* Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
This commit is contained in:
Lukas Vrabec
parent
0eccbd957d
commit
631f95b1cf
Binary file not shown.
@ -2328,10 +2328,18 @@ index 688abc2..3d89250 100644
|
||||
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
|
||||
index 03ec5ca..1ed2cd4 100644
|
||||
index 03ec5ca..1e3ace4 100644
|
||||
--- a/policy/modules/admin/su.if
|
||||
+++ b/policy/modules/admin/su.if
|
||||
@@ -48,6 +48,7 @@ template(`su_restricted_domain_template', `
|
||||
@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', `
|
||||
|
||||
allow $2 $1_su_t:process signal;
|
||||
|
||||
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
|
||||
dontaudit $1_su_t self:capability sys_tty_config;
|
||||
allow $1_su_t self:key { search write };
|
||||
allow $1_su_t self:process { setexec setsched setrlimit };
|
||||
allow $1_su_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
|
||||
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -2516,7 +2524,7 @@ index 03ec5ca..1ed2cd4 100644
|
||||
|
||||
#######################################
|
||||
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
|
||||
index 85bb77e..5f38282 100644
|
||||
index 85bb77e..a430233 100644
|
||||
--- a/policy/modules/admin/su.te
|
||||
+++ b/policy/modules/admin/su.te
|
||||
@@ -9,3 +9,82 @@ attribute su_domain_type;
|
||||
@ -2524,7 +2532,7 @@ index 85bb77e..5f38282 100644
|
||||
type su_exec_t;
|
||||
corecmd_executable_file(su_exec_t)
|
||||
+
|
||||
+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||
+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
|
||||
+dontaudit su_domain_type self:capability sys_tty_config;
|
||||
+allow su_domain_type self:process { setexec setsched setrlimit };
|
||||
+allow su_domain_type self:fifo_file rw_fifo_file_perms;
|
||||
@ -2797,7 +2805,7 @@ index 0960199..2e75ec7 100644
|
||||
+ manage_files_pattern($1, sudo_db_t, sudo_db_t)
|
||||
+')
|
||||
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
|
||||
index d9fce57..8a18a54 100644
|
||||
index d9fce57..174f893 100644
|
||||
--- a/policy/modules/admin/sudo.te
|
||||
+++ b/policy/modules/admin/sudo.te
|
||||
@@ -7,3 +7,111 @@ attribute sudodomain;
|
||||
@ -2818,7 +2826,7 @@ index d9fce57..8a18a54 100644
|
||||
+#
|
||||
+
|
||||
+# Use capabilities.
|
||||
+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
|
||||
+allow sudodomain self:capability { chown fowner setuid setgid dac_read_search dac_override sys_nice sys_resource };
|
||||
+dontaudit sudodomain self:capability net_admin;
|
||||
+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
+allow sudodomain self:process { setexec setrlimit };
|
||||
@ -3090,7 +3098,7 @@ index 99e3903..fa68362 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 1d732f1..a7fa09d 100644
|
||||
index 1d732f1..121ace8 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -26,6 +26,7 @@ type chfn_exec_t;
|
||||
@ -3113,7 +3121,7 @@ index 1d732f1..a7fa09d 100644
|
||||
application_domain(passwd_t, passwd_exec_t)
|
||||
role passwd_roles types passwd_t;
|
||||
|
||||
@@ -61,9 +64,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
|
||||
@@ -61,15 +64,19 @@ files_tmp_file(sysadm_passwd_tmp_t)
|
||||
type useradd_t;
|
||||
type useradd_exec_t;
|
||||
domain_obj_id_change_exemption(useradd_t)
|
||||
@ -3127,6 +3135,13 @@ index 1d732f1..a7fa09d 100644
|
||||
########################################
|
||||
#
|
||||
# Chfn local policy
|
||||
#
|
||||
|
||||
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
|
||||
+allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
|
||||
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow chfn_t self:process { setrlimit setfscreate };
|
||||
allow chfn_t self:fd use;
|
||||
@@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto;
|
||||
|
||||
kernel_read_system_state(chfn_t)
|
||||
@ -3205,6 +3220,15 @@ index 1d732f1..a7fa09d 100644
|
||||
########################################
|
||||
#
|
||||
# Crack local policy
|
||||
@@ -186,7 +210,7 @@ optional_policy(`
|
||||
# Groupadd local policy
|
||||
#
|
||||
|
||||
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
|
||||
+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };
|
||||
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
|
||||
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow groupadd_t self:process { setrlimit setfscreate };
|
||||
@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t)
|
||||
selinux_compute_relabel_context(groupadd_t)
|
||||
selinux_compute_user_contexts(groupadd_t)
|
||||
@ -3259,7 +3283,7 @@ index 1d732f1..a7fa09d 100644
|
||||
#
|
||||
|
||||
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
|
||||
+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
|
||||
+allow passwd_t self:capability { chown dac_read_search dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
|
||||
dontaudit passwd_t self:capability sys_tty_config;
|
||||
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow passwd_t self:process { setrlimit setfscreate };
|
||||
@ -3351,6 +3375,15 @@ index 1d732f1..a7fa09d 100644
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(passwd_t, passwd_roles)
|
||||
@@ -362,7 +411,7 @@ optional_policy(`
|
||||
# Password admin local policy
|
||||
#
|
||||
|
||||
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
|
||||
+allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
|
||||
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow sysadm_passwd_t self:process { setrlimit setfscreate };
|
||||
allow sysadm_passwd_t self:fd use;
|
||||
@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t)
|
||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||
fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
@ -3391,7 +3424,7 @@ index 1d732f1..a7fa09d 100644
|
||||
|
||||
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
|
||||
-dontaudit useradd_t self:capability sys_tty_config;
|
||||
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
|
||||
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
|
||||
+
|
||||
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
@ -3632,7 +3665,7 @@ index 1dc7a85..e4f6fc2 100644
|
||||
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
|
||||
')
|
||||
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
|
||||
index 7590165..d81185e 100644
|
||||
index 7590165..f50f799 100644
|
||||
--- a/policy/modules/apps/seunshare.te
|
||||
+++ b/policy/modules/apps/seunshare.te
|
||||
@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
|
||||
@ -3649,7 +3682,7 @@ index 7590165..d81185e 100644
|
||||
#
|
||||
# seunshare local policy
|
||||
#
|
||||
+allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
|
||||
+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice };
|
||||
+allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
|
||||
|
||||
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
|
||||
@ -11114,7 +11147,7 @@ index b876c48..2e591a5 100644
|
||||
+
|
||||
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index f962f76..4785fe8 100644
|
||||
index f962f76..c1b46d8 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -19,6 +19,136 @@
|
||||
@ -11993,7 +12026,7 @@ index f962f76..4785fe8 100644
|
||||
- type root_t;
|
||||
+ attribute mountpoint;
|
||||
')
|
||||
+ dontaudit $1 self:capability dac_override;
|
||||
+ dontaudit $1 self:capability { dac_read_search dac_override };
|
||||
|
||||
- allow $1 root_t:dir list_dir_perms;
|
||||
- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
@ -24360,7 +24393,7 @@ index ff92430..36740ea 100644
|
||||
## <summary>
|
||||
## Execute a generic bin program in the sysadm domain.
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index 2522ca6..e5d8ff8 100644
|
||||
index 2522ca6..8932351 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -5,39 +5,102 @@ policy_module(sysadm, 2.6.1)
|
||||
@ -24781,7 +24814,7 @@ index 2522ca6..e5d8ff8 100644
|
||||
|
||||
optional_policy(`
|
||||
screen_role_template(sysadm, sysadm_r, sysadm_t)
|
||||
+ allow sysadm_screen_t self:capability dac_override;
|
||||
+ allow sysadm_screen_t self:capability { dac_read_search dac_override };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -27061,7 +27094,7 @@ index 76d9f66..7528851 100644
|
||||
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
|
||||
index fe0c682..20f3ba4 100644
|
||||
index fe0c682..79d568a 100644
|
||||
--- a/policy/modules/services/ssh.if
|
||||
+++ b/policy/modules/services/ssh.if
|
||||
@@ -32,10 +32,11 @@
|
||||
@ -27192,7 +27225,7 @@ index fe0c682..20f3ba4 100644
|
||||
files_pid_file($1_var_run_t)
|
||||
|
||||
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
|
||||
+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
|
||||
+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
|
||||
allow $1_t self:fifo_file rw_fifo_file_perms;
|
||||
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
|
||||
+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
|
||||
@ -27794,7 +27827,7 @@ index fe0c682..20f3ba4 100644
|
||||
+ ps_process_pattern($1, sshd_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index cc877c7..92de2d7 100644
|
||||
index cc877c7..3038b08 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
|
||||
@ -28275,7 +28308,7 @@ index cc877c7..92de2d7 100644
|
||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||
# and by sysadm_t
|
||||
|
||||
+allow ssh_keygen_t self:capability dac_override;
|
||||
+allow ssh_keygen_t self:capability { dac_read_search dac_override };
|
||||
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
||||
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
||||
-
|
||||
@ -30397,7 +30430,7 @@ index 6bf0ecc..e6be63a 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index 8b40377..8c9110f 100644
|
||||
index 8b40377..fc04c66 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,28 +26,66 @@ gen_require(`
|
||||
@ -30657,7 +30690,7 @@ index 8b40377..8c9110f 100644
|
||||
# Xauth local policy
|
||||
#
|
||||
|
||||
+allow xauth_t self:capability dac_override;
|
||||
+allow xauth_t self:capability { dac_read_search dac_override };
|
||||
allow xauth_t self:process signal;
|
||||
+allow xauth_t self:shm create_shm_perms;
|
||||
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -31433,7 +31466,7 @@ index 8b40377..8c9110f 100644
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
|
||||
+allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
|
||||
+allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
|
||||
+
|
||||
dontaudit xserver_t self:capability chown;
|
||||
+#allow xserver_t self:capability2 compromise_kernel;
|
||||
@ -33094,7 +33127,7 @@ index 3efd5b6..3db526f 100644
|
||||
+ allow $1 login_pgm:key manage_key_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index 09b791d..fde4518 100644
|
||||
index 09b791d..2d255df 100644
|
||||
--- a/policy/modules/system/authlogin.te
|
||||
+++ b/policy/modules/system/authlogin.te
|
||||
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
|
||||
@ -33178,6 +33211,15 @@ index 09b791d..fde4518 100644
|
||||
type updpwd_t;
|
||||
type updpwd_exec_t;
|
||||
domain_type(updpwd_t)
|
||||
@@ -90,7 +112,7 @@ logging_log_file(wtmp_t)
|
||||
# Check password local policy
|
||||
#
|
||||
|
||||
-allow chkpwd_t self:capability { dac_override setuid };
|
||||
+allow chkpwd_t self:capability { dac_read_search dac_override setuid };
|
||||
dontaudit chkpwd_t self:capability sys_tty_config;
|
||||
allow chkpwd_t self:process { getattr signal };
|
||||
|
||||
@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t)
|
||||
files_read_etc_files(chkpwd_t)
|
||||
# for nscd
|
||||
@ -33291,6 +33333,15 @@ index 09b791d..fde4518 100644
|
||||
miscfiles_read_generic_certs(pam_console_t)
|
||||
|
||||
seutil_read_file_contexts(pam_console_t)
|
||||
@@ -330,7 +351,7 @@ optional_policy(`
|
||||
# updpwd local policy
|
||||
#
|
||||
|
||||
-allow updpwd_t self:capability { chown dac_override };
|
||||
+allow updpwd_t self:capability { chown dac_read_search dac_override };
|
||||
allow updpwd_t self:process setfscreate;
|
||||
allow updpwd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
|
||||
dev_read_urand(updpwd_t)
|
||||
|
||||
@ -33634,9 +33685,18 @@ index d475c2d..55305d5 100644
|
||||
+ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
|
||||
+')
|
||||
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
|
||||
index edece47..cb014fd 100644
|
||||
index edece47..2e7b811 100644
|
||||
--- a/policy/modules/system/clock.te
|
||||
+++ b/policy/modules/system/clock.te
|
||||
@@ -20,7 +20,7 @@ role system_r types hwclock_t;
|
||||
|
||||
# Give hwclock the capabilities it requires. dac_override is a surprise,
|
||||
# but hwclock does require it.
|
||||
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
|
||||
+allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config };
|
||||
dontaudit hwclock_t self:capability sys_tty_config;
|
||||
allow hwclock_t self:process signal_perms;
|
||||
allow hwclock_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
|
||||
|
||||
term_dontaudit_use_console(hwclock_t)
|
||||
@ -34014,10 +34074,10 @@ index e4376aa..2c98c56 100644
|
||||
+ allow $1 getty_unit_file_t:service start;
|
||||
+')
|
||||
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
||||
index f6743ea..22425f5 100644
|
||||
index f6743ea..ef08ff3 100644
|
||||
--- a/policy/modules/system/getty.te
|
||||
+++ b/policy/modules/system/getty.te
|
||||
@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
|
||||
@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
|
||||
type getty_var_run_t;
|
||||
files_pid_file(getty_var_run_t)
|
||||
|
||||
@ -34035,6 +34095,14 @@ index f6743ea..22425f5 100644
|
||||
########################################
|
||||
#
|
||||
# Getty local policy
|
||||
#
|
||||
|
||||
# Use capabilities.
|
||||
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
|
||||
+allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
|
||||
dontaudit getty_t self:capability sys_tty_config;
|
||||
allow getty_t self:process { getpgid setpgid getsession signal_perms };
|
||||
allow getty_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -56,6 +67,7 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
|
||||
files_pid_filetrans(getty_t, getty_var_run_t, file)
|
||||
|
||||
@ -39211,7 +39279,7 @@ index 808ba93..baca326 100644
|
||||
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
|
||||
+')
|
||||
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
|
||||
index 54f8fa5..544b8e3 100644
|
||||
index 54f8fa5..b9dbbe0 100644
|
||||
--- a/policy/modules/system/libraries.te
|
||||
+++ b/policy/modules/system/libraries.te
|
||||
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
|
||||
@ -39231,9 +39299,12 @@ index 54f8fa5..544b8e3 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
# openrc unfortunately mounts a tmpfs
|
||||
@@ -59,9 +59,11 @@ optional_policy(`
|
||||
@@ -57,11 +57,13 @@ optional_policy(`
|
||||
# ldconfig local policy
|
||||
#
|
||||
|
||||
allow ldconfig_t self:capability { dac_override sys_chroot };
|
||||
-allow ldconfig_t self:capability { dac_override sys_chroot };
|
||||
+allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot };
|
||||
|
||||
+manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
|
||||
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
|
||||
@ -39409,7 +39480,7 @@ index 0e3c2a9..ea9bd57 100644
|
||||
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
|
||||
+')
|
||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||
index 446fa99..d66491c 100644
|
||||
index 446fa99..fcf08ac 100644
|
||||
--- a/policy/modules/system/locallogin.te
|
||||
+++ b/policy/modules/system/locallogin.te
|
||||
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
|
||||
@ -39444,7 +39515,7 @@ index 446fa99..d66491c 100644
|
||||
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
|
||||
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
-allow local_login_t self:process { setrlimit setexec };
|
||||
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
|
||||
+allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
|
||||
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
|
||||
allow local_login_t self:fd use;
|
||||
allow local_login_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -39546,7 +39617,7 @@ index 446fa99..d66491c 100644
|
||||
#
|
||||
|
||||
-allow sulogin_t self:capability dac_override;
|
||||
+allow sulogin_t self:capability { dac_override sys_admin };
|
||||
+allow sulogin_t self:capability { dac_read_search dac_override sys_admin };
|
||||
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow sulogin_t self:fd use;
|
||||
allow sulogin_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -40303,7 +40374,7 @@ index 4e94884..0690edf 100644
|
||||
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
|
||||
+')
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 59b04c1..d9eb312 100644
|
||||
index 59b04c1..0114ad2 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
|
||||
@ -40458,6 +40529,15 @@ index 59b04c1..d9eb312 100644
|
||||
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(auditd_t)
|
||||
|
||||
@@ -219,7 +258,7 @@ optional_policy(`
|
||||
# audit dispatcher local policy
|
||||
#
|
||||
|
||||
-allow audisp_t self:capability { dac_override setpcap sys_nice };
|
||||
+allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice };
|
||||
allow audisp_t self:process { getcap signal_perms setcap setsched };
|
||||
allow audisp_t self:fifo_file rw_fifo_file_perms;
|
||||
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t)
|
||||
|
||||
domain_use_interactive_fds(audisp_t)
|
||||
@ -40543,7 +40623,7 @@ index 59b04c1..d9eb312 100644
|
||||
# sys_nice for rsyslog
|
||||
# cjp: why net_admin!
|
||||
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
|
||||
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
|
||||
+allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
|
||||
dontaudit syslogd_t self:capability sys_tty_config;
|
||||
+dontaudit syslogd_t self:cap_userns sys_ptrace;
|
||||
+allow syslogd_t self:capability2 { syslog block_suspend };
|
||||
@ -41239,7 +41319,7 @@ index 58bc27f..842ce28 100644
|
||||
+
|
||||
+
|
||||
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
|
||||
index 79048c4..262c9ec 100644
|
||||
index 79048c4..b0cb1e5 100644
|
||||
--- a/policy/modules/system/lvm.te
|
||||
+++ b/policy/modules/system/lvm.te
|
||||
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
|
||||
@ -41323,7 +41403,13 @@ index 79048c4..262c9ec 100644
|
||||
ccs_stream_connect(clvmd_t)
|
||||
')
|
||||
|
||||
@@ -170,15 +181,22 @@ dontaudit lvm_t self:capability sys_tty_config;
|
||||
@@ -165,20 +176,27 @@ optional_policy(`
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
# rawio needed for dmraid
|
||||
# net_admin for multipath
|
||||
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
|
||||
+allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
|
||||
dontaudit lvm_t self:capability sys_tty_config;
|
||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
|
||||
# LVM will complain a lot if it cannot set its priority.
|
||||
allow lvm_t self:process setsched;
|
||||
@ -42099,7 +42185,7 @@ index 7449974..b792900 100644
|
||||
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
|
||||
+')
|
||||
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
||||
index 7a363b8..6d92782 100644
|
||||
index 7a363b8..aa59857 100644
|
||||
--- a/policy/modules/system/modutils.te
|
||||
+++ b/policy/modules/system/modutils.te
|
||||
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
|
||||
@ -42205,7 +42291,7 @@ index 7a363b8..6d92782 100644
|
||||
#
|
||||
|
||||
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
|
||||
+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
|
||||
+allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config };
|
||||
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow insmod_t self:udp_socket create_socket_perms;
|
||||
@ -44134,7 +44220,7 @@ index 3822072..d358162 100644
|
||||
+ allow semanage_t $1:dbus send_msg;
|
||||
+')
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index dc46420..67f4de1 100644
|
||||
index dc46420..1a0d4fb 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -11,14 +11,16 @@ gen_require(`
|
||||
@ -44223,7 +44309,7 @@ index dc46420..67f4de1 100644
|
||||
|
||||
type restorecond_var_run_t;
|
||||
files_pid_file(restorecond_var_run_t)
|
||||
@@ -92,34 +105,43 @@ type run_init_t;
|
||||
@@ -92,40 +105,49 @@ type run_init_t;
|
||||
type run_init_exec_t;
|
||||
application_domain(run_init_t, run_init_exec_t)
|
||||
domain_system_change_exemption(run_init_t)
|
||||
@ -44276,6 +44362,13 @@ index dc46420..67f4de1 100644
|
||||
########################################
|
||||
#
|
||||
# Checkpolicy local policy
|
||||
#
|
||||
|
||||
-allow checkpolicy_t self:capability dac_override;
|
||||
+allow checkpolicy_t self:capability { dac_read_search dac_override };
|
||||
|
||||
# able to create and modify binary policy files
|
||||
manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
|
||||
@@ -137,6 +159,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||
@ -44293,6 +44386,15 @@ index dc46420..67f4de1 100644
|
||||
userdom_use_all_users_fds(checkpolicy_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
@@ -165,7 +188,7 @@ ifdef(`distro_ubuntu',`
|
||||
# Load_policy local policy
|
||||
#
|
||||
|
||||
-allow load_policy_t self:capability dac_override;
|
||||
+allow load_policy_t self:capability { dac_read_search dac_override };
|
||||
|
||||
# only allow read of policy config files
|
||||
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
|
||||
@@ -188,13 +211,13 @@ term_list_ptys(load_policy_t)
|
||||
|
||||
init_use_script_fds(load_policy_t)
|
||||
@ -44337,7 +44439,7 @@ index dc46420..67f4de1 100644
|
||||
#
|
||||
|
||||
-allow newrole_t self:capability { fowner setuid setgid dac_override };
|
||||
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
|
||||
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override };
|
||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow newrole_t self:process setexec;
|
||||
allow newrole_t self:fd use;
|
||||
@ -44899,7 +45001,7 @@ index dc46420..67f4de1 100644
|
||||
+ dbus_read_pid_files(setfiles_domain)
|
||||
')
|
||||
|
||||
+allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };
|
||||
+allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource };
|
||||
+dontaudit policy_manager_domain self:capability sys_tty_config;
|
||||
+allow policy_manager_domain self:process { signal setsched };
|
||||
+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -45675,7 +45777,7 @@ index 2cea692..e3cb4f2 100644
|
||||
+ files_etc_filetrans($1, net_conf_t, file)
|
||||
+')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index a392fc4..b7497fc 100644
|
||||
index a392fc4..41a5b08 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
|
||||
@ -45717,11 +45819,13 @@ index a392fc4..b7497fc 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
init_daemon_run_dir(net_conf_t, "network")
|
||||
@@ -48,10 +61,11 @@ ifdef(`distro_debian',`
|
||||
@@ -47,11 +60,12 @@ ifdef(`distro_debian',`
|
||||
#
|
||||
# DHCP client local policy
|
||||
#
|
||||
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
|
||||
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
|
||||
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
|
||||
+allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
|
||||
+dontaudit dhcpc_t self:capability sys_tty_config;
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||
@ -48035,7 +48139,7 @@ index 0000000..d1356af
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..54d6359
|
||||
index 0000000..35fc2b8
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,1020 @@
|
||||
@ -48197,7 +48301,7 @@ index 0000000..54d6359
|
||||
+#
|
||||
+
|
||||
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
|
||||
+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config sys_admin };
|
||||
+allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
|
||||
+allow systemd_logind_t self:capability2 block_suspend;
|
||||
+allow systemd_logind_t self:process getcap;
|
||||
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
@ -48359,7 +48463,7 @@ index 0000000..54d6359
|
||||
+# systemd_machined local policy
|
||||
+#
|
||||
+
|
||||
+allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace kill };
|
||||
+allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill };
|
||||
+allow systemd_machined_t systemd_unit_file_t:service { status start };
|
||||
+allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
@ -48414,7 +48518,7 @@ index 0000000..54d6359
|
||||
+# systemd-networkd local policy
|
||||
+#
|
||||
+
|
||||
+allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap };
|
||||
+allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap };
|
||||
+allow systemd_networkd_t self:process { getcap setcap };
|
||||
+
|
||||
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
@ -48477,7 +48581,7 @@ index 0000000..54d6359
|
||||
+# Local policy
|
||||
+#
|
||||
+
|
||||
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
|
||||
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override };
|
||||
+allow systemd_passwd_agent_t self:process { setsockcreate };
|
||||
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
@ -48521,7 +48625,7 @@ index 0000000..54d6359
|
||||
+# Local policy
|
||||
+#
|
||||
+
|
||||
+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod sys_admin };
|
||||
+allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
|
||||
+allow systemd_tmpfiles_t self:process { setfscreate };
|
||||
+
|
||||
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -48792,7 +48896,7 @@ index 0000000..54d6359
|
||||
+# Timedated policy
|
||||
+#
|
||||
+
|
||||
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
|
||||
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override };
|
||||
+allow systemd_timedated_t self:process { getattr getsched setfscreate };
|
||||
+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 266%{?dist}
|
||||
Release: 267%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -683,6 +683,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
|
||||
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.13.1-266
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user