* Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109

- Allow search all pid dirs when managing net_conf_t files.
2015-02-04 17:02:02 +01:00 · 2015-02-04 17:02:02 +01:00 · 1fd39e9da1
commit 1fd39e9da1
parent 203031a6db
2 changed files with 122 additions and 179 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -9812,7 +9812,7 @@ index b876c48..6bfb954 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..f39d066 100644
+index f962f76..6fab9e7 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12594,7 +12594,7 @@ index f962f76..f39d066 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -6025,6 +7381,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',`
 
 ########################################
 ## <summary>
@ -12616,11 +12616,29 @@ index f962f76..f39d066 100644
 +')
 +
 +########################################
+## <summary>
+##	Allow search the all /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_search_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:dir search_dir_perms;
+')
+
+########################################
 +## <summary>
 ##	List the contents of the runtime process
 ##	ID directories (/var/run).
 ## </summary>
-@@ -6039,7 +7414,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7432,7 @@ interface(`files_list_pids',`
 		type var_t, var_run_t;
 	')
 
@ -12629,7 +12647,7 @@ index f962f76..f39d066 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 ')
 
-@@ -6058,7 +7433,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')
 
@ -12638,7 +12656,7 @@ index f962f76..f39d066 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	read_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6078,7 +7453,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',`
 		type var_run_t;
 	')
 
@ -12647,7 +12665,7 @@ index f962f76..f39d066 100644
 	allow $1 var_run_t:fifo_file write;
 ')
 
-@@ -6140,7 +7515,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',`
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@ -12655,7 +12673,7 @@ index f962f76..f39d066 100644
 	filetrans_pattern($1, var_run_t, $2, $3, $4)
 ')
 
-@@ -6169,6 +7543,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',`
 
 ########################################
 ## <summary>
@ -12680,7 +12698,7 @@ index f962f76..f39d066 100644
 ##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
-@@ -6182,7 +7574,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',`
 		type var_t, var_run_t;
 	')
 
@ -12689,7 +12707,7 @@ index f962f76..f39d066 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	rw_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6249,55 +7641,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
@ -12752,7 +12770,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6305,42 +7685,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -12802,7 +12820,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6348,18 +7721,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -12826,7 +12844,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6367,37 +7740,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',`
 ##	</summary>
 ## </param>
 #
@ -12878,7 +12896,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6405,18 +7781,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7799,17 @@ interface(`files_dontaudit_search_spool',`
 ##	</summary>
 ## </param>
 #
@ -12901,7 +12919,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6424,18 +7799,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7817,18 @@ interface(`files_list_spool',`
 ##	</summary>
 ## </param>
 #
@ -12925,7 +12943,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6443,19 +7818,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7836,18 @@ interface(`files_manage_generic_spool_dirs',`
 ##	</summary>
 ## </param>
 #
@ -12950,7 +12968,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6463,55 +7837,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7855,130 @@ interface(`files_read_generic_spool',`
 ##	</summary>
 ## </param>
 #
@ -12978,101 +12996,46 @@ index f962f76..f39d066 100644
 ##	</summary>
 ## </param>
 -## <param name="file">
-##	<summary>
-##	Type to which the created node will be transitioned.
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Object class(es) (single or set including {}) for which this
-##	the transition will occur.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 +## <rolecap/>
- #
-interface(`files_spool_filetrans',`
+#
 +interface(`files_delete_all_pids',`
- 	gen_require(`
-		type var_t, var_spool_t;
+	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
+	')
+
 +	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
+	allow $1 var_t:dir search_dir_perms;
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 +	delete_files_pattern($1, pidfile, pidfile)
 +	delete_fifo_files_pattern($1, pidfile, pidfile)
 +	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
- 
- ########################################
- ## <summary>
-##	Allow access to manage all polyinstantiated
-##	directories on the system.
+')
+
+########################################
+## <summary>
 +##	Delete all process ID directories.
- ## </summary>
- ## <param name="domain">
+## </summary>
+## <param name="domain">
 ##	<summary>
-@@ -6519,53 +7881,68 @@ interface(`files_spool_filetrans',`
+-##	Type to which the created node will be transitioned.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
- #
-interface(`files_polyinstantiate_all',`
+-## <param name="class">
+#
 +interface(`files_delete_all_pid_dirs',`
- 	gen_require(`
-		attribute polydir, polymember, polyparent;
-		type poly_t;
+	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
-	# Need to give access to /selinux/member
-	selinux_compute_member($1)
-
-	# Need sys_admin capability for mounting
-	allow $1 self:capability { chown fsetid sys_admin fowner };
-
-	# Need to give access to the directories to be polyinstantiated
-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-
-	# Need to give access to the polyinstantiated subdirectories
-	allow $1 polymember:dir search_dir_perms;
-
-	# Need to give access to parent directories where original
-	# is remounted for polyinstantiation aware programs (like gdm)
-	allow $1 polyparent:dir { getattr mounton };
-
-	# Need to give permission to create directories where applicable
-	allow $1 self:process setfscreate;
-	allow $1 polymember: dir { create setattr relabelto };
-	allow $1 polydir: dir { write add_name open };
-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-
-	# Default type for mountpoints
-	allow $1 poly_t:dir { create mounton };
-	fs_unmount_xattr_fs($1)
-
-	fs_mount_tmpfs($1)
-	fs_unmount_tmpfs($1)
+	')
+
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
- 
-	ifdef(`distro_redhat',`
-		# namespace.init
-		files_search_tmp($1)
-		files_search_home($1)
-		corecmd_exec_bin($1)
-		seutil_domtrans_setfiles($1)
+
 +########################################
 +## <summary>
 +##	Make the specified type a file
@ -13105,59 +13068,76 @@ index f962f76..f39d066 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
 +##	Type of the file to be used as a
 +##	spool file.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <infoflow type="none"/>
 +#
 +interface(`files_spool_file',`
 +	gen_require(`
 +		attribute spoolfile;
- 	')
+	')
 +
 +	files_type($1)
 +	typeattribute $1 spoolfile;
- ')
- 
- ########################################
- ## <summary>
-##	Unconfined access to files.
-+##	Create all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6573,10 +7950,875 @@ interface(`files_polyinstantiate_all',`
- ##	</summary>
- ## </param>
- #
-interface(`files_unconfined',`
-+interface(`files_create_all_spool_sockets',`
- 	gen_require(`
-		attribute files_unconfined_type;
-+		attribute spoolfile;
- 	')
- 
-	typeattribute $1 files_unconfined_type;
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all spool sockets
+##	Create all spool sockets
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_delete_all_spool_sockets',`
-+	gen_require(`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_create_all_spool_sockets',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute spoolfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
+	allow $1 spoolfile:sock_file create_sock_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
+##	Delete all spool sockets
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6519,20 +7986,212 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_delete_all_spool_sockets',`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
+		attribute spoolfile;
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
 +	allow $1 spoolfile:sock_file delete_sock_file_perms;
 +')
 +
@ -13359,53 +13339,13 @@ index f962f76..f39d066 100644
 +
 +	# Need to give access to the directories to be polyinstantiated
 +	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+	# Need to give access to the polyinstantiated subdirectories
-+	allow $1 polymember:dir search_dir_perms;
-+
-+	# Need to give access to parent directories where original
-+	# is remounted for polyinstantiation aware programs (like gdm)
-+	allow $1 polyparent:dir { getattr mounton };
-+
-+	# Need to give permission to create directories where applicable
-+	allow $1 self:process setfscreate;
-+	allow $1 polymember: dir { create setattr relabelto };
-+	allow $1 polydir: dir { write add_name open };
-+	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+	# Default type for mountpoints
-+	allow $1 poly_t:dir { create mounton };
-+	fs_unmount_xattr_fs($1)
-+
-+	fs_mount_tmpfs($1)
-+	fs_unmount_tmpfs($1)
-+
-+	ifdef(`distro_redhat',`
-+		# namespace.init
-+		files_search_tmp($1)
-+		files_search_home($1)
-+		corecmd_exec_bin($1)
-+		seutil_domtrans_setfiles($1)
-+	')
-+')
-+
-+########################################
-+## <summary>
-+##	Unconfined access to files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_unconfined',`
-+	gen_require(`
-+		attribute files_unconfined_type;
-+	')
-+
-+	typeattribute $1 files_unconfined_type;
-+')
+ 
+ 	# Need to give access to the polyinstantiated subdirectories
+ 	allow $1 polymember:dir search_dir_perms;
+@@ -6580,3 +8239,604 @@ interface(`files_unconfined',`
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
 +
 +########################################
 +## <summary>
@ -14006,7 +13946,7 @@ index f962f76..f39d066 100644
 +	')
 +
 +	allow $1 etc_t:service status;
- ')
+')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 1a03abd..32a40f8 100644
 --- a/policy/modules/kernel/files.te
@ -39216,7 +39156,7 @@ index 40edc18..963b974 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..fcd75c1 100644
+index 2cea692..07185cb 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -39360,7 +39300,7 @@ index 2cea692..fcd75c1 100644
 	')
 
 	ifdef(`distro_redhat',`
-+        files_search_pids($1)
+        files_search_all_pids($1)
 +        init_search_pid_dirs($1)
 		allow $1 net_conf_t:dir list_dir_perms;
 +		allow $1 net_conf_t:lnk_file read_lnk_file_perms;
@ -39423,13 +39363,13 @@ index 2cea692..fcd75c1 100644
 	')
 
 	ifdef(`distro_redhat',`
-+        files_search_pids($1)
+        files_search_all_pids($1)
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
 		manage_files_pattern($1, net_conf_t, net_conf_t)
 +		manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
+        sysnet_filetrans_named_content($1)
 +	')
-+    sysnet_filetrans_named_content($1)
 +')
 +
 +#######################################
@ -39455,7 +39395,7 @@ index 2cea692..fcd75c1 100644
 +	')
 +
 +	ifdef(`distro_redhat',`
-+        files_search_pids($1)
+        files_search_all_pids($1)
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
 +		manage_dirs_pattern($1, net_conf_t, net_conf_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 108%{?dist}
+Release: 109%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,9 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109
+- Allow search all pid dirs when managing net_conf_t files.
+
 * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
 - Fix labels, improve sysnet_manage_config interface.
 - Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.