From 6337678e766b3e7da18b6f9916c215db8f0ea101 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mon, 17 Mar 2014 08:59:51 +0100
Subject: [PATCH] - Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
---
policy-rawhide-base.patch | 329 +++++++++++++++++++----------------
policy-rawhide-contrib.patch | 122 ++++++++-----
selinux-policy.spec | 22 ++-
3 files changed, 275 insertions(+), 198 deletions(-)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 18e996e3..88466e42 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..136b78e 100644 +index b191055..11bfc30 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5515,11 +5515,12 @@ index b191055..136b78e 100644 network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) -+network_port(conman, tcp,7890,s0, udp,7890,s0) -+network_port(connlcli, tcp,1358,s0, udp,1358,s0) - network_port(couchdb, tcp,5984,s0, udp,5984,s0) +-network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) ++network_port(conman, tcp,7890,s0, udp,7890,s0) ++network_port(connlcli, tcp,1358,s0, udp,1358,s0) ++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) @@ -13159,7 +13160,7 @@ index f962f76..ae94e80 100644 + allow $1 etc_t:service status; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 1a03abd..dfcd2ad 100644 +index 1a03abd..32a40f8 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.18.1) @@ -13179,7 +13180,7 @@ index 1a03abd..dfcd2ad 100644 # For labeling types that are to be polyinstantiated attribute polydir; -@@ -48,47 +52,55 @@ attribute usercanread; +@@ -48,47 +52,53 @@ attribute usercanread; # type boot_t; files_mountpoint(boot_t) @@ -13223,12 +13224,11 @@ index 1a03abd..dfcd2ad 100644 # generated during initialization. # -type etc_runtime_t; -+type etc_runtime_t, configfile; - files_type(etc_runtime_t) - #Temporarily in policy until FC5 dissappears - typealias etc_runtime_t alias firstboot_rw_t; - - # +-files_type(etc_runtime_t) +-#Temporarily in policy until FC5 dissappears +-typealias etc_runtime_t alias firstboot_rw_t; +- +-# -# file_t is the default type of a file that has not yet been -# assigned an extended attribute (EA) value (when using a filesystem -# that supports EAs). 
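Review bot: The reworked files.te change drops `typealias etc_runtime_t alias firstboot_rw_t;` and, in the next hunk, swaps `files_type(etc_runtime_t)` for `files_ro_base_file(etc_runtime_t)`; once the alias is gone any module that still names firstboot_rw_t stops building, so confirm nothing in the contrib policy references it before this lands. files_ro_base_file() presumably places etc_runtime_t in the base read-only file set that a broad group of domains is allowed to read, which is a wider grant than files_type() for content generated at runtime under /etc — confirm that widening is intended. A one-line comment next to the new lines, `# runtime-generated /etc content; readable as a base ro file`, would record the reason for the change.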
@@ -13237,8 +13237,10 @@ index 1a03abd..dfcd2ad 100644 -files_mountpoint(file_t) -kernel_rootfs_mountpoint(file_t) -sid file gen_context(system_u:object_r:file_t,s0) -- --# ++type etc_runtime_t, configfile; ++files_ro_base_file(etc_runtime_t) + + # # home_root_t is the type for the directory where user home directories # are created # @@ -13247,7 +13249,7 @@ index 1a03abd..dfcd2ad 100644 files_mountpoint(home_root_t) files_poly_parent(home_root_t) -@@ -96,12 +108,13 @@ files_poly_parent(home_root_t) +@@ -96,12 +106,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; @@ -13262,7 +13264,7 @@ index 1a03abd..dfcd2ad 100644 files_mountpoint(mnt_t) # -@@ -123,6 +136,7 @@ files_type(readable_t) +@@ -123,6 +134,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; @@ -13270,7 +13272,7 @@ index 1a03abd..dfcd2ad 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) @@ -13325,7 +13327,7 @@ index 1a03abd..dfcd2ad 100644 files_lock_file(var_lock_t) files_mountpoint(var_lock_t) -@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t) +@@ -180,6 +201,7 @@ files_mountpoint(var_lock_t) # used for pid and other runtime files. # type var_run_t; @@ -13333,7 +13335,7 @@ index 1a03abd..dfcd2ad 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -187,7 +211,9 @@ files_mountpoint(var_run_t) +@@ -187,7 +209,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; 
@@ -13343,7 +13345,7 @@ index 1a03abd..dfcd2ad 100644 ######################################## # -@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile) +@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile) # # Create/access any file in a labeled filesystem; @@ -24413,7 +24415,7 @@ index 6bf0ecc..bf98136 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..c52fbe6 100644 +index 8b40377..95dde04 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -24621,7 +24623,7 @@ index 8b40377..c52fbe6 100644 userdom_user_tmpfs_file(xserver_tmpfs_t) type xsession_exec_t; -@@ -226,21 +288,33 @@ optional_policy(` +@@ -226,21 +288,35 @@ optional_policy(` # allow iceauth_t iceauth_home_t:file manage_file_perms; @@ -24642,6 +24644,10 @@ index 8b40377..c52fbe6 100644 -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(iceauth_t) -') ++xserver_filetrans_home_content(iceauth_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(iceauth_t) +ifdef(`hide_broken_symptoms',` + dev_dontaudit_read_urand(iceauth_t) + dev_dontaudit_rw_dri(iceauth_t) @@ -24649,9 +24655,7 @@ index 8b40377..c52fbe6 100644 + fs_dontaudit_list_inotifyfs(iceauth_t) + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files(iceauth_t) ++ + userdom_dontaudit_read_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_tmp_files(iceauth_t) @@ -24662,7 +24666,7 @@ index 8b40377..c52fbe6 100644 ') ######################################## -@@ -248,48 +322,89 @@ tunable_policy(`use_samba_home_dirs',` +@@ -248,48 +324,90 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # 
@@ -24725,6 +24729,7 @@ index 8b40377..c52fbe6 100644 +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") @@ -24763,7 +24768,7 @@ index 8b40377..c52fbe6 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +415,109 @@ optional_policy(` +@@ -300,64 +418,109 @@ optional_policy(` # XDM Local policy # @@ -24791,10 +24796,10 @@ index 8b40377..c52fbe6 100644 allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; +allow xdm_t self:dbus { send_msg acquire_svc }; -+ -+allow xdm_t xauth_home_t:file manage_file_perms; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++allow xdm_t xauth_home_t:file manage_file_perms; ++ +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) @@ -24883,7 +24888,7 @@ index 8b40377..c52fbe6 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +529,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
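Review bot: The new `userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)` has no filename, so every file xauth_t creates directly in a user's home directory now defaults to xauth_home_t; the three named `.Xauthority*` transitions kept below it map to the same type and become redundant. If the catch-all is intended, say so with a comment above it such as `# label anything xauth creates in $HOME as xauth_home_t, not only .Xauthority*`; otherwise drop the unnamed rule and keep the named ones. The xauth_t section continues outside the hunk.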
@@ -24916,7 +24921,7 @@ index 8b40377..c52fbe6 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +562,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -24970,7 +24975,7 @@ index 8b40377..c52fbe6 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +612,28 @@ files_list_mnt(xdm_t) +@@ -431,9 +615,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -24999,7 +25004,7 @@ index 8b40377..c52fbe6 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +645,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -25048,7 +25053,7 @@ index 8b40377..c52fbe6 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +692,149 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25204,7 +25209,7 @@ index 8b40377..c52fbe6 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -503,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -503,11 +848,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` 
@@ -25231,7 +25236,7 @@ index 8b40377..c52fbe6 100644 ') optional_policy(` -@@ -517,9 +874,34 @@ optional_policy(` +@@ -517,9 +877,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -25239,17 +25244,17 @@ index 8b40377..c52fbe6 100644 + optional_policy(` + accountsd_dbus_chat(xdm_t) + ') -+ -+ optional_policy(` + + optional_policy(` +- accountsd_dbus_chat(xdm_t) + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + cpufreqselector_dbus_chat(xdm_t) + ') - - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ ++ optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -25267,7 +25272,7 @@ index 8b40377..c52fbe6 100644 ') ') -@@ -530,6 +912,20 @@ optional_policy(` +@@ -530,6 +915,20 @@ optional_policy(` ') optional_policy(` @@ -25288,7 +25293,7 @@ index 8b40377..c52fbe6 100644 hostname_exec(xdm_t) ') -@@ -547,28 +943,78 @@ optional_policy(` +@@ -547,28 +946,78 @@ optional_policy(` ') optional_policy(` @@ -25376,7 +25381,7 @@ index 8b40377..c52fbe6 100644 ') optional_policy(` -@@ -580,6 +1026,14 @@ optional_policy(` +@@ -580,6 +1029,14 @@ optional_policy(` ') optional_policy(` @@ -25391,7 +25396,7 @@ index 8b40377..c52fbe6 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1048,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1051,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -25400,7 +25405,7 @@ index 8b40377..c52fbe6 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1061,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -25413,7 +25418,7 @@ index 8b40377..c52fbe6 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1078,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -25429,7 +25434,7 @@ index 8b40377..c52fbe6 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1094,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -25440,7 +25445,7 @@ index 8b40377..c52fbe6 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1106,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1109,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -25477,7 +25482,7 @@ index 8b40377..c52fbe6 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1152,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1155,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -25509,7 +25514,7 @@ index 8b40377..c52fbe6 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1185,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1188,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -25524,7 +25529,7 @@ index 8b40377..c52fbe6 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1206,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1209,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -25548,7 +25553,7 @@ index 8b40377..c52fbe6 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1228,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -25557,7 +25562,7 @@ index 8b40377..c52fbe6 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1269,44 @@ optional_policy(` +@@ -785,17 +1272,44 @@ optional_policy(` ') optional_policy(` @@ -25604,7 +25609,7 @@ index 8b40377..c52fbe6 100644 ') optional_policy(` -@@ -803,6 +1314,10 @@ optional_policy(` +@@ -803,6 +1317,10 @@ optional_policy(` ') optional_policy(` 
@@ -25615,7 +25620,7 @@ index 8b40377..c52fbe6 100644 xfs_stream_connect(xserver_t) ') -@@ -818,10 +1333,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -25629,7 +25634,7 @@ index 8b40377..c52fbe6 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -829,7 +1344,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -829,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -25638,7 +25643,7 @@ index 8b40377..c52fbe6 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1357,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1360,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -25673,7 +25678,7 @@ index 8b40377..c52fbe6 100644 ') optional_policy(` -@@ -912,7 +1422,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -25682,7 +25687,7 @@ index 8b40377..c52fbe6 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1476,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -25714,7 +25719,7 @@ index 8b40377..c52fbe6 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1522,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -34949,7 +34954,7 @@ index a38605e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..fb1c881 100644 +index 4584457..c2ae1ea 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,13 @@ interface(`mount_domtrans',` @@ -34974,7 +34979,7 @@ index 4584457..fb1c881 100644 ') mount_domtrans($1) -@@ -47,6 +55,92 @@ interface(`mount_run',` +@@ -47,6 +55,110 @@ interface(`mount_run',` ######################################## ## @@ -35043,6 +35048,24 @@ index 4584457..fb1c881 100644 + files_search_pids($1) +') + ++####################################### ++## ++## Do not audit attemps to write mount PID files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mount_dontaudit_write_mount_pid',` ++ gen_require(` ++ type mount_var_run_t; ++ ') ++ ++ dontaudit $1 mount_var_run_t:file write; ++') ++ +######################################## +## +## Manage mount PID files. 
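Review bot: The description of the new `mount_dontaudit_write_mount_pid` interface misspells attempts; it should read `## Do not audit attempts to write mount PID files.`. The rule only suppresses the audit record for `mount_var_run_t:file write` — the access is still denied — and since this patch later calls it for unpriv_userdomain, anyone debugging a mount failure for an unprivileged user will need `semodule -DB` to see the denial again, which is worth a short comment above the dontaudit line, e.g. `# mount run by unprivileged users tries to write /run/mount; deny silently`.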
@@ -35067,7 +35090,7 @@ index 4584457..fb1c881 100644 ## Execute mount in the caller domain. ## ## -@@ -91,7 +185,7 @@ interface(`mount_signal',` +@@ -91,7 +203,7 @@ interface(`mount_signal',` ## ## ## @@ -35076,7 +35099,7 @@ index 4584457..fb1c881 100644 ## ## # -@@ -131,45 +225,184 @@ interface(`mount_send_nfs_client_request',` +@@ -131,45 +243,184 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -35142,15 +35165,12 @@ index 4584457..fb1c881 100644 # -interface(`mount_run_unconfined',` +interface(`mount_exec_fusermount',` - gen_require(` -- type unconfined_mount_t; ++ gen_require(` + type fusermount_exec_t; - ') - -- mount_domtrans_unconfined($1) -- role $2 types unconfined_mount_t; ++ ') ++ + can_exec($1, fusermount_exec_t) - ') ++') + +######################################## +## @@ -35163,12 +35183,15 @@ index 4584457..fb1c881 100644 +## +# +interface(`mount_dontaudit_exec_fusermount',` -+ gen_require(` + gen_require(` +- type unconfined_mount_t; + type fusermount_exec_t; -+ ') -+ + ') + +- mount_domtrans_unconfined($1) +- role $2 types unconfined_mount_t; + dontaudit $1 fusermount_exec_t:file exec_file_perms; -+') + ') + +###################################### +## @@ -39676,10 +39699,10 @@ index 0000000..8bca1d7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..188a153 +index 0000000..ca13b14 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,677 @@ +@@ -0,0 +1,680 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -39776,6 +39799,9 @@ index 0000000..188a153 +mls_file_read_all_levels(systemd_logind_t) +mls_file_write_all_levels(systemd_logind_t) + ++fs_mount_tmpfs(systemd_logind_t) ++fs_unmount_tmpfs(systemd_logind_t) ++ +manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t) +manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t) +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger") @@ -39861,8 +39887,8 @@ index 0000000..188a153 + +userdom_read_all_users_state(systemd_logind_t) +userdom_use_user_ttys(systemd_logind_t) -+userdom_manage_all_user_tmp_content(systemd_logind_t) -+userdom_manage_all_user_tmpfs_content(systemd_logind_t) ++userdom_manage_tmp_role(system_r, systemd_logind_t) ++userdom_manage_tmpfs_role(system_r, systemd_logind_t) + +xserver_dbus_chat(systemd_logind_t) + @@ -41487,10 +41513,10 @@ index 5ca20a9..e749152 100644 + corecmd_bin_domtrans($1, unconfined_service_t) ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902d..9382e97 100644 +index 5fe902d..fcc9efe 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,16 @@ +@@ -1,207 +1,20 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) @@ -41700,12 +41726,13 @@ index 5fe902d..9382e97 100644 - -allow unconfined_execmem_t self:process { execstack execmem }; -unconfined_domain_noaudit(unconfined_execmem_t) -- --optional_policy(` -- unconfined_dbus_chat(unconfined_execmem_t) --') +corecmd_bin_entry_type(unconfined_service_t) +corecmd_shell_entry_type(unconfined_service_t) + + optional_policy(` +- unconfined_dbus_chat(unconfined_execmem_t) ++ rpm_transition_script(unconfined_service_t, system_r) + ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..e4eb903 100644 --- a/policy/modules/system/userdomain.fc 
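Review bot: The new `fs_mount_tmpfs(systemd_logind_t)` and `fs_unmount_tmpfs(systemd_logind_t)` lines carry no comment, and nothing nearby says why a login manager needs to mount filesystems; the commit message ties it to /run/user/1000, so a comment above them such as `# logind mounts a per-user tmpfs under /run/user/<uid>` keeps that reason next to the rule. The systemd_logind_t section continues outside the hunk.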
@@ -41737,7 +41764,7 @@ index db75976..e4eb903 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..428fe58 100644 +index 9dc60c6..858bd7a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -42230,7 +42257,7 @@ index 9dc60c6..428fe58 100644 + type user_tmpfs_t; + ') + -+ allow $1 user_tmpfs_t:file manage_file_perms; ++ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +') + +####################################### @@ -42286,11 +42313,11 @@ index 9dc60c6..428fe58 100644 - gen_require(` - type $1_t; - ') -+interface(`userdom_basic_networking',` - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -- ++interface(`userdom_basic_networking',` + - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) 
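Review bot: Replacing `allow $1 user_tmpfs_t:file manage_file_perms;` with `manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)` widens the interface, because that refpolicy pattern also expands to `allow $1 user_tmpfs_t:dir rw_dir_perms;`, so every caller now gets directory write on user_tmpfs_t rather than file management alone. If that is the intent (the commit message mentions logind managing user_tmpfs_t), the interface description — which starts outside this hunk — should state that directories are written as well; otherwise keep the file-only allow and grant the directory access where logind needs it.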
@@ -42382,27 +42409,27 @@ index 9dc60c6..428fe58 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -42426,12 +42453,12 @@ index 9dc60c6..428fe58 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) - -- fs_rw_cgroup_files($1_t) ++ + application_getattr_socket($1_usertype) + + logging_send_syslog_msg($1_t) -+ + +- fs_rw_cgroup_files($1_t) + selinux_get_enforce_mode($1_t) # cjp: some of this probably can be removed 
@@ -42537,68 +42564,68 @@ index 9dc60c6..428fe58 100644 + + optional_policy(` + geoclue_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) + ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) - ') - - optional_policy(` -- consolekit_dbus_chat($1_t) + hal_dbus_chat($1_usertype) ') optional_policy(` -- cups_dbus_chat_config($1_t) +- consolekit_dbus_chat($1_t) + kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` -- hal_dbus_chat($1_t) +- cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) ') optional_policy(` -- networkmanager_dbus_chat($1_t) +- hal_dbus_chat($1_t) + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) ') optional_policy(` -- policykit_dbus_chat($1_t) +- networkmanager_dbus_chat($1_t) + policykit_dbus_chat($1_usertype) ') -+ -+ optional_policy(` + + optional_policy(` +- policykit_dbus_chat($1_t) + vpn_dbus_chat($1_usertype) -+ ') -+ ') -+ -+ optional_policy(` -+ git_role($1_r, $1_t) + ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ git_role($1_r, $1_t) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ++ ') ++ ++ optional_policy(` + lircd_stream_connect($1_usertype) ') 
@@ -42660,35 +42687,27 @@ index 9dc60c6..428fe58 100644 optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpc_dontaudit_getattr_exports($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpc_dontaudit_getattr_exports($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ slrnpull_search_spool($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` @@ -42697,6 +42716,14 @@ index 9dc60c6..428fe58 100644 - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") ++ seunshare_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ slrnpull_search_spool($1_usertype) ++ ') ++ ++ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') @@ -42721,7 +42748,9 @@ index 9dc60c6..428fe58 100644 + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -42729,9 +42758,7 @@ index 9dc60c6..428fe58 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') 
@@ -43138,16 +43165,16 @@ index 9dc60c6..428fe58 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + @@ -44391,7 +44418,7 @@ index 9dc60c6..428fe58 100644 ') ######################################## -@@ -3214,31 +3977,49 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,30 +3977,48 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -44424,7 +44451,6 @@ index 9dc60c6..428fe58 100644 ######################################## ## -## Do not audit attempts to relabel files from --## user pty types. +## Relabel files to unprivileged user pty types. +## +## @@ -44444,10 +44470,9 @@ index 9dc60c6..428fe58 100644 +######################################## +## +## Do not audit attempts to relabel files from -+## user pty types. + ## user pty types. ## ## - ## @@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46300,7 +46325,7 @@ index 9dc60c6..428fe58 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..711759c 100644 +index f4ac38d..7283238 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) 
@@ -46389,7 +46414,7 @@ index f4ac38d..711759c 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,384 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -46456,6 +46481,8 @@ index f4ac38d..711759c 100644 +dontaudit unpriv_userdomain self:dir setattr; +allow unpriv_userdomain self:key manage_key_perms; + ++mount_dontaudit_write_mount_pid(unpriv_userdomain) ++ +optional_policy(` + alsa_read_rw_config(unpriv_userdomain) + alsa_manage_home_files(unpriv_userdomain) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b5ed9efe..5449d471 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -11316,10 +11316,10 @@ index 0000000..57866f6 +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..8ea5b7c +index 0000000..a0fdbcb --- /dev/null +++ b/chrome.if -@@ -0,0 +1,133 @@ +@@ -0,0 +1,136 @@ + +## policy for chrome + @@ -11343,6 +11343,9 @@ index 0000000..8ea5b7c + + allow $1 chrome_sandbox_t:fd use; + ++ dontaudit chrome_sandbox_t $1:socket_class_set getattr; ++ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms; ++ + ifdef(`hide_broken_symptoms',` + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) + ') @@ -13273,7 +13276,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..26584f2 100644 +index 6471fa8..36c3464 100644 --- a/collectd.te +++ b/collectd.te 
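Review bot: `allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;` lets the sandbox read and write every unix stream socket owned by the calling domain, since policy cannot tell a leaked descriptor from any other; together with the `fd use` line above it this is a deliberate leak allowance and should be documented, e.g. `# chrome leaks unix_stream_sockets into the sandbox; allow rw on them rather than auditing each leak` above the two new lines. The `dontaudit chrome_sandbox_t $1:socket_class_set getattr;` hides the remaining leak symptoms rather than fixing them, which the same comment can say. The enclosing interface begins outside the hunk.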
@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t) @@ -13342,7 +13345,7 @@ index 6471fa8..26584f2 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +90,30 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +90,31 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` @@ -13355,6 +13358,7 @@ index 6471fa8..26584f2 100644 + +optional_policy(` virt_read_config(collectd_t) ++ virt_stream_connect(collectd_t) ') ######################################## @@ -16650,7 +16654,7 @@ index 1303b30..72481a7 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..23baf47 100644 +index 7de3859..24f2712 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,46 @@ gen_require(` @@ -16724,7 +16728,7 @@ index 7de3859..23baf47 100644 type crond_tmp_t; files_tmp_file(crond_tmp_t) files_poly_parent(crond_tmp_t) -@@ -92,15 +95,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; +@@ -92,15 +95,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; @@ -16739,12 +16743,13 @@ index 7de3859..23baf47 100644 init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) -domain_entry_file(system_cronjob_t, system_cron_spool_t) ++corecmd_bin_entry_type(system_cronjob_t) +role system_r types system_cronjob_t; +domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) -@@ -108,94 +112,34 @@ files_lock_file(system_cronjob_lock_t) +@@ -108,94 +113,34 @@ files_lock_file(system_cronjob_lock_t) type system_cronjob_tmp_t alias system_crond_tmp_t; files_tmp_file(system_cronjob_tmp_t) 
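Review bot: `virt_stream_connect(collectd_t)` is added inside the existing `virt_read_config` optional_policy with no tunable, so every collectd install that has the virt module loaded may connect to libvirtd's socket whether or not the libvirt plugin is in use. Connecting to libvirtd is, as far as I know, the path through which VMs are managed, so this is a larger privilege than reading its config; the file already keeps network connects opt-in behind `collectd_tcp_network_connect` (visible in the hunk header context) and the same pattern would fit here, e.g. a `gen_tunable` plus `tunable_policy(` around this one line (tunable name to be chosen). At minimum a comment should record which collectd plugin needs it.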
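Review bot: `corecmd_bin_entry_type(system_cronjob_t)` makes every bin_t executable an entrypoint for system_cronjob_t, a domain that the rest of this file section grants wide kernel, network and filesystem access; the surrounding context shows the narrower `domain_entry_file(system_cronjob_t, system_cron_spool_t)` already removed by the patch, so bin_t becomes the entrypoint set next to the shell and anacron entry types. A comment stating which launcher needs to enter the domain through a bin_t binary, e.g. `# system cron jobs are entered directly through bin_t executables, not only via the shell entrypoint`, would let a later reviewer judge whether the widening is still needed. Separately, the changelog entry in selinux-policy.spec names `systemd_cronjob_t`, but the type changed here is `system_cronjob_t`.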
@@ -16851,7 +16856,7 @@ index 7de3859..23baf47 100644 selinux_get_fs_mount(admin_crontab_t) selinux_validate_context(admin_crontab_t) selinux_compute_access_vector(admin_crontab_t) -@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t) +@@ -204,22 +149,26 @@ selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) tunable_policy(`fcron_crond',` @@ -16881,7 +16886,7 @@ index 7de3859..23baf47 100644 allow crond_t self:shm create_shm_perms; allow crond_t self:sem create_sem_perms; allow crond_t self:msgq create_msgq_perms; -@@ -227,7 +175,7 @@ allow crond_t self:msg { send receive }; +@@ -227,7 +176,7 @@ allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; @@ -16890,7 +16895,7 @@ index 7de3859..23baf47 100644 logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -@@ -237,73 +185,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +@@ -237,73 +186,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) @@ -16994,7 +16999,7 @@ index 7de3859..23baf47 100644 auth_use_nsswitch(crond_t) logging_send_audit_msgs(crond_t) -@@ -312,41 +255,46 @@ logging_set_loginuid(crond_t) +@@ -312,41 +256,46 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -17057,7 +17062,7 @@ index 7de3859..23baf47 100644 ') optional_policy(` -@@ -354,103 +302,135 @@ optional_policy(` +@@ -354,103 +303,135 @@ optional_policy(` ') optional_policy(` 
@@ -17224,7 +17229,7 @@ index 7de3859..23baf47 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -461,11 +441,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -461,11 +442,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -17237,7 +17242,7 @@ index 7de3859..23baf47 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -485,6 +465,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -485,6 +466,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -17245,7 +17250,7 @@ index 7de3859..23baf47 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -495,17 +476,22 @@ files_getattr_all_files(system_cronjob_t) +@@ -495,17 +477,22 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -17270,7 +17275,7 @@ index 7de3859..23baf47 100644 auth_use_nsswitch(system_cronjob_t) -@@ -516,20 +502,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -516,20 +503,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -17300,7 +17305,7 @@ index 7de3859..23baf47 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +531,18 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +532,18 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
@@ -17319,7 +17324,7 @@ index 7de3859..23baf47 100644 ') optional_policy(` -@@ -551,10 +551,6 @@ optional_policy(` +@@ -551,10 +552,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -17330,7 +17335,7 @@ index 7de3859..23baf47 100644 ') optional_policy(` -@@ -591,6 +587,7 @@ optional_policy(` +@@ -591,6 +588,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -17338,7 +17343,7 @@ index 7de3859..23baf47 100644 ') optional_policy(` -@@ -598,7 +595,23 @@ optional_policy(` +@@ -598,7 +596,23 @@ optional_policy(` ') optional_policy(` @@ -17362,7 +17367,7 @@ index 7de3859..23baf47 100644 ') optional_policy(` -@@ -608,6 +621,7 @@ optional_policy(` +@@ -608,6 +622,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -17370,7 +17375,7 @@ index 7de3859..23baf47 100644 ') optional_policy(` -@@ -615,12 +629,24 @@ optional_policy(` +@@ -615,12 +630,24 @@ optional_policy(` ') optional_policy(` @@ -17397,7 +17402,7 @@ index 7de3859..23baf47 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +654,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +655,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -17431,7 +17436,7 @@ index 7de3859..23baf47 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +687,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +688,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) 
@@ -18130,7 +18135,7 @@ index 949011e..afe482b 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 3023be7..20e370b 100644 +index 3023be7..303af85 100644 --- a/cups.if +++ b/cups.if @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` @@ -18207,7 +18212,7 @@ index 3023be7..20e370b 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -368,13 +399,44 @@ interface(`cups_admin',` +@@ -368,13 +399,45 @@ interface(`cups_admin',` logging_list_logs($1) admin_pattern($1, cupsd_log_t) @@ -18256,6 +18261,7 @@ index 3023be7..20e370b 100644 + files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") + files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te index c91813c..2230476 100644 @@ -23932,7 +23938,7 @@ index c880070..4448055 100644 -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if -index d5badb7..f439164 100644 +index d5badb7..c2431fc 100644 --- a/dovecot.if +++ b/dovecot.if @@ -1,29 +1,49 @@ @@ -24059,7 +24065,7 @@ index d5badb7..f439164 100644 ## ## ## -@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',` allow $1 dovecot_tmp_t:file write; ') @@ -24079,6 +24085,7 @@ index d5badb7..f439164 100644 + ') + + files_search_etc($1) ++ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t) + read_files_pattern($1, dovecot_etc_t, dovecot_etc_t) +') + 
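Review bot: `files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")` keys on the generic var type, so it fires for a `cups` directory created in any directory carrying that label, not only /var/cache as the changelog describes; conversely, if /var/cache carries a more specific type in this policy, the transition will not fire there at all, so the label of /var/cache should be checked against files.fc before relying on it. Labelling a cache directory with the rw_etc type also means cupsd can write configuration-typed content under /var, which is consistent with the existing `cupsd_rw_etc_t` rules but deserves a comment, e.g. `# cupsd writes /var/cache/cups; it shares the rw_etc type with /etc/cups content`. The interface this line belongs to begins outside the hunk.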
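Review bot: `list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)` is a sensible companion to the existing `read_files_pattern` on the same type, but the changelog entry for it names `doveconf_etc_t`, a type that does not appear in this hunk; the type granted is `dovecot_etc_t`. The interface header and its summary are outside the hunk; if the summary only mentions reading files, it should now say the caller may list the config directories too, e.g. `## Read dovecot configuration files and list their directories.`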
@@ -24091,7 +24098,7 @@ index d5badb7..f439164 100644 ## ## ## -@@ -132,7 +167,7 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',` ## ## ## @@ -24100,7 +24107,7 @@ index d5badb7..f439164 100644 ## ## ## -@@ -146,9 +181,13 @@ interface(`dovecot_admin',` +@@ -146,9 +182,13 @@ interface(`dovecot_admin',` type dovecot_keytab_t; ') @@ -24115,7 +24122,7 @@ index d5badb7..f439164 100644 init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dovecot_initrc_exec_t system_r; -@@ -157,20 +196,25 @@ interface(`dovecot_admin',` +@@ -157,20 +197,25 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, { dovecot_keytab_t dovecot_etc_t }) @@ -30767,7 +30774,7 @@ index ab09d61..d0bfef0 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..e9adc23 100644 +index 63893eb..8720f49 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -30806,7 +30813,7 @@ index 63893eb..e9adc23 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +@@ -31,105 +50,226 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; 
@@ -31034,6 +31041,7 @@ index 63893eb..e9adc23 100644 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) +manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) +files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) ++fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) +userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir }) -kernel_read_system_state(gkeyringd_domain) @@ -43487,10 +43495,10 @@ index 0000000..b694afc +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..7128926 100644 +index 6ffaba2..549fb8c 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,71 @@ +@@ -1,38 +1,72 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -43514,6 +43522,7 @@ index 6ffaba2..7128926 100644 +HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -43597,7 +43606,7 @@ index 6ffaba2..7128926 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..03c6414 100644 +index 6194b80..cafb2b0 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ 
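Review bot: `fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)` is a name-less transition, so every directory a keyring daemon creates in any tmpfs_t directory becomes gkeyringd_tmp_t. That matches the unnamed `files_tmp_filetrans` and `userdom_user_tmp_filetrans` lines beside it, but if the daemon creates a fixed directory name under tmpfs (the changelog does not say which path), passing that name as the fourth argument would keep the transition from capturing unrelated directories. A why-comment would help, e.g. `# keyring daemon creates its runtime dir on a tmpfs mount — TODO confirm the path and name the transition`.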
@@ -44308,7 +44317,7 @@ index 6194b80..03c6414 100644 ## ## ## -@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -44386,6 +44395,7 @@ index 6194b80..03c6414 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex") + optional_policy(` + gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") ++ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web") + ') ') + @@ -84729,10 +84739,10 @@ index 0000000..3258f45 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..01ff0ea +index 0000000..956922c --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,496 @@ +@@ -0,0 +1,500 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -84947,6 +84957,10 @@ index 0000000..01ff0ea +storage_dontaudit_rw_fuse(sandbox_x_domain) + +optional_policy(` ++ bluetooth_dbus_chat(sandbox_x_domain) ++') ++ ++optional_policy(` + consolekit_dbus_chat(sandbox_x_domain) +') + @@ -89257,7 +89271,7 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 1af72df..f63015b 100644 +index 1af72df..7e55b50 100644 --- a/snort.te +++ b/snort.te @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) 
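Review bot: `bluetooth_dbus_chat(sandbox_x_domain)` is granted on the whole sandbox_x_domain attribute, so every sandboxed X type, not only the one that hit a denial, can exchange D-Bus messages with bluetoothd in both directions (the refpolicy `*_dbus_chat` interfaces allow send_msg both ways). That opens a new channel from the sandbox to a privileged system daemon; if a single sandbox type needs it, granting it to that type is narrower, and in any case a comment naming the use case would make the scope visible, e.g. `# D-Bus access to bluetoothd — TODO name which sandbox type needs this and scope it down`.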
@@ -89275,7 +89289,18 @@ index 1af72df..f63015b 100644 allow snort_t self:netlink_firewall_socket create_socket_perms; allow snort_t snort_etc_t:dir list_dir_perms; -@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t) +@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms; + allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) +-append_files_pattern(snort_t, snort_log_t, snort_log_t) +-create_files_pattern(snort_t, snort_log_t, snort_log_t) +-setattr_files_pattern(snort_t, snort_log_t, snort_log_t) ++manage_files_pattern(snort_t, snort_log_t, snort_log_t) + logging_log_filetrans(snort_t, snort_log_t, { file dir }) + + manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) +@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) kernel_read_network_state(snort_t) @@ -89283,7 +89308,7 @@ index 1af72df..f63015b 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t) +@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t) domain_use_interactive_fds(snort_t) @@ -101913,10 +101938,10 @@ index 0000000..7933d80 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..5ce7d9c +index 0000000..d59b917 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,94 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -102006,6 +102031,11 @@ index 0000000..5ce7d9c +corecmd_exec_bin(vmtools_helper_t) + +userdom_stream_connect(vmtools_helper_t) ++ ++optional_policy(` ++ unconfined_domain(vmtools_helper_t) ++') ++ diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 --- a/vmware.if @@ -102295,7 +102325,7 @@ index 7a7f342..afedcba 100644 ## ## diff --git a/vpn.te b/vpn.te -index 95b26d1..28e0030 100644 +index 95b26d1..3d74e70 100644 --- a/vpn.te +++ b/vpn.te 
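Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on snort_log_t with `manage_files_pattern(snort_t, snort_log_t, snort_log_t)` gives the IDS process write, rename and unlink on its own alert logs; the previous append/create-only set is what kept a compromised snort from rewriting or removing the evidence it produced, which is the usual reason IDS and audit log rules stay append-only. If a specific denial drove this (the changelog says only "manage its log files"), adding the one missing pattern next to the three original ones, e.g. `delete_files_pattern(snort_t, snort_log_t, snort_log_t)` for rotation, keeps that property; otherwise a comment should record why full write access is required.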
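Review bot: `unconfined_domain(vmtools_helper_t)` removes all confinement from the helper, which makes the targeted rules above it in this file section (`corecmd_exec_bin`, `userdom_stream_connect` and the rest of the helper's policy) dead weight and means a compromise of the guest helper is a compromise of the guest. The changelog says "Run vmtools as unconfined domains", yet only vmtools_helper_t receives the rule in this hunk, so either the other vmtools domains were meant to get it too or the changelog overstates the change. If unconfinement is the intended end state, a comment above the optional_policy explaining why confinement was abandoned, e.g. `# unconfined on purpose: REASON-PLACEHOLDER; remove the confined rules above once this is final`, would stop a later maintainer from tightening it by accident. The hunk also adds an empty line after the closing `')`, leaving a trailing blank line at end of file.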
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0) @@ -102407,7 +102437,7 @@ index 95b26d1..28e0030 100644 - -optional_policy(` - seutil_use_newrole_fds(vpnc_t) -+ networkmanager_delete_pid_files(vpnc_t) ++ networkmanager_manage_pid_files(vpnc_t) ') diff --git a/w3c.fc b/w3c.fc index 463c799..227feaf 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index 840b31c7..29241e91 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 36%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -580,6 +580,26 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 17 2014 Miroslav Grepl 3.13.1-37 +- Allow collectd to talk to libvirt +- Allow chrome_sandbox to use leaked unix_stream_sockets +- Dontaudit leaks of sockets into chrome_sandbox_t +- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t +- Run vmtools as unconfined domains +- Allow snort to manage its log files +- Allow systemd_cronjob_t to be entered via bin_t +- Allow procman to list doveconf_etc_t +- allow keyring daemon to create content in tmpfs directories +- Add proper labelling for icedtea-web +- vpnc is creating content in networkmanager var run directory +- unconfined_service should be allowed to transition to rpm_script_t +- Allow couchdb to listen on port 6984 +- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command +- Allow systemd-logind to setup user tmpfs directories +- Add additional fixes for systemd_networkd_t +- Allow systemd-logind to manage user_tmpfs_t +- Allow systemd-logind to mount /run/user/1000 to get gdm working + * Fri Mar 14 2014 Miroslav Grepl 3.13.1-36 - Add additional fixes for systemd_networkd_t - Allow systemd-logind to manage user_tmpfs_t
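Review bot: Changing `networkmanager_delete_pid_files(vpnc_t)` to `networkmanager_manage_pid_files(vpnc_t)` lets vpnc create, overwrite, rename and delete every file of NetworkManager's pid type, not only the file it creates under NetworkManager's run directory, so a vpnc process brought up for an untrusted VPN could clobber NetworkManager's own state there. If vpnc only needs to create its own file, a `filetrans_pattern` from the NetworkManager run directory into a vpnc-owned run type, plus search on that directory, would be narrower. At minimum a comment with the path vpnc writes, e.g. `# vpnc creates FILENAME-PLACEHOLDER under NetworkManager's run dir — confirm name before narrowing to a filetrans`, would let someone tighten this later.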