- Change hsperfdata_root to have as user_tmp_t

- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
Miroslav Grepl 2014-04-08 07:25:43 +02:00
parent c14474eca6
commit 3f1341d528
3 changed files with 187 additions and 143 deletions


@ -8742,7 +8742,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..0b3704b 100644
index cf04cb5..806e1cc 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8880,7 +8880,7 @@ index cf04cb5..0b3704b 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +232,342 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9100,6 +9100,10 @@ index cf04cb5..0b3704b 100644
+')
+
+optional_policy(`
+ userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
+')
+
+optional_policy(`
+ virt_filetrans_named_content(named_filetrans_domain)
+')
+
@ -9224,7 +9228,7 @@ index cf04cb5..0b3704b 100644
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48..9cbe36a 100644
index b876c48..bbd0e79 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -9358,7 +9362,7 @@ index b876c48..9cbe36a 100644
#
# /selinux
#
@@ -178,25 +191,29 @@ ifdef(`distro_debian',`
@@ -178,13 +191,14 @@ ifdef(`distro_debian',`
#
# /srv
#
@ -9375,11 +9379,7 @@ index b876c48..9cbe36a 100644
/tmp/.* <<none>>
/tmp/\.journal <<none>>
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/tmp/lost\+found/.* <<none>>
+/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0)
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0)
@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
#
# /usr
#
@ -9391,7 +9391,7 @@ index b876c48..9cbe36a 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@ -9408,7 +9408,7 @@ index b876c48..9cbe36a 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@ -9417,7 +9417,7 @@ index b876c48..9cbe36a 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
@@ -229,7 +238,7 @@ ifndef(`distro_redhat',`
@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@ -9426,7 +9426,7 @@ index b876c48..9cbe36a 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
@@ -237,11 +246,25 @@ ifndef(`distro_redhat',`
@@ -237,11 +244,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@ -9453,7 +9453,7 @@ index b876c48..9cbe36a 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
@@ -256,12 +279,14 @@ ifndef(`distro_redhat',`
@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@ -9468,14 +9468,14 @@ index b876c48..9cbe36a 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
@@ -271,3 +296,5 @@ ifdef(`distro_debian',`
@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76..ae94e80 100644
index f962f76..337a00e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12384,7 +12384,7 @@ index f962f76..ae94e80 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6573,10 +7835,785 @@ interface(`files_polyinstantiate_all',`
@@ -6573,10 +7835,784 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@ -13039,7 +13039,6 @@ index f962f76..ae94e80 100644
+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
@ -24486,7 +24485,7 @@ index 6bf0ecc..bf98136 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..2a244f6 100644
index 8b40377..f0e5cc0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -25125,7 +25124,7 @@ index 8b40377..2a244f6 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -472,24 +693,153 @@ userdom_read_user_home_content_files(xdm_t)
@@ -472,24 +693,155 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -25148,12 +25147,14 @@ index 8b40377..2a244f6 100644
+ fs_manage_nfs_dirs(xdm_t)
+ fs_manage_nfs_files(xdm_t)
+ fs_manage_nfs_symlinks(xdm_t)
+ fs_append_nfs_files(xdm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(xdm_t)
+ fs_manage_cifs_files(xdm_t)
+ fs_manage_cifs_symlinks(xdm_t)
+ fs_append_cifs_files(xdm_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
@ -25285,7 +25286,7 @@ index 8b40377..2a244f6 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -503,11 +853,26 @@ tunable_policy(`xdm_sysadm_login',`
@@ -503,11 +855,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@ -25312,7 +25313,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -517,9 +882,34 @@ optional_policy(`
@@ -517,9 +884,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@ -25348,7 +25349,7 @@ index 8b40377..2a244f6 100644
')
')
@@ -530,6 +920,20 @@ optional_policy(`
@@ -530,6 +922,20 @@ optional_policy(`
')
optional_policy(`
@ -25369,7 +25370,7 @@ index 8b40377..2a244f6 100644
hostname_exec(xdm_t)
')
@@ -547,28 +951,78 @@ optional_policy(`
@@ -547,28 +953,78 @@ optional_policy(`
')
optional_policy(`
@ -25457,7 +25458,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -580,6 +1034,14 @@ optional_policy(`
@@ -580,6 +1036,14 @@ optional_policy(`
')
optional_policy(`
@ -25472,7 +25473,7 @@ index 8b40377..2a244f6 100644
xfs_stream_connect(xdm_t)
')
@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -25481,7 +25482,7 @@ index 8b40377..2a244f6 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send;
@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -25494,7 +25495,7 @@ index 8b40377..2a244f6 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -25510,7 +25511,7 @@ index 8b40377..2a244f6 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -25521,7 +25522,7 @@ index 8b40377..2a244f6 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -25558,7 +25559,7 @@ index 8b40377..2a244f6 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t)
@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -25590,7 +25591,7 @@ index 8b40377..2a244f6 100644
# brought on by rhgb
files_search_mnt(xserver_t)
@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t)
@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -25605,7 +25606,7 @@ index 8b40377..2a244f6 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
@@ -718,20 +1214,18 @@ init_getpgid(xserver_t)
@@ -718,20 +1216,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@ -25629,7 +25630,7 @@ index 8b40377..2a244f6 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t)
@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@ -25638,7 +25639,7 @@ index 8b40377..2a244f6 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
@@ -785,17 +1277,44 @@ optional_policy(`
@@ -785,17 +1279,44 @@ optional_policy(`
')
optional_policy(`
@ -25685,7 +25686,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -803,6 +1322,10 @@ optional_policy(`
@@ -803,6 +1324,10 @@ optional_policy(`
')
optional_policy(`
@ -25696,7 +25697,7 @@ index 8b40377..2a244f6 100644
xfs_stream_connect(xserver_t)
')
@@ -818,10 +1341,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -818,10 +1343,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -25710,7 +25711,7 @@ index 8b40377..2a244f6 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1352,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1354,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@ -25719,7 +25720,7 @@ index 8b40377..2a244f6 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@@ -842,26 +1365,21 @@ init_use_fds(xserver_t)
@@ -842,26 +1367,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -25754,7 +25755,7 @@ index 8b40377..2a244f6 100644
')
optional_policy(`
@@ -912,7 +1430,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
@@ -912,7 +1432,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -25763,7 +25764,7 @@ index 8b40377..2a244f6 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -966,11 +1484,31 @@ allow x_domain self:x_resource { read write };
@@ -966,11 +1486,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -25795,7 +25796,7 @@ index 8b40377..2a244f6 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@@ -992,18 +1530,150 @@ tunable_policy(`! xserver_object_manager',`
@@ -992,18 +1532,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@ -33298,7 +33299,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..cdc1c76 100644
index 59b04c1..1259fbd 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -33497,7 +33498,7 @@ index 59b04c1..cdc1c76 100644
# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 { syslog block_suspend };
# setpgid for metalog
@ -33509,15 +33510,18 @@ index 59b04c1..cdc1c76 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -371,6 +413,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
@@ -369,8 +411,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
+allow syslogd_t self:rawip_socket create_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
@@ -389,30 +432,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -389,30 +433,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -33567,7 +33571,7 @@ index 59b04c1..cdc1c76 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +481,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -422,6 +482,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@ -33576,7 +33580,7 @@ index 59b04c1..cdc1c76 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +493,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -432,9 +494,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -33604,7 +33608,7 @@ index 59b04c1..cdc1c76 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -448,13 +526,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
@@ -448,13 +527,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@ -33622,7 +33626,7 @@ index 59b04c1..cdc1c76 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +548,11 @@ init_use_fds(syslogd_t)
@@ -466,11 +549,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -33637,7 +33641,7 @@ index 59b04c1..cdc1c76 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -507,15 +589,40 @@ optional_policy(`
@@ -507,15 +590,40 @@ optional_policy(`
')
optional_policy(`
@ -33678,7 +33682,7 @@ index 59b04c1..cdc1c76 100644
')
optional_policy(`
@@ -526,3 +633,26 @@ optional_policy(`
@@ -526,3 +634,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@ -41857,10 +41861,10 @@ index 5fe902d..fcc9efe 100644
+ rpm_transition_script(unconfined_service_t, system_r)
')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..e4eb903 100644
index db75976..4ca3a28 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,24 @@
@@ -1,4 +1,28 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@ -41886,8 +41890,12 @@ index db75976..e4eb903 100644
+HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
+
+/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..b921b57 100644
index 9dc60c6..102478f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -44163,7 +44171,34 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2661,6 +3341,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
@@ -2538,6 +3218,26 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_filetrans_named_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
## temporary symbolic links.
## </summary>
## <param name="domain">
@@ -2661,6 +3361,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@ -44189,7 +44224,7 @@ index 9dc60c6..b921b57 100644
########################################
## <summary>
## Read user tmpfs files.
@@ -2677,13 +3376,14 @@ interface(`userdom_read_user_tmpfs_files',`
@@ -2677,13 +3396,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -44205,7 +44240,7 @@ index 9dc60c6..b921b57 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2704,7 +3404,7 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2704,7 +3424,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@ -44214,7 +44249,7 @@ index 9dc60c6..b921b57 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2712,14 +3412,30 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2712,14 +3432,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@ -44249,7 +44284,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2814,6 +3530,24 @@ interface(`userdom_use_user_ttys',`
@@ -2814,6 +3550,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@ -44274,7 +44309,7 @@ index 9dc60c6..b921b57 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
@@ -2832,22 +3566,34 @@ interface(`userdom_use_user_ptys',`
@@ -2832,22 +3586,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@ -44317,7 +44352,7 @@ index 9dc60c6..b921b57 100644
## </desc>
## <param name="domain">
## <summary>
@@ -2856,14 +3602,33 @@ interface(`userdom_use_user_ptys',`
@@ -2856,14 +3622,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@ -44355,7 +44390,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2882,8 +3647,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
@@ -2882,8 +3667,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@ -44385,7 +44420,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -2955,69 +3739,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
@@ -2955,69 +3759,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@ -44486,7 +44521,7 @@ index 9dc60c6..b921b57 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3025,12 +3808,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
@@ -3025,12 +3828,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@ -44501,7 +44536,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -3094,7 +3877,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3094,7 +3897,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@ -44510,7 +44545,7 @@ index 9dc60c6..b921b57 100644
allow unpriv_userdomain $1:process sigchld;
')
@@ -3110,29 +3893,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3110,16 +3913,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -44521,11 +44556,33 @@ index 9dc60c6..b921b57 100644
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Send signull to unprivileged user domains.
+## Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
## <summary>
@@ -3127,30 +3932,12 @@ interface(`userdom_search_user_home_content',`
## </summary>
## </param>
#
-interface(`userdom_signull_unpriv_users',`
+interface(`userdom_signal_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
- allow $1 unpriv_userdomain:process signull;
-')
-
-########################################
-## <summary>
-## Send signull to unprivileged user domains.
-## Send general signals to unprivileged user domains.
-## </summary>
-## <param name="domain">
-## <summary>
@ -44533,75 +44590,44 @@ index 9dc60c6..b921b57 100644
-## </summary>
-## </param>
-#
-interface(`userdom_signull_unpriv_users',`
-interface(`userdom_signal_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:process signull;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
- allow $1 unpriv_userdomain:process signal;
+ allow $1 unpriv_userdomain:process signal;
')
########################################
@@ -3214,31 +3981,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3214,7 +4001,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
')
########################################
## <summary>
-## Relabel files to unprivileged user pty types.
+## Do not audit attempts to open user ptys.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`userdom_relabelto_user_ptys',`
+interface(`userdom_dontaudit_open_user_ptys',`
gen_require(`
type user_devpts_t;
')
- allow $1 user_devpts_t:chr_file relabelto;
+ dontaudit $1 user_devpts_t:chr_file open;
')
########################################
## <summary>
-## Do not audit attempts to relabel files from
-## user pty types.
+## Relabel files to unprivileged user pty types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file relabelto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to relabel files from
+## user pty types.
## </summary>
## <param name="domain">
## <summary>
@@ -3269,7 +4054,83 @@ interface(`userdom_write_user_tmp_files',`
+## Do not audit attempts to open user ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_open_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ dontaudit $1 user_devpts_t:chr_file open;
')
########################################
@@ -3269,7 +4074,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -44686,7 +44712,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -3287,7 +4148,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
@@ -3287,7 +4168,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@ -44695,7 +44721,7 @@ index 9dc60c6..b921b57 100644
')
########################################
@@ -3306,6 +4167,7 @@ interface(`userdom_read_all_users_state',`
@@ -3306,6 +4187,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@ -44703,7 +44729,7 @@ index 9dc60c6..b921b57 100644
kernel_search_proc($1)
')
@@ -3382,6 +4244,42 @@ interface(`userdom_signal_all_users',`
@@ -3382,6 +4264,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@ -44746,7 +44772,7 @@ index 9dc60c6..b921b57 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3402,6 +4300,24 @@ interface(`userdom_sigchld_all_users',`
@@ -3402,6 +4320,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@ -44771,7 +44797,7 @@ index 9dc60c6..b921b57 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4351,1680 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4371,1680 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@ -44940,7 +44966,7 @@ index 9dc60c6..b921b57 100644
+
+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir list_dir_perms;
+')
')
+
+########################################
+## <summary>
@ -44959,7 +44985,7 @@ index 9dc60c6..b921b57 100644
+
+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
')
+')
+
+########################################
+## <summary>
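Review bot: The `<summary>` of the new `userdom_filetrans_named_user_tmp_files` interface in the userdomain.if hunk reads "Create, read, write, and delete user temporary files", which is copied from the neighbouring interfaces, while the body only does `files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")` and `files_search_tmp($1)` and grants no read/write/delete access. I would replace the summary with `## Named file transition: a directory named hsperfdata_root created in /tmp by the domain gets user_tmp_t; also allows searching /tmp.` and note there that the name is hard-coded, since the generic interface name suggests otherwise. Separately, this is wired to `named_filetrans_domain` in domain.te and the new `.fc` entries label `/tmp/hsperfdata_root` and `/var/tmp/hsperfdata_root` as `user_tmp_t`, so every user domain that manages `user_tmp_t` now has MAC permission over what is presumably the root JVM's perf-data directory; if that is intended, a one-line comment in userdomain.fc saying that isolation of that directory now rests on DAC alone would help the next reader.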


@ -14431,10 +14431,10 @@ index 0000000..54b4b04
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 0000000..0de2d4d
index 0000000..d6b0314
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,45 @@
@@ -0,0 +1,49 @@
+policy_module(conman, 1.0.0)
+
+########################################
@ -14462,7 +14462,7 @@ index 0000000..0de2d4d
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { listen create_socket_perms };
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
@ -14477,6 +14477,10 @@ index 0000000..0de2d4d
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
@ -53622,7 +53626,7 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
index 421bf1a..b80dbe5 100644
index 421bf1a..e3f91f6 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
@ -53636,7 +53640,7 @@ index 421bf1a..b80dbe5 100644
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
+allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
@ -60369,7 +60373,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454..aa814c8 100644
index 608f454..6054e92 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -60388,7 +60392,7 @@ index 608f454..aa814c8 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
@@ -30,20 +29,324 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@ -60566,6 +60570,8 @@ index 608f454..aa814c8 100644
+# pegasus openlmi service local policy
+#
+
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
+init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
@ -60580,6 +60586,9 @@ index 608f454..aa814c8 100644
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+
@ -60713,7 +60722,7 @@ index 608f454..aa814c8 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
@@ -54,22 +357,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -60744,7 +60753,7 @@ index 608f454..aa814c8 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
@@ -80,27 +383,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@ -60777,7 +60786,7 @@ index 608f454..aa814c8 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
@@ -114,9 +411,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@ -60789,7 +60798,7 @@ index 608f454..aa814c8 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
@@ -128,18 +427,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@ -60825,7 +60834,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
@@ -151,16 +456,24 @@ optional_policy(`
@@ -151,16 +461,24 @@ optional_policy(`
')
optional_policy(`
@ -60854,7 +60863,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
@@ -168,7 +481,7 @@ optional_policy(`
@@ -168,7 +486,7 @@ optional_policy(`
')
optional_policy(`
@ -60863,7 +60872,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
@@ -180,6 +493,7 @@ optional_policy(`
@@ -180,6 +498,7 @@ optional_policy(`
')
optional_policy(`
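Review bot: The `chown` capability added to the `nslcd_t` self:capability set in the nslcd.te hunk carries no comment saying which operation needs it, and the commit message only says "nslcd wants chown capability"; chown lets the daemon change the ownership of any file it can already write, so a later reader cannot tell whether this was a one-off audit2allow addition or a real requirement. I would put a why-comment above that line, e.g. `# chown: nslcd re-owns its socket/pid files after dropping privileges (presumably) - confirm against the AVC that motivated this`, hedged because the trigger is not visible here. The same applies to `userdom_use_user_ptys(conman_t)` in conman.te, which lets a daemon that listens on TCP read and write user ptys; a short comment naming the use (conman attaching a console session to the caller's pty, presumably) would document the widening.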


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 43%{?dist}
Release: 44%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -588,6 +588,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-44
- Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
* Fri Apr 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-43
- Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv