* Mon Jul 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264

- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
2017-07-17 14:32:35 +02:00 · 2017-07-17 14:32:35 +02:00 · 3622c01896
commit 3622c01896
parent ab9bb05673
3 changed files with 29 additions and 25 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -30397,7 +30397,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..950a3dd 100644
+index 8b40377..e3436b4 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -30998,7 +30998,7 @@ index 8b40377..950a3dd 100644
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +650,47 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +650,48 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -31031,6 +31031,7 @@ index 8b40377..950a3dd 100644
 libs_exec_lib_files(xdm_t)
 +libs_exec_ldconfig(xdm_t)
 +libs_dontaudit_setattr_lib_files(xdm_t)
+libs_dontaudit_setattr_lib_dirs(xdm_t)
 
 logging_read_generic_logs(xdm_t)
 
@ -31050,7 +31051,7 @@ index 8b40377..950a3dd 100644
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +699,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +700,163 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -31220,7 +31221,7 @@ index 8b40377..950a3dd 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +868,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +869,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
@ -31252,7 +31253,7 @@ index 8b40377..950a3dd 100644
 ')
 
 optional_policy(`
-@@ -518,8 +903,36 @@ optional_policy(`
+@@ -518,8 +904,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
 
@ -31290,7 +31291,7 @@ index 8b40377..950a3dd 100644
 	')
 ')
 
-@@ -530,6 +943,20 @@ optional_policy(`
+@@ -530,6 +944,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31311,7 +31312,7 @@ index 8b40377..950a3dd 100644
 	hostname_exec(xdm_t)
 ')
 
-@@ -547,28 +974,78 @@ optional_policy(`
+@@ -547,28 +975,78 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31399,7 +31400,7 @@ index 8b40377..950a3dd 100644
 ')
 
 optional_policy(`
-@@ -580,6 +1057,14 @@ optional_policy(`
+@@ -580,6 +1058,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31414,7 +31415,7 @@ index 8b40377..950a3dd 100644
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -594,7 +1079,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1080,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -31423,7 +31424,7 @@ index 8b40377..950a3dd 100644
 
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1089,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1090,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -31436,7 +31437,7 @@ index 8b40377..950a3dd 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1106,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1107,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -31452,7 +31453,7 @@ index 8b40377..950a3dd 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1122,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1123,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
 
@ -31463,7 +31464,7 @@ index 8b40377..950a3dd 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1137,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1138,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -31505,7 +31506,7 @@ index 8b40377..950a3dd 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1188,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1189,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -31537,7 +31538,7 @@ index 8b40377..950a3dd 100644
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1221,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1222,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
 
@ -31552,7 +31553,7 @@ index 8b40377..950a3dd 100644
 mls_xwin_read_to_clearance(xserver_t)
 
 selinux_validate_context(xserver_t)
-@@ -718,20 +1242,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1243,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
 
@ -31576,7 +31577,7 @@ index 8b40377..950a3dd 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1261,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1262,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
@ -31585,7 +31586,7 @@ index 8b40377..950a3dd 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1305,54 @@ optional_policy(`
+@@ -785,17 +1306,54 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31642,7 +31643,7 @@ index 8b40377..950a3dd 100644
 ')
 
 optional_policy(`
-@@ -803,6 +1360,10 @@ optional_policy(`
+@@ -803,6 +1361,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31653,7 +31654,7 @@ index 8b40377..950a3dd 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -818,18 +1379,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1380,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -31678,7 +31679,7 @@ index 8b40377..950a3dd 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -842,26 +1402,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1403,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -31713,7 +31714,7 @@ index 8b40377..950a3dd 100644
 ')
 
 optional_policy(`
-@@ -912,7 +1467,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1468,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -31722,7 +31723,7 @@ index 8b40377..950a3dd 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -966,11 +1521,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1522,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -31754,7 +31755,7 @@ index 8b40377..950a3dd 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1567,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1568,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 263%{?dist}
+Release: 264%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -690,6 +690,9 @@ exit 0
 %endif

 %changelog
+* Mon Jul 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264
+- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
+
 * Tue Jul 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263
 - Add new boolean gluster_use_execmem