- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.

This commit is contained in:
Dan Walsh 2010-10-18 13:18:55 -04:00
parent c849c84305
commit 4da7659056
4 changed files with 150 additions and 60 deletions

2
.gitignore vendored
View File

@ -226,4 +226,4 @@ serefpolicy*
/serefpolicy-3.9.3.tgz
/serefpolicy-3.9.4.tgz
/serefpolicy-3.9.5.tgz
/serefpolicy-3.9.7.tgz
/serefpolicy-3.9.6.tgz

View File

@ -23,7 +23,7 @@ accountsd = module
#
# Berkeley process accounting
#
acct = base
acct = module
# Layer: services
# Module: ajaxterm
@ -67,7 +67,7 @@ cpufreqselector = module
#
chrome = module
# Layer: modules
# Layer: module
# Module: awstats
#
# awstats executable
@ -717,7 +717,7 @@ howl = module
#
# Internet services daemon.
#
inetd = base
inetd = module
# Layer: system
# Module: init
@ -759,7 +759,7 @@ irc = module
#
# IRQ balancing daemon
#
irqbalance = base
irqbalance = module
# Layer: system
# Module: iscsi
@ -1893,7 +1893,7 @@ uucp = module
#
# run real-mode video BIOS code to alter hardware state
#
vbetool = base
vbetool = module
# Layer: apps
# Module: webalizer
@ -1914,7 +1914,7 @@ xfs = module
#
# X windows login display manager
#
xserver = base
xserver = module
# Layer: services
# Module: zarafa
@ -1942,7 +1942,7 @@ usermanage = base
#
# Red Hat utility to change /etc/fstab.
#
updfstab = base
updfstab = module
# Layer: admin
# Module: vpn
@ -1956,7 +1956,7 @@ vpn = module
#
# run real-mode video BIOS code to alter hardware state
#
vbetool = base
vbetool = module
# Layer: kernel
# Module: terminal

View File

@ -5812,10 +5812,10 @@ index 0000000..587c440
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
index 0000000..89fcce3
index 0000000..39f006a
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
@@ -0,0 +1,408 @@
@@ -0,0 +1,420 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@ -6052,6 +6052,18 @@ index 0000000..89fcce3
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(sandbox_x_domain)
+')
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
@ -6380,10 +6392,10 @@ index 0000000..7866118
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644
index 0000000..3d12484
index 0000000..46368cc
--- /dev/null
+++ b/policy/modules/apps/telepathy.if
@@ -0,0 +1,188 @@
@@ -0,0 +1,168 @@
+
+## <summary>Telepathy framework.</summary>
+
@ -6497,26 +6509,6 @@ index 0000000..3d12484
+
+########################################
+## <summary>
+## Read and write Telepathy Butterfly
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_butterfly_rw_tmp_files', `
+ gen_require(`
+ type telepathy_butterfly_tmp_t;
+ ')
+
+ allow $1 telepathy_butterfly_tmp_t:file rw_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Stream connect to Telepathy Gabble
+## </summary>
+## <param name="domain">
@ -7691,7 +7683,7 @@ index 3b2da10..7c29e17 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 99482ca..8d34173 100644
index 99482ca..c381190 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
@ -7887,7 +7879,32 @@ index 99482ca..8d34173 100644
## Do not audit attempts to get the attributes of
## the autofs device node.
## </summary>
@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',`
@@ -3048,24 +3192,6 @@ interface(`dev_rw_printer',`
########################################
## <summary>
-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dev_read_printk',`
- gen_require(`
- type device_t, printk_device_t;
- ')
-
- read_chr_files_pattern($1, device_t, printk_device_t)
-')
-
-########################################
-## <summary>
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
@@ -3613,6 +3739,24 @@ interface(`dev_manage_smartcard',`
########################################
## <summary>
@ -7912,7 +7929,7 @@ index 99482ca..8d34173 100644
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
@@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',`
@@ -3755,6 +3899,24 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@ -7937,7 +7954,7 @@ index 99482ca..8d34173 100644
## Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary>
## <desc>
@@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
@@ -3924,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
########################################
## <summary>
@ -7962,7 +7979,7 @@ index 99482ca..8d34173 100644
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
@@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',`
@@ -4234,11 +4414,10 @@ interface(`dev_write_video_dev',`
#
interface(`dev_rw_vhost',`
gen_require(`
@ -16219,7 +16236,7 @@ index fa82327..7f4ca47 100644
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 1f11572..01b02f3 100644
index 1f11572..7f6a7ab 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@ -16230,6 +16247,22 @@ index 1f11572..01b02f3 100644
stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
')
@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',`
#
interface(`clamav_append_log',`
gen_require(`
- type clamav_log_t;
+ type clamav_var_log_t;
')
logging_search_logs($1)
- allow $1 clamav_log_t:dir list_dir_perms;
- append_files_pattern($1, clamav_log_t, clamav_log_t)
+ allow $1 clamav_var_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
')
########################################
@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
interface(`clamav_admin',`
gen_require(`
@ -18739,7 +18772,7 @@ index f706b99..ab2edfc 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..8d467c4 100644
index f231f17..3aaa784 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@ -18861,7 +18894,7 @@ index f231f17..8d467c4 100644
')
optional_policy(`
+ mount_exec(devicekit_power_t)
+ mount_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
@ -18902,10 +18935,19 @@ index 5e2cea8..7e129ff 100644
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d4424ad..a307b51 100644
index d4424ad..2e09383 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -111,6 +111,10 @@ optional_policy(`
@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t)
dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
@@ -111,6 +113,10 @@ optional_policy(`
')
optional_policy(`
@ -28038,7 +28080,7 @@ index 29b9295..2a70dd1 100644
pyzor_signal(procmail_t)
')
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index bc329d1..d1a3745 100644
index bc329d1..f040c20 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
@ -28085,6 +28127,15 @@ index bc329d1..d1a3745 100644
## Read and write psad fifo files.
## </summary>
## <param name="domain">
@@ -186,7 +205,7 @@ interface(`psad_append_log',`
#
interface(`psad_rw_fifo_file',`
gen_require(`
- type psad_t;
+ type psad_t, psad_var_lib_t;
')
files_search_var_lib($1)
@@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
@ -32881,7 +32932,7 @@ index 22adaca..784c363 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..c7efe5d 100644
index 2dad3c8..580297a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@ -32959,7 +33010,12 @@ index 2dad3c8..c7efe5d 100644
##############################
#
# SSH client local policy
@@ -99,11 +103,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -95,15 +99,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
+can_exec(ssh_t, ssh_exec_t)
# Read the ssh key file.
allow ssh_t sshd_key_t:file read_file_perms;
@ -32971,7 +33027,7 @@ index 2dad3c8..c7efe5d 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -113,6 +112,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
@@ -113,6 +113,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@ -32979,7 +33035,7 @@ index 2dad3c8..c7efe5d 100644
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
@@ -124,9 +124,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -124,9 +125,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
@ -32993,7 +33049,7 @@ index 2dad3c8..c7efe5d 100644
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
@@ -138,6 +139,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
@@ -138,6 +140,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@ -33002,7 +33058,7 @@ index 2dad3c8..c7efe5d 100644
dev_read_urand(ssh_t)
@@ -169,14 +172,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
@@ -169,14 +173,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@ -33021,7 +33077,7 @@ index 2dad3c8..c7efe5d 100644
')
tunable_policy(`use_nfs_home_dirs',`
@@ -200,6 +202,53 @@ optional_policy(`
@@ -200,6 +203,53 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@ -33075,7 +33131,7 @@ index 2dad3c8..c7efe5d 100644
##############################
#
# ssh_keysign_t local policy
@@ -209,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
@@ -209,7 +259,7 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@ -33084,7 +33140,7 @@ index 2dad3c8..c7efe5d 100644
dev_read_urand(ssh_keysign_t)
@@ -232,33 +281,39 @@ optional_policy(`
@@ -232,33 +282,39 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@ -33133,7 +33189,7 @@ index 2dad3c8..c7efe5d 100644
')
optional_policy(`
@@ -266,11 +321,24 @@ optional_policy(`
@@ -266,11 +322,24 @@ optional_policy(`
')
optional_policy(`
@ -33159,7 +33215,7 @@ index 2dad3c8..c7efe5d 100644
')
optional_policy(`
@@ -284,6 +352,11 @@ optional_policy(`
@@ -284,6 +353,11 @@ optional_policy(`
')
optional_policy(`
@ -33171,7 +33227,7 @@ index 2dad3c8..c7efe5d 100644
unconfined_shell_domtrans(sshd_t)
')
@@ -292,26 +365,26 @@ optional_policy(`
@@ -292,26 +366,26 @@ optional_policy(`
')
ifdef(`TODO',`
@ -33217,7 +33273,7 @@ index 2dad3c8..c7efe5d 100644
') dnl endif TODO
########################################
@@ -324,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',`
@@ -324,7 +398,6 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@ -33225,7 +33281,7 @@ index 2dad3c8..c7efe5d 100644
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
@@ -353,10 +425,6 @@ logging_send_syslog_msg(ssh_keygen_t)
@@ -353,10 +426,6 @@ logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
@ -40400,7 +40456,7 @@ index 9df8c4d..0199a7d 100644
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index d97d16d..8b174c8 100644
index d97d16d..ed1b8be 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',`
@ -40430,6 +40486,37 @@ index d97d16d..8b174c8 100644
## Use the dynamic link/loader for automatic loading
## of shared libraries.
## </summary>
@@ -383,7 +403,7 @@ interface(`libs_manage_shared_libs',`
type lib_t, textrel_shlib_t;
')
- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
')
########################################
@@ -402,9 +422,9 @@ interface(`libs_use_shared_libs',`
')
files_search_usr($1)
- allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
')
@@ -445,7 +465,7 @@ interface(`libs_relabel_shared_libs',`
type lib_t, textrel_shlib_t;
')
- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
')
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index bf416a4..99d7f60 100644
--- a/policy/modules/system/libraries.te

View File

@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -470,6 +470,9 @@ exit 0
%endif
%changelog
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-4
- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-3
- Allow cobblerd to list cobler appache content