From 36d3f31dcfd5dfbc35aefa31a6eb86c07f2948bc Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 25 Mar 2011 14:54:13 +0000 Subject: [PATCH] - Allow $1_sudo_t and $1_su_t open access to user terminals - Allow initrc_t to use generic terminals - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs -systemd is going to be useing /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket --- policy-F16.patch | 520 ++++++++++++++++++++++++++++++-------------- selinux-policy.spec | 18 +- 2 files changed, 376 insertions(+), 162 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index 72900942..2da558c1 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1,8 +1,16 @@ diff --git a/Makefile b/Makefile -index b8486a0..bec48d7 100644 +index b8486a0..72a53cc 100644 --- a/Makefile 
+++ b/Makefile -@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers +@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule + SEMOD_PKG ?= $(tc_usrbindir)/semodule_package + SEMOD_LNK ?= $(tc_usrbindir)/semodule_link + SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand ++SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen + LOADPOLICY ?= $(tc_usrsbindir)/load_policy + SETFILES ?= $(tc_sbindir)/setfiles + XMLLINT ?= $(BINDIR)/xmllint +@@ -248,7 +249,7 @@ seusers := $(appconf)/seusers appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) @@ -11,6 +19,18 @@ index b8486a0..bec48d7 100644 net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +diff --git a/Rules.modular b/Rules.modular +index 168a14f..c2bf491 100644 +--- a/Rules.modular ++++ b/Rules.modular +@@ -207,6 +207,7 @@ validate: $(base_pkg) $(mod_pkgs) + @echo "Validating policy linking." + $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ + $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin ++ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output + @echo "Success." + + ######################################## diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 index 16e8b13..87925e6 100644 --- a/man/man8/httpd_selinux.8 @@ -2471,7 +2491,7 @@ index fe1c377..7660180 100644 ') diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 8c5fa3c..5fdb122 100644 +index 8c5fa3c..1a46f56 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -210,7 +210,7 @@ template(`su_role_template',` 
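Review bot: The new `validate` recipe line in Rules.modular uses `$(SEPOLGEN)` as a build gate, but nothing visible here checks that the tool exists or that it exits non-zero when an interface file fails to parse. If sepolgen-ifgen only prints parse errors, `Success.` is still echoed and a malformed `.if` file ships, so its exit status should be confirmed and the recipe made to fail on diagnostics if needed. The `SEPOLGEN ?=` default added in the Makefile hunk points at `$(tc_usrbindir)/sepolgen-ifgen`, so build hosts without that tool will now fail `validate`; that belongs in the build requirements. A less generic output name, e.g. `-o $(tmpdir)/sepolgen-ifgen.out`, would also make it clear which step owns the file.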
@@ -2483,12 +2503,9 @@ index 8c5fa3c..5fdb122 100644 auth_rw_faillog($1_su_t) corecmd_search_bin($1_su_t) -@@ -232,8 +232,9 @@ template(`su_role_template',` +@@ -234,6 +234,7 @@ template(`su_role_template',` - miscfiles_read_localization($1_su_t) - -- userdom_use_user_terminals($1_su_t) -+ userdom_use_inherited_user_terminals($1_su_t) + userdom_use_user_terminals($1_su_t) userdom_search_user_home_dirs($1_su_t) + userdom_search_admin_dir($1_su_t) @@ -2504,7 +2521,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..37d1013 100644 +index 975af1a..bae65ee 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -2550,12 +2567,10 @@ index 975af1a..37d1013 100644 init_rw_utmp($1_sudo_t) logging_send_audit_msgs($1_sudo_t) -@@ -134,14 +143,19 @@ template(`sudo_role_template',` - userdom_manage_user_home_content_symlinks($1_sudo_t) +@@ -135,13 +144,18 @@ template(`sudo_role_template',` userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) -- userdom_use_user_terminals($1_sudo_t) -+ userdom_use_inherited_user_terminals($1_sudo_t) + userdom_use_user_terminals($1_sudo_t) + userdom_signal_all_users($1_sudo_t) # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) 
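Review bot: In `su_role_template` the call goes back from `userdom_use_inherited_user_terminals($1_su_t)` to `userdom_use_user_terminals($1_su_t)` with no comment saying why open access is required. The inherited variant presumably limited the su domain to descriptors handed over by the caller, so this widens what it may do with user ttys and ptys. The same widening is made for `$1_sudo_t` in the sudo.if hunk and for `initrc_t` (`term_use_all_terms`) in the init.te hunk. I would add a line above each call such as `# needs to open the user terminal, not only use inherited fds (bug or AVC reference here)` so the broader grant can be revisited later. The template body starts and ends outside the hunk.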
@@ -5455,6 +5470,92 @@ index 167950d..ef63b20 100644 + wine_domtrans(unconfined_java_t) + ') ') +diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc +new file mode 100644 +index 0000000..25e4b68 +--- /dev/null ++++ b/policy/modules/apps/kde.fc +@@ -0,0 +1 @@ ++#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0) +diff --git a/policy/modules/apps/kde.if b/policy/modules/apps/kde.if +new file mode 100644 +index 0000000..cf65577 +--- /dev/null ++++ b/policy/modules/apps/kde.if +@@ -0,0 +1,22 @@ ++## Policy for KDE components ++ ++####################################### ++## ++## Send and receive messages from ++## firewallgui over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kde_dbus_chat_backlighthelper',` ++ gen_require(` ++ type kdebacklighthelper_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 kdebacklighthelper_t:dbus send_msg; ++ allow kdebacklighthelper_t $1:dbus send_msg; ++') +diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te +new file mode 100644 +index 0000000..bb02f40 +--- /dev/null ++++ b/policy/modules/apps/kde.te +@@ -0,0 +1,45 @@ ++policy_module(kde,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type kdebacklighthelper_t; ++type kdebacklighthelper_exec_t; ++dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) ++ ++permissive kdebacklighthelper_t; ++ ++######################################## ++# ++# backlighthelper local policy ++# ++ ++dontaudit kdebacklighthelper_t self:capability sys_ptrace; ++ ++allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms; ++ ++kernel_read_system_state(kdebacklighthelper_t) ++ ++# r/w brightness values ++dev_rw_sysfs(kdebacklighthelper_t) ++ ++files_read_etc_files(kdebacklighthelper_t) ++files_read_etc_runtime_files(kdebacklighthelper_t) ++files_read_usr_files(kdebacklighthelper_t) ++ ++fs_getattr_all_fs(kdebacklighthelper_t) ++ 
++logging_send_syslog_msg(kdebacklighthelper_t) ++ ++miscfiles_read_localization(kdebacklighthelper_t) ++ ++optional_policy(` ++ consolekit_dbus_chat(kdebacklighthelper_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(kdebacklighthelper_t) ++') ++ diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te index f63c4c2..bf59895 100644 --- a/policy/modules/apps/kdumpgui.te @@ -11191,7 +11292,7 @@ index bc534c1..b70ea07 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 16108f6..33ea07b 100644 +index 16108f6..0f1470f 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -11237,7 +11338,7 @@ index 16108f6..33ea07b 100644 HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -153,6 +164,12 @@ HOME_ROOT/lost\+found/.* <> +@@ -153,6 +164,17 @@ HOME_ROOT/lost\+found/.* <> /proc -d <> /proc/.* <> @@ -11246,11 +11347,16 @@ index 16108f6..33ea07b 100644 +/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/rhev/[^/]*/.* <> +') ++ ++/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) ++/run/.* gen_context(system_u:object_r:var_run_t,s0) ++/run/.*\.*pid <> ++/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) + # # /selinux # -@@ -166,12 +183,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -166,12 +188,6 @@ HOME_ROOT/lost\+found/.* <> /srv/.* gen_context(system_u:object_r:var_t,s0) # @@ -11263,7 +11369,7 @@ index 16108f6..33ea07b 100644 # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -211,7 +222,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -211,7 +227,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) 
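Review bot: `permissive kdebacklighthelper_t;` in kde.te leaves the new domain unenforced, and the only entry in kde.fc is commented out, so as far as this hunk shows nothing is ever labelled `kdebacklighthelper_exec_t` and the domain is never entered. Either enable the file-context line or say in a comment why it is disabled, and mark the permissive statement as temporary, e.g. `# permissive until AVCs are collected; remove before release`. The summary in kde.if still reads `firewallgui over dbus`, which looks copied from another module and should name the backlight helper. `dontaudit kdebacklighthelper_t self:capability sys_ptrace;` also carries no explanation.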
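Review bot: The pattern `/run/.*\.*pid` in the new files.fc block matches any path under /run that merely ends in `pid`, because `\.*` also accepts zero dots. That entry exempts its matches from labelling, so more than pid files are left with whatever context they were created with. If only pid files are meant, `/run/.*\.pid` is the tighter form; if this mirrors an existing /var/run entry (not visible in this hunk), both should change together.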
@@ -11271,7 +11377,7 @@ index 16108f6..33ea07b 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -227,6 +237,8 @@ ifndef(`distro_redhat',` +@@ -227,6 +242,8 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -11280,7 +11386,7 @@ index 16108f6..33ea07b 100644 /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -243,7 +255,7 @@ ifndef(`distro_redhat',` +@@ -243,7 +260,7 @@ ifndef(`distro_redhat',` /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -11289,12 +11395,12 @@ index 16108f6..33ea07b 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -252,3 +264,7 @@ ifndef(`distro_redhat',` +@@ -252,3 +269,7 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') -+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) -+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) ++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if @@ -15906,10 +16012,10 @@ index 0000000..77c513d +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..df42caf 100644 +index e5bfdd4..10d03a3 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,68 @@ role user_r; +@@ -12,15 +12,67 @@ role user_r; userdom_unpriv_user_template(user) 
@@ -15933,7 +16039,6 @@ index e5bfdd4..df42caf 100644 + +optional_policy(` + gnome_role(user_r, user_t) -+ #gnome_role_gkeyringd(user, user_r, user_t) +') + +optional_policy(` @@ -15978,7 +16083,7 @@ index e5bfdd4..df42caf 100644 vlock_run(user_t, user_r) ') -@@ -62,10 +115,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +114,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15989,7 +16094,7 @@ index e5bfdd4..df42caf 100644 gpg_role(user_r, user_t) ') -@@ -118,7 +167,7 @@ ifndef(`distro_redhat',` +@@ -118,7 +166,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15998,7 +16103,7 @@ index e5bfdd4..df42caf 100644 ') optional_policy(` -@@ -157,3 +206,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +205,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -16016,7 +16121,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..95e5a6e 100644 +index e88b95f..9d37855 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -16087,7 +16192,7 @@ index e88b95f..95e5a6e 100644 ') ') -@@ -76,23 +87,99 @@ optional_policy(` +@@ -76,23 +87,98 @@ optional_policy(` ') optional_policy(` @@ -16105,7 +16210,6 @@ index e88b95f..95e5a6e 100644 + +optional_policy(` + gnome_role(xguest_r, xguest_t) -+ #gnome_role_gkeyringd(xguest, xguest_r, xguest_t) +') + +optional_policy(` @@ -28221,7 +28325,7 @@ index 3525d24..e5db539 100644 /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..74d0c2a 100644 +index 604f67b..9026661 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ 
@@ -28342,7 +28446,7 @@ index 604f67b..74d0c2a 100644 ') allow $1 kadmind_t:process { ptrace signal_perms }; -@@ -378,3 +373,22 @@ interface(`kerberos_admin',` +@@ -378,3 +373,41 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -28365,6 +28469,25 @@ index 604f67b..74d0c2a 100644 + + files_tmp_filetrans($1, krb5_host_rcache_t, file) +') ++ ++######################################## ++## ++## read kerberos homedir content (.k5login) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`kerberos_read_home_content',` ++ gen_require(` ++ type krb5_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, krb5_home_t, krb5_home_t) ++') diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 8edc29b..09dac65 100644 --- a/policy/modules/services/kerberos.te @@ -38780,6 +38903,31 @@ index 2785337..c3c2775 100644 /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) +diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if +index 63e78c6..ffa4f37 100644 +--- a/policy/modules/services/rlogin.if ++++ b/policy/modules/services/rlogin.if +@@ -21,17 +21,11 @@ interface(`rlogin_domtrans',` + + ######################################## + ## +-## read rlogin homedir content (.config) ++## read rlogin homedir content (.rlogin) + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## +-## ++## + ## +-## The type of the user domain. ++## Domain allowed access. + ## + ## + # diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te index 779fa44..cdfebe3 100644 --- a/policy/modules/services/rlogin.te @@ -40293,7 +40441,7 @@ index bcdd16c..7c379a8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) 
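Review bot: `kerberos_read_home_content` is declared with `template(` although its body creates nothing from `$1`; it only requires `krb5_home_t` and grants access, so it should be `interface(` like `kerberos_admin` in the same file. The summary line would read better capitalised and explicit, e.g. `## Read kerberos files in user home directories (.k5login).` The new block is complete within the hunk.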
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..43350e6 100644 +index 086cd5f..610a762 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) @@ -40305,7 +40453,7 @@ index 086cd5f..43350e6 100644 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,14 +51,17 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble +@@ -49,17 +51,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file @@ -40324,7 +40472,11 @@ index 086cd5f..43350e6 100644 corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -112,8 +117,6 @@ logging_send_audit_msgs(setroubleshootd_t) ++corecmd_read_all_executables(setroubleshootd_t) + + corenet_all_recvfrom_unlabeled(setroubleshootd_t) + corenet_all_recvfrom_netlabel(setroubleshootd_t) +@@ -112,8 +118,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) @@ -40333,7 +40485,7 @@ index 086cd5f..43350e6 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,6 +124,18 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,6 +125,18 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` 
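Review bot: `corecmd_read_all_executables(setroubleshootd_t)` is added without a comment, and it is a broad grant: read access to every executable type for a daemon that, per the nearby context lines, also holds TCP sockets and may execute shells. The commit message gives the reason (checking binaries for TEXTREL); that belongs next to the call, e.g. `# read executables to check for TEXTREL`. It is also worth confirming that the interface grants read only, with no execute permission. The surrounding policy block continues outside the hunk.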
@@ -40352,7 +40504,7 @@ index 086cd5f..43350e6 100644 dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +167,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -152,6 +168,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) @@ -40360,7 +40512,7 @@ index 086cd5f..43350e6 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +180,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +181,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -42139,7 +42291,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..44cbef4 100644 +index 8ffa257..4ecf377 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -42208,10 +42360,12 @@ index 8ffa257..44cbef4 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -88,3 +101,11 @@ optional_policy(` +@@ -87,4 +100,28 @@ optional_policy(` + optional_policy(` kerberos_manage_host_rcache(sssd_t) - ') ++ kerberos_read_home_content(sssd_t) ++') + +optional_policy(` + dirsrv_stream_connect(sssd_t) @@ -42219,7 +42373,22 @@ index 8ffa257..44cbef4 100644 + +optional_policy(` + ldap_stream_connect(sssd_t) + ') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(sssd_t) +') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(sssd_t) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_read_fusefs_files(sssd_t) ++') ++ ++ ++ diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if index 6073656..eaf49b2 100644 --- a/policy/modules/services/stunnel.if @@ -48829,7 +48998,7 @@ index cc83689..84c0fb7 100644 +') + 
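Review bot: The three `tunable_policy` blocks added to sssd.te call `fs_read_nfs_files`, `fs_read_cifs_files` and `fs_read_fusefs_files`, which are presumably not limited to `.k5login`: files on those mounts normally share one type, so with the boolean on `sssd_t` can read any file there. That is wider than the `kerberos_read_home_content(sssd_t)` grant used for local home directories and should be stated, e.g. `# ~/.k5login on network home dirs; these filesystems are single-label, so this is read access to all files on them`. The hunk also appends three blank lines at the end of the file, which can be dropped.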
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..9ebc12e 100644 +index ea29513..25c25b3 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -49263,12 +49432,7 @@ index ea29513..9ebc12e 100644 selinux_get_enforce_mode(initrc_t) -@@ -370,10 +553,11 @@ storage_getattr_fixed_disk_dev(initrc_t) - storage_setattr_fixed_disk_dev(initrc_t) - storage_setattr_removable_dev(initrc_t) - --term_use_all_terms(initrc_t) -+term_use_all_inherited_terms(initrc_t) +@@ -374,6 +557,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -50698,7 +50862,7 @@ index 2b7e5f3..76b4ce1 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 571599b..9effaeb 100644 +index 571599b..ddaf246 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,13 @@ @@ -50739,7 +50903,7 @@ index 571599b..9effaeb 100644 ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -54,18 +63,24 @@ ifdef(`distro_redhat',` +@@ -54,18 +63,25 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') 
@@ -50764,9 +50928,10 @@ index 571599b..9effaeb 100644 -/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) +/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) + ++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -50918,10 +51083,22 @@ index c7cfb62..6160239 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..5ce2b02 100644 +index 9b5a9ed..13d15e0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -55,11 +55,12 @@ type klogd_var_run_t; +@@ -19,6 +19,11 @@ type auditd_log_t; + files_security_file(auditd_log_t) + files_security_mountpoint(auditd_log_t) + ++type audit_spool_t; ++files_type(audit_spool_t) ++files_security_file(audit_spool_t) ++files_security_mountpoint(audit_spool_t) ++ + type auditd_t; + type auditd_exec_t; + init_daemon_domain(auditd_t, auditd_exec_t) +@@ -55,11 +60,12 @@ type klogd_var_run_t; files_pid_file(klogd_var_run_t) type syslog_conf_t; @@ -50935,7 +51112,7 @@ index 9b5a9ed..5ce2b02 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -107,7 +108,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -107,7 +113,7 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) 
@@ -50944,7 +51121,7 @@ index 9b5a9ed..5ce2b02 100644 init_dontaudit_use_fds(auditctl_t) -@@ -179,6 +180,8 @@ logging_send_syslog_msg(auditd_t) +@@ -179,6 +185,8 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -50953,7 +51130,7 @@ index 9b5a9ed..5ce2b02 100644 miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -188,7 +191,7 @@ seutil_dontaudit_read_config(auditd_t) +@@ -188,7 +196,7 @@ seutil_dontaudit_read_config(auditd_t) sysnet_dns_name_resolve(auditd_t) @@ -50962,7 +51139,7 @@ index 9b5a9ed..5ce2b02 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -234,7 +237,12 @@ domain_use_interactive_fds(audisp_t) +@@ -234,7 +242,12 @@ domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -50975,7 +51152,7 @@ index 9b5a9ed..5ce2b02 100644 logging_send_syslog_msg(audisp_t) -@@ -244,14 +252,22 @@ sysnet_dns_name_resolve(audisp_t) +@@ -244,14 +257,26 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -50995,11 +51172,15 @@ index 9b5a9ed..5ce2b02 100644 allow audisp_remote_t self:tcp_socket create_socket_perms; +allow audisp_remote_t var_log_t:dir search_dir_perms; + ++manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) ++manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) ++files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) ++ +corecmd_exec_bin(audisp_remote_t) corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -266,9 +282,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -266,9 +291,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) logging_send_syslog_msg(audisp_remote_t) 
@@ -51016,7 +51197,7 @@ index 9b5a9ed..5ce2b02 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -338,11 +361,12 @@ optional_policy(` +@@ -338,11 +370,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -51031,7 +51212,7 @@ index 9b5a9ed..5ce2b02 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -360,6 +384,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -360,6 +393,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -51039,7 +51220,7 @@ index 9b5a9ed..5ce2b02 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -369,9 +394,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -369,9 +403,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -51055,7 +51236,7 @@ index 9b5a9ed..5ce2b02 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +443,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,6 +452,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -51065,7 +51246,7 @@ index 9b5a9ed..5ce2b02 100644 domain_use_interactive_fds(syslogd_t) -@@ -480,6 +514,10 @@ optional_policy(` +@@ -480,6 +523,10 @@ optional_policy(` ') optional_policy(` 
@@ -51076,7 +51257,7 @@ index 9b5a9ed..5ce2b02 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +526,10 @@ optional_policy(` +@@ -488,6 +535,10 @@ optional_policy(` ') optional_policy(` @@ -55198,7 +55379,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..c68006d 100644 +index 28b88de..59d7c2d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -55769,7 +55950,7 @@ index 28b88de..c68006d 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +650,118 @@ template(`userdom_common_user_template',` +@@ -574,67 +650,122 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -55845,47 +56026,51 @@ index 28b88de..c68006d 100644 optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` ++ git_session_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ git_session_role($1_r, $1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ lircd_stream_connect($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` -+ lircd_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -55906,7 +56091,7 @@ index 28b88de..c68006d 100644 ') optional_policy(` -@@ -650,41 +777,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +781,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -55938,53 +56123,53 @@ index 28b88de..c68006d 100644 + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) - ') - - optional_policy(` -- samba_stream_connect_winbind($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` -- slrnpull_search_spool($1_t) +- samba_stream_connect_winbind($1_t) + sandbox_transition($1_usertype, $1_r) ') optional_policy(` -- usernetctl_run($1_t,$1_r) +- slrnpull_search_spool($1_t) + seunshare_role_template($1, $1_r, $1_t) ') -+ -+ optional_policy(` + + optional_policy(` +- usernetctl_run($1_t,$1_r) + slrnpull_search_spool($1_usertype) -+ ') + ') + ') ####################################### -@@ -712,13 +848,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +852,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
@@ -56000,7 +56185,7 @@ index 28b88de..c68006d 100644 userdom_change_password_template($1) -@@ -736,72 +885,70 @@ template(`userdom_login_user_template', ` +@@ -736,72 +889,70 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -56067,10 +56252,10 @@ index 28b88de..c68006d 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) -+ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -56108,7 +56293,7 @@ index 28b88de..c68006d 100644 ') ') -@@ -833,6 +980,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +984,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -56118,7 +56303,7 @@ index 28b88de..c68006d 100644 ############################## # # Local policy -@@ -874,45 +1024,113 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1028,113 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -56243,7 +56428,7 @@ index 28b88de..c68006d 100644 ') ') -@@ -947,7 +1165,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1169,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -56252,7 +56437,7 @@ index 28b88de..c68006d 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1174,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1178,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -56366,7 +56551,7 @@ index 28b88de..c68006d 100644 ') ') -@@ -1039,7 +1286,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1290,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -56375,7 +56560,7 @@ index 28b88de..c68006d 100644 ') ############################## -@@ -1066,6 +1313,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1317,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -56383,7 +56568,7 @@ index 28b88de..c68006d 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1322,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1326,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -56393,7 +56578,7 @@ index 28b88de..c68006d 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1339,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1343,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -56401,7 +56586,7 @@ index 28b88de..c68006d 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1357,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1361,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -56415,7 +56600,7 @@ index 28b88de..c68006d 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1374,21 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1378,21 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -56438,7 +56623,7 @@ index 28b88de..c68006d 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1400,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1404,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -56450,7 +56635,7 @@ index 28b88de..c68006d 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1472,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1476,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -56459,7 +56644,7 @@ index 28b88de..c68006d 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1486,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1490,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -56467,7 +56652,7 @@ index 28b88de..c68006d 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1502,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1506,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -56475,7 +56660,7 @@ index 28b88de..c68006d 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1545,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1549,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -56513,7 +56698,7 @@ index 28b88de..c68006d 100644 ubac_constrained($1) ') -@@ -1395,6 +1687,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1691,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -56521,7 +56706,7 @@ index 28b88de..c68006d 100644 files_search_home($1) ') -@@ -1441,6 +1734,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1738,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -56536,7 +56721,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -1456,9 +1757,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1761,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -56548,7 +56733,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -1515,10 +1818,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1822,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -56561,7 +56746,7 @@ index 28b88de..c68006d 100644 ## ## ## -@@ -1526,25 +1829,61 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,22 +1833,58 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -56585,9 +56770,6 @@ index 28b88de..c68006d 100644 ## -## -##

--## Do a domain transition to the specified --## domain when executing a program in the --## user home directory. +## +##

+## Domain allowed access. @@ -56629,13 +56811,10 @@ index 28b88de..c68006d 100644 +## +## +##

-+## Do a domain transition to the specified -+## domain when executing a program in the -+## user home directory. - ##

- ##

- ## No interprocess communication (signals, pipes, -@@ -1589,6 +1928,8 @@ interface(`userdom_dontaudit_search_user_home_content',` + ## Do a domain transition to the specified + ## domain when executing a program in the + ## user home directory. +@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -56644,7 +56823,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -1603,10 +1944,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -56659,7 +56838,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -1649,6 +1992,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ##

@@ -56685,7 +56864,7 @@ index 28b88de..c68006d 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2062,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -56718,7 +56897,7 @@ index 28b88de..c68006d 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2098,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -56736,7 +56915,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -1810,8 +2195,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -56746,7 +56925,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -1827,21 +2211,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -56760,19 +56939,18 @@ index 28b88de..c68006d 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -2182,7 +2560,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -56781,7 +56959,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -2435,13 +2813,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -56797,7 +56975,7 @@ index 28b88de..c68006d 100644 ## ## ## -@@ -2462,26 +2841,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -56824,7 +57002,7 @@ index 28b88de..c68006d 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +2931,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +2935,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -56849,7 +57027,7 @@ index 28b88de..c68006d 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +2967,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +2971,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -56892,7 +57070,7 @@ index 28b88de..c68006d 100644 ## ## ## -@@ -2614,14 +3003,13 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3007,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
@@ -56907,10 +57085,30 @@ index 28b88de..c68006d 100644 - term_list_ptys($1) + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++####################################### ++## ++## Allow attempts to read and write ++## a user domain tty and pty. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_use_user_terminals',` ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ ++ allow $1 user_tty_device_t:chr_file rw_term_perms; ++ allow $1 user_devpts_t:chr_file rw_term_perms; ') ######################################## -@@ -2815,7 +3203,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3227,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -56919,7 +57117,7 @@ index 28b88de..c68006d 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3219,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3243,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -56935,7 +57133,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -2917,7 +3307,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3331,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -56944,7 +57142,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -2972,7 +3362,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3386,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -56991,7 +57189,7 @@ index 28b88de..c68006d 100644 ') ######################################## -@@ -3009,6 +3437,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3461,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
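Review bot: The doc header on the newly added `userdom_use_user_terminals` interface describes a dontaudit rule, but its body grants access with `allow $1 user_tty_device_t:chr_file rw_term_perms;` and the matching `user_devpts_t` rule. The parameter text `Domain to not audit.` should read `Domain allowed access.`, and the summary should be `Read and write a user domain tty and pty.` rather than `Allow attempts to read and write`. The two rules just above it in this hunk use `rw_inherited_term_perms`, so this interface appears to be the broader variant (the commit message speaks of "open access" for the sudo and su domains). I would add a description line saying that it grants more than the inherited-descriptor form and is meant only for domains that must open the user's terminal themselves, so later callers do not pick it by default. The interface holding the `rw_inherited_term_perms` rules starts before this hunk, so its name and header are not checked here.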
@@ -56999,7 +57197,7 @@ index 28b88de..c68006d 100644 kernel_search_proc($1) ') -@@ -3139,3 +3568,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3592,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ba5a03dd..4938235d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,22 @@ exit 0 %endif %changelog +* Fri Mar 25 2011 Miroslav Grepl 3.9.16-7 +- Allow $1_sudo_t and $1_su_t open access to user terminals +- Allow initrc_t to use generic terminals +- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs +-systemd is going to be useing /run and /run/lock for early bootup files. +- Fix some comments in rlogin.if +- Add policy for KDE backlighthelper +- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems +- sssd wants to read .k5login file in users homedir +- setroubleshoot reads executables to see if they have TEXTREL +- Add /var/spool/audit support for new version of audit +- Remove kerberos_connect_524() interface calling +- Combine kerberos_master_port_t and kerberos_port_t +- systemd has setup /dev/kmsg as stderr for apps it executes +- Need these access so that init can impersonate sockets on unix_dgram_socket + * Wed Mar 23 2011 Miroslav Grepl 3.9.16-6 - Remove some unconfined domains - Remove permissive domains