- Modify xdm_write_home to allow create files/links in /root with xdm_home_t

- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
- Add xserver_dbus_chat() interface
- Add sysnet_filetrans_named_content_ifconfig() interface
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-
- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1
- Allow lscpu running as rhsmcertd_t to read sysinfo
- Allow virt domains to read network state
- Added pcp rules
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw boolean to also cover non-security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow to run ip cmd in neutron_t domain
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
Miroslav Grepl 2014-03-07 16:53:11 +01:00
parent 08fe2e457e
commit 2d6801ddad
3 changed files with 188 additions and 85 deletions


@ -22720,7 +22720,7 @@ index 8274418..0069d82 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..0d55916 100644
index 6bf0ecc..bf98136 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@ -23704,7 +23704,7 @@ index 6bf0ecc..0d55916 100644
')
########################################
@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',`
@@ -1284,10 +1679,664 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@ -23850,6 +23850,27 @@ index 6bf0ecc..0d55916 100644
+
+########################################
+## <summary>
+## Send and receive messages from
+## xdm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_dbus_chat',`
+ gen_require(`
+ type xserver_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xserver_t:dbus send_msg;
+ allow xserver_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read xserver files created in /var/run
+## </summary>
+## <param name="domain">
@ -24351,7 +24372,7 @@ index 6bf0ecc..0d55916 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..a02343f 100644
index 8b40377..c52fbe6 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -24986,7 +25007,7 @@ index 8b40377..a02343f 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -472,24 +689,148 @@ userdom_read_user_home_content_files(xdm_t)
@@ -472,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -24999,6 +25020,7 @@ index 8b40377..a02343f 100644
+#userdom_home_manager(xdm_t)
+tunable_policy(`xdm_write_home',`
+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
+ userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
+',`
+ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
+')
@ -25141,7 +25163,7 @@ index 8b40377..a02343f 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -503,11 +844,26 @@ tunable_policy(`xdm_sysadm_login',`
@@ -503,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@ -25168,7 +25190,7 @@ index 8b40377..a02343f 100644
')
optional_policy(`
@@ -517,9 +873,34 @@ optional_policy(`
@@ -517,9 +874,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@ -25204,7 +25226,7 @@ index 8b40377..a02343f 100644
')
')
@@ -530,6 +911,20 @@ optional_policy(`
@@ -530,6 +912,20 @@ optional_policy(`
')
optional_policy(`
@ -25225,7 +25247,7 @@ index 8b40377..a02343f 100644
hostname_exec(xdm_t)
')
@@ -547,28 +942,78 @@ optional_policy(`
@@ -547,28 +943,78 @@ optional_policy(`
')
optional_policy(`
@ -25313,7 +25335,7 @@ index 8b40377..a02343f 100644
')
optional_policy(`
@@ -580,6 +1025,14 @@ optional_policy(`
@@ -580,6 +1026,14 @@ optional_policy(`
')
optional_policy(`
@ -25328,7 +25350,7 @@ index 8b40377..a02343f 100644
xfs_stream_connect(xdm_t)
')
@@ -594,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
@@ -594,7 +1048,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -25337,7 +25359,7 @@ index 8b40377..a02343f 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -604,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
@@ -604,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -25350,7 +25372,7 @@ index 8b40377..a02343f 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -618,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -618,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -25366,7 +25388,7 @@ index 8b40377..a02343f 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -627,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -627,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -25377,7 +25399,7 @@ index 8b40377..a02343f 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -638,25 +1105,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -638,25 +1106,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -25414,7 +25436,7 @@ index 8b40377..a02343f 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
@@ -677,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
@@ -677,23 +1152,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -25446,7 +25468,7 @@ index 8b40377..a02343f 100644
# brought on by rhgb
files_search_mnt(xserver_t)
@@ -705,6 +1184,14 @@ fs_search_nfs(xserver_t)
@@ -705,6 +1185,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -25461,7 +25483,7 @@ index 8b40377..a02343f 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
@@ -718,20 +1205,18 @@ init_getpgid(xserver_t)
@@ -718,20 +1206,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@ -25485,7 +25507,7 @@ index 8b40377..a02343f 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -739,8 +1224,6 @@ userdom_setattr_user_ttys(xserver_t)
@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@ -25494,7 +25516,7 @@ index 8b40377..a02343f 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
@@ -785,17 +1268,44 @@ optional_policy(`
@@ -785,17 +1269,44 @@ optional_policy(`
')
optional_policy(`
@ -25541,7 +25563,7 @@ index 8b40377..a02343f 100644
')
optional_policy(`
@@ -803,6 +1313,10 @@ optional_policy(`
@@ -803,6 +1314,10 @@ optional_policy(`
')
optional_policy(`
@ -25552,7 +25574,7 @@ index 8b40377..a02343f 100644
xfs_stream_connect(xserver_t)
')
@@ -818,10 +1332,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -818,10 +1333,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -25566,7 +25588,7 @@ index 8b40377..a02343f 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1343,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1344,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@ -25575,7 +25597,7 @@ index 8b40377..a02343f 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@@ -842,26 +1356,21 @@ init_use_fds(xserver_t)
@@ -842,26 +1357,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -25610,7 +25632,7 @@ index 8b40377..a02343f 100644
')
optional_policy(`
@@ -912,7 +1421,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
@@ -912,7 +1422,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -25619,7 +25641,7 @@ index 8b40377..a02343f 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -966,11 +1475,31 @@ allow x_domain self:x_resource { read write };
@@ -966,11 +1476,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -25651,7 +25673,7 @@ index 8b40377..a02343f 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@@ -992,18 +1521,150 @@ tunable_policy(`! xserver_object_manager',`
@@ -992,18 +1522,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@ -37265,7 +37287,7 @@ index 40edc18..7cc0c8a 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692..f1e2130 100644
index 2cea692..9f54e7c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -37552,7 +37574,7 @@ index 2cea692..f1e2130 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -796,3 +949,76 @@ interface(`sysnet_use_portmap',`
@@ -796,3 +949,94 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@ -37629,6 +37651,24 @@ index 2cea692..f1e2130 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
+
+########################################
+## <summary>
+## Transition to sysnet ifconfig named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_named_content_ifconfig',`
+ gen_require(`
+ type ifconfig_var_run_t;
+ ')
+
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..b0a854f 100644
--- a/policy/modules/system/sysnetwork.te
@ -39513,10 +39553,10 @@ index 0000000..8bca1d7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..e0c3372
index 0000000..c9ea962
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,638 @@
@@ -0,0 +1,640 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -39599,7 +39639,7 @@ index 0000000..e0c3372
+#
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config sys_admin };
+allow systemd_logind_t self:capability2 block_suspend;
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -39693,6 +39733,8 @@ index 0000000..e0c3372
+userdom_use_user_ttys(systemd_logind_t)
+userdom_manage_all_user_tmp_content(systemd_logind_t)
+
+xserver_dbus_chat(systemd_logind_t)
+
+optional_policy(`
+ apache_read_tmp_files(systemd_logind_t)
+')
@ -39763,7 +39805,7 @@ index 0000000..e0c3372
+logging_send_syslog_msg(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+userdom_use_inherited_user_ttys(systemd_passwd_agent_t)
+userdom_use_user_ttys(systemd_passwd_agent_t)
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
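Review bot: The capability set for systemd_logind_t in the systemd.te hunk now includes sys_admin, the broadest capability there is, with nothing saying which operation needs it, while the comment above the rule documents only dac_override; presumably it is for the DRM set-master/drop-master ioctls logind issues when handing devices to a non-root Xorg, but that should be confirmed from the actual AVC before it lands. I would extend the existing comment with a line such as `# sys_admin: DRM set/drop-master ioctls for device hand-off (XorgWithoutRootRights) - TODO confirm against the AVC denial`. In the same hunk, `xserver_dbus_chat(systemd_logind_t)` is called at top level, unlike the apache_read_tmp_files call right below it, so the systemd module now hard-depends on the xserver module being built; it should be wrapped in an optional_policy block like its neighbour. Separately, the new xserver_dbus_chat interface in xserver.if is documented as talking to xdm, but its rules grant dbus send_msg to and from xserver_t, so the summary should read `## Send and receive messages from the X server (xserver_t) over dbus.` to match what it grants.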


@ -16529,7 +16529,7 @@ index 1303b30..72481a7 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
index 7de3859..4e6ebcd 100644
index 7de3859..23baf47 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(`
@ -16557,7 +16557,8 @@ index 7de3859..4e6ebcd 100644
+## the generic cronjob domain.
+## </p>
## </desc>
gen_tunable(cron_userdomain_transition, false)
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_userdomain_transition, true)
## <desc>
## <p>
@ -17781,7 +17782,7 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
index 001b502..83fb1f9 100644
index 001b502..3ceae52 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@ -17828,7 +17829,7 @@ index 001b502..83fb1f9 100644
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
kernel_read_network_state(ctdbd_t)
@@ -72,9 +84,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
@ -17837,10 +17838,11 @@ index 001b502..83fb1f9 100644
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
@@ -85,12 +99,14 @@ dev_read_urand(ctdbd_t)
@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
@ -17857,7 +17859,7 @@ index 001b502..83fb1f9 100644
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
@@ -109,6 +125,7 @@ optional_policy(`
@@ -109,6 +126,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@ -56198,10 +56200,10 @@ index 0000000..cf03270
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 0000000..a66bb69
index 0000000..db64c6a
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,574 @@
@@ -0,0 +1,576 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@ -56718,6 +56720,8 @@ index 0000000..a66bb69
+kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
+files_dontaudit_search_all_mountpoints(openshift_cron_t)
+
+corecmd_exec_bin(openshift_cron_t)
+corecmd_exec_shell(openshift_cron_t)
+
@ -59086,10 +59090,10 @@ index 0000000..d9296b1
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 0000000..3bd4aa3
index 0000000..fc9dd48
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,196 @@
@@ -0,0 +1,215 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@ -59143,11 +59147,12 @@ index 0000000..3bd4aa3
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { file sock_file })
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file })
+manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
@ -59172,10 +59177,11 @@ index 0000000..3bd4aa3
+
+allow pcp_pmcd_t self:process { setsched };
+allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
+
+auth_use_nsswitch(pcp_pmcd_t)
+
+kernel_get_sysvipc_info(pcp_pmcd_t)
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
@ -59184,9 +59190,13 @@ index 0000000..3bd4aa3
+
+corecmd_exec_bin(pcp_pmcd_t)
+
+corenet_tcp_bind_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_amqp_port(pcp_pmcd_t)
+
+dev_read_sysfs(pcp_pmcd_t)
+
+domain_read_all_domains_state(pcp_pmcd_t)
+domain_getattr_all_domains(pcp_pmcd_t)
+
+dev_getattr_all_blk_files(pcp_pmcd_t)
+dev_getattr_all_chr_files(pcp_pmcd_t)
@ -59198,10 +59208,14 @@ index 0000000..3bd4aa3
+fs_list_cgroup_dirs(pcp_pmcd_t)
+fs_read_cgroup_files(pcp_pmcd_t)
+
+init_read_utmp(pcp_pmcd_t)
+
+logging_send_syslog_msg(pcp_pmcd_t)
+
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+userdom_read_user_tmp_files(pcp_pmcd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
+
@ -59269,10 +59283,16 @@ index 0000000..3bd4aa3
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmie_t)
+
+corecmd_exec_bin(pcp_pmie_t)
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
+
+logging_send_syslog_msg(pcp_pmie_t)
+
+userdom_read_user_tmp_files(pcp_pmie_t)
+
+########################################
+#
+# pcp_pmlogger local policy
@ -59284,8 +59304,11 @@ index 0000000..3bd4aa3
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmlogger_t)
+
diff --git a/pcscd.if b/pcscd.if
index 43d50f9..6b1544f 100644
--- a/pcscd.if
@ -71877,10 +71900,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b..9a3a093 100644
index 8644d8b..c93b852 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,119 @@ policy_module(quantum, 1.1.0)
@@ -5,92 +5,121 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@ -71931,6 +71954,7 @@ index 8644d8b..9a3a093 100644
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
@ -72010,6 +72034,7 @@ index 8644d8b..9a3a093 100644
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+sysnet_exec_ifconfig(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
-miscfiles_read_localization(quantum_t)
+optional_policy(`
@ -77700,7 +77725,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a2..a87ab50 100644
index d32e1a2..c4cf8a7 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@ -77721,8 +77746,11 @@ index d32e1a2..a87ab50 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
@@ -52,23 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
@@ -50,25 +49,48 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
+kernel_read_sysctl(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
+corenet_tcp_connect_http_port(rhsmcertd_t)
@ -82618,7 +82646,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
index 2b7c441..e411600 100644
index 2b7c441..706b3a4 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@ -83197,7 +83225,7 @@ index 2b7c441..e411600 100644
rpc_search_nfs_state_data(smbd_t)
')
@@ -499,9 +503,33 @@ optional_policy(`
@@ -499,9 +503,36 @@ optional_policy(`
udev_read_db(smbd_t)
')
@ -83220,9 +83248,12 @@ index 2b7c441..e411600 100644
+ allow nmbd_t self:capability { dac_read_search dac_override };
+ fs_manage_noxattr_fs_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
+ files_manage_non_security_dirs(smbd_t)
+ fs_manage_noxattr_fs_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
+ files_manage_non_security_dirs(nmbd_t)
+')
+
+userdom_filetrans_home_content(nmbd_t)
+
########################################
@ -83232,7 +83263,7 @@ index 2b7c441..e411600 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
@@ -512,9 +540,11 @@ allow nmbd_t self:msg { send receive };
@@ -512,9 +543,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@ -83247,7 +83278,7 @@ index 2b7c441..e411600 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
@@ -526,20 +556,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -526,20 +559,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -83271,7 +83302,7 @@ index 2b7c441..e411600 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -548,52 +573,42 @@ kernel_read_network_state(nmbd_t)
@@ -548,52 +576,42 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@ -83338,7 +83369,7 @@ index 2b7c441..e411600 100644
')
optional_policy(`
@@ -606,16 +621,22 @@ optional_policy(`
@@ -606,16 +624,22 @@ optional_policy(`
########################################
#
@ -83365,7 +83396,7 @@ index 2b7c441..e411600 100644
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
@@ -627,16 +648,11 @@ domain_use_interactive_fds(smbcontrol_t)
@@ -627,16 +651,11 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@ -83383,7 +83414,7 @@ index 2b7c441..e411600 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
@@ -644,22 +660,23 @@ optional_policy(`
@@ -644,22 +663,23 @@ optional_policy(`
########################################
#
@ -83415,7 +83446,7 @@ index 2b7c441..e411600 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
@@ -668,26 +688,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -83451,7 +83482,7 @@ index 2b7c441..e411600 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
@@ -699,58 +715,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@ -83543,7 +83574,7 @@ index 2b7c441..e411600 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
@@ -759,17 +794,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -83567,7 +83598,7 @@ index 2b7c441..e411600 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t)
@@ -777,36 +808,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@ -83610,7 +83641,7 @@ index 2b7c441..e411600 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t)
@@ -818,10 +838,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@ -83624,7 +83655,7 @@ index 2b7c441..e411600 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
@@ -840,17 +858,20 @@ optional_policy(`
@@ -840,17 +861,20 @@ optional_policy(`
# Winbind local policy
#
@ -83650,7 +83681,7 @@ index 2b7c441..e411600 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
@@ -860,9 +884,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -83661,7 +83692,7 @@ index 2b7c441..e411600 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
@@ -873,23 +895,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@ -83691,7 +83722,7 @@ index 2b7c441..e411600 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t)
@@ -898,13 +918,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@ -83712,7 +83743,7 @@ index 2b7c441..e411600 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,10 +936,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@ -83723,7 +83754,7 @@ index 2b7c441..e411600 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -924,26 +941,39 @@ auth_domtrans_chk_passwd(winbind_t)
@@ -924,26 +944,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@ -83765,7 +83796,7 @@ index 2b7c441..e411600 100644
')
optional_policy(`
@@ -959,31 +989,29 @@ optional_policy(`
@@ -959,31 +992,29 @@ optional_policy(`
# Winbind helper local policy
#
@ -83803,7 +83834,7 @@ index 2b7c441..e411600 100644
optional_policy(`
apache_append_log(winbind_helper_t)
@@ -997,25 +1025,38 @@ optional_policy(`
@@ -997,25 +1028,38 @@ optional_policy(`
########################################
#
@ -92278,10 +92309,10 @@ index 0000000..df82c36
+')
diff --git a/swift.te b/swift.te
new file mode 100644
index 0000000..c7b2bf6
index 0000000..7bef550
--- /dev/null
+++ b/swift.te
@@ -0,0 +1,69 @@
@@ -0,0 +1,80 @@
+policy_module(swift, 1.0.0)
+
+########################################
@ -92293,6 +92324,9 @@ index 0000000..c7b2bf6
+type swift_exec_t;
+init_daemon_domain(swift_t, swift_exec_t)
+
+type swift_tmp_t;
+files_tmpfs_file(swift_tmp_t)
+
+type swift_var_cache_t;
+files_type(swift_var_cache_t)
+
@ -92317,6 +92351,10 @@ index 0000000..c7b2bf6
+allow swift_t self:unix_stream_socket create_stream_socket_perms;
+allow swift_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
@ -92351,6 +92389,10 @@ index 0000000..c7b2bf6
+logging_send_syslog_msg(swift_t)
+
+userdom_dontaudit_search_user_home_dirs(swift_t)
+
+optional_policy(`
+ rpm_exec(swift_t)
+')
diff --git a/swift_alias.fc b/swift_alias.fc
new file mode 100644
index 0000000..b7db254
@ -99350,7 +99392,7 @@ index facdee8..fddb027 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..2a43838 100644
index f03dcf5..7a02075 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,197 @@
@ -100286,7 +100328,7 @@ index f03dcf5..2a43838 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -746,44 +626,276 @@ optional_policy(`
@@ -746,44 +626,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@ -100323,6 +100365,7 @@ index f03dcf5..2a43838 100644
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@ -100585,7 +100628,7 @@ index f03dcf5..2a43838 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +906,18 @@ kernel_write_xen_state(virsh_t)
@@ -794,25 +907,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@ -100612,7 +100655,7 @@ index f03dcf5..2a43838 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +926,25 @@ fs_search_auto_mountpoints(virsh_t)
@@ -821,23 +927,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@ -100646,7 +100689,7 @@ index f03dcf5..2a43838 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
@@ -856,14 +963,20 @@ optional_policy(`
@@ -856,14 +964,20 @@ optional_policy(`
')
optional_policy(`
@ -100668,7 +100711,7 @@ index f03dcf5..2a43838 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
@@ -888,49 +1001,65 @@ optional_policy(`
@@ -888,49 +1002,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@ -100752,7 +100795,7 @@ index f03dcf5..2a43838 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1071,16 @@ dev_read_urand(virtd_lxc_t)
@@ -942,17 +1072,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@ -100772,7 +100815,7 @@ index f03dcf5..2a43838 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,8 +1092,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
@@ -964,8 +1093,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -100796,7 +100839,7 @@ index f03dcf5..2a43838 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1117,275 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1118,275 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -101210,7 +101253,7 @@ index f03dcf5..2a43838 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1398,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1399,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -101225,7 +101268,7 @@ index f03dcf5..2a43838 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1416,8 @@ optional_policy(`
@@ -1192,9 +1417,8 @@ optional_policy(`
########################################
#
@ -101236,7 +101279,7 @@ index f03dcf5..2a43838 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1430,206 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1207,5 +1431,206 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
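Review bot: In the swift.te hunk swift_tmp_t is declared with `files_tmpfs_file(swift_tmp_t)`, yet every rule that uses it treats it as a /tmp type: `files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })` transitions objects created under tmp_t, and the commit message describes them as tmp files/dirs. With the tmpfs attribute the type will presumably be missed by the policy's attribute-based /tmp handling (purge, relabel and similar interfaces keyed on the tmp attribute), and there is no tmpfs filetrans that would justify the tmpfs declaration; the line should be `files_tmp_file(swift_tmp_t)`, which is how the pcp.te hunk in this same commit keeps a /tmp type (pcp_tmp_t) separate from a tmpfs type (pcp_tmpfs_t). Also, the cron.te hunk flips the default of cron_userdomain_transition to true as a stopgap, but only the commit message records that it is temporary and tied to #1063503; a comment above the tunable, `# Temporarily enabled by default until #1063503 is fixed`, would keep the reason with the change so it is revisited.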


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 29%{?dist}
Release: 30%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -580,6 +580,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Mar 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-31
- Modify xdm_write_home to allow create files/links in /root with xdm_home_t
- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
- Add xserver_dbus_chat() interface
- Add sysnet_filetrans_named_content_ifconfig() interface
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask
- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1063503
- Allow lscpu running as rhsmcertd_t to read sysinfo
- Allow virt domains to read network state
- Added pcp rules
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw booleanto cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow to run ip cmd in neutron_t domain
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
* Tue Mar 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-30
- Allow block_suspend cap2 for systemd-logind and rw dri device
- Add labeling for /usr/libexec/nm-libreswan-service