @@ index 22adaca..be6e1fa 100644
 ')
 
 ######################################
-@@ -735,3 +857,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +875,81 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
@ -57543,7 +57638,7 @@ index 2dad3c8..02e70c9 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 ')
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
-index 941380a..6dbfc01 100644
+index 941380a..ce8c972 100644
 --- a/policy/modules/services/sssd.if
 +++ b/policy/modules/services/sssd.if
@@ -5,9 +5,9 @@
@ -57574,7 +57669,23 @@ index 941380a..6dbfc01 100644
 ')
 
 ########################################
-@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
+@@ -148,6 +148,7 @@ interface(`sssd_read_lib_files',`
+ 
+ 	files_search_var_lib($1)
+ 	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+	read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+ 
+ ########################################
+@@ -168,6 +169,7 @@ interface(`sssd_manage_lib_files',`
+ 
+ 	files_search_var_lib($1)
+ 	manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+	manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+ 
+ ########################################
+@@ -225,21 +227,15 @@ interface(`sssd_stream_connect',`
 ##	The role to be allowed to manage the sssd domain.
 ##	</summary>
 ## </param>
@ -57600,7 +57711,7 @@ index 941380a..6dbfc01 100644
 	# Allow sssd_t to restart the apache service
 	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..7d5a298 100644
+index 8ffa257..bd55865 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@ -57617,16 +57728,18 @@ index 8ffa257..7d5a298 100644
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+@@ -38,8 +40,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+ 
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
 +files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
 
 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
 logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,11 +51,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
 
@ -57643,7 +57756,7 @@ index 8ffa257..7d5a298 100644
 
 domain_read_all_domains_state(sssd_t)
 domain_obj_id_change_exemption(sssd_t)
-@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t)
+@@ -60,6 +68,7 @@ domain_obj_id_change_exemption(sssd_t)
 files_list_tmp(sssd_t)
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
@ -57651,7 +57764,7 @@ index 8ffa257..7d5a298 100644
 
 fs_list_inotifyfs(sssd_t)
 
-@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +78,7 @@ seutil_read_file_contexts(sssd_t)
 
 mls_file_read_to_clearance(sssd_t)
 
@ -57660,7 +57773,7 @@ index 8ffa257..7d5a298 100644
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
 
-@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +88,12 @@ logging_send_syslog_msg(sssd_t)
 logging_send_audit_msgs(sssd_t)
 
 miscfiles_read_localization(sssd_t)
@ -57673,7 +57786,7 @@ index 8ffa257..7d5a298 100644
 
 optional_policy(`
 	dbus_system_bus_client(sssd_t)
-@@ -87,4 +101,28 @@ optional_policy(`
+@@ -87,4 +102,28 @@ optional_policy(`
 
 optional_policy(`
 	kerberos_manage_host_rcache(sssd_t)
@ -59622,7 +59735,7 @@ index 7c5d8d8..d711fd5 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..75d8556 100644
+index 3eca020..ea9593c 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@ -60166,7 +60279,7 @@ index 3eca020..75d8556 100644
 logging_send_syslog_msg(virt_domain)
 
 miscfiles_read_localization(virt_domain)
-@@ -457,8 +635,324 @@ optional_policy(`
+@@ -457,8 +635,325 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -60306,6 +60419,7 @@ index 3eca020..75d8556 100644
 +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
 +allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 +
+allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
 +manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 +manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 +manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
@ -60395,8 +60509,8 @@ index 3eca020..75d8556 100644
 +manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +can_exec(svirt_lxc_domain, svirt_lxc_file_t)
 +
 +kernel_getattr_proc(svirt_lxc_domain)
@ -65558,7 +65672,7 @@ index 94fd8dd..b5e5c70 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..f69ea00 100644
+index 29a9565..29930e4 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -65754,7 +65868,7 @@ index 29a9565..f69ea00 100644
 +
 +tunable_policy(`init_systemd',`
 +	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-+	allow init_t self:process { setsockcreate setfscreate };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
 +	allow init_t self:process { getcap setcap };
 +	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
@ -67643,12 +67757,12 @@ index e5836d3..eae9427 100644
 -	unconfined_domain(ldconfig_t)
 -')
 diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index be6a81b..ddae53a 100644
+index be6a81b..9a27055 100644
 --- a/policy/modules/system/locallogin.fc
 +++ b/policy/modules/system/locallogin.fc
@@ -1,3 +1,5 @@
 +HOME_DIR/\.hushlogin	--	gen_context(system_u:object_r:local_login_home_t,s0)
-+/root/.\.hushlogin   --      gen_context(system_u:object_r:local_login_home_t,s0)
+/root/\.hushlogin   --      gen_context(system_u:object_r:local_login_home_t,s0)
 
 /sbin/sulogin		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
 /sbin/sushell		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
@ -69271,7 +69385,7 @@ index 8b5c196..da41726 100644
 +    role $2 types showmount_t;
 ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..2e0bdd4 100644
+index 15832c7..b9e7b60 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@ -69451,20 +69565,16 @@ index 15832c7..2e0bdd4 100644
 
 logging_send_syslog_msg(mount_t)
 
-@@ -126,6 +185,12 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +185,8 @@ sysnet_use_portmap(mount_t)
 seutil_read_config(mount_t)
 
 userdom_use_all_users_fds(mount_t)
 +userdom_manage_user_home_content_dirs(mount_t)
 +userdom_read_user_home_content_symlinks(mount_t)
-+
-+optional_policy(`
-+	abrt_rw_fifo_file(mount_t)
-+')
 
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +202,28 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
@ -69503,7 +69613,7 @@ index 15832c7..2e0bdd4 100644
 	corenet_tcp_bind_generic_port(mount_t)
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +241,8 @@ optional_policy(`
+@@ -174,6 +237,8 @@ optional_policy(`
 	fs_search_rpc(mount_t)
 
 	rpc_stub(mount_t)
@ -69512,7 +69622,7 @@ index 15832c7..2e0bdd4 100644
 ')
 
 optional_policy(`
-@@ -181,6 +250,28 @@ optional_policy(`
+@@ -181,6 +246,28 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -69541,7 +69651,7 @@ index 15832c7..2e0bdd4 100644
 	ifdef(`hide_broken_symptoms',`
 		# for a bug in the X server
 		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +279,83 @@ optional_policy(`
+@@ -188,21 +275,83 @@ optional_policy(`
 	')
 ')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 40.2%{?dist}
+Release: 41%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -482,6 +482,16 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Oct 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-41
+- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
+- Allow init process to setrlimit on itself
+- Take away transition rules for users executing ssh-keygen
+- Allow setroubleshoot_fixit_t to read /dev/urand
+- Allow sshd to relbale tunnel sockets
+- Allow fail2ban domtrans to shorewall in the same way as with iptables
+- Add support for lnk files in the /var/lib/sssd directory
+- Allow system mail to connect to courier-authdaemon over an unix stream socket
+
 * Mon Oct 17 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-40.2
 - Add passwd_file_t for /etc/ptmptmp