* Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109

- Allow search all pid dirs when managing net_conf_t files.
2015-02-04 17:02:02 +01:00 · 2015-02-04 17:02:02 +01:00 · 1fd39e9da1
commit 1fd39e9da1
parent 203031a6db
2 changed files with 122 additions and 179 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -9812,7 +9812,7 @@ index b876c48..6bfb954 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..f39d066 100644
+index f962f76..6fab9e7 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12594,7 +12594,7 @@ index f962f76..f39d066 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -6025,6 +7381,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',`
 ########################################
 ## <summary>
@ -12616,11 +12616,29 @@ index f962f76..f39d066 100644
 +')
 +
 +########################################
 +## <summary>
 +##	Allow search the all /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_search_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
 +
 +	allow $1 pidfile:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	List the contents of the runtime process
 ##	ID directories (/var/run).
 ## </summary>
-@@ -6039,7 +7414,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7432,7 @@ interface(`files_list_pids',`
 		type var_t, var_run_t;
 	')
@ -12629,7 +12647,7 @@ index f962f76..f39d066 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 ')
-@@ -6058,7 +7433,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')
@ -12638,7 +12656,7 @@ index f962f76..f39d066 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	read_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6078,7 +7453,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',`
 		type var_run_t;
 	')
@ -12647,7 +12665,7 @@ index f962f76..f39d066 100644
 	allow $1 var_run_t:fifo_file write;
 ')
-@@ -6140,7 +7515,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',`
 	')
 	allow $1 var_t:dir search_dir_perms;
@ -12655,7 +12673,7 @@ index f962f76..f39d066 100644
 	filetrans_pattern($1, var_run_t, $2, $3, $4)
 ')
-@@ -6169,6 +7543,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',`
 ########################################
 ## <summary>
@ -12680,7 +12698,7 @@ index f962f76..f39d066 100644
 ##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
-@@ -6182,7 +7574,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',`
 		type var_t, var_run_t;
 	')
@ -12689,7 +12707,7 @@ index f962f76..f39d066 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	rw_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6249,55 +7641,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
 ########################################
 ## <summary>
@ -12752,7 +12770,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6305,42 +7685,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -12802,7 +12820,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6348,18 +7721,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -12826,7 +12844,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6367,37 +7740,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',`
 ##	</summary>
 ## </param>
 #
@ -12878,7 +12896,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6405,18 +7781,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7799,17 @@ interface(`files_dontaudit_search_spool',`
 ##	</summary>
 ## </param>
 #
@ -12901,7 +12919,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6424,18 +7799,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7817,18 @@ interface(`files_list_spool',`
 ##	</summary>
 ## </param>
 #
@ -12925,7 +12943,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6443,19 +7818,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7836,18 @@ interface(`files_manage_generic_spool_dirs',`
 ##	</summary>
 ## </param>
 #
@ -12950,7 +12968,7 @@ index f962f76..f39d066 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6463,55 +7837,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7855,130 @@ interface(`files_read_generic_spool',`
 ##	</summary>
 ## </param>
 #
@ -12978,101 +12996,46 @@ index f962f76..f39d066 100644
 ##	</summary>
 ## </param>
 -## <param name="file">
 -##	<summary>
 -##	Type to which the created node will be transitioned.
 -##	</summary>
 -## </param>
 -## <param name="class">
 -##	<summary>
 -##	Object class(es) (single or set including {}) for which this
 -##	the transition will occur.
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
 -##	<summary>
 -##	The name of the object being created.
 -##	</summary>
 -## </param>
 +## <rolecap/>
- #
+#
 -interface(`files_spool_filetrans',`
 +interface(`files_delete_all_pids',`
- 	gen_require(`
+	gen_require(`
 -		type var_t, var_spool_t;
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
+	')
- 
+
 +	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_t:dir search_dir_perms;
 -	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 +	delete_files_pattern($1, pidfile, pidfile)
 +	delete_fifo_files_pattern($1, pidfile, pidfile)
 +	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Allow access to manage all polyinstantiated
 -##	directories on the system.
 +##	Delete all process ID directories.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
 ##	<summary>
-@@ -6519,53 +7881,68 @@ interface(`files_spool_filetrans',`
+-##	Type to which the created node will be transitioned.
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
- #
+-## <param name="class">
-interface(`files_polyinstantiate_all',`
+#
 +interface(`files_delete_all_pid_dirs',`
- 	gen_require(`
+	gen_require(`
 -		attribute polydir, polymember, polyparent;
 -		type poly_t;
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
+	')
- 
+
 -	# Need to give access to /selinux/member
 -	selinux_compute_member($1)
 -
 -	# Need sys_admin capability for mounting
 -	allow $1 self:capability { chown fsetid sys_admin fowner };
 -
 -	# Need to give access to the directories to be polyinstantiated
 -	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
 -
 -	# Need to give access to the polyinstantiated subdirectories
 -	allow $1 polymember:dir search_dir_perms;
 -
 -	# Need to give access to parent directories where original
 -	# is remounted for polyinstantiation aware programs (like gdm)
 -	allow $1 polyparent:dir { getattr mounton };
 -
 -	# Need to give permission to create directories where applicable
 -	allow $1 self:process setfscreate;
 -	allow $1 polymember: dir { create setattr relabelto };
 -	allow $1 polydir: dir { write add_name open };
 -	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
 -
 -	# Default type for mountpoints
 -	allow $1 poly_t:dir { create mounton };
 -	fs_unmount_xattr_fs($1)
 -
 -	fs_mount_tmpfs($1)
 -	fs_unmount_tmpfs($1)
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
- 
+
 -	ifdef(`distro_redhat',`
 -		# namespace.init
 -		files_search_tmp($1)
 -		files_search_home($1)
 -		corecmd_exec_bin($1)
 -		seutil_domtrans_setfiles($1)
 +########################################
 +## <summary>
 +##	Make the specified type a file
@ -13105,59 +13068,76 @@ index f962f76..f39d066 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
 -##	Object class(es) (single or set including {}) for which this
 -##	the transition will occur.
 +##	Type of the file to be used as a
 +##	spool file.
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
 -## <param name="name" optional="true">
 +## <infoflow type="none"/>
 +#
 +interface(`files_spool_file',`
 +	gen_require(`
 +		attribute spoolfile;
- 	')
+	')
 +
 +	files_type($1)
 +	typeattribute $1 spoolfile;
 ')
 ########################################
 ## <summary>
 -##	Unconfined access to files.
 +##	Create all spool sockets
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6573,10 +7950,875 @@ interface(`files_polyinstantiate_all',`
 ##	</summary>
 ## </param>
 #
 -interface(`files_unconfined',`
 +interface(`files_create_all_spool_sockets',`
 	gen_require(`
 -		attribute files_unconfined_type;
 +		attribute spoolfile;
 	')
 -	typeattribute $1 files_unconfined_type;
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all spool sockets
+##	Create all spool sockets
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
 -##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+ #
-+interface(`files_delete_all_spool_sockets',`
+-interface(`files_spool_filetrans',`
-+	gen_require(`
+interface(`files_create_all_spool_sockets',`
 	gen_require(`
 -		type var_t, var_spool_t;
 +		attribute spoolfile;
-+	')
+ 	')
-+
+ 
 -	allow $1 var_t:dir search_dir_perms;
 -	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
 ')
 ########################################
 ## <summary>
 -##	Allow access to manage all polyinstantiated
 -##	directories on the system.
 +##	Delete all spool sockets
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6519,20 +7986,212 @@ interface(`files_spool_filetrans',`
 ##	</summary>
 ## </param>
 #
 -interface(`files_polyinstantiate_all',`
 +interface(`files_delete_all_spool_sockets',`
 	gen_require(`
 -		attribute polydir, polymember, polyparent;
 -		type poly_t;
 +		attribute spoolfile;
 	')
 -	# Need to give access to /selinux/member
 -	selinux_compute_member($1)
 -
 -	# Need sys_admin capability for mounting
 -	allow $1 self:capability { chown fsetid sys_admin fowner };
 -
 -	# Need to give access to the directories to be polyinstantiated
 -	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
 +	allow $1 spoolfile:sock_file delete_sock_file_perms;
 +')
 +
@ -13359,53 +13339,13 @@ index f962f76..f39d066 100644
 +
 +	# Need to give access to the directories to be polyinstantiated
 +	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
+ 
-+	# Need to give access to the polyinstantiated subdirectories
+ 	# Need to give access to the polyinstantiated subdirectories
-+	allow $1 polymember:dir search_dir_perms;
+ 	allow $1 polymember:dir search_dir_perms;
-+
+@@ -6580,3 +8239,604 @@ interface(`files_unconfined',`
-+	# Need to give access to parent directories where original
+ 
-+	# is remounted for polyinstantiation aware programs (like gdm)
+ 	typeattribute $1 files_unconfined_type;
-+	allow $1 polyparent:dir { getattr mounton };
+ ')
 +
 +	# Need to give permission to create directories where applicable
 +	allow $1 self:process setfscreate;
 +	allow $1 polymember: dir { create setattr relabelto };
 +	allow $1 polydir: dir { write add_name open };
 +	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
 +
 +	# Default type for mountpoints
 +	allow $1 poly_t:dir { create mounton };
 +	fs_unmount_xattr_fs($1)
 +
 +	fs_mount_tmpfs($1)
 +	fs_unmount_tmpfs($1)
 +
 +	ifdef(`distro_redhat',`
 +		# namespace.init
 +		files_search_tmp($1)
 +		files_search_home($1)
 +		corecmd_exec_bin($1)
 +		seutil_domtrans_setfiles($1)
 +	')
 +')
 +
 +########################################
 +## <summary>
 +##	Unconfined access to files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_unconfined',`
 +	gen_require(`
 +		attribute files_unconfined_type;
 +	')
 +
 +	typeattribute $1 files_unconfined_type;
 +')
 +
 +########################################
 +## <summary>
@ -14006,7 +13946,7 @@ index f962f76..f39d066 100644
 +	')
 +
 +	allow $1 etc_t:service status;
- ')
+')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 1a03abd..32a40f8 100644
 --- a/policy/modules/kernel/files.te
@ -39216,7 +39156,7 @@ index 40edc18..963b974 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..fcd75c1 100644
+index 2cea692..07185cb 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -39360,7 +39300,7 @@ index 2cea692..fcd75c1 100644
 	')
 	ifdef(`distro_redhat',`
-+        files_search_pids($1)
+        files_search_all_pids($1)
 +        init_search_pid_dirs($1)
 		allow $1 net_conf_t:dir list_dir_perms;
 +		allow $1 net_conf_t:lnk_file read_lnk_file_perms;
@ -39423,13 +39363,13 @@ index 2cea692..fcd75c1 100644
 	')
 	ifdef(`distro_redhat',`
-+        files_search_pids($1)
+        files_search_all_pids($1)
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
 		manage_files_pattern($1, net_conf_t, net_conf_t)
 +		manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
 +        sysnet_filetrans_named_content($1)
 +	')
 +    sysnet_filetrans_named_content($1)
 +')
 +
 +#######################################
@ -39455,7 +39395,7 @@ index 2cea692..fcd75c1 100644
 +	')
 +
 +	ifdef(`distro_redhat',`
-+        files_search_pids($1)
+        files_search_all_pids($1)
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
 +		manage_dirs_pattern($1, net_conf_t, net_conf_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 108%{?dist}
+Release: 109%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109
 - Allow search all pid dirs when managing net_conf_t files.
 * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
 - Fix labels, improve sysnet_manage_config interface.
 - Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.