* Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.+- Allow system_bus_types to use stream_sockets inherited

- Allow system_bus_types to use stream_sockets inherited
- Allow journalctl to call getpw
- New access needed by dbus to talk to kernel stream
- Label sm-notifypid files correctly
- contrib: Add KMSCon policy module
Miroslav Grepl 2014-06-17 07:24:58 +02:00
parent 1dda0950c8
commit 1c0c710fe4
2 changed files with 167 additions and 19 deletions


@ -20798,7 +20798,7 @@ index 62d22cb..89671dd 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
diff --git a/dbus.te b/dbus.te
index c9998c8..8b8b691 100644
index c9998c8..9c12159 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@ -20842,7 +20842,7 @@ index c9998c8..8b8b691 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -51,59 +47,61 @@ ifdef(`enable_mls',`
@@ -51,59 +47,62 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@ -20890,12 +20890,13 @@ index c9998c8..8b8b691 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
-
+kernel_stream_connect(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
@ -20921,7 +20922,7 @@ index c9998c8..8b8b691 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
@@ -123,66 +121,160 @@ term_dontaudit_use_console(system_dbusd_t)
@@ -123,66 +122,162 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@ -21028,6 +21029,8 @@ index c9998c8..8b8b691 100644
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
@ -21040,7 +21043,7 @@ index c9998c8..8b8b691 100644
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
@ -21055,7 +21058,7 @@ index c9998c8..8b8b691 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
@ -21096,7 +21099,7 @@ index c9998c8..8b8b691 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
@@ -191,23 +283,18 @@ corecmd_read_bin_files(session_bus_type)
@@ -191,23 +286,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@ -21121,7 +21124,7 @@ index c9998c8..8b8b691 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
@@ -215,7 +302,6 @@ fs_getattr_xattr_fs(session_bus_type)
@@ -215,7 +305,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@ -21129,7 +21132,7 @@ index c9998c8..8b8b691 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
@@ -225,18 +311,36 @@ selinux_compute_user_contexts(session_bus_type)
@@ -225,18 +314,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@ -21171,7 +21174,7 @@ index c9998c8..8b8b691 100644
')
########################################
@@ -244,5 +348,6 @@ optional_policy(`
@@ -244,5 +351,9 @@ optional_policy(`
# Unconfined access to this module
#
@ -21180,6 +21183,9 @@ index c9998c8..8b8b691 100644
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+kernel_stream_connect(session_bus_type)
+systemd_login_read_pid_files(session_bus_type)
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e..cef59a7 100644
--- a/dcc.fc
@ -36317,10 +36323,10 @@ index 0000000..9d32f23
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
index 0000000..5de3229
index 0000000..1b313e8
--- /dev/null
+++ b/journalctl.te
@@ -0,0 +1,44 @@
@@ -0,0 +1,47 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
@ -36356,15 +36362,18 @@ index 0000000..5de3229
+
+fs_getattr_all_fs(journalctl_t)
+
+auth_use_nsswitch(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+
+logging_read_generic_logs(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_write_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+logging_read_generic_logs(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 0000000..25e4b68
@ -38747,6 +38756,137 @@ index 8ad0d4d..c070420 100644
optional_policy(`
dbus_system_bus_client(kismet_t)
diff --git a/kmscon.fc b/kmscon.fc
new file mode 100644
index 0000000..ccd29c0
--- /dev/null
+++ b/kmscon.fc
@@ -0,0 +1,3 @@
+/usr/bin/kmscon -- gen_context(system_u:object_r:kmscon_exec_t,s0)
+/usr/lib/systemd/system/kmscon.*\.* -- gen_context(system_u:object_r:kmscon_unit_file_t,s0)
+/etc/kmscon(/.*)? gen_context(system_u:object_r:kmscon_conf_t,s0)
diff --git a/kmscon.if b/kmscon.if
new file mode 100644
index 0000000..ab52e25
--- /dev/null
+++ b/kmscon.if
@@ -0,0 +1,24 @@
+## <summary>Terminal emulator for Linux graphical console</summary>
+
+########################################
+## <summary>
+## Execute kmscon in the kmscon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kmscon_systemctl',`
+ gen_require(`
+ type kmscon_unit_file_t;
+ type kmscon_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 kmscon_unit_file_t:file read_file_perms;
+ allow $1 kmscon_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, kmscon_t)
+')
diff --git a/kmscon.te b/kmscon.te
new file mode 100644
index 0000000..be3d5d6
--- /dev/null
+++ b/kmscon.te
@@ -0,0 +1,86 @@
+# KMSCon SELinux policy module
+# Contributed by Lubomir Rintel <lkundrak@v3.sk>
+
+########################################
+#
+# Declarations
+#
+policy_module(kmscon, 1.0)
+
+type kmscon_t;
+type kmscon_exec_t;
+init_daemon_domain(kmscon_t, kmscon_exec_t)
+
+type kmscon_conf_t;
+files_config_file(kmscon_conf_t)
+
+type kmscon_unit_file_t;
+systemd_unit_file(kmscon_unit_file_t)
+
+type kmscon_devpts_t;
+term_pty(kmscon_devpts_t)
+# Label this as t, so that login_t can read our terminal with use_all_ttys()
+term_tty(kmscon_devpts_t)
+
+########################################
+#
+# zoneminder local policy
+#
+
+# Switch the VT into a graphics mode ; Set DRM master
+allow kmscon_t self:capability {sys_admin sys_tty_config};
+
+dontaudit kmscon_t self:capability2 block_suspend;
+
+# Create an udev monitor
+allow kmscon_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
+
+allow kmscon_t kmscon_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(kmscon_t, kmscon_devpts_t)
+
+list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+
+auth_read_passwd(kmscon_t)
+
+dev_rw_dri(kmscon_t)
+dev_read_sysfs(kmscon_t)
+dev_read_framebuffer(kmscon_t)
+dev_write_framebuffer(kmscon_t)
+dev_rw_input_dev(kmscon_t)
+
+# Get allowed path length for directory with modules
+fs_getattr_xattr_fs(kmscon_t)
+
+locallogin_domtrans(kmscon_t)
+
+miscfiles_read_fonts(kmscon_t)
+miscfiles_manage_fonts_cache(kmscon_t)
+
+# Open the tty, so that it can be handed over to the seat manager
+term_use_unallocated_ttys(kmscon_t)
+
+optional_policy(`
+ # Learn about the input devices
+ udev_read_db(kmscon_t)
+')
+
+optional_policy(`
+ # Fontconfig and Pango configuration
+ gnome_read_home_config(kmscon_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(kmscon_t)
+ init_dbus_chat(kmscon_t)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(kmscon_t)
+
+ # List seats
+ systemd_login_list_pid_dirs(kmscon_t)
+ systemd_login_read_pid_files(kmscon_t)
+
+ kmscon_systemctl(systemd_logind_t)
+ ')
+')
diff --git a/ksmtuned.fc b/ksmtuned.fc
index e736c45..4b1e1e4 100644
--- a/ksmtuned.fc
@ -80482,7 +80622,7 @@ index ccb5991..189ac01 100644
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
diff --git a/rpc.fc b/rpc.fc
index a6fb30c..b0c22f7 100644
index a6fb30c..38a2f09 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -1,12 +1,23 @@
@ -80515,7 +80655,7 @@ index a6fb30c..b0c22f7 100644
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -16,7 +27,11 @@
@@ -16,7 +27,12 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
@ -80525,6 +80665,7 @@ index a6fb30c..b0c22f7 100644
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+/var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 58%{?dist}
Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -588,6 +588,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-59
- Allow system_bus_types to use stream_sockets inherited from system_dbusd
- Allow journalctl to call getpw
- New access needed by dbus to talk to kernel stream
- Label sm-notifypid files correctly
- contrib: Add KMSCon policy module
* Wed Jun 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-58
- Add mozilla_plugin_use_bluejeans boolean
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean