From 64f816485266a757ddce13bedfb2f67e86f5ccec Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Mon, 18 Apr 2016 13:42:21 +0200
Subject: [PATCH] * Mon Apr 18 2016 Lukas Vrabec 3.13.1-183
- Allow modemmanager to talk to logind
- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
- Allow GDM write to event devices. This rule is needed for GDM, because other display managers run the X server as root; GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
- Xorg now writes content in users' homedir.

---
 docker-selinux.tgz           | Bin 4315 -> 4317 bytes
 policy-rawhide-base.patch    |  44 ++++++++++++++++------------
 policy-rawhide-contrib.patch |  54 ++++++++++++++++++++++++-----------
 selinux-policy.spec          |   8 +++++-
 4 files changed, 69 insertions(+), 37 deletions(-)
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 6e99a9d1aa7d013af55db34e473f7e63be682ff0..a7af2a1470d0a469855a2d7550edde8653b2f19b 100644 GIT binary patch delta 4242 zcmV;D5N+?AQ=ABzY8y2lh(00Zq@>yO(u63KlQnh3w;U@$!7RT*PHf;yei{iRyS8uF~S{ zo9pxCLIH% zoC4Q6%?MRpN@_0pV`}P?5-(SuFC$!+_G+dBMf@)kC8m7&LVjJz)-WVKH$Im6^7ZQC zf+LH6W`~*8K#wY9x{Ye`WW>xzGf~ijc7m9*lrmIcr<5g%{d;tEM)d1WHp8Htl>;P?W*{BDI*&*nEMn$wCPs~Q; zd{B>Lr6l&l?3Cgjd>$Up()AbX$!yrhlA W048nY_mn_m5!vz{-@XKS0J5UHM4K z9=hnre~3us2T<$WoaDn8Mi(<*e;}t45L=n=^b{0lwWWKEo3>05J%y_$B30r zrCf8%DkOrIIOZan)0N;2<1C`o(-m*)_q8IjyJSv(`2TZ=w^9C4_Wg5KH@+z%snzX& ziloJ6Qn!w0LfNlrF|G57@J6kM)_-#Y|K7mAw?}lOe*VW#PhltE-ba-tGxmYHDLhsM zaOhN5m810U95>{mq`o^mA2TTSUXEZ^kh`ahciF5z}91X?1UAq6cK zBt`O?WF>mdAe9u9g|`IqQp|GY)};UrufS655?mXBV@H3+Fg}xo19gA;5O3>HsQNC1 z&W|HlyhKdaMqy%CR077#H7VE}@#59*W4HP?1LODc~{6x_kd$OxpM`_s5 zQTeRgaJ6><$_>f|xGi&HFSOjIG+Y43^YfVq6z+sw7`!zb2i#(f z@H);?kh;VG!EC^#;sSqiqHxJ6gzP@<^sUyz+rJ6~jQ$OPDc+Qw)R58u-C3ub3sT%2 z2X9+aMvn)@z1*Xq)r6MW-389~KtQnwxU)+jFnu)`fG|q(v=F+EiCE`iiYGyVTUjeDnAT;H&+-HwVWId4=SMB>T#{P4fdI$a z{9zY$+}-qVifw;o$U~O#Meqq+*czr7&~#Honegg@&mSiQAppxQuA^1;Kb(Q{vKyH; zuTl>(%b?m~Mgfj-3n3$`aw#46li8WQ=h);1ZYE;Rnuqv}O-gC87 z@vRJKA=)gMO8K7~?IZE;%cCYJ!l+?ed6eJHQt+0iRL+0EM>@HFgj2T={IyGK{}h+Zr7`k|eT>w9zrS(Re_y{l z)qj79OE~&rUM3Jrp9yVv6Pb7cN;PFQv861-(Hv$Qvu{^P;CkFNsKA7NIbO3ehg=K3|IVkT$D7!ZZovZB%Rsw&py7(u|rCt>F;a z(sX~7BoE#?lb#Xs%cI7y=9?H*)XTn$@Ueeye3t&u!yKOBZFIBlXPs6{G@;No+0 z#Okgy2bG=0PjOS8mz;G7E$%jfA$pX*`B3{g23M9u@MY@c;jGi#A_|;c6U79%0v`G^MD<5TnFqv>alE;qHv7;nge*ljsTBTXa_Q9th-j=%} zxJ|)~t>GIWtSMn>66Ci zhq5+Fk9Cx%UB{bX#h-ZE(25iZ*js-DXBu>8IcIM}(WgmWOXjL9oXOj-1f2>ndK%^j zvd+Y&%|n@CNA7o;5C;GRCt>l>@C|?d?(yuj@rwkd8rpj=Lb%G3?>|Kw-BSFdOk>KQcqrYMQo-y}9_G$AU8G+oL4#0maTWg!A-H6#=fb7zUjKd_tF`Dm{Uo(f z6^2^&?awljmBEM+(6-|>LRkdY53v)p2jSr4vHOO z_}gJtG~SYA02`xC(^ScX7FHPZqkt%8=^ZFxV!}(J1Wz}cgjd~5IMIJXdsAAf(^;OT zS{Vtu^KKK}k}R_sagrES^1yooKkGCOAucBtilU5krcKvVDd(VKveQG$N6O`k z2~iJ`N`Gz{tA@Z7U0mjQm67|9OW(u5L+DBKcT#%h-=Q6v7ZOfcCQau8lZJw8m5~fI 
zNd!f!fihPjln`w0L{fhn7CkP}?WQi9s^6__7Jd}n=UH0ZS_JYqH|ppy-0$?;>6Egv zM*CVvyO1Yp?!k{pQhI9=@gxR5mj$J}l*L=4QC6?vwqB0aTGR4JP>kQCeyrRzR|qv)!x@~)$JF7An;uI$?u=}R~0 z8Wf_;s7n+cj?xe}Vm1eU+t(=#7u2NhPrSKq2$~WWRh5?A1IvQDOP< zi4Ni6*U85~Y_t4+Cmrd|M=DbBuynJTP8fe4Hrdo|8upVbB^uyUC!E)b+1yV9N!hmY z*CimAbKS;|W5oT4(;s7*$4t^;X^orTso4l$=q|0`@hyMWrOWO4cS9%(`8$H0lT?F9 z4lv9?y}&9v{3=D^aG)F%UiYjixJwGQp4UTkP7!+~y$4&DVlBY~H8&U2Q8QX#7??<) zRx>wL4In43hU|`81y+|fEWUAvi2d7HSyp}~H=^96)mT#sF#?Liy_d^yWGH zc6B$U4#$7TNp;BGBNe+1RqrSFp`cof;vE3!yu3%kvQ%aL+%1mZtEx z)x_5}IDRc8>1x?)Xtz6EF&)!|_gr!MV{0k6&ou6_%^_(AC{~dsRD4BE(ig$H ztkJ)hTpy|by%|w89-oU=8@%*!Sor~QV~TA7%FGc{<+%}4H#kLT@2sG!Wr7#WrU?? zO2M(@QP&9Hu;oy1v1+q1Td}3w_*)`FrCp*ha(3;L$u_e9O2?%xEF&qRE6CcaB=>Hi z-qRR5KpJ_w#M>}@rgSi>|Cs4uXzzc?)5DPm4x>gv#}B5)&r$S3-*%6L?0kWy^Co~b zg^^=bbyR(r3CUPZJCZV0bYHtP{{P|_ou)A|3$7# z%#2_DCQCN?dsy-a?FzK)D2 z7Rc+OyeqRNC$EK#oQ`R}=d6LjOOn7o{D;D~_|lz{pR%6|na-F#exnG!JANm=JrCXA zL%UmEf`OOdXO|a$IsfZo8jvoa6)3Q$8B(8x)Vj5N{tD@~f#8ZA14(Ma-I_|YVX$tn z*pU??!p{BBS&B_xkF7=e4gY#T)^wd2!9oWDz~~XcWI$fvhbe*o#^}lib7ZXPd;Q)9506%zQGynhq delta 4240 zcmV;B5O43@A=@E;ABzY8O`Zo=00Zq@>yO(u63ozmne$VW9?10cUFk6*-@4v;*>ksd)%ul%9ynFlh?X&AQAK)hZcm3|!)%BZyZ$G?y7F<2znDo_97S%!U zEW4|t6^XrcW9@&^Yx&|u@EvXPJgWCU{JJGUS&`y3Et@(fK~z;)8b>TGiy$rw7NrHL z15#|@^WwWp#kK^HX;-H=__6r=J&7Aef`qGKkQM>k>R(BjLys4n>C)f|zN?}-%7Y@x z$@k9%)$<>Jde}elh9Jtaaz~PYl>w`xf~Ghf7w9ENh40I>V5DA0F**BP3?+n4IP=R_ zzb_XXQiL`6cazpYuv{$IzEWcj*(>#pz|=zaak+STzFaQivLeybV`rarVvi z`EsFv!zyCXDc-dZ^iOuaM5rUnItKYXEm`BVN98dH`hIa8<<`ok>P7tkvgZq zwN5iaRhN>Qi~g9J`lQ6m)#u9y*QLFh=|BiO-FXWxjm9y13xT zqS;}8W;M{G3Yl)BnmidX^U+Kcw4j|J<}9TQ71$|diDLgAU7ZoWthjvu@AOset?A$R zQ;a(&tw@}%Q8(cQ(0b+It`kzq|ZO9X|Q8^#f z<5($){V+SFxCfty$Fp?(#dEAhS$VEwgcX&Q#Q0%=N!K@&6PZ`N$mW?N5K3X@LB4u2{?OF)5L^?wXS}aJ4 zs&G>UT3BX3j8O)a?d}ohP9jB1(Ru=#4$u)vTj5Z0M+b zR&Kc3y8z_|qXO*4KR1p-F@2EY_=%1&xXX@Ksm)6E4b?v8`E zEh(eNgW_K9QP65a%k1s~=X)TaSOnbJB@mdt8Vo=fC3#v1UB^VMb1}t}pg=D4QXUr2 zl|>~C z=O5d{Px@rnrHUu74bq}Xg^#JLB5rfvC4_-;Q!A!TE%%m#-=KKZcm!P_hsDZS8@@9E 
zt3u(rfl&o=emtV!4{!<{!~V|`8ijhEz&@sRS>&@kfk#*F= zgUm9hwwO_XW86Z>$f{fl&Ab`sl~cCk+z~!w%|~KQ6*%Hk+>07jGAgXfERFYEEmeFg z16qhS3#L;3=SKTT{QL5#35qak*j66pce50{sl?L%%%^N>ms1EzcL zu(L47njBhI@)#CZO@5m2A6{8vupcA8f?`xQmNK62U*q;_cq3okuj>(c6frQXlo>)}!tb$)H+Qcar>n51U#CDQ2*B-e-5g$X8Js%lBPyLqv2pp5v}y-^#%tP@>Q^o zGD=`3mU(vB7k<*0L?kbZP?$o6Xcu*#FGYJuo7Ep-nuPH-DmDaLa~?ryMoo#@(LPOBwyQn9 zZ_VAO`K=iq=|x+kFr3ROt>G(V@K)OQIf51z~hNlX_m5m@F|G5<*o>B zQ!ry|_y!1TN?4i%`E5}qK|z>E2l8(aTIvb|exr_dfXUVXiP)1gAI!`dT3{a%;T-RmZ8d5ZW z(`3ju>+Y|qG8|%^AVVj6*Q4-AP;z=CICU%M)&tZ-tbh2IUI~((GI?YFkQi?z)Vo`DKJNXn6Ti3Fz!X~ystT9 z*?k3KLt{F~EDu(RPnYr-e}pc{I}m5$YI$K?#eYKxF4^k2a4EajzhB2{E&5JBNo`bx zp_YC7vy5bAFk%F>?RbsQ7Je2alSgeL1H@0<3|nB5K)SyZe)zwqG0UifVuu+1 zc9<27w5Pc0Nx%BBn?1vfnNU!dt#_7`?f{;(ha%> zg(x%X5`~8&tr#Ax%wfSlA9N=)$)6kJ$KT5rL3SUD8csYe8qKCAQ5<41N1Y}Fx7JOX z;75h|QTS}|f9Iacj4FOxl_ld}VE1 zLwNXg@-YzGEWh7LN4oQoic~x--E5{4#-E2xHg%hZ{p3oC2Kdwo=XGK>_tQX9wypei z3CQJKxAEf`aX;ep$5`eulXO^GMl*C`Y)uj!KZ`>hb|8`cEm7mFtC^u;})|5hwfZ}lP(fAMir9dh?b#co5@`^kMMsY*!VZ7kp)C2>=yMu_4<=nmZSe8dLa^G~3qDg13U z@wE+(UkgdPTJ{>+?M_!r$8_O6SDgOXS_$CB=5Zy5y4Y0jQ zpxY~!-`n?1!!fIXye({hLS`L6K! z`0DAC-Hub$($y@~ztjuX2BJER@_G}RKzPXBDglF3N0xY_A6K?yLS!wZJq;(N%Dhh^ zv=r3kQ*EktZQ(n<4KV75C98(2Yyo~1uR5BJqbLO7ZQH2dA{IuJy<^2cuA({4!FL5T ze=Hulq@7K`MU+SJHZ3}vuc)7N^|4NCvV*lt+=GAV6-lG_pNf{#8 z#@K8h;YDgk1h)8*%sWBMahcyQv7uQiq zA&yfP9pbjaw8dZW)s{7Ada-4*QH!Qtt9RvKTnp~i!41)UZ2)TUv-?rNUcjATPgT!i*5Mle+}>) zFEI3cXD7A{i5y1;5Ez+xWO-yTeMYuaL=gjq%2~93?lwgOM%Z{4!?&?;hIV%uVdh4M&2&*HVmIB9gONfW;z(!e|z%uaO8o*s8P`IgQ@Xz6ur>5-6J78U!du{31CfO zIwV#DzJA6IYRynWyM`~UAxfB*lBT$h*` zzx+*>Z1VT8WgTy(mqKspEX1DQWau1FTxR$2 zEIe65ZK7-*0OHgBOU$Ot!cuXZOKsa%{{ium|EaD=K}Emp2*7|QOv7*Z_sQnteeK=x mbe*o#b-GU1={jAf>vWy2({;K|*XjD-xc&?9Swb@acmM##SXb8o diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9a9cb7ec..2b4a3869 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -29116,16 +29116,17 @@ index cc877c7..b8e6e98 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') 
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..53f66a4 100644 +index 8274418..5f31270 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc -@@ -2,13 +2,38 @@ +@@ -2,13 +2,39 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) ++HOME_DIR/\.local/share/xorg(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) @@ -29158,7 +29159,7 @@ index 8274418..53f66a4 100644 # # /dev -@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -22,13 +48,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -29181,7 +29182,7 @@ index 8274418..53f66a4 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +79,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +80,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -29223,7 +29224,7 @@ index 8274418..53f66a4 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -91,19 +133,34 @@ ifndef(`distro_debian',` +@@ -91,19 +134,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -29262,7 +29263,7 @@ index 8274418..53f66a4 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +168,18 @@ ifndef(`distro_debian',` +@@ -111,7 +169,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -31042,7 +31043,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..436b1e0 100644 +index 8b40377..fe6657c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32099,7 +32100,7 @@ index 8b40377..436b1e0 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1128,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -32118,6 +32119,11 @@ index 8b40377..436b1e0 100644 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) ++ ++manage_dirs_pattern(xserver_t, xdm_home_t, xdm_home_t) ++manage_files_pattern(xserver_t, xdm_home_t, xdm_home_t) ++manage_lnk_files_pattern(xserver_t, xdm_home_t, xdm_home_t) ++gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg") kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) @@ -32136,7 +32142,7 @@ index 8b40377..436b1e0 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1179,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32168,7 +32174,7 @@ index 8b40377..436b1e0 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1212,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32183,7 +32189,7 @@ index 8b40377..436b1e0 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1228,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1233,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -32207,7 +32213,7 @@ index 8b40377..436b1e0 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1252,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -32216,7 +32222,7 @@ index 8b40377..436b1e0 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1291,54 @@ optional_policy(` +@@ -785,17 +1296,54 @@ optional_policy(` ') optional_policy(` @@ -32273,7 +32279,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -803,6 +1346,10 @@ optional_policy(` +@@ -803,6 +1351,10 @@ optional_policy(` ') optional_policy(` @@ -32284,7 +32290,7 @@ index 8b40377..436b1e0 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1370,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -32309,7 +32315,7 @@ index 8b40377..436b1e0 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1388,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1393,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -32344,7 +32350,7 @@ index 8b40377..436b1e0 100644 ') optional_policy(` -@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1458,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -32353,7 +32359,7 @@ index 8b40377..436b1e0 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1512,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -32385,7 +32391,7 @@ index 8b40377..436b1e0 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1558,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f8463ffc..e3721a36 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -49519,7 +49519,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..6e2a403 100644 +index d15eb5b..7f3c31d 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -49561,6 +49561,14 @@ index d15eb5b..6e2a403 100644 logging_send_syslog_msg(modemmanager_t) +@@ -56,3 +63,7 @@ optional_policy(` + udev_read_db(modemmanager_t) + udev_manage_pid_files(modemmanager_t) + ') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(modemmanager_t) ++') diff --git a/mojomojo.fc b/mojomojo.fc index 7b827ca..5ee8a0f 100644 --- a/mojomojo.fc @@ -107581,7 +107589,7 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..40e9303 100644 +index 5ceacde..9353adb 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) 
@@ -107608,7 +107616,16 @@ index 5ceacde..40e9303 100644 ######################################## # # Local policy -@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; + allow tor_t tor_etc_t:file read_file_perms; + allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; + ++dontaudit tor_t self:capability { net_admin }; ++ + manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) + manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) + manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -107616,7 +107633,7 @@ index 5ceacde..40e9303 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t) +@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) @@ -107624,7 +107641,7 @@ index 5ceacde..40e9303 100644 corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) -@@ -98,19 +108,22 @@ dev_read_urand(tor_t) +@@ -98,19 +110,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -116833,7 +116850,7 @@ index 0928c5d..d270a72 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..fe078eb 100644 +index a64aad3..d923154 100644 --- a/xguest.te +++ b/xguest.te @@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) @@ -116902,7 +116919,7 @@ index a64aad3..fe078eb 100644 storage_raw_read_removable_device(xguest_t) storage_raw_write_removable_device(xguest_t) ',` -@@ -54,9 +55,22 @@ ifndef(`enable_mls',` +@@ -54,9 +55,25 @@ ifndef(`enable_mls',` ') optional_policy(` 
@@ -116913,6 +116930,9 @@ index a64aad3..fe078eb 100644 +kernel_dontaudit_request_load_module(xguest_t) +kernel_read_software_raid_state(xguest_t) + ++#GDM runs the X server as the unprivileged user. ++dev_rw_input_dev(xguest_t) ++ +tunable_policy(`selinuxuser_execstack',` + allow xguest_t self:process execstack; +') @@ -116926,7 +116946,7 @@ index a64aad3..fe078eb 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -65,10 +79,9 @@ optional_policy(` +@@ -65,10 +82,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -116938,7 +116958,7 @@ index a64aad3..fe078eb 100644 ') ') -@@ -84,12 +97,25 @@ optional_policy(` +@@ -84,12 +100,25 @@ optional_policy(` ') ') @@ -116950,23 +116970,23 @@ index a64aad3..fe078eb 100644 + +optional_policy(` + colord_dbus_chat(xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- gnomeclock_dontaudit_dbus_chat(xguest_t) + chrome_role(xguest_r, xguest_t) +') + +optional_policy(` + thumb_role(xguest_r, xguest_t) - ') - - optional_policy(` -- gnomeclock_dontaudit_dbus_chat(xguest_t) ++') ++ ++optional_policy(` + dbus_dontaudit_chat_system_bus(xguest_t) ') optional_policy(` -@@ -97,75 +123,78 @@ optional_policy(` +@@ -97,75 +126,78 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index aa9e7a9e..88fc4142 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 182%{?dist} +Release: 183%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -653,6 +653,12 @@ exit 0 %endif %changelog +* Mon Apr 18 2016 Lukas Vrabec 3.13.1-183 +- Allow modemmanager to talk to logind +- Dontaudit tor daemon needs net_admin capability. rhbz#1311788 +- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042 +- Xorg now writes content in users homedir. + * Fri Apr 08 2016 Lukas Vrabec 3.13.1-182 - rename several contrib modules according to their filenames - Add interface gnome_filetrans_cert_home_content()
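Review bot: the binary change to docker-selinux.tgz (4315 -> 4317 bytes in the diffstat) is not mentioned anywhere in the Subject or the %changelog entry, so a reader cannot tell what inside the tarball changed or why it belongs in this commit; either add a changelog line describing the docker policy change or split the tarball update into its own commit.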
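Review bot: the new `HOME_DIR/\.local/share/xorg(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)` entry in xserver.fc labels a directory inside the user's own home as xdm_home_t, and the matching xserver.te hunk only gives xserver_t manage rights on that type; there is no rule in this patch letting the logged-in user's domain read the Xorg log files that land there. Confirm that confined user domains (xguest_t is touched in the same patch) can read their own xdm_home_t content, or document that this entry exists only so restorecon and the `gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg")` rule agree on the label.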
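Review bot: `gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg")` is added at the top level of xserver.te, whereas the other calls into separate modules in the surrounding hunks sit inside `optional_policy(` blocks; if gnome_data_filetrans is provided by an optional (contrib) module, wrap the four new xdm_home_t lines in `optional_policy(` so the base module still builds when that module is absent. Separately, `manage_lnk_files_pattern(xserver_t, xdm_home_t, xdm_home_t)` grants more than writing log files under ~/.local/share/xorg requires; the dir and file patterns are enough for that, and symlink create/delete rights in a user-writable home subtree should be justified or dropped.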
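Review bot: the new `systemd_dbus_chat_logind(modemmanager_t)` block in modemmanager.te carries no bug reference, unlike the tor and GDM changes in the same changelog (rhbz#1311788, rhbz#1232042), and no comment saying what ModemManager needs from logind; add the rhbz id or a one-line comment above the `optional_policy(` block so the bidirectional D-Bus chat grant can be re-checked later against the actual need.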
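Review bot: `dontaudit tor_t self:capability { net_admin };` in tor.te silences the denial rather than granting the capability, which is the right least-privilege choice only if tor behaves correctly without net_admin; the changelog line "Dontaudit tor daemon needs net_admin capability" reads as if the capability were required, so reword it and add a short comment above the rule explaining why the denial is harmless, otherwise a later reader may turn the dontaudit into an allow. Style: a single permission does not need braces (`dontaudit tor_t self:capability net_admin;`).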
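Review bot: `dev_rw_input_dev(xguest_t)` gives the guest login domain read/write access to all input event devices, a broad grant for the most restricted user domain in the policy; the comment explains that GDM runs the X server as the unprivileged user, but the device rules for the X server already live on xserver_t in xserver.te (dev_rw_framebuffer, dev_manage_dri_dev and the rest in this same patch), so the expected model is for the server started in the session to transition into xserver_t rather than run in xguest_t. Confirm which domain the GDM-launched X server actually runs in for an xguest session; if it does not transition, state why in the comment, and if it does, this rule is unnecessary. Also write the comment as `# GDM runs ...` with a space after `#`, as the other comments in the file do.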
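Review bot: the xguest.te hunk at `@@ -84,12 +100,25 @@` produces no change in the resulting policy; it only shifts which lines of the colord/chrome/thumb/dbus `optional_policy(` blocks are marked added versus context because the contrib patch was regenerated. That is harmless, but it inflates the diff and hides the one real xguest change (dev_rw_input_dev) among noise; regenerating with the same diff settings as before, or noting in the changelog that the contrib patch was refreshed, would make review easier.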
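Review bot: in the %changelog entry, "other display managers runs the X server as root" should read "run", and "users homedir" should be "users' homedir"; the "Allow modemmanager to talk to logind" and "Xorg now writes content in users homedir" lines lack an rhbz reference while the other two carry one, and "Dontaudit tor daemon needs net_admin capability" leaves it unclear that nothing is granted (the tor.te hunk adds a dontaudit, not an allow). The Release bump to 183%{?dist} and the entry date match the Subject.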