From 1fd39e9da15128d3dd94088fee075dac967d149f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 4 Feb 2015 17:02:02 +0100 Subject: [PATCH] * Wed Feb 04 2015 Lukas Vrabec 3.13.1-109 - Allow search all pid dirs when managing net_conf_t files. --- policy-rawhide-base.patch | 296 +++++++++++++++----------------------- selinux-policy.spec | 5 +- 2 files changed, 122 insertions(+), 179 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 39e1baa9..dc3f83cb 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9812,7 +9812,7 @@ index b876c48..6bfb954 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..f39d066 100644 +index f962f76..6fab9e7 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12594,7 +12594,7 @@ index f962f76..f39d066 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7381,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -12616,11 +12616,29 @@ index f962f76..f39d066 100644 +') + +######################################## ++## ++## Allow search the all /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_search_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## +## ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7414,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7432,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') 
@@ -12629,7 +12647,7 @@ index f962f76..f39d066 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7433,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -12638,7 +12656,7 @@ index f962f76..f39d066 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7453,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -12647,7 +12665,7 @@ index f962f76..f39d066 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7515,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -12655,7 +12673,7 @@ index f962f76..f39d066 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7543,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -12680,7 +12698,7 @@ index f962f76..f39d066 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7574,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -12689,7 +12707,7 @@ index f962f76..f39d066 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7641,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -12752,7 +12770,7 @@ index f962f76..f39d066 100644 ## ## ## -@@ -6305,42 +7685,35 @@ interface(`files_delete_all_pids',` +@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',` ## ## # 
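Review bot: The parameter description in the new `files_search_all_pids` interface reads `Domain to not audit.`, copied from the `files_dontaudit_search_pids` interface that precedes it, while the body is an `allow` rule; it should read `## Domain allowed access.` and the summary should say `## Search all process ID directories (every type with the pidfile attribute).` Unlike `files_search_pids`, which grants search on var_t and var_run_t, the new rule `allow $1 pidfile:dir search_dir_perms;` covers every directory type carrying the `pidfile` attribute, so it is a strictly wider grant and the summary should state that rather than "the all /var/run directory". The three `ifdef(`distro_redhat',` blocks in the sysnetwork.if hunk of this same patch swap `files_search_pids($1)` for `files_search_all_pids($1)`, so they keep search on /var only if var_t carries `pidfile` or they get that search elsewhere; the patch does not show which, so this needs confirming before the swap is relied on. A one-line why-comment on the allow rule, `# broader than files_search_pids: every pidfile-attributed dir`, would keep the next reader from treating the two as interchangeable.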
@@ -12802,7 +12820,7 @@ index f962f76..f39d066 100644 ## ## ## -@@ -6348,18 +7721,18 @@ interface(`files_manage_all_pids',` +@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -12826,7 +12844,7 @@ index f962f76..f39d066 100644 ## ## ## -@@ -6367,37 +7740,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -12878,7 +12896,7 @@ index f962f76..f39d066 100644 ## ## ## -@@ -6405,18 +7781,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6405,18 +7799,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -12901,7 +12919,7 @@ index f962f76..f39d066 100644 ## ## ## -@@ -6424,18 +7799,18 @@ interface(`files_list_spool',` +@@ -6424,18 +7817,18 @@ interface(`files_list_spool',` ## ## # @@ -12925,7 +12943,7 @@ index f962f76..f39d066 100644 ## ## ## -@@ -6443,19 +7818,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6443,19 +7836,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -12950,7 +12968,7 @@ index f962f76..f39d066 100644 ## ## ## -@@ -6463,55 +7837,43 @@ interface(`files_read_generic_spool',` +@@ -6463,55 +7855,130 @@ interface(`files_read_generic_spool',` ## ## # 
@@ -12978,101 +12996,46 @@ index f962f76..f39d066 100644 ## ## -## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## --## --## The name of the object being created. --## --## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_delete_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - ++ ') ++ + files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Delete all process ID directories. - ## - ## ++## ++## ## -@@ -6519,53 +7881,68 @@ interface(`files_spool_filetrans',` +-## Type to which the created node will be transitioned. ++## Domain allowed access. 
## ## - # --interface(`files_polyinstantiate_all',` +-## ++# +interface(`files_delete_all_pid_dirs',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') - -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) ++ +######################################## +## +## Make the specified type a file @@ -13105,59 +13068,76 @@ index f962f76..f39d066 100644 +##

+## +## -+## + ## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +## Type of the file to be used as a +## spool file. -+## -+## + ## + ## +-## +## +# +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; - ') ++ ') + + files_type($1) + typeattribute $1 spoolfile; - ') - - ######################################## - ## --## Unconfined access to files. -+## Create all spool sockets - ## - ## - ## -@@ -6573,10 +7950,875 @@ interface(`files_polyinstantiate_all',` - ## - ## - # --interface(`files_unconfined',` -+interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute files_unconfined_type; -+ attribute spoolfile; - ') - -- typeattribute $1 files_unconfined_type; -+ allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## -+## Delete all spool sockets ++## Create all spool sockets +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_spool_sockets',` -+ gen_require(` + ## + ## + # +-interface(`files_spool_filetrans',` ++interface(`files_create_all_spool_sockets',` + gen_require(` +- type var_t, var_spool_t; + attribute spoolfile; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 spoolfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. 
++## Delete all spool sockets + ## + ## + ## +@@ -6519,20 +7986,212 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; ++ attribute spoolfile; + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
@@ -13359,53 +13339,13 @@ index f962f76..f39d066 100644 + + # Need to give access to the directories to be polyinstantiated + allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; -+ -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) -+ -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) -+ ') -+') -+ -+######################################## -+## -+## Unconfined access to files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_unconfined',` -+ gen_require(` -+ attribute files_unconfined_type; -+ ') -+ -+ typeattribute $1 files_unconfined_type; -+') + + # Need to give access to the polyinstantiated subdirectories + allow $1 polymember:dir search_dir_perms; +@@ -6580,3 +8239,604 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') + +######################################## +## @@ -14006,7 +13946,7 @@ index f962f76..f39d066 100644 + ') + + allow $1 etc_t:service status; - ') ++') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abd..32a40f8 100644 --- a/policy/modules/kernel/files.te 
@@ -39216,7 +39156,7 @@ index 40edc18..963b974 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..fcd75c1 100644 +index 2cea692..07185cb 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39360,7 +39300,7 @@ index 2cea692..fcd75c1 100644 ') ifdef(`distro_redhat',` -+ files_search_pids($1) ++ files_search_all_pids($1) + init_search_pid_dirs($1) allow $1 net_conf_t:dir list_dir_perms; + allow $1 net_conf_t:lnk_file read_lnk_file_perms; @@ -39423,13 +39363,13 @@ index 2cea692..fcd75c1 100644 ') ifdef(`distro_redhat',` -+ files_search_pids($1) ++ files_search_all_pids($1) + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; manage_files_pattern($1, net_conf_t, net_conf_t) + manage_lnk_files_pattern($1, net_conf_t, net_conf_t) ++ sysnet_filetrans_named_content($1) + ') -+ sysnet_filetrans_named_content($1) +') + +####################################### @@ -39455,7 +39395,7 @@ index 2cea692..fcd75c1 100644 + ') + + ifdef(`distro_redhat',` -+ files_search_pids($1) ++ files_search_all_pids($1) + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; + manage_dirs_pattern($1, net_conf_t, net_conf_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0643b439..fa8c8079 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 108%{?dist} +Release: 109%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -605,6 +605,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Feb 04 2015 Lukas Vrabec 3.13.1-109 +- Allow search all pid dirs when managing net_conf_t files. + * Wed Feb 04 2015 Lukas Vrabec 3.13.1-108 - Fix labels, improve sysnet_manage_config interface. - Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.