diff --git a/policy-F16.patch b/policy-F16.patch index bb248881..e205a613 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -14902,23 +14902,31 @@ index 6cf8784..2354089 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..d5892cc 100644 +index f820f3b..85b04c0 100644 --- a/policy/modules/kernel/devices.if 
+++ b/policy/modules/kernel/devices.if -@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) - relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) +@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` + type device_t; + ') + +- relabelfrom_dirs_pattern($1, device_t, device_node) +- relabelfrom_files_pattern($1, device_t, device_node) +- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) -+ relabel_fifo_files_pattern($1, device_t, { device_t device_node }) -+ relabel_sock_files_pattern($1, device_t, { device_t device_node }) - relabel_blk_files_pattern($1, device_t, { device_t device_node }) - relabel_chr_files_pattern($1, device_t, { device_t device_node }) - ') - - ######################################## - ## +- relabel_blk_files_pattern($1, device_t, { device_t device_node }) +- relabel_chr_files_pattern($1, device_t, { device_t device_node }) ++ relabel_dirs_pattern($1, device_t, device_node) ++ relabel_files_pattern($1, device_t, device_node) ++ relabel_lnk_files_pattern($1, device_t, device_node) ++ relabel_fifo_files_pattern($1, device_t, device_node) ++ relabel_sock_files_pattern($1, device_t, device_node) ++ relabel_blk_files_pattern($1, device_t, device_node) ++ relabel_chr_files_pattern($1, device_t, device_node) ++') ++ ++######################################## ++## +## Allow full relabeling (to and from) of all device files. +## +## @@ -14934,13 +14942,9 @@ index f820f3b..d5892cc 100644 + ') + + relabel_files_pattern($1, device_t, device_t) -+') -+ -+######################################## -+## - ## List all of the device nodes in a device directory. - ## - ## + ') + + ######################################## 
@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',` ######################################## @@ -15416,7 +15420,7 @@ index f820f3b..d5892cc 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3902,21 +4177,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3902,23 +4177,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -15437,18 +15441,40 @@ index f820f3b..d5892cc 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` - gen_require(` -- type sysfs_t; ++ gen_require(` + type cpu_online_t; ++ ') ++ ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) ++') ++ ++######################################## ++## ++## Relabel cpu online hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_cpu_online',` + gen_require(` ++ type cpu_online_t; + type sysfs_t; ') - manage_dirs_pattern($1, sysfs_t, sysfs_t) + dev_search_sysfs($1) -+ read_files_pattern($1, cpu_online_t, cpu_online_t) ++ allow $1 cpu_online_t:file relabel_file_perms; ') ++ ######################################## -@@ -3972,6 +4252,42 @@ interface(`dev_rw_sysfs',` + ## + ## Read hardware state information. +@@ -3972,6 +4273,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -15470,6 +15496,26 @@ index f820f3b..d5892cc 100644 + +######################################## +## ++## Relabel hardware state files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_all_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Allow caller to modify hardware state information. +## +## 
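Review bot: Switching dev_relabel_all_dev_nodes from the relabelfrom_*_pattern calls to relabel_*_pattern widens the interface for any existing caller — it now also grants relabelto on every device_node type — and nothing in the hunk records why. The rewritten lines also drop device_t from the lnk/blk/chr target sets (`{ device_t device_node }` becomes `device_node`); that is only equivalent if device_t itself carries the device_node attribute, which is not visible here, so confirm before merging. The interface's description block sits above the hunk; it should now say that both directions are granted, e.g. `## Relabel (to and from) all device nodes.`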
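Review bot: The summary line of the new dev_relabel_all_sysfs interface, `## Relabel hardware state files`, understates the grant: relabelfrom and relabelto on sysfs_t directories, files and symlinks, i.e. the whole of sysfs. Rewording it to `## Relabel (to and from) all sysfs directories, files and symlinks.` matches the neighbouring descriptions (which end with a period) and tells callers that this is a broad permission. The body is otherwise consistent with dev_relabel_cpu_online added in the preceding hunk.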
@@ -15491,7 +15537,7 @@ index f820f3b..d5892cc 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4385,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4426,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -15517,7 +15563,7 @@ index f820f3b..d5892cc 100644 ## Getattr generic the USB devices. ## ## -@@ -4103,6 +4438,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4103,6 +4479,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') @@ -15542,7 +15588,7 @@ index f820f3b..d5892cc 100644 ######################################## ## ## Read generic the USB devices. -@@ -4495,6 +4848,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4889,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -15567,7 +15613,7 @@ index f820f3b..d5892cc 100644 ## Read and write VMWare devices. ## ## -@@ -4695,6 +5066,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4695,6 +5107,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -15594,7 +15640,7 @@ index f820f3b..d5892cc 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5175,822 @@ interface(`dev_unconfined',` +@@ -4784,3 +5216,822 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -21894,7 +21940,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..8ea3385 100644 +index 2be17d2..cdcc621 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0) 
@@ -21953,13 +21999,17 @@ index 2be17d2..8ea3385 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,23 +66,115 @@ optional_policy(` +@@ -23,23 +66,119 @@ optional_policy(` ') optional_policy(` + blueman_dbus_chat(staff_t) +') + ++optional_policy(` ++ bluetooth_role(staff_r, staff_t) ++') ++ +optional_policy(` dbadm_role_change(staff_r) ') @@ -22071,7 +22121,7 @@ index 2be17d2..8ea3385 100644 ') optional_policy(` -@@ -48,10 +183,52 @@ optional_policy(` +@@ -48,10 +187,52 @@ optional_policy(` ') optional_policy(` @@ -22124,6 +22174,17 @@ index 2be17d2..8ea3385 100644 xserver_role(staff_r, staff_t) ') +@@ -61,10 +242,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- bluetooth_role(staff_r, staff_t) +- ') +- +- optional_policy(` + cdrecord_role(staff_r, staff_t) + ') + @@ -89,18 +266,10 @@ ifndef(`distro_redhat',` ') @@ -23672,10 +23733,10 @@ index 0000000..692ef0d +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..77967bd 100644 +index e5bfdd4..7e0ea58 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,101 @@ role user_r; +@@ -12,15 +12,105 @@ role user_r; userdom_unpriv_user_template(user) @@ -23702,6 +23763,10 @@ index e5bfdd4..77967bd 100644 +') + +optional_policy(` ++ bluetooth_role(user_r, user_t) ++') ++ ++optional_policy(` + colord_dbus_chat(user_t) +') + @@ -23777,7 +23842,7 @@ index e5bfdd4..77967bd 100644 vlock_run(user_t, user_r) ') -@@ -62,19 +148,11 @@ ifndef(`distro_redhat',` +@@ -62,19 +152,11 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23798,7 +23863,7 @@ index e5bfdd4..77967bd 100644 ') optional_policy(` -@@ -98,10 +176,6 @@ ifndef(`distro_redhat',` +@@ -98,10 +180,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -23809,7 +23874,7 @@ index e5bfdd4..77967bd 100644 postgresql_role(user_r, user_t) ') -@@ -118,11 +192,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +196,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23822,7 +23887,7 @@ index e5bfdd4..77967bd 100644 ') optional_policy(` -@@ -157,3 +227,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +231,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -24945,10 +25010,18 @@ index 0370dba..feea7e5 100644 domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te -index 64953f7..99a750b 100644 +index 64953f7..244259f 100644 --- a/policy/modules/services/aisexec.te +++ b/policy/modules/services/aisexec.te -@@ -89,6 +89,10 @@ optional_policy(` +@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) + kernel_read_system_state(aisexec_t) + + corecmd_exec_bin(aisexec_t) ++corecmd_exec_shell(aisexec_t) + + corenet_udp_bind_netsupport_port(aisexec_t) + corenet_tcp_bind_reserved_port(aisexec_t) +@@ -89,6 +90,10 @@ optional_policy(` ') optional_policy(` @@ -25227,7 +25300,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..90a9e33 100644 +index 9e39aa5..13de2fb 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ @@ -25348,7 +25421,7 @@ index 9e39aa5..90a9e33 100644 /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -104,8 +127,24 @@ ifdef(`distro_debian', ` +@@ -104,8 +127,26 @@ ifdef(`distro_debian', ` /var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
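Review bot: `corecmd_exec_shell(aisexec_t)` is added without a comment saying what aisexec needs a shell in its own domain for, and the spec changelog only repeats the grant. A one-line why-comment above it, naming the script or feature that fails without it, keeps the next reviewer from removing it or widening it further; something like `# aisexec execs shell helper scripts — TODO confirm which` until the reason is confirmed.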
@@ -25366,6 +25439,8 @@ index 9e39aa5..90a9e33 100644 + +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + ++/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++ +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -28307,10 +28382,10 @@ index 0000000..d694c0a +') diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te new file mode 100644 -index 0000000..12ef44c +index 0000000..bccefc9 --- /dev/null +++ b/policy/modules/services/blueman.te -@@ -0,0 +1,38 @@ +@@ -0,0 +1,42 @@ +policy_module(blueman, 1.0.0) + +######################################## @@ -28349,6 +28424,10 @@ index 0000000..12ef44c +optional_policy(` + avahi_domtrans(blueman_t) +') ++ ++optional_policy(` ++ gnome_search_gconf(blueman_t) ++') diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index 3e45431..a726c09 100644 --- a/policy/modules/services/bluetooth.if @@ -31022,10 +31101,10 @@ index 0000000..7f55959 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..4f0bd8d +index 0000000..2be12fd --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,218 @@ +@@ -0,0 +1,220 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -31098,6 +31177,8 @@ index 0000000..4f0bd8d +# deltacloudd local policy +# + ++allow deltacloudd_t self:capability { dac_override setuid setgid }; ++ +allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms; +allow deltacloudd_t self:udp_socket create_socket_perms; + @@ -36170,7 +36251,7 @@ index 5e2cea8..8eec089 100644 + dhcpd_systemctl($1) ') 
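Review bot: dac_override in the new `allow deltacloudd_t self:capability { dac_override setuid setgid };` is a broad capability — it bypasses DAC permission checks on every file the domain can otherwise reach — and the line does not say which operation needs it. If the daemon only reads or traverses files it does not own, dac_read_search is the narrower choice; either way a comment such as `# dac_override: TODO note the file access that needs it; consider dac_read_search` should accompany the rule. The same applies to the dac_override added to the dhcpd_t capability line in the dhcp.te hunk further down (the `@@ -36188,7 +36269,7 @@` hunk).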
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te -index d4424ad..f90959a 100644 +index d4424ad..5d01064 100644 --- a/policy/modules/services/dhcp.te +++ b/policy/modules/services/dhcp.te @@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -36188,7 +36269,7 @@ index d4424ad..f90959a 100644 # -allow dhcpd_t self:capability { net_raw sys_resource }; -+allow dhcpd_t self:capability { sys_chroot net_raw setgid setuid sys_resource }; ++allow dhcpd_t self:capability { dac_override sys_chroot net_raw setgid setuid sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; -allow dhcpd_t self:process signal_perms; +allow dhcpd_t self:process { getcap setcap signal_perms }; @@ -38336,10 +38417,10 @@ index 0000000..67906f0 +## Generate entropy from audio input diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te new file mode 100644 -index 0000000..b6ac808 +index 0000000..053caed --- /dev/null +++ b/policy/modules/services/entropyd.te -@@ -0,0 +1,80 @@ +@@ -0,0 +1,82 @@ +policy_module(entropyd, 1.7.0) + +######################################## @@ -38394,6 +38475,8 @@ index 0000000..b6ac808 + +logging_send_syslog_msg(entropyd_t) + ++auth_use_nsswitch(entropyd_t) ++ +miscfiles_read_localization(entropyd_t) + +userdom_dontaudit_use_unpriv_user_fds(entropyd_t) @@ -62492,7 +62575,7 @@ index 22adaca..6ec295a 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..12ad27c 100644 +index 2dad3c8..cf94c2b 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) 
@@ -62897,22 +62980,25 @@ index 2dad3c8..12ad27c 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,15 +408,86 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,9 +408,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_user_terminals(ssh_keygen_t) - optional_policy(` +-optional_policy(` - nscd_socket_use(ssh_keygen_t) -+ seutil_sigchld_newrole(ssh_keygen_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files(ssh_keygen_t) ++ fs_manage_nfs_dirs(ssh_keygen_t) ') optional_policy(` -- seutil_sigchld_newrole(ssh_keygen_t) -+ udev_read_db(ssh_keygen_t) +@@ -363,3 +422,77 @@ optional_policy(` + optional_policy(` + udev_read_db(ssh_keygen_t) ') - ++ +#################################### +# +# ssh_dyntransition domain local policy @@ -62922,8 +63008,7 @@ index 2dad3c8..12ad27c 100644 + +allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; + - optional_policy(` -- udev_read_db(ssh_keygen_t) ++optional_policy(` + ssh_rw_stream_sockets(ssh_dyntransition_domain) + ssh_rw_tcp_sockets(ssh_dyntransition_domain) +') @@ -62986,7 +63071,7 @@ index 2dad3c8..12ad27c 100644 + +optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) - ') ++') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 941380a..e1095f0 100644 --- a/policy/modules/services/sssd.if @@ -64641,7 +64726,7 @@ index 32a3c13..e3d91ad 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..49c15d1 100644 +index 2124b6a..246df1a 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -1,5 +1,6 @@ 
@@ -64653,7 +64738,7 @@ index 2124b6a..49c15d1 100644 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +13,39 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +13,43 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -64696,6 +64781,10 @@ index 2124b6a..49c15d1 100644 + +# support for nova-stack +/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 7c5d8d8..e6bb21e 100644 --- a/policy/modules/services/virt.if @@ -74729,7 +74818,7 @@ index a0b379d..2291a13 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..170e2e0 100644 +index 02f4c97..3bdf89f 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,12 +17,27 @@ 
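Review bot: The four new qemu specs in virt.fc (`/usr/bin/qemu`, `/usr/bin/qemu-system-.*`, `/usr/bin/qemu-kvm`, `/usr/libexec/qemu.*`) label binaries with qemu_exec_t, a type that by its name belongs to the qemu module, with no note on how they relate to that module's own file contexts. If the qemu module's .fc already carries specs for these paths, the policy ends up with overlapping entries for the same files in two places to keep in sync; check and keep a single set. The `# support for nova-stack` comment above applies only to the nova-compute line, so give the qemu entries their own short comment rather than letting them read as part of nova support.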
@@ -74770,7 +74859,15 @@ index 02f4c97..170e2e0 100644 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -66,6 +81,7 @@ ifdef(`distro_redhat',` +@@ -46,6 +61,7 @@ ifdef(`distro_suse', ` + /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) + /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ++/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) + + ifndef(`distro_gentoo',` + /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +@@ -66,6 +82,7 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) @@ -74778,7 +74875,7 @@ index 02f4c97..170e2e0 100644 /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) -@@ -73,4 +89,9 @@ ifdef(`distro_redhat',` +@@ -73,4 +90,9 @@ ifdef(`distro_redhat',` /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -75044,7 +75141,7 @@ index 831b909..118f708 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..5684c8a 100644 +index b6ec597..688f59a 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -5,6 +5,13 @@ policy_module(logging, 1.17.2) 
@@ -75162,7 +75259,7 @@ index b6ec597..5684c8a 100644 # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid }; ++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 syslog; # setpgid for metalog @@ -75196,7 +75293,7 @@ index b6ec597..5684c8a 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -426,10 +466,21 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -75208,6 +75305,7 @@ index b6ec597..5684c8a 100644 dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) +dev_read_rand(syslogd_t) ++dev_read_urand(syslogd_t) +# relating to systemd-kmsg-syslogd +dev_write_kmsg(syslogd_t) 
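Review bot: setuid and setgid are appended to the syslogd_t capability line without a reason, so the daemon may now change its uid/gid and a reader cannot tell whether that is for dropping privileges or something else. The comment block above the line already explains sys_admin and questions net_admin; extend it in the same style, e.g. `# setuid/setgid: presumably for dropping privileges to an unprivileged user — TODO confirm`, so the grant can be checked against what the daemon actually does. The remaining capabilities on the line are unchanged.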
@@ -75217,15 +75315,17 @@ index b6ec597..5684c8a 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -448,6 +498,7 @@ term_write_console(syslogd_t) +@@ -447,7 +498,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and + term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) ++term_use_generic_ptys(syslogd_t) +init_stream_connect(syslogd_t) # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -459,6 +510,7 @@ init_use_fds(syslogd_t) +@@ -459,6 +512,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -75233,7 +75333,7 @@ index b6ec597..5684c8a 100644 miscfiles_read_localization(syslogd_t) -@@ -496,11 +548,20 @@ optional_policy(` +@@ -496,11 +550,20 @@ optional_policy(` ') optional_policy(` @@ -78272,7 +78372,7 @@ index ff80d0a..22c9f0d 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..8aa3908 100644 +index 34d0ec5..58f8e6e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -78381,9 +78481,12 @@ index 34d0ec5..8aa3908 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,13 +151,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) +@@ -129,14 +150,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) + term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) ++auth_use_nsswitch(dhcpc_t) ++ init_rw_utmp(dhcpc_t) +init_stream_connect(dhcpc_t) +init_stream_send(dhcpc_t) 
@@ -78398,7 +78501,7 @@ index 34d0ec5..8aa3908 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -151,7 +173,18 @@ ifdef(`distro_ubuntu',` +@@ -151,7 +175,18 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -78418,7 +78521,7 @@ index 34d0ec5..8aa3908 100644 ') optional_policy(` -@@ -171,6 +204,8 @@ optional_policy(` +@@ -171,6 +206,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -78427,7 +78530,7 @@ index 34d0ec5..8aa3908 100644 ') optional_policy(` -@@ -192,17 +227,31 @@ optional_policy(` +@@ -192,17 +229,31 @@ optional_policy(` ') optional_policy(` @@ -78459,7 +78562,7 @@ index 34d0ec5..8aa3908 100644 ') optional_policy(` -@@ -213,6 +262,11 @@ optional_policy(` +@@ -213,6 +264,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -78471,7 +78574,7 @@ index 34d0ec5..8aa3908 100644 ') optional_policy(` -@@ -255,6 +309,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +311,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -78479,24 +78582,34 @@ index 34d0ec5..8aa3908 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +331,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +333,12 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + ++files_dontaudit_read_root_files(ifconfig_t) files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -301,11 +359,12 @@ logging_send_syslog_msg(ifconfig_t) +@@ -290,7 +351,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) + term_dontaudit_use_ptmx(ifconfig_t) + term_dontaudit_use_generic_ptys(ifconfig_t) + +-files_dontaudit_read_root_files(ifconfig_t) ++auth_use_nsswitch(ifconfig_t) + + init_use_fds(ifconfig_t) + init_use_script_ptys(ifconfig_t) +@@ -301,11 +362,11 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) -modutils_domtrans_insmod(ifconfig_t) - +- seutil_use_runinit_fds(ifconfig_t) -userdom_use_user_terminals(ifconfig_t) @@ -78506,7 +78619,7 @@ index 34d0ec5..8aa3908 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +373,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +375,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -78525,7 +78638,7 @@ index 34d0ec5..8aa3908 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +395,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +397,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -78540,10 +78653,11 @@ index 34d0ec5..8aa3908 100644 ') optional_policy(` -@@ -335,6 +411,18 @@ optional_policy(` +@@ -335,7 +413,15 @@ optional_policy(` ') optional_policy(` +- nis_use_ypbind(ifconfig_t) + kdump_dontaudit_read_config(ifconfig_t) +') + 
@@ -78553,13 +78667,10 @@ index 34d0ec5..8aa3908 100644 + +optional_policy(` + netutils_domtrans(dhcpc_t) -+') -+ -+optional_policy(` - nis_use_ypbind(ifconfig_t) ') -@@ -356,3 +444,9 @@ optional_policy(` + optional_policy(` +@@ -356,3 +442,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -78605,10 +78716,10 @@ index 0000000..0d3e625 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..7581e7d +index 0000000..19ba4e1 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,543 @@ +@@ -0,0 +1,546 @@ +## SELinux policy for systemd components + +####################################### @@ -78662,6 +78773,9 @@ index 0000000..7581e7d + init_list_pid_dirs($1) + init_read_state($1) + init_stream_send($1) ++ ++ systemd_login_list_pid_dirs($1) ++ systemd_login_read_pid_files($1) +') + +####################################### @@ -79154,10 +79268,10 @@ index 0000000..7581e7d + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..9e08125 +index 0000000..115f05e --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,381 @@ +@@ -0,0 +1,387 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -79271,6 +79385,7 @@ index 0000000..9e08125 +init_dbus_chat_script(systemd_logind_t) +init_read_script_state(systemd_logind_t) +init_read_state(systemd_logind_t) ++init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) + @@ -79358,6 +79473,9 @@ index 0000000..9e08125 +files_delete_kernel_modules(systemd_tmpfiles_t) + +dev_write_kmsg(systemd_tmpfiles_t) ++dev_relabel_all_sysfs(systemd_tmpfiles_t) ++dev_relabel_cpu_online(systemd_tmpfiles_t) ++dev_read_cpu_online(systemd_tmpfiles_t) + +domain_obj_id_change_exemption(systemd_tmpfiles_t) + 
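Review bot: The three relabel grants added for systemd_tmpfiles_t are broader than the single-file need recorded in the spec changelog (relabeling /sys/devices/system/cpu/online). For that file the domain needs relabelfrom on sysfs_t files and relabelto on cpu_online_t; dev_relabel_all_sysfs additionally grants relabelto on sysfs_t and relabelfrom/relabelto on every sysfs directory and symlink, which would also let this domain undo cpu_online_t (or any other sysfs-derived label) by relabeling back to sysfs_t. Consider an interface that grants only relabelfrom on sysfs_t files, or at least a comment above the three lines, e.g. `# systemd-tmpfiles relabels /sys/devices/system/cpu/online to cpu_online_t`, so the breadth is visible to the next reviewer.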
@@ -79482,6 +79600,8 @@ index 0000000..9e08125 + +auth_use_nsswitch(systemd_notify_t) + ++init_rw_stream_sockets(systemd_notify_t) ++ +miscfiles_read_localization(systemd_notify_t) + +optional_policy(` @@ -79780,7 +79900,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..6a93c64 100644 +index d88f7c3..5ff6beb 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -79990,6 +80110,14 @@ index d88f7c3..6a93c64 100644 unconfined_signal(udev_t) ') +@@ -285,6 +333,7 @@ optional_policy(` + kernel_read_xen_state(udev_t) + xen_manage_log(udev_t) + xen_read_image_files(udev_t) ++ xen_stream_connect_xenstore(udev_t) + ') + + optional_policy(` diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index ce2fbb9..8b34dbc 100644 --- a/policy/modules/system/unconfined.fc @@ -84528,7 +84656,7 @@ index 9b4a930..ced52ff 100644 +') + diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc -index a865da7..a5ed06e 100644 +index a865da7..f22f770 100644 --- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc @@ -1,12 +1,10 @@ @@ -84541,7 +84669,7 @@ index a865da7..a5ed06e 100644 /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) -/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) -+/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ++#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ifdef(`distro_debian',` /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) @@ -84657,7 +84785,7 @@ index 77d41b6..138efd8 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index 4350ba0..5d6dbad 100644 +index 4350ba0..9ab107b 100644 --- a/policy/modules/system/xen.te 
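Review bot: The qemu-dm spec in xen.fc is disabled by commenting it out (`#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)`) rather than removed, so the file keeps a dead entry and the binary now takes whatever more general spec matches its path. The xen.te hunk that follows adds a TODO saying qemu-dm should run in xend_t, which explains the intent; that reasoning should sit next to the disabled spec too, e.g. `# qemu-dm runs in xend_t; see the TODO in xen.te before re-enabling`. Commented-out policy lines tend to be re-enabled later without that context.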
+++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) @@ -84688,7 +84816,18 @@ index 4350ba0..5d6dbad 100644 ######################################## # # blktap local policy -@@ -208,8 +205,7 @@ tunable_policy(`xend_run_qemu',` +@@ -170,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + # + # qemu-dm local policy + # ++ ++# TODO: This part of policy should be removed ++# qemu-dm should run in xend_t domain ++ + # Do we need to allow execution of qemu-dm? + tunable_policy(`xend_run_qemu',` + allow qemu_dm_t self:capability sys_resource; +@@ -208,9 +209,13 @@ tunable_policy(`xend_run_qemu',` # xend local policy # @@ -84696,9 +84835,15 @@ index 4350ba0..5d6dbad 100644 -dontaudit xend_t self:capability { sys_ptrace }; +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; allow xend_t self:process { signal sigkill }; ++ ++# needed by qemu_dm ++allow xend_t self:capability sys_resource; ++allow xend_t self:process setrlimit; ++ dontaudit xend_t self:process ptrace; # internal communication is often done using fifo and unix sockets. -@@ -320,12 +316,9 @@ locallogin_dontaudit_use_fds(xend_t) + allow xend_t self:fifo_file rw_fifo_file_perms; +@@ -320,13 +325,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -84708,10 +84853,11 @@ index 4350ba0..5d6dbad 100644 miscfiles_read_hwdata(xend_t) -mount_domtrans(xend_t) - +- sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) -@@ -339,8 +332,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) + sysnet_domtrans_ifconfig(xend_t) +@@ -339,8 +340,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -84720,7 +84866,7 @@ index 4350ba0..5d6dbad 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +340,22 @@ optional_policy(` +@@ -349,6 +348,22 @@ optional_policy(` consoletype_exec(xend_t) ') 
@@ -84743,7 +84889,7 @@ index 4350ba0..5d6dbad 100644 ######################################## # # Xen console local policy -@@ -413,9 +420,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -84755,7 +84901,7 @@ index 4350ba0..5d6dbad 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +450,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -84767,7 +84913,7 @@ index 4350ba0..5d6dbad 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +467,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +475,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -84864,7 +85010,7 @@ index 4350ba0..5d6dbad 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +482,4 @@ optional_policy(` +@@ -559,8 +490,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 016c60ca..884a15ef 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,13 +16,12 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 74.2%{?dist} +Release: 75%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch: policy-F16.patch patch1: unconfined_permissive.patch -patch2: policy-systemd.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -239,7 +238,6 @@ Based off of reference policy: Checked out revision 2.20091117 %setup -n serefpolicy-%{version} -q %patch -p1 %patch1 -p1 -b .unconfined -%patch2 -p1 -b .systemd %install mkdir selinux_config 
@@ -473,6 +471,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 16 2012 Miroslav Grepl 3.10.0-75 +- Merge systemd patch +- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online +- Allow deltacloudd dac_override, setuid, setgid caps +- Allow aisexec to execute shell +- Add use_nfs_home_dirs boolean for ssh-keygen + * Fri Jan 13 2012 Dan Walsh 3.10.0-74.2 - Fixes to make rawhide boot in enforcing mode with latest systemd changes