From 1fd39e9da15128d3dd94088fee075dac967d149f Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Wed, 4 Feb 2015 17:02:02 +0100
Subject: [PATCH] * Wed Feb 04 2015 Lukas Vrabec
3.13.1-109 - Allow search all pid dirs when managing net_conf_t files.
---
policy-rawhide-base.patch | 296 +++++++++++++++-----------------------
selinux-policy.spec | 5 +-
2 files changed, 122 insertions(+), 179 deletions(-)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 39e1baa9..dc3f83cb 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9812,7 +9812,7 @@ index b876c48..6bfb954 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..f39d066 100644
+index f962f76..6fab9e7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12594,7 +12594,7 @@ index f962f76..f39d066 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,6 +7381,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -12616,11 +12616,29 @@ index f962f76..f39d066 100644
+')
+
+########################################
++##
++## Allow search the all /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:dir search_dir_perms;
++')
++
++########################################
+##
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6039,7 +7414,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7432,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
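Review bot: The parameter doc of the new `files_search_all_pids` interface reads `## Domain to not audit.`, which looks copied from the files_dontaudit_search_pids block just above it; the interface emits an allow rule, so the line should be `## Domain allowed access.`, and the summary reads better as `## Search all process ID directories (pidfile attribute), not only /var/run.` The body grants only `allow $1 pidfile:dir search_dir_perms;`, whereas the files_*_all_pids siblings visible later in this patch (files_delete_all_pids, files_delete_all_pid_dirs) also call `files_search_pids($1)` and allow var_t:dir search to reach the directory; if this interface is meant as a drop-in replacement for files_search_pids at call sites, either add `files_search_pids($1)` to the body or state in the doc that the caller must already be able to search /var and /var/run. Because the attribute covers every pidfile-typed directory, the grant is wider than the generic var_run_t one it replaces, which is worth saying in the summary so callers choose it deliberately. The inner files.if hunk this block belongs to continues past the end of this outer hunk.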
@@ -12629,7 +12647,7 @@ index f962f76..f39d066 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7433,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -12638,7 +12656,7 @@ index f962f76..f39d066 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7453,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -12647,7 +12665,7 @@ index f962f76..f39d066 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7515,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -12655,7 +12673,7 @@ index f962f76..f39d066 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7543,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -12680,7 +12698,7 @@ index f962f76..f39d066 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7574,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -12689,7 +12707,7 @@ index f962f76..f39d066 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7641,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -12752,7 +12770,7 @@ index f962f76..f39d066 100644
##
##
##
-@@ -6305,42 +7685,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -12802,7 +12820,7 @@ index f962f76..f39d066 100644
##
##
##
-@@ -6348,18 +7721,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -12826,7 +12844,7 @@ index f962f76..f39d066 100644
##
##
##
-@@ -6367,37 +7740,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -12878,7 +12896,7 @@ index f962f76..f39d066 100644
##
##
##
-@@ -6405,18 +7781,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7799,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -12901,7 +12919,7 @@ index f962f76..f39d066 100644
##
##
##
-@@ -6424,18 +7799,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7817,18 @@ interface(`files_list_spool',`
##
##
#
@@ -12925,7 +12943,7 @@ index f962f76..f39d066 100644
##
##
##
-@@ -6443,19 +7818,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7836,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -12950,7 +12968,7 @@ index f962f76..f39d066 100644
##
##
##
-@@ -6463,55 +7837,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7855,130 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -12978,101 +12996,46 @@ index f962f76..f39d066 100644
##
##
-##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_delete_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
++ ')
++
+ files_search_pids($1)
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Delete all process ID directories.
- ##
- ##
++##
++##
##
-@@ -6519,53 +7881,68 @@ interface(`files_spool_filetrans',`
+-## Type to which the created node will be transitioned.
++## Domain allowed access.
##
##
- #
--interface(`files_polyinstantiate_all',`
+-##
++#
+interface(`files_delete_all_pid_dirs',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
++
+########################################
+##
+## Make the specified type a file
@@ -13105,59 +13068,76 @@ index f962f76..f39d066 100644
+##
+##
+##
-+##
+ ##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+## Type of the file to be used as a
+## spool file.
-+##
-+##
+ ##
+ ##
+-##
+##
+#
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
- ')
++ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
-+## Create all spool sockets
- ##
- ##
- ##
-@@ -6573,10 +7950,875 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
-+interface(`files_create_all_spool_sockets',`
- gen_require(`
-- attribute files_unconfined_type;
-+ attribute spoolfile;
- ')
-
-- typeattribute $1 files_unconfined_type;
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+##
-+## Delete all spool sockets
++## Create all spool sockets
+##
+##
-+##
+ ##
+-## The name of the object being created.
+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
+ ##
+ ##
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_create_all_spool_sockets',`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute spoolfile;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 spoolfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all spool sockets
+ ##
+ ##
+ ##
+@@ -6519,20 +7986,212 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute spoolfile;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
@@ -13359,53 +13339,13 @@ index f962f76..f39d066 100644
+
+ # Need to give access to the directories to be polyinstantiated
+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Unconfined access to files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_unconfined',`
-+ gen_require(`
-+ attribute files_unconfined_type;
-+ ')
-+
-+ typeattribute $1 files_unconfined_type;
-+')
+
+ # Need to give access to the polyinstantiated subdirectories
+ allow $1 polymember:dir search_dir_perms;
+@@ -6580,3 +8239,604 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+##
@@ -14006,7 +13946,7 @@ index f962f76..f39d066 100644
+ ')
+
+ allow $1 etc_t:service status;
- ')
++')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..32a40f8 100644
--- a/policy/modules/kernel/files.te
@@ -39216,7 +39156,7 @@ index 40edc18..963b974 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..fcd75c1 100644
+index 2cea692..07185cb 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39360,7 +39300,7 @@ index 2cea692..fcd75c1 100644
')
ifdef(`distro_redhat',`
-+ files_search_pids($1)
++ files_search_all_pids($1)
+ init_search_pid_dirs($1)
allow $1 net_conf_t:dir list_dir_perms;
+ allow $1 net_conf_t:lnk_file read_lnk_file_perms;
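Review bot: Swapping `files_search_pids($1)` for `files_search_all_pids($1)` here, and at the same spot in the two following sysnetwork.if hunks, changes the grant from search on the generic var_run_t directory to search on every directory carrying the pidfile attribute; as far as this patch shows, the new interface does not itself cover var_t, so the ability to traverse /var to /var/run now depends on rules the calling domain obtains elsewhere, which I cannot confirm from this diff. If the goal is only the NetworkManager runtime directory that holds net_conf_t content, a narrower init_search_pid_dirs-style grant for that specific type would keep the change minimal, otherwise keeping `files_search_pids($1)` alongside the new call avoids a silent dependency. The enclosing interface definition starts outside this hunk.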
@@ -39423,13 +39363,13 @@ index 2cea692..fcd75c1 100644
')
ifdef(`distro_redhat',`
-+ files_search_pids($1)
++ files_search_all_pids($1)
+ init_search_pid_dirs($1)
+ allow $1 net_conf_t:dir list_dir_perms;
manage_files_pattern($1, net_conf_t, net_conf_t)
+ manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
++ sysnet_filetrans_named_content($1)
+ ')
-+ sysnet_filetrans_named_content($1)
+')
+
+#######################################
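Review bot: `sysnet_filetrans_named_content($1)` is moved from after the `ifdef(`distro_redhat',`` block to inside it, so on non-Red Hat builds the manage interface no longer sets up the named file transitions; the commit message only mentions the pid-directory search, so if this relocation is intentional (for example because the filetrans interface only exists in the distro-specific part of the patch) a one-line comment such as `# named filetrans rules are defined only in the distro_redhat policy` above the call would make that clear. The enclosing interface definition starts outside this hunk.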
@@ -39455,7 +39395,7 @@ index 2cea692..fcd75c1 100644
+ ')
+
+ ifdef(`distro_redhat',`
-+ files_search_pids($1)
++ files_search_all_pids($1)
+ init_search_pid_dirs($1)
+ allow $1 net_conf_t:dir list_dir_perms;
+ manage_dirs_pattern($1, net_conf_t, net_conf_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0643b439..fa8c8079 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 108%{?dist}
+Release: 109%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -605,6 +605,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Feb 04 2015 Lukas Vrabec 3.13.1-109
+- Allow search all pid dirs when managing net_conf_t files.
+
* Wed Feb 04 2015 Lukas Vrabec 3.13.1-108
- Fix labels, improve sysnet_manage_config interface.
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.