- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.

2010-10-18 13:18:55 -04:00 · 2010-10-18 13:18:55 -04:00 · 4da7659056
parent c849c84305
commit 4da7659056
4 changed files with 150 additions and 60 deletions
--- a/.gitignore
+++ b/.gitignore
@ -226,4 +226,4 @@ serefpolicy*
 /serefpolicy-3.9.3.tgz
 /serefpolicy-3.9.4.tgz
 /serefpolicy-3.9.5.tgz
-/serefpolicy-3.9.7.tgz
+/serefpolicy-3.9.6.tgz
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -23,7 +23,7 @@ accountsd = module
 #
 # Berkeley process accounting
 # 
-acct = base
+acct = module

 # Layer: services
 # Module: ajaxterm
@ -67,7 +67,7 @@ cpufreqselector = module
 # 
 chrome = module

-# Layer: modules
+# Layer: module
 # Module: awstats
 #
 # awstats executable
@ -717,7 +717,7 @@ howl = module
 #
 # Internet services daemon.
 # 
-inetd = base
+inetd = module

 # Layer: system
 # Module: init
@ -759,7 +759,7 @@ irc = module
 #
 # IRQ balancing daemon
 # 
-irqbalance = base
+irqbalance = module

 # Layer: system
 # Module: iscsi
@ -1893,7 +1893,7 @@ uucp = module
 #
 # run real-mode video BIOS code to alter hardware state
 # 
-vbetool = base
+vbetool = module

 # Layer: apps
 # Module: webalizer
@ -1914,7 +1914,7 @@ xfs = module
 #
 # X windows login display manager
 # 
-xserver = base
+xserver = module

 # Layer: services
 # Module: zarafa
@ -1942,7 +1942,7 @@ usermanage = base
 #
 # Red Hat utility to change /etc/fstab.
 # 
-updfstab = base
+updfstab = module

 # Layer: admin
 # Module: vpn
@ -1956,7 +1956,7 @@ vpn = module
 #
 # run real-mode video BIOS code to alter hardware state
 # 
-vbetool = base
+vbetool = module

 # Layer: kernel
 # Module: terminal
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -5812,10 +5812,10 @@ index 0000000..587c440
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..89fcce3
+index 0000000..39f006a
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,408 @@
+@@ -0,0 +1,420 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@ -6052,6 +6052,18 @@ index 0000000..89fcce3
 +userdom_read_user_home_content_symlinks(sandbox_x_domain)
 +userdom_search_user_home_content(sandbox_x_domain)
 +
+tunable_policy(`use_nfs_home_dirs',`
+	fs_search_nfs(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+	fs_search_fusefs(sandbox_x_domain)
+')
+
 +files_search_home(sandbox_x_t)
 +userdom_use_user_ptys(sandbox_x_t)
 +
@ -6380,10 +6392,10 @@ index 0000000..7866118
 +/usr/libexec/telepathy-sunshine			--		gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
 new file mode 100644
-index 0000000..3d12484
+index 0000000..46368cc
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,168 @@
 +
 +## <summary>Telepathy framework.</summary>
 +
@ -6497,26 +6509,6 @@ index 0000000..3d12484
 +
 +########################################
 +## <summary>
-+##	Read and write Telepathy Butterfly
-+##	temporary files.
-+## </summary>
-+## <param name="domain">
-+## 	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`telepathy_butterfly_rw_tmp_files', `
-+	gen_require(`
-+		type telepathy_butterfly_tmp_t;
-+	')
-+
-+	allow $1 telepathy_butterfly_tmp_t:file rw_file_perms;
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
 +##	Stream connect to Telepathy Gabble
 +## </summary>
 +## <param name="domain">
@ -7691,7 +7683,7 @@ index 3b2da10..7c29e17 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 99482ca..8d34173 100644
+index 99482ca..c381190 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
@ -7887,7 +7879,32 @@ index 99482ca..8d34173 100644
 ##	Do not audit attempts to get the attributes of
 ##	the autofs device node.
 ## </summary>
-@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',`
+@@ -3048,24 +3192,6 @@ interface(`dev_rw_printer',`
+ 
+ ########################################
+ ## <summary>
+-##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`dev_read_printk',`
+-	gen_require(`
+-		type device_t, printk_device_t;
+-	')
+-
+-	read_chr_files_pattern($1, device_t, printk_device_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Get the attributes of the QEMU
+ ##	microcode and id interfaces.
+ ## </summary>
+@@ -3613,6 +3739,24 @@ interface(`dev_manage_smartcard',`
 
 ########################################
 ## <summary>
@ -7912,7 +7929,7 @@ index 99482ca..8d34173 100644
 ##	Get the attributes of sysfs directories.
 ## </summary>
 ## <param name="domain">
-@@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',`
+@@ -3755,6 +3899,24 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
@ -7937,7 +7954,7 @@ index 99482ca..8d34173 100644
 ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
 ## </summary>
 ## <desc>
-@@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3924,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
 
 ########################################
 ## <summary>
@ -7962,7 +7979,7 @@ index 99482ca..8d34173 100644
 ##	Mount a usbfs filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',`
+@@ -4234,11 +4414,10 @@ interface(`dev_write_video_dev',`
 #
 interface(`dev_rw_vhost',`
 	gen_require(`
@ -16219,7 +16236,7 @@ index fa82327..7f4ca47 100644
 # bind to udp/323
 corenet_udp_bind_chronyd_port(chronyd_t)
 diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
-index 1f11572..01b02f3 100644
+index 1f11572..7f6a7ab 100644
 --- a/policy/modules/services/clamav.if
 +++ b/policy/modules/services/clamav.if
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@ -16230,6 +16247,22 @@ index 1f11572..01b02f3 100644
 	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
 ')
 
+@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',`
+ #
+ interface(`clamav_append_log',`
+ 	gen_require(`
+-		type clamav_log_t;
+		type clamav_var_log_t;
+ 	')
+ 
+ 	logging_search_logs($1)
+-	allow $1 clamav_log_t:dir list_dir_perms;
+-	append_files_pattern($1, clamav_log_t, clamav_log_t)
+	allow $1 clamav_var_log_t:dir list_dir_perms;
+	append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+ ')
+ 
+ ########################################
@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
 interface(`clamav_admin',`
 	gen_require(`
@ -18739,7 +18772,7 @@ index f706b99..ab2edfc 100644
 +	files_list_pids($1)
 ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..8d467c4 100644
+index f231f17..3aaa784 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@ -18861,7 +18894,7 @@ index f231f17..8d467c4 100644
 ')
 
 optional_policy(`
-+	mount_exec(devicekit_power_t)
+	mount_domtrans(devicekit_power_t)
 +')
 +
 +optional_policy(`
@ -18902,10 +18935,19 @@ index 5e2cea8..7e129ff 100644
 	')
 
 diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
-index d4424ad..a307b51 100644
+index d4424ad..2e09383 100644
 --- a/policy/modules/services/dhcp.te
 +++ b/policy/modules/services/dhcp.te
-@@ -111,6 +111,10 @@ optional_policy(`
+@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
+ corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+ corenet_sendrecv_pxe_server_packets(dhcpd_t)
+ corenet_sendrecv_all_client_packets(dhcpd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+ 
+ dev_read_sysfs(dhcpd_t)
+ dev_read_rand(dhcpd_t)
+@@ -111,6 +113,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -28038,7 +28080,7 @@ index 29b9295..2a70dd1 100644
 	pyzor_signal(procmail_t)
 ')
 diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
-index bc329d1..d1a3745 100644
+index bc329d1..f040c20 100644
 --- a/policy/modules/services/psad.if
 +++ b/policy/modules/services/psad.if
@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
@ -28085,6 +28127,15 @@ index bc329d1..d1a3745 100644
 ##	Read and write psad fifo files.
 ## </summary>
 ## <param name="domain">
+@@ -186,7 +205,7 @@ interface(`psad_append_log',`
+ #
+ interface(`psad_rw_fifo_file',`
+ 	gen_require(`
+-		type psad_t;
+		type psad_t, psad_var_lib_t;
+ 	')
+ 
+ 	files_search_var_lib($1)
@@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',`
 interface(`psad_admin',`
 	gen_require(`
@ -32881,7 +32932,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..c7efe5d 100644
+index 2dad3c8..580297a 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@ -32959,7 +33010,12 @@ index 2dad3c8..c7efe5d 100644
 ##############################
 #
 # SSH client local policy
-@@ -99,11 +103,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms;
+@@ -95,15 +99,11 @@ allow ssh_t self:sem create_sem_perms;
+ allow ssh_t self:msgq create_msgq_perms;
+ allow ssh_t self:msg { send receive };
+ allow ssh_t self:tcp_socket create_stream_socket_perms;
+can_exec(ssh_t, ssh_exec_t)
+ 
 # Read the ssh key file.
 allow ssh_t sshd_key_t:file read_file_perms;
 
@ -32971,7 +33027,7 @@ index 2dad3c8..c7efe5d 100644
 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,6 +112,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,6 +113,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@ -32979,7 +33035,7 @@ index 2dad3c8..c7efe5d 100644
 
 # Allow the ssh program to communicate with ssh-agent.
 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -124,9 +124,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+@@ -124,9 +125,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 
 # ssh servers can read the user keys and config
@ -32993,7 +33049,7 @@ index 2dad3c8..c7efe5d 100644
 
 kernel_read_kernel_sysctls(ssh_t)
 kernel_read_system_state(ssh_t)
-@@ -138,6 +139,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,6 +140,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
 corenet_tcp_sendrecv_all_ports(ssh_t)
 corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
@ -33002,7 +33058,7 @@ index 2dad3c8..c7efe5d 100644
 
 dev_read_urand(ssh_t)
 
-@@ -169,14 +172,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +173,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
 userdom_search_user_home_dirs(ssh_t)
 # Write to the user domain tty.
 userdom_use_user_terminals(ssh_t)
@ -33021,7 +33077,7 @@ index 2dad3c8..c7efe5d 100644
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +202,53 @@ optional_policy(`
+@@ -200,6 +203,53 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
 
@ -33075,7 +33131,7 @@ index 2dad3c8..c7efe5d 100644
 ##############################
 #
 # ssh_keysign_t local policy
-@@ -209,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +259,7 @@ tunable_policy(`allow_ssh_keysign',`
 	allow ssh_keysign_t self:capability { setgid setuid };
 	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
@ -33084,7 +33140,7 @@ index 2dad3c8..c7efe5d 100644
 
 	dev_read_urand(ssh_keysign_t)
 
-@@ -232,33 +281,39 @@ optional_policy(`
+@@ -232,33 +282,39 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
@ -33133,7 +33189,7 @@ index 2dad3c8..c7efe5d 100644
 ')
 
 optional_policy(`
-@@ -266,11 +321,24 @@ optional_policy(`
+@@ -266,11 +322,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33159,7 +33215,7 @@ index 2dad3c8..c7efe5d 100644
 ')
 
 optional_policy(`
-@@ -284,6 +352,11 @@ optional_policy(`
+@@ -284,6 +353,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -33171,7 +33227,7 @@ index 2dad3c8..c7efe5d 100644
 	unconfined_shell_domtrans(sshd_t)
 ')
 
-@@ -292,26 +365,26 @@ optional_policy(`
+@@ -292,26 +366,26 @@ optional_policy(`
 ')
 
 ifdef(`TODO',`
@ -33217,7 +33273,7 @@ index 2dad3c8..c7efe5d 100644
 ') dnl endif TODO
 
 ########################################
-@@ -324,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +398,6 @@ tunable_policy(`ssh_sysadm_login',`
 
 dontaudit ssh_keygen_t self:capability sys_tty_config;
 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@ -33225,7 +33281,7 @@ index 2dad3c8..c7efe5d 100644
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 
 allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +425,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +426,6 @@ logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
 optional_policy(`
@ -40400,7 +40456,7 @@ index 9df8c4d..0199a7d 100644
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index d97d16d..8b174c8 100644
+index d97d16d..ed1b8be 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',`
@ -40430,6 +40486,37 @@ index d97d16d..8b174c8 100644
 ##	Use the dynamic link/loader for automatic loading
 ##	of shared libraries.
 ## </summary>
+@@ -383,7 +403,7 @@ interface(`libs_manage_shared_libs',`
+ 		type lib_t, textrel_shlib_t;
+ 	')
+ 
+-	manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+	manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+ 
+ ########################################
+@@ -402,9 +422,9 @@ interface(`libs_use_shared_libs',`
+ 	')
+ 
+ 	files_search_usr($1)
+-	allow $1 lib_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+-	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+	allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
+	read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+	mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ 	allow $1 textrel_shlib_t:file execmod;
+ ')
+ 
+@@ -445,7 +465,7 @@ interface(`libs_relabel_shared_libs',`
+ 		type lib_t, textrel_shlib_t;
+ 	')
+ 
+-	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+	relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
 index bf416a4..99d7f60 100644
 --- a/policy/modules/system/libraries.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -470,6 +470,9 @@ exit 0
 %endif

 %changelog
+* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-4
+- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
+
 * Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-3
 - Allow cobblerd to list cobler appache content