rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308 

- Make working SELinux sandbox with Wayland. BZ(1474082)
- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
- Allow collectd to connect to lmtp_port_t BZ(1304029)
- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
- Allow thumb_t to mmap removable_t files. BZ(1522724)
- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
- Add interface fs_mmap_removable_files()
This commit is contained in:
Lukas Vrabec 2018-01-04 13:06:00 +01:00
parent d319e75862
commit 46f9f9c36a
4 changed files with 255 additions and 206 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
container-selinux.tgz
View File

Binary file not shown.

324
policy-rawhide-base.patch
View File

@ -17543,7 +17543,7 @@ index d7c11a0b3..f521a50f8 100644
/var/run/shm/.* <<none>> /var/run/shm/.* <<none>>
-') -')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb43..1cc0d9ad9 100644 index 8416beb43..a7af809a0 100644
--- a/policy/modules/kernel/filesystem.if --- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if
@@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@ -18307,7 +18307,7 @@ index 8416beb43..1cc0d9ad9 100644
## Read files on a DOS filesystem. ## Read files on a DOS filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1793,137 +2162,336 @@ interface(`fs_read_eventpollfs',` @@ -1793,161 +2162,986 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
@ -18679,14 +18679,17 @@ index 8416beb43..1cc0d9ad9 100644
+ ') + ')
+ +
+ dontaudit $1 fusefs_t:dir manage_dir_perms; + dontaudit $1 fusefs_t:dir manage_dir_perms;
') +')
+
######################################## +########################################
@@ -1935,19 +2503,645 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` +## <summary>
## Domain allowed access. +## Read, a FUSEFS filesystem.
## </summary> +## </summary>
## </param> +## <param name="domain">
-## <rolecap/> +## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/> +## <rolecap/>
+# +#
+interface(`fs_read_fusefs_files',` +interface(`fs_read_fusefs_files',`
@ -19301,18 +19304,20 @@ index 8416beb43..1cc0d9ad9 100644
+ ') + ')
+ +
+ allow $1 iso9660_t:filesystem remount; + allow $1 iso9660_t:filesystem remount;
+') ')
+
+######################################## ########################################
+## <summary> ## <summary>
-## Read, a FUSEFS filesystem.
+## Unmount an iso9660 filesystem, which +## Unmount an iso9660 filesystem, which
+## is usually used on CDs. +## is usually used on CDs.
+## </summary> ## </summary>
+## <param name="domain"> ## <param name="domain">
+## <summary> ## <summary>
+## Domain allowed access. ## Domain allowed access.
+## </summary> ## </summary>
+## </param> ## </param>
-## <rolecap/>
# #
-interface(`fs_read_fusefs_files',` -interface(`fs_read_fusefs_files',`
+interface(`fs_unmount_iso9660_fs',` +interface(`fs_unmount_iso9660_fs',`
@ -19860,43 +19865,18 @@ index 8416beb43..1cc0d9ad9 100644
allow $1 nfs_t:dir list_dir_perms; allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t) read_files_pattern($1, nfs_t, nfs_t)
') ')
@@ -2518,73 +3731,148 @@ interface(`fs_dontaudit_read_nfs_files',` @@ -2523,6 +3736,7 @@ interface(`fs_write_nfs_files',`
## </summary> type nfs_t;
## </param> ')
#
-interface(`fs_write_nfs_files',`
+interface(`fs_write_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ fs_search_auto_mountpoints($1) + fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms; allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t) write_files_pattern($1, nfs_t, nfs_t)
+') ')
+ @@ -2549,6 +3763,44 @@ interface(`fs_exec_nfs_files',`
+########################################
+## <summary> ########################################
+## Execute files on a NFS filesystem. ## <summary>
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_exec_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir list_dir_perms;
+ exec_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Make general progams in nfs an entrypoint for +## Make general progams in nfs an entrypoint for
+## the specified domain. +## the specified domain.
+## </summary> +## </summary>
@ -19935,65 +19915,52 @@ index 8416beb43..1cc0d9ad9 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Append files ## Append files
## on a NFS filesystem.
## </summary>
@@ -2559,32 +3811,68 @@ interface(`fs_exec_nfs_files',`
## </param>
## <rolecap/>
#
-interface(`fs_append_nfs_files',`
+interface(`fs_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ append_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append files
+## on a NFS filesystem. +## on a NFS filesystem.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
+## <summary> +## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_dontaudit_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read inherited files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access. +## Domain allowed access.
+## </summary> +## </summary>
+## </param> +## </param>
+## <rolecap/>
+# +#
+interface(`fs_append_nfs_files',`
gen_require(`
type nfs_t;
')
- allow $1 nfs_t:dir list_dir_perms;
- write_files_pattern($1, nfs_t, nfs_t)
+ append_files_pattern($1, nfs_t, nfs_t)
')
########################################
## <summary>
-## Execute files on a NFS filesystem.
+## Do not audit attempts to append files
+## on a NFS filesystem.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
-interface(`fs_exec_nfs_files',`
+interface(`fs_dontaudit_append_nfs_files',`
gen_require(`
type nfs_t;
')
- allow $1 nfs_t:dir list_dir_perms;
- exec_files_pattern($1, nfs_t, nfs_t)
+ dontaudit $1 nfs_t:file append_file_perms;
')
########################################
## <summary>
-## Append files
-## on a NFS filesystem.
+## Read inherited files on a NFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`fs_append_nfs_files',`
+interface(`fs_read_inherited_nfs_files',` +interface(`fs_read_inherited_nfs_files',`
gen_require(` gen_require(`
type nfs_t; type nfs_t;
@ -20121,7 +20088,33 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -2777,7 +4124,7 @@ interface(`fs_read_removable_files',` @@ -2771,13 +4118,33 @@ interface(`fs_read_removable_files',`
read_files_pattern($1, removable_t, removable_t)
')
+
+########################################
+## <summary>
+## mmap files on a removable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_mmap_removable_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:file map;
+')
+
########################################
## <summary>
## Do not audit attempts to read removable storage files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -20130,7 +20123,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -2970,6 +4317,7 @@ interface(`fs_manage_nfs_dirs',` @@ -2970,6 +4337,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t; type nfs_t;
') ')
@ -20138,7 +20131,7 @@ index 8416beb43..1cc0d9ad9 100644
allow $1 nfs_t:dir manage_dir_perms; allow $1 nfs_t:dir manage_dir_perms;
') ')
@@ -3010,11 +4358,31 @@ interface(`fs_manage_nfs_files',` @@ -3010,11 +4378,31 @@ interface(`fs_manage_nfs_files',`
type nfs_t; type nfs_t;
') ')
@ -20170,7 +20163,7 @@ index 8416beb43..1cc0d9ad9 100644
## Do not audit attempts to create, ## Do not audit attempts to create,
## read, write, and delete files ## read, write, and delete files
## on a NFS filesystem. ## on a NFS filesystem.
@@ -3050,6 +4418,7 @@ interface(`fs_manage_nfs_symlinks',` @@ -3050,6 +4438,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t; type nfs_t;
') ')
@ -20178,7 +20171,7 @@ index 8416beb43..1cc0d9ad9 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t) manage_lnk_files_pattern($1, nfs_t, nfs_t)
') ')
@@ -3137,6 +4506,24 @@ interface(`fs_nfs_domtrans',` @@ -3137,6 +4526,24 @@ interface(`fs_nfs_domtrans',`
######################################## ########################################
## <summary> ## <summary>
@ -20203,7 +20196,7 @@ index 8416beb43..1cc0d9ad9 100644
## Mount a NFS server pseudo filesystem. ## Mount a NFS server pseudo filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3239,15 +4626,198 @@ interface(`fs_search_nfsd_fs',` @@ -3239,15 +4646,198 @@ interface(`fs_search_nfsd_fs',`
# #
interface(`fs_list_nfsd_fs',` interface(`fs_list_nfsd_fs',`
gen_require(` gen_require(`
@ -20405,7 +20398,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3255,35 +4825,35 @@ interface(`fs_list_nfsd_fs',` @@ -3255,35 +4845,35 @@ interface(`fs_list_nfsd_fs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20450,7 +20443,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="type"> ## <param name="type">
## <summary> ## <summary>
@@ -3291,12 +4861,12 @@ interface(`fs_rw_nfsd_fs',` @@ -3291,12 +4881,12 @@ interface(`fs_rw_nfsd_fs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20466,7 +20459,7 @@ index 8416beb43..1cc0d9ad9 100644
') ')
######################################## ########################################
@@ -3392,7 +4962,7 @@ interface(`fs_search_ramfs',` @@ -3392,7 +4982,7 @@ interface(`fs_search_ramfs',`
######################################## ########################################
## <summary> ## <summary>
@ -20475,7 +20468,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3429,7 +4999,7 @@ interface(`fs_manage_ramfs_dirs',` @@ -3429,7 +5019,7 @@ interface(`fs_manage_ramfs_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -20484,7 +20477,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3447,7 +5017,7 @@ interface(`fs_dontaudit_read_ramfs_files',` @@ -3447,7 +5037,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -20493,7 +20486,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3779,6 +5349,24 @@ interface(`fs_mount_tmpfs',` @@ -3779,6 +5369,24 @@ interface(`fs_mount_tmpfs',`
######################################## ########################################
## <summary> ## <summary>
@ -20518,7 +20511,7 @@ index 8416beb43..1cc0d9ad9 100644
## Remount a tmpfs filesystem. ## Remount a tmpfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3815,6 +5403,24 @@ interface(`fs_unmount_tmpfs',` @@ -3815,6 +5423,24 @@ interface(`fs_unmount_tmpfs',`
######################################## ########################################
## <summary> ## <summary>
@ -20543,7 +20536,7 @@ index 8416beb43..1cc0d9ad9 100644
## Get the attributes of a tmpfs ## Get the attributes of a tmpfs
## filesystem. ## filesystem.
## </summary> ## </summary>
@@ -3908,7 +5514,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` @@ -3908,7 +5534,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -20552,7 +20545,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3916,17 +5522,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` @@ -3916,17 +5542,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20573,7 +20566,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3934,17 +5540,17 @@ interface(`fs_mounton_tmpfs',` @@ -3934,17 +5560,17 @@ interface(`fs_mounton_tmpfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20594,7 +20587,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3952,17 +5558,36 @@ interface(`fs_setattr_tmpfs_dirs',` @@ -3952,17 +5578,36 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20634,7 +20627,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3970,31 +5595,48 @@ interface(`fs_search_tmpfs',` @@ -3970,31 +5615,48 @@ interface(`fs_search_tmpfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20690,7 +20683,7 @@ index 8416beb43..1cc0d9ad9 100644
') ')
######################################## ########################################
@@ -4057,23 +5699,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` @@ -4057,23 +5719,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
## </param> ## </param>
## <param name="name" optional="true"> ## <param name="name" optional="true">
## <summary> ## <summary>
@ -20867,7 +20860,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4081,18 +5870,18 @@ interface(`fs_tmpfs_filetrans',` @@ -4081,18 +5890,18 @@ interface(`fs_tmpfs_filetrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20890,7 +20883,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4100,54 +5889,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` @@ -4100,54 +5909,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20957,7 +20950,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4155,17 +5943,18 @@ interface(`fs_read_tmpfs_files',` @@ -4155,17 +5963,18 @@ interface(`fs_read_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20979,7 +20972,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4173,17 +5962,18 @@ interface(`fs_rw_tmpfs_files',` @@ -4173,17 +5982,18 @@ interface(`fs_rw_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -21001,7 +20994,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4191,37 +5981,36 @@ interface(`fs_read_tmpfs_symlinks',` @@ -4191,37 +6001,36 @@ interface(`fs_read_tmpfs_symlinks',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -21047,7 +21040,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4229,18 +6018,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` @@ -4229,18 +6038,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -21069,7 +21062,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4248,18 +6037,19 @@ interface(`fs_relabel_tmpfs_chr_file',` @@ -4248,18 +6057,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -21093,7 +21086,7 @@ index 8416beb43..1cc0d9ad9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4267,32 +6057,31 @@ interface(`fs_rw_tmpfs_blk_files',` @@ -4267,32 +6077,31 @@ interface(`fs_rw_tmpfs_blk_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -21132,7 +21125,7 @@ index 8416beb43..1cc0d9ad9 100644
') ')
######################################## ########################################
@@ -4407,6 +6196,25 @@ interface(`fs_search_xenfs',` @@ -4407,6 +6216,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms; allow $1 xenfs_t:dir search_dir_perms;
') ')
@ -21158,7 +21151,7 @@ index 8416beb43..1cc0d9ad9 100644
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete directories ## Create, read, write, and delete directories
@@ -4503,6 +6311,8 @@ interface(`fs_mount_all_fs',` @@ -4503,6 +6331,8 @@ interface(`fs_mount_all_fs',`
') ')
allow $1 filesystem_type:filesystem mount; allow $1 filesystem_type:filesystem mount;
@ -21167,7 +21160,7 @@ index 8416beb43..1cc0d9ad9 100644
') ')
######################################## ########################################
@@ -4549,7 +6359,7 @@ interface(`fs_unmount_all_fs',` @@ -4549,7 +6379,7 @@ interface(`fs_unmount_all_fs',`
## <desc> ## <desc>
## <p> ## <p>
## Allow the specified domain to ## Allow the specified domain to
@ -21176,7 +21169,7 @@ index 8416beb43..1cc0d9ad9 100644
## Example attributes: ## Example attributes:
## </p> ## </p>
## <ul> ## <ul>
@@ -4596,6 +6406,26 @@ interface(`fs_dontaudit_getattr_all_fs',` @@ -4596,6 +6426,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
######################################## ########################################
## <summary> ## <summary>
@ -21203,7 +21196,7 @@ index 8416beb43..1cc0d9ad9 100644
## Get the quotas of all filesystems. ## Get the quotas of all filesystems.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4671,6 +6501,25 @@ interface(`fs_getattr_all_dirs',` @@ -4671,6 +6521,25 @@ interface(`fs_getattr_all_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -21229,7 +21222,7 @@ index 8416beb43..1cc0d9ad9 100644
## Search all directories with a filesystem type. ## Search all directories with a filesystem type.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4912,3 +6761,176 @@ interface(`fs_unconfined',` @@ -4912,3 +6781,176 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type; typeattribute $1 filesystem_unconfined_type;
') ')
@ -34661,7 +34654,7 @@ index 247958765..890e1e293 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b669..a8cb6df3d 100644 index 3efd5b669..2ce58d86d 100644
--- a/policy/modules/system/authlogin.if --- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',` @@ -23,11 +23,17 @@ interface(`auth_role',`
@ -34883,7 +34876,15 @@ index 3efd5b669..a8cb6df3d 100644
## Manage authentication cache ## Manage authentication cache
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',` @@ -337,6 +394,7 @@ interface(`auth_manage_cache',`
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t)
+ allow $1 auth_cache_t:file map;
')
#######################################
@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
') ')
@ -34892,7 +34893,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',` @@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
######################################## ########################################
## <summary> ## <summary>
@ -34917,7 +34918,7 @@ index 3efd5b669..a8cb6df3d 100644
## Execute chkpwd programs in the chkpwd domain. ## Execute chkpwd programs in the chkpwd domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',` @@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1) auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t; role $2 types chkpwd_t;
@ -34943,7 +34944,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',` @@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t) domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1) auth_dontaudit_read_shadow($1)
@ -34951,7 +34952,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',` @@ -534,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',`
######################################## ########################################
## <summary> ## <summary>
@ -34976,7 +34977,7 @@ index 3efd5b669..a8cb6df3d 100644
## Read the shadow passwords file (/etc/shadow) ## Read the shadow passwords file (/etc/shadow)
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -664,6 +777,11 @@ interface(`auth_manage_shadow',` @@ -664,6 +778,11 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms; allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -34988,7 +34989,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
####################################### #######################################
@@ -763,7 +881,50 @@ interface(`auth_rw_faillog',` @@ -763,7 +882,50 @@ interface(`auth_rw_faillog',`
') ')
logging_search_logs($1) logging_search_logs($1)
@ -35040,7 +35041,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
####################################### #######################################
@@ -824,9 +985,29 @@ interface(`auth_rw_lastlog',` @@ -824,9 +986,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr }; allow $1 lastlog_t:file { rw_file_perms lock setattr };
') ')
@ -35071,7 +35072,7 @@ index 3efd5b669..a8cb6df3d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -834,12 +1015,27 @@ interface(`auth_rw_lastlog',` @@ -834,12 +1016,27 @@ interface(`auth_rw_lastlog',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -35102,7 +35103,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -854,15 +1050,15 @@ interface(`auth_domtrans_pam',` @@ -854,15 +1051,15 @@ interface(`auth_domtrans_pam',`
# #
interface(`auth_signal_pam',` interface(`auth_signal_pam',`
gen_require(` gen_require(`
@ -35121,7 +35122,7 @@ index 3efd5b669..a8cb6df3d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -875,13 +1071,33 @@ interface(`auth_signal_pam',` @@ -875,13 +1072,33 @@ interface(`auth_signal_pam',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -35159,7 +35160,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -959,9 +1175,30 @@ interface(`auth_manage_var_auth',` @@ -959,9 +1176,30 @@ interface(`auth_manage_var_auth',`
') ')
files_search_var($1) files_search_var($1)
@ -35193,7 +35194,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -1040,6 +1277,10 @@ interface(`auth_manage_pam_pid',` @@ -1040,6 +1278,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1) files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms; allow $1 pam_var_run_t:file manage_file_perms;
@ -35204,7 +35205,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -1176,6 +1417,7 @@ interface(`auth_manage_pam_console_data',` @@ -1176,6 +1418,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1) files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -35212,7 +35213,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
####################################### #######################################
@@ -1576,6 +1818,25 @@ interface(`auth_setattr_login_records',` @@ -1576,6 +1819,25 @@ interface(`auth_setattr_login_records',`
######################################## ########################################
## <summary> ## <summary>
@ -35238,7 +35239,7 @@ index 3efd5b669..a8cb6df3d 100644
## Read login records files (/var/log/wtmp). ## Read login records files (/var/log/wtmp).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1726,24 +1987,63 @@ interface(`auth_manage_login_records',` @@ -1726,24 +1988,63 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1) logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms; allow $1 wtmp_t:file manage_file_perms;
@ -35306,7 +35307,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -1767,11 +2067,13 @@ interface(`auth_relabel_login_records',` @@ -1767,11 +2068,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/> ## <infoflow type="both" weight="10"/>
# #
interface(`auth_use_nsswitch',` interface(`auth_use_nsswitch',`
@ -35323,7 +35324,7 @@ index 3efd5b669..a8cb6df3d 100644
') ')
######################################## ########################################
@@ -1805,3 +2107,298 @@ interface(`auth_unconfined',` @@ -1805,3 +2108,298 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
@ -35623,7 +35624,7 @@ index 3efd5b669..a8cb6df3d 100644
+ allow $1 login_pgm:key manage_key_perms; + allow $1 login_pgm:key manage_key_perms;
+') +')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791dcc..c6721f846 100644 index 09b791dcc..03feb4c8d 100644
--- a/policy/modules/system/authlogin.te --- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -35982,7 +35983,7 @@ index 09b791dcc..c6721f846 100644
optional_policy(` optional_policy(`
kerberos_use(nsswitch_domain) kerberos_use(nsswitch_domain)
') ')
@@ -456,10 +525,163 @@ optional_policy(` @@ -456,10 +525,164 @@ optional_policy(`
optional_policy(` optional_policy(`
sssd_stream_connect(nsswitch_domain) sssd_stream_connect(nsswitch_domain)
@ -36037,6 +36038,7 @@ index 09b791dcc..c6721f846 100644
+manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
+manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
+files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey") +files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
+allow login_pgm auth_cache_t:file map;
+ +
+manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
+manage_files_pattern(login_pgm, auth_home_t, auth_home_t) +manage_files_pattern(login_pgm, auth_home_t, auth_home_t)

125
policy-rawhide-contrib.patch
View File

@ -5635,7 +5635,7 @@ index f6eb4851f..3628a384f 100644
+ allow $1 httpd_t:process { noatsecure }; + allow $1 httpd_t:process { noatsecure };
') ')
diff --git a/apache.te b/apache.te diff --git a/apache.te b/apache.te
index 6649962b6..b7ac74501 100644 index 6649962b6..1df48fb13 100644
--- a/apache.te --- a/apache.te
+++ b/apache.te +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6323,7 +6323,7 @@ index 6649962b6..b7ac74501 100644
logging_log_filetrans(httpd_t, httpd_log_t, file) logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms; allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -412,13 +524,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -6334,11 +6334,12 @@ index 6649962b6..b7ac74501 100644
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
-allow httpd_t httpd_suexec_exec_t:file read_file_perms; +
+allow httpd_t httpd_suexec_t:process { signal signull }; +allow httpd_t httpd_suexec_t:process { signal signull };
+allow httpd_t httpd_suexec_t:file read_file_perms; +allow httpd_t httpd_suexec_t:file read_file_perms;
+
-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_sys_content_t:dir list_dir_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
@ -6346,7 +6347,7 @@ index 6649962b6..b7ac74501 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
@@ -428,6 +548,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -428,6 +549,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
@ -6354,7 +6355,7 @@ index 6649962b6..b7ac74501 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -438,6 +559,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi @@ -438,6 +560,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
@ -6362,7 +6363,7 @@ index 6649962b6..b7ac74501 100644
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +572,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -450,140 +573,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -6606,7 +6607,7 @@ index 6649962b6..b7ac74501 100644
') ')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` @@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t) fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
') ')
@ -6666,7 +6667,7 @@ index 6649962b6..b7ac74501 100644
') ')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t) fs_read_nfs_symlinks(httpd_t)
') ')
@ -6769,7 +6770,7 @@ index 6649962b6..b7ac74501 100644
') ')
tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_setrlimit',`
@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',` @@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',` tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6850,7 +6851,7 @@ index 6649962b6..b7ac74501 100644
') ')
optional_policy(` optional_policy(`
@@ -749,24 +919,32 @@ optional_policy(` @@ -749,24 +920,32 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6889,7 +6890,7 @@ index 6649962b6..b7ac74501 100644
') ')
optional_policy(` optional_policy(`
@@ -775,6 +953,10 @@ optional_policy(` @@ -775,6 +954,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',` tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t) avahi_dbus_chat(httpd_t)
') ')
@ -6900,7 +6901,7 @@ index 6649962b6..b7ac74501 100644
') ')
optional_policy(` optional_policy(`
@@ -786,35 +968,62 @@ optional_policy(` @@ -786,35 +969,62 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6976,7 +6977,7 @@ index 6649962b6..b7ac74501 100644
tunable_policy(`httpd_manage_ipa',` tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t) memcached_manage_pid_files(httpd_t)
@@ -822,8 +1031,31 @@ optional_policy(` @@ -822,8 +1032,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -7008,7 +7009,7 @@ index 6649962b6..b7ac74501 100644
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t) mysql_tcp_connect(httpd_t)
@@ -832,6 +1064,8 @@ optional_policy(` @@ -832,6 +1065,8 @@ optional_policy(`
optional_policy(` optional_policy(`
nagios_read_config(httpd_t) nagios_read_config(httpd_t)
@ -7017,7 +7018,7 @@ index 6649962b6..b7ac74501 100644
') ')
optional_policy(` optional_policy(`
@@ -842,20 +1076,48 @@ optional_policy(` @@ -842,20 +1077,48 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -7072,7 +7073,7 @@ index 6649962b6..b7ac74501 100644
') ')
optional_policy(` optional_policy(`
@@ -863,16 +1125,31 @@ optional_policy(` @@ -863,16 +1126,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -7106,7 +7107,7 @@ index 6649962b6..b7ac74501 100644
') ')
optional_policy(` optional_policy(`
@@ -883,65 +1160,189 @@ optional_policy(` @@ -883,65 +1161,189 @@ optional_policy(`
yam_read_content(httpd_t) yam_read_content(httpd_t)
') ')
@ -7318,7 +7319,7 @@ index 6649962b6..b7ac74501 100644
files_dontaudit_search_pids(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t) files_search_home(httpd_suexec_t)
@@ -950,123 +1351,75 @@ auth_use_nsswitch(httpd_suexec_t) @@ -950,123 +1352,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t) logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t)
@ -7472,7 +7473,7 @@ index 6649962b6..b7ac74501 100644
mysql_read_config(httpd_suexec_t) mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1436,107 @@ optional_policy(` @@ -1083,172 +1437,107 @@ optional_policy(`
') ')
') ')
@ -7710,7 +7711,7 @@ index 6649962b6..b7ac74501 100644
') ')
tunable_policy(`httpd_read_user_content',` tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1544,74 @@ tunable_policy(`httpd_read_user_content',` @@ -1256,64 +1545,74 @@ tunable_policy(`httpd_read_user_content',`
') ')
tunable_policy(`httpd_use_cifs',` tunable_policy(`httpd_use_cifs',`
@ -7808,7 +7809,7 @@ index 6649962b6..b7ac74501 100644
######################################## ########################################
# #
@@ -1321,8 +1619,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) @@ -1321,8 +1620,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
# #
optional_policy(` optional_policy(`
@ -7825,7 +7826,7 @@ index 6649962b6..b7ac74501 100644
') ')
######################################## ########################################
@@ -1330,49 +1635,43 @@ optional_policy(` @@ -1330,49 +1636,43 @@ optional_policy(`
# User content local policy # User content local policy
# #
@ -7894,7 +7895,7 @@ index 6649962b6..b7ac74501 100644
kernel_read_system_state(httpd_passwd_t) kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t) @@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t)
@ -16089,10 +16090,10 @@ index 954309e64..67801421b 100644
') ')
+ +
diff --git a/collectd.te b/collectd.te diff --git a/collectd.te b/collectd.te
index 6471fa8c4..90d2b5324 100644 index 6471fa8c4..00a1f00ef 100644
--- a/collectd.te --- a/collectd.te
+++ b/collectd.te +++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) @@ -26,43 +26,62 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t; type collectd_var_run_t;
files_pid_file(collectd_var_run_t) files_pid_file(collectd_var_run_t)
@ -16144,6 +16145,7 @@ index 6471fa8c4..90d2b5324 100644
-kernel_read_system_state(collectd_t) -kernel_read_system_state(collectd_t)
+corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t) +corenet_udp_bind_collectd_port(collectd_t)
+corenet_tcp_connect_lmtp_port(collectd_t)
dev_read_rand(collectd_t) dev_read_rand(collectd_t)
dev_read_sysfs(collectd_t) dev_read_sysfs(collectd_t)
@ -16164,7 +16166,7 @@ index 6471fa8c4..90d2b5324 100644
logging_send_syslog_msg(collectd_t) logging_send_syslog_msg(collectd_t)
@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',` @@ -75,16 +94,47 @@ tunable_policy(`collectd_tcp_network_connect',`
') ')
optional_policy(` optional_policy(`
@ -28615,7 +28617,7 @@ index 18f245250..a446210f0 100644
+ +
') ')
diff --git a/dspam.te b/dspam.te diff --git a/dspam.te b/dspam.te
index ef6236335..25dcb975a 100644 index ef6236335..281bd61c6 100644
--- a/dspam.te --- a/dspam.te
+++ b/dspam.te +++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@ -28641,7 +28643,7 @@ index ef6236335..25dcb975a 100644
files_search_spool(dspam_t) files_search_spool(dspam_t)
@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t) @@ -64,14 +73,36 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t) logging_send_syslog_msg(dspam_t)
@ -28653,6 +28655,7 @@ index ef6236335..25dcb975a 100644
+ +
+ manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) + manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
+ manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) + manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)
+ allow dspam_t dspam_rw_content_t:file map;
+ +
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) + read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+ +
@ -28682,7 +28685,7 @@ index ef6236335..25dcb975a 100644
') ')
optional_policy(` optional_policy(`
@@ -87,3 +117,12 @@ optional_policy(` @@ -87,3 +118,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t) postgresql_tcp_connect(dspam_t)
') ')
@ -78385,7 +78388,7 @@ index b9e71b537..a7502cd0e 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r; role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te diff --git a/postgrey.te b/postgrey.te
index fd58805e5..593a05367 100644 index fd58805e5..6f75dbd4b 100644
--- a/postgrey.te --- a/postgrey.te
+++ b/postgrey.te +++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@ -78406,7 +78409,15 @@ index fd58805e5..593a05367 100644
dontaudit postgrey_t self:capability sys_tty_config; dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms; allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms; allow postgrey_t self:fifo_file create_fifo_file_perms;
@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) @@ -43,6 +43,7 @@ manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+allow postgrey_t postgrey_spool_t:file map;
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
kernel_read_system_state(postgrey_t) kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t) kernel_read_kernel_sysctls(postgrey_t)
@ -78419,7 +78430,7 @@ index fd58805e5..593a05367 100644
corenet_all_recvfrom_netlabel(postgrey_t) corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t) corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_generic_node(postgrey_t) corenet_tcp_sendrecv_generic_node(postgrey_t)
@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t) @@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t)
domain_use_interactive_fds(postgrey_t) domain_use_interactive_fds(postgrey_t)
@ -99519,10 +99530,10 @@ index 000000000..6caef6326
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644 new file mode 100644
index 000000000..98dc14ef6 index 000000000..92695bf0d
--- /dev/null --- /dev/null
+++ b/sandboxX.if +++ b/sandboxX.if
@@ -0,0 +1,401 @@ @@ -0,0 +1,402 @@
+ +
+## <summary>policy for sandboxX </summary> +## <summary>policy for sandboxX </summary>
+ +
@ -99641,8 +99652,9 @@ index 000000000..98dc14ef6
+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) + fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
+ # Pulseaudio tmpfs files with different MCS labels + # Pulseaudio tmpfs files with different MCS labels
+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; + dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+ dontaudit $1_t $1_client_tmpfs_t:file { read write }; + dontaudit $1_t $1_client_tmpfs_t:file { read write map };
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+ allow $1_client_t $1_client_tmpfs_t:file { map };
+ +
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms; + allow $1_t sandbox_xserver_t:process signal_perms;
@ -99926,10 +99938,10 @@ index 000000000..98dc14ef6
+') +')
diff --git a/sandboxX.te b/sandboxX.te diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644 new file mode 100644
index 000000000..22e956fe3 index 000000000..6d87bc156
--- /dev/null --- /dev/null
+++ b/sandboxX.te +++ b/sandboxX.te
@@ -0,0 +1,512 @@ @@ -0,0 +1,536 @@
+policy_module(sandboxX,1.0.0) +policy_module(sandboxX,1.0.0)
+ +
+dbus_stub() +dbus_stub()
@ -99973,6 +99985,8 @@ index 000000000..22e956fe3
+# +#
+allow sandbox_xserver_t self:process { signal_perms execstack }; +allow sandbox_xserver_t self:process { signal_perms execstack };
+ +
+allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition;
+
+tunable_policy(`deny_execmem',`',` +tunable_policy(`deny_execmem',`',`
+ allow sandbox_xserver_t self:process execmem; + allow sandbox_xserver_t self:process execmem;
+') +')
@ -100052,6 +100066,22 @@ index 000000000..22e956fe3
+ +
+######################################## +########################################
+# +#
+# sandbox_x_t local policy
+#
+
+allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition;
+allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition;
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_t)
+userdom_map_tmp_files(sandbox_x_t)
+userdom_manage_user_tmp_files(sandbox_x_t)
+
+########################################
+#
+# sandbox_x_domain local policy +# sandbox_x_domain local policy
+# +#
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap }; +allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };
@ -100226,9 +100256,6 @@ index 000000000..22e956fe3
+ networkmanager_dontaudit_dbus_chat(sandbox_x_domain) + networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
+') +')
+ +
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+#1103622 +#1103622
+corenet_tcp_connect_xserver_port(sandbox_x_domain) +corenet_tcp_connect_xserver_port(sandbox_x_domain)
+xserver_stream_connect(sandbox_x_domain) +xserver_stream_connect(sandbox_x_domain)
@ -100251,6 +100278,11 @@ index 000000000..22e956fe3
+ +
+logging_send_syslog_msg(sandbox_x_client_t) +logging_send_syslog_msg(sandbox_x_client_t)
+ +
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_client_t)
+userdom_map_tmp_files(sandbox_x_client_t)
+userdom_manage_user_tmp_files(sandbox_x_client_t)
+
+optional_policy(` +optional_policy(`
+ avahi_dbus_chat(sandbox_x_client_t) + avahi_dbus_chat(sandbox_x_client_t)
+') +')
@ -100273,12 +100305,16 @@ index 000000000..22e956fe3
+# +#
+typeattribute sandbox_web_client_t sandbox_web_type; +typeattribute sandbox_web_client_t sandbox_web_type;
+ +
+allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition;
+
+selinux_get_fs_mount(sandbox_web_client_t) +selinux_get_fs_mount(sandbox_web_client_t)
+ +
+auth_use_nsswitch(sandbox_web_client_t) +auth_use_nsswitch(sandbox_web_client_t)
+ +
+logging_send_syslog_msg(sandbox_web_client_t) +logging_send_syslog_msg(sandbox_web_client_t)
+ +
+miscfiles_map_generic_certs(sandbox_web_client_t)
+
+allow sandbox_web_type self:capability { setuid setgid }; +allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
+dontaudit sandbox_web_type self:process setrlimit; +dontaudit sandbox_web_type self:process setrlimit;
@ -112041,10 +112077,10 @@ index 000000000..d371f62f6
+') +')
diff --git a/thumb.te b/thumb.te diff --git a/thumb.te b/thumb.te
new file mode 100644 new file mode 100644
index 000000000..1b34bc7b6 index 000000000..6c04973ea
--- /dev/null --- /dev/null
+++ b/thumb.te +++ b/thumb.te
@@ -0,0 +1,175 @@ @@ -0,0 +1,176 @@
+policy_module(thumb, 1.0.0) +policy_module(thumb, 1.0.0)
+ +
+######################################## +########################################
@ -112138,6 +112174,7 @@ index 000000000..1b34bc7b6
+fs_read_dos_files(thumb_t) +fs_read_dos_files(thumb_t)
+fs_rw_inherited_tmpfs_files(thumb_t) +fs_rw_inherited_tmpfs_files(thumb_t)
+fs_map_dos_files(thumb_t) +fs_map_dos_files(thumb_t)
+fs_mmap_removable_files(thumb_t)
+ +
+auth_read_passwd(thumb_t) +auth_read_passwd(thumb_t)
+ +

12
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 307%{?dist} Release: 308%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -717,6 +717,16 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
- Make working SELinux sandbox with Wayland. BZ(1474082)
- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
- Allow collectd to connect to lmtp_port_t BZ(1304029)
- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
- Allow thumb_t to mmap removable_t files. BZ(1522724)
- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
- Add interface fs_mmap_removable_files()
* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307 * Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
- Allow crond_t to read pcp lib files BZ(1525420) - Allow crond_t to read pcp lib files BZ(1525420)
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)