* Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278

- Add couple rules related to map permissions
- Allow ddclient use nsswitch BZ(1456241)
- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
- Add interface dbus_manage_session_tmp_dirs()
- Dontaudit useradd_t sys_ptrace BZ(1480121)
- Allow ipsec_t can exec ipsec_exec_t
- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs
This commit is contained in:
Lukas Vrabec 2017-08-31 17:55:58 +02:00
parent 0c6eef95d3
commit 313e17b74e
4 changed files with 176 additions and 82 deletions

Binary file not shown.

View File

@ -3182,7 +3182,7 @@ index 99e3903ea..fa68362ea 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1e7..121ace88e 100644 index 1d732f1e7..d698fdd02 100644
--- a/policy/modules/admin/usermanage.te --- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t; @@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3502,7 +3502,7 @@ index 1d732f1e7..121ace88e 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t) userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search # user generally runs this from their home directory, so do not audit a search
# on user home dir # on user home dir
@@ -446,8 +492,9 @@ optional_policy(` @@ -446,8 +492,10 @@ optional_policy(`
# Useradd local policy # Useradd local policy
# #
@ -3511,10 +3511,11 @@ index 1d732f1e7..121ace88e 100644
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; +allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+ +
+dontaudit useradd_t self:capability { net_admin sys_tty_config }; +dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:cap_userns { sys_ptrace };
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate; allow useradd_t self:process setfscreate;
allow useradd_t self:fd use; allow useradd_t self:fd use;
@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; @@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto; allow useradd_t self:unix_stream_socket connectto;
@ -3525,7 +3526,7 @@ index 1d732f1e7..121ace88e 100644
# for getting the number of groups # for getting the number of groups
kernel_read_kernel_sysctls(useradd_t) kernel_read_kernel_sysctls(useradd_t)
@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t) @@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t) corecmd_exec_bin(useradd_t)
@ -3565,7 +3566,7 @@ index 1d732f1e7..121ace88e 100644
auth_run_chk_passwd(useradd_t, useradd_roles) auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t) auth_rw_lastlog(useradd_t)
@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t) @@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t) auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above # these may be unnecessary due to the above
# domtrans_chk_passwd() call. # domtrans_chk_passwd() call.
@ -3573,7 +3574,7 @@ index 1d732f1e7..121ace88e 100644
auth_manage_shadow(useradd_t) auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t) auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t)
@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t) @@ -508,35 +560,38 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t) logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t) logging_send_syslog_msg(useradd_t)
@ -3623,7 +3624,7 @@ index 1d732f1e7..121ace88e 100644
') ')
optional_policy(` optional_policy(`
@@ -545,14 +599,27 @@ optional_policy(` @@ -545,14 +600,27 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3651,7 +3652,7 @@ index 1d732f1e7..121ace88e 100644
tunable_policy(`samba_domain_controller',` tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t) samba_append_log(useradd_t)
') ')
@@ -562,3 +629,12 @@ optional_policy(` @@ -562,3 +630,12 @@ optional_policy(`
rpm_use_fds(useradd_t) rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t) rpm_rw_pipes(useradd_t)
') ')
@ -38740,7 +38741,7 @@ index 0d4c8d35e..537aa4274 100644
+ ps_process_pattern($1, ipsec_mgmt_t) + ps_process_pattern($1, ipsec_mgmt_t)
+') +')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd0417..102b975de 100644 index 312cd0417..56961b493 100644
--- a/policy/modules/system/ipsec.te --- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -38802,7 +38803,15 @@ index 312cd0417..102b975de 100644
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) @@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
can_exec(ipsec_t, ipsec_mgmt_exec_t)
+can_exec(ipsec_t, ipsec_exec_t)
# pluto runs an updown script (by calling popen()!) as this is by default
# a shell script, we need to find a way to make things work without
@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@ -38815,7 +38824,7 @@ index 312cd0417..102b975de 100644
kernel_list_proc(ipsec_t) kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t) kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute; # allow pluto to access /proc/net/ipsec_eroute;
@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t) @@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t) corecmd_exec_bin(ipsec_t)
# Pluto needs network access # Pluto needs network access
@ -38847,7 +38856,7 @@ index 312cd0417..102b975de 100644
dev_read_sysfs(ipsec_t) dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t) dev_read_rand(ipsec_t)
@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t) @@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t) fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t) fs_search_auto_mountpoints(ipsec_t)
@ -38882,7 +38891,7 @@ index 312cd0417..102b975de 100644
optional_policy(` optional_policy(`
seutil_sigchld_newrole(ipsec_t) seutil_sigchld_newrole(ipsec_t)
@@ -182,19 +213,30 @@ optional_policy(` @@ -182,19 +214,30 @@ optional_policy(`
udev_read_db(ipsec_t) udev_read_db(ipsec_t)
') ')
@ -38917,7 +38926,7 @@ index 312cd0417..102b975de 100644
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) @@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -38933,7 +38942,7 @@ index 312cd0417..102b975de 100644
# _realsetup needs to be able to cat /var/run/pluto.pid, # _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file # run ps on that pid, and delete the file
@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) @@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t)
@ -38950,7 +38959,7 @@ index 312cd0417..102b975de 100644
files_read_kernel_symbol_table(ipsec_mgmt_t) files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) @@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t)
@ -38959,7 +38968,7 @@ index 312cd0417..102b975de 100644
dev_read_rand(ipsec_mgmt_t) dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t)
@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) @@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t)
@ -38967,7 +38976,7 @@ index 312cd0417..102b975de 100644
files_read_usr_files(ipsec_mgmt_t) files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) @@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t)
@ -38979,7 +38988,7 @@ index 312cd0417..102b975de 100644
init_read_utmp(ipsec_mgmt_t) init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t) @@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -39013,7 +39022,7 @@ index 312cd0417..102b975de 100644
optional_policy(` optional_policy(`
consoletype_exec(ipsec_mgmt_t) consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +391,10 @@ optional_policy(` @@ -322,6 +392,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39024,7 +39033,7 @@ index 312cd0417..102b975de 100644
modutils_domtrans_insmod(ipsec_mgmt_t) modutils_domtrans_insmod(ipsec_mgmt_t)
') ')
@@ -335,7 +408,7 @@ optional_policy(` @@ -335,7 +409,7 @@ optional_policy(`
# #
allow racoon_t self:capability { net_admin net_bind_service }; allow racoon_t self:capability { net_admin net_bind_service };
@ -39033,7 +39042,7 @@ index 312cd0417..102b975de 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t) @@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t) corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t) corecmd_exec_bin(racoon_t)
@ -39053,7 +39062,7 @@ index 312cd0417..102b975de 100644
corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t) @@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t) logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t) logging_send_audit_msgs(racoon_t)
@ -39066,7 +39075,7 @@ index 312cd0417..102b975de 100644
auth_can_read_shadow_passwords(racoon_t) auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',` tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t) auth_tunable_read_shadow(racoon_t)
@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t) @@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t) locallogin_use_fds(setkey_t)
@ -49031,10 +49040,10 @@ index 000000000..634d9596a
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 000000000..35fc2b865 index 000000000..e7c2cc70b
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1020 @@ @@ -0,0 +1,1021 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -49325,6 +49334,7 @@ index 000000000..35fc2b865
+optional_policy(` +optional_policy(`
+ dbus_connect_system_bus(systemd_logind_t) + dbus_connect_system_bus(systemd_logind_t)
+ dbus_system_bus_client(systemd_logind_t) + dbus_system_bus_client(systemd_logind_t)
+ dbus_manage_session_tmp_dirs(systemd_logind_t)
+') +')
+ +
+optional_policy(` +optional_policy(`

View File

@ -12512,7 +12512,7 @@ index 008f8ef26..144c0740a 100644
admin_pattern($1, certmonger_var_run_t) admin_pattern($1, certmonger_var_run_t)
') ')
diff --git a/certmonger.te b/certmonger.te diff --git a/certmonger.te b/certmonger.te
index 550b287ce..80de6d3b7 100644 index 550b287ce..c2433ff15 100644
--- a/certmonger.te --- a/certmonger.te
+++ b/certmonger.te +++ b/certmonger.te
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
@ -12611,7 +12611,7 @@ index 550b287ce..80de6d3b7 100644
') ')
optional_policy(` optional_policy(`
@@ -92,11 +116,73 @@ optional_policy(` @@ -92,11 +116,74 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -12645,6 +12645,7 @@ index 550b287ce..80de6d3b7 100644
+optional_policy(` +optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t) + pki_rw_tomcat_cert(certmonger_t)
+ pki_read_tomcat_lib_files(certmonger_t) + pki_read_tomcat_lib_files(certmonger_t)
+ pki_tomcat_systemctl(certmonger_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -22522,7 +22523,7 @@ index dda905b9c..558729530 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+') +')
diff --git a/dbus.if b/dbus.if diff --git a/dbus.if b/dbus.if
index 62d22cb46..77afd180d 100644 index 62d22cb46..c0c2ed47d 100644
--- a/dbus.if --- a/dbus.if
+++ b/dbus.if +++ b/dbus.if
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -22671,9 +22672,9 @@ index 62d22cb46..77afd180d 100644
- files_search_var_lib($1) - files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1) + files_search_var_lib($1)
+ dev_read_urand($1)
+ +
+ dev_read_urand($1)
+ # For connecting to the bus + # For connecting to the bus
files_search_pids($1) files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
@ -23383,7 +23384,7 @@ index 62d22cb46..77afd180d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',` @@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -23441,6 +23442,24 @@ index 62d22cb46..77afd180d 100644
- typeattribute $1 dbusd_unconfined; - typeattribute $1 dbusd_unconfined;
+ allow $1 system_dbusd_t:dbus acquire_svc; + allow $1 system_dbusd_t:dbus acquire_svc;
+ +
+')
+
+########################################
+## <summary>
+## Manage session_dbusd tmp dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_manage_session_tmp_dirs',`
+ gen_require(`
+ type session_dbusd_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
') ')
diff --git a/dbus.te b/dbus.te diff --git a/dbus.te b/dbus.te
index c9998c80d..d8ef03416 100644 index c9998c80d..d8ef03416 100644
@ -24046,7 +24065,7 @@ index 5606b4069..cd18cf2a7 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r; role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te diff --git a/ddclient.te b/ddclient.te
index a4caa1b5b..42f30662d 100644 index a4caa1b5b..f244f9a63 100644
--- a/ddclient.te --- a/ddclient.te
+++ b/ddclient.te +++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
@ -24091,7 +24110,7 @@ index a4caa1b5b..42f30662d 100644
fs_getattr_all_fs(ddclient_t) fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t) fs_search_auto_mountpoints(ddclient_t)
+auth_read_passwd(ddclient_t) +auth_use_nsswitch(ddclient_t)
+ +
logging_send_syslog_msg(ddclient_t) logging_send_syslog_msg(ddclient_t)
@ -25752,10 +25771,10 @@ index 000000000..b3784d85d
+') +')
diff --git a/dirsrv.te b/dirsrv.te diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644 new file mode 100644
index 000000000..cb6af79d7 index 000000000..22cafcd43
--- /dev/null --- /dev/null
+++ b/dirsrv.te +++ b/dirsrv.te
@@ -0,0 +1,205 @@ @@ -0,0 +1,207 @@
+policy_module(dirsrv,1.0.0) +policy_module(dirsrv,1.0.0)
+ +
+######################################## +########################################
@ -25818,11 +25837,13 @@ index 000000000..cb6af79d7
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file }) +fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+allow dirsrv_t dirsrv_tmpfs_t:file map;
+ +
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) +files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+allow dirsrv_t dirsrv_var_lib_t:file map;
+ +
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
@ -72978,10 +72999,10 @@ index 000000000..47cd0f8ba
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if diff --git a/pki.if b/pki.if
new file mode 100644 new file mode 100644
index 000000000..f18fcc68f index 000000000..f69ae0298
--- /dev/null --- /dev/null
+++ b/pki.if +++ b/pki.if
@@ -0,0 +1,479 @@ @@ -0,0 +1,503 @@
+ +
+## <summary>policy for pki</summary> +## <summary>policy for pki</summary>
+ +
@ -73461,9 +73482,33 @@ index 000000000..f18fcc68f
+ files_search_pids($1) + files_search_pids($1)
+ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t) + stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
+') +')
+
+########################################
+## <summary>
+## Execute pki in the pkit_tomcat_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pki_tomcat_systemctl',`
+ gen_require(`
+ type pki_tomcat_t;
+ type pki_tomcat_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pki_tomcat_unit_file_t:file read_file_perms;
+ allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pki_tomcat_t)
+')
diff --git a/pki.te b/pki.te diff --git a/pki.te b/pki.te
new file mode 100644 new file mode 100644
index 000000000..cde75a219 index 000000000..9c27847b2
--- /dev/null --- /dev/null
+++ b/pki.te +++ b/pki.te
@@ -0,0 +1,285 @@ @@ -0,0 +1,285 @@
@ -73579,7 +73624,7 @@ index 000000000..cde75a219
+can_exec(pki_tomcat_t, pki_common_t) +can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t) +init_stream_connect_script(pki_tomcat_t)
+ +
+auth_read_passwd(pki_tomcat_t) +auth_use_nsswitch(pki_tomcat_t)
+ +
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+ +
@ -93545,7 +93590,7 @@ index ebe91fc70..6ba4338cb 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
') ')
diff --git a/rpm.if b/rpm.if diff --git a/rpm.if b/rpm.if
index ef3b22507..d2b4c1697 100644 index ef3b22507..79518530e 100644
--- a/rpm.if --- a/rpm.if
+++ b/rpm.if +++ b/rpm.if
@@ -1,8 +1,8 @@ @@ -1,8 +1,8 @@
@ -93646,16 +93691,34 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -109,7 +116,7 @@ interface(`rpm_exec',` @@ -109,7 +116,25 @@ interface(`rpm_exec',`
######################################## ########################################
## <summary> ## <summary>
-## Send null signals to rpm. -## Send null signals to rpm.
+## Do not audit to execute a rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_exec',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ dontaudit $1 rpm_exec_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Send a null signal to rpm. +## Send a null signal to rpm.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -127,7 +134,7 @@ interface(`rpm_signull',` @@ -127,7 +152,7 @@ interface(`rpm_signull',`
######################################## ########################################
## <summary> ## <summary>
@ -93664,7 +93727,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -145,7 +152,7 @@ interface(`rpm_use_fds',` @@ -145,7 +170,7 @@ interface(`rpm_use_fds',`
######################################## ########################################
## <summary> ## <summary>
@ -93673,7 +93736,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -163,7 +170,7 @@ interface(`rpm_read_pipes',` @@ -163,7 +188,7 @@ interface(`rpm_read_pipes',`
######################################## ########################################
## <summary> ## <summary>
@ -93682,7 +93745,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -181,6 +188,60 @@ interface(`rpm_rw_pipes',` @@ -181,6 +206,60 @@ interface(`rpm_rw_pipes',`
######################################## ########################################
## <summary> ## <summary>
@ -93743,7 +93806,7 @@ index ef3b22507..d2b4c1697 100644
## Send and receive messages from ## Send and receive messages from
## rpm over dbus. ## rpm over dbus.
## </summary> ## </summary>
@@ -224,7 +285,7 @@ interface(`rpm_dontaudit_dbus_chat',` @@ -224,7 +303,7 @@ interface(`rpm_dontaudit_dbus_chat',`
######################################## ########################################
## <summary> ## <summary>
## Send and receive messages from ## Send and receive messages from
@ -93752,7 +93815,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -244,7 +305,7 @@ interface(`rpm_script_dbus_chat',` @@ -244,7 +323,7 @@ interface(`rpm_script_dbus_chat',`
######################################## ########################################
## <summary> ## <summary>
@ -93761,7 +93824,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -263,7 +324,8 @@ interface(`rpm_search_log',` @@ -263,7 +342,8 @@ interface(`rpm_search_log',`
##################################### #####################################
## <summary> ## <summary>
@ -93771,19 +93834,17 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -276,14 +338,30 @@ interface(`rpm_append_log',` @@ -276,14 +356,30 @@ interface(`rpm_append_log',`
type rpm_log_t; type rpm_log_t;
') ')
- logging_search_logs($1) - logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t) - append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms; + allow $1 rpm_log_t:file append_inherited_file_perms;
') +')
+
######################################## +########################################
## <summary> +## <summary>
-## Create, read, write, and delete
-## rpm log files.
+## Create, read, write, and delete the RPM log. +## Create, read, write, and delete the RPM log.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -93798,15 +93859,17 @@ index ef3b22507..d2b4c1697 100644
+ ') + ')
+ +
+ read_files_pattern($1, rpm_log_t, rpm_log_t) + read_files_pattern($1, rpm_log_t, rpm_log_t)
+') ')
+
+######################################## ########################################
+## <summary> ## <summary>
-## Create, read, write, and delete
-## rpm log files.
+## Create, read, write, and delete the RPM log. +## Create, read, write, and delete the RPM log.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -302,7 +380,32 @@ interface(`rpm_manage_log',` @@ -302,7 +398,32 @@ interface(`rpm_manage_log',`
######################################## ########################################
## <summary> ## <summary>
@ -93840,7 +93903,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -320,8 +423,8 @@ interface(`rpm_use_script_fds',` @@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',`
######################################## ########################################
## <summary> ## <summary>
@ -93851,7 +93914,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -335,12 +438,15 @@ interface(`rpm_manage_script_tmp_files',` @@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',`
') ')
files_search_tmp($1) files_search_tmp($1)
@ -93868,7 +93931,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -353,14 +459,13 @@ interface(`rpm_append_tmp_files',` @@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t; type rpm_tmp_t;
') ')
@ -93886,7 +93949,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',` @@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',`
') ')
files_search_tmp($1) files_search_tmp($1)
@ -93922,7 +93985,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',` @@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',`
######################################## ########################################
## <summary> ## <summary>
@ -93931,7 +93994,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -420,8 +547,7 @@ interface(`rpm_read_cache',` @@ -420,8 +565,7 @@ interface(`rpm_read_cache',`
######################################## ########################################
## <summary> ## <summary>
@ -93941,7 +94004,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',` @@ -442,7 +586,7 @@ interface(`rpm_manage_cache',`
######################################## ########################################
## <summary> ## <summary>
@ -93950,7 +94013,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -459,11 +585,13 @@ interface(`rpm_read_db',` @@ -459,11 +603,13 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms; allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@ -93965,7 +94028,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -482,8 +610,7 @@ interface(`rpm_delete_db',` @@ -482,8 +628,7 @@ interface(`rpm_delete_db',`
######################################## ########################################
## <summary> ## <summary>
@ -93975,7 +94038,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -499,12 +626,33 @@ interface(`rpm_manage_db',` @@ -499,12 +644,33 @@ interface(`rpm_manage_db',`
files_search_var_lib($1) files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@ -94010,7 +94073,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -517,9 +665,10 @@ interface(`rpm_dontaudit_manage_db',` @@ -517,9 +683,10 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t; type rpm_var_lib_t;
') ')
@ -94022,7 +94085,7 @@ index ef3b22507..d2b4c1697 100644
') ')
##################################### #####################################
@@ -543,8 +692,7 @@ interface(`rpm_read_pid_files',` @@ -543,8 +710,7 @@ interface(`rpm_read_pid_files',`
##################################### #####################################
## <summary> ## <summary>
@ -94032,7 +94095,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -563,8 +711,7 @@ interface(`rpm_manage_pid_files',` @@ -563,8 +729,7 @@ interface(`rpm_manage_pid_files',`
###################################### ######################################
## <summary> ## <summary>
@ -94042,7 +94105,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -573,43 +720,54 @@ interface(`rpm_manage_pid_files',` @@ -573,43 +738,54 @@ interface(`rpm_manage_pid_files',`
## </param> ## </param>
# #
interface(`rpm_pid_filetrans',` interface(`rpm_pid_filetrans',`
@ -94114,7 +94177,7 @@ index ef3b22507..d2b4c1697 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -617,22 +775,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` @@ -617,22 +793,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
## </summary> ## </summary>
## </param> ## </param>
## <param name="role"> ## <param name="role">
@ -94183,7 +94246,7 @@ index ef3b22507..d2b4c1697 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t) init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
@@ -641,9 +834,6 @@ interface(`rpm_admin',` @@ -641,9 +852,6 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t) admin_pattern($1, rpm_file_t)
@ -108617,10 +108680,10 @@ index 000000000..a6e216c73
+ +
diff --git a/targetd.te b/targetd.te diff --git a/targetd.te b/targetd.te
new file mode 100644 new file mode 100644
index 000000000..681ec9f67 index 000000000..acdccbb18
--- /dev/null --- /dev/null
+++ b/targetd.te +++ b/targetd.te
@@ -0,0 +1,101 @@ @@ -0,0 +1,109 @@
+policy_module(targetd, 1.0.0) +policy_module(targetd, 1.0.0)
+ +
+######################################## +########################################
@ -108638,6 +108701,9 @@ index 000000000..681ec9f67
+type targetd_unit_file_t; +type targetd_unit_file_t;
+systemd_unit_file(targetd_unit_file_t) +systemd_unit_file(targetd_unit_file_t)
+ +
+type targetd_tmp_t;
+files_tmp_file(targetd_tmp_t)
+
+######################################## +########################################
+# +#
+# targetd local policy +# targetd local policy
@ -108655,6 +108721,10 @@ index 000000000..681ec9f67
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+ +
+manage_dirs_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
+manage_files_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
+files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir })
+
+files_rw_isid_type_dirs(targetd_t) +files_rw_isid_type_dirs(targetd_t)
+ +
+fs_getattr_xattr_fs(targetd_t) +fs_getattr_xattr_fs(targetd_t)
@ -108716,6 +108786,7 @@ index 000000000..681ec9f67
+ +
+optional_policy(` +optional_policy(`
+ rpm_dontaudit_read_db(targetd_t) + rpm_dontaudit_read_db(targetd_t)
+ rpm_dontaudit_exec(targetd_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -110838,10 +110909,10 @@ index 000000000..9524b50aa
+') +')
diff --git a/thumb.te b/thumb.te diff --git a/thumb.te b/thumb.te
new file mode 100644 new file mode 100644
index 000000000..d366c8b37 index 000000000..2b15dca23
--- /dev/null --- /dev/null
+++ b/thumb.te +++ b/thumb.te
@@ -0,0 +1,168 @@ @@ -0,0 +1,172 @@
+policy_module(thumb, 1.0.0) +policy_module(thumb, 1.0.0)
+ +
+######################################## +########################################
@ -111010,6 +111081,10 @@ index 000000000..d366c8b37
+ corenet_dontaudit_udp_bind_all_ports(thumb_t) + corenet_dontaudit_udp_bind_all_ports(thumb_t)
+ corenet_dontaudit_udp_bind_generic_node(thumb_t) + corenet_dontaudit_udp_bind_generic_node(thumb_t)
+') +')
+
+optional_policy(`
+ storage_getattr_fixed_disk_dev(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te diff --git a/thunderbird.te b/thunderbird.te
index 5e867da56..b25ea6e08 100644 index 5e867da56..b25ea6e08 100644
--- a/thunderbird.te --- a/thunderbird.te

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 277%{?dist} Release: 278%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -681,6 +681,15 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278
- Add couple rules related to map permissions
- Allow ddclient use nsswitch BZ(1456241)
- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
- Add interface dbus_manage_session_tmp_dirs()
- Dontaudit useradd_t sys_ptrace BZ(1480121)
- Allow ipsec_t can exec ipsec_exec_t
- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs
* Mon Aug 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-277 * Mon Aug 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-277
- Allow cupsd_t to execute ld_so_cache - Allow cupsd_t to execute ld_so_cache
- Add cgroup_seclabel policycap. - Add cgroup_seclabel policycap.