* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc
This commit is contained in:
parent
e2915aed43
commit
711b0e2035
@ -70640,7 +70640,7 @@ index cda5588..91d1e25 100644
|
||||
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||
+/usr/lib/udev/devices/shm/.* <<none>>
|
||||
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
|
||||
index 7c6b791..aad6319 100644
|
||||
index 7c6b791..b40a5a5 100644
|
||||
--- a/policy/modules/kernel/filesystem.if
|
||||
+++ b/policy/modules/kernel/filesystem.if
|
||||
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
|
||||
@ -71137,7 +71137,7 @@ index 7c6b791..aad6319 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a FUSE filesystem.
|
||||
@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',`
|
||||
@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71202,11 +71202,30 @@ index 7c6b791..aad6319 100644
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Get the attributes of a FUSEFS filesystem.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`fs_getattr_fusefs',`
|
||||
+ gen_require(`
|
||||
+ type fusefs_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 fusefs_t:filesystem getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Get the attributes of an hugetlbfs
|
||||
## filesystem.
|
||||
## </summary>
|
||||
@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
|
||||
@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71231,7 +71250,7 @@ index 7c6b791..aad6319 100644
|
||||
## Read and write hugetlbfs files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
|
||||
@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
|
||||
')
|
||||
|
||||
allow $1 inotifyfs_t:dir list_dir_perms;
|
||||
@ -71245,7 +71264,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
|
||||
@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
@ -71253,7 +71272,7 @@ index 7c6b791..aad6319 100644
|
||||
allow $1 nfs_t:dir list_dir_perms;
|
||||
read_files_pattern($1, nfs_t, nfs_t)
|
||||
')
|
||||
@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
|
||||
@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
@ -71261,7 +71280,7 @@ index 7c6b791..aad6319 100644
|
||||
allow $1 nfs_t:dir list_dir_perms;
|
||||
write_files_pattern($1, nfs_t, nfs_t)
|
||||
')
|
||||
@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
|
||||
@@ -2549,6 +3013,25 @@ interface(`fs_exec_nfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71287,7 +71306,7 @@ index 7c6b791..aad6319 100644
|
||||
## Append files
|
||||
## on a NFS filesystem.
|
||||
## </summary>
|
||||
@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
|
||||
@@ -2569,7 +3052,7 @@ interface(`fs_append_nfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71296,7 +71315,7 @@ index 7c6b791..aad6319 100644
|
||||
## on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
|
||||
@@ -2589,6 +3072,42 @@ interface(`fs_dontaudit_append_nfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71339,7 +71358,7 @@ index 7c6b791..aad6319 100644
|
||||
## Do not audit attempts to read or
|
||||
## write files on a NFS filesystem.
|
||||
## </summary>
|
||||
@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
||||
@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
@ -71348,7 +71367,7 @@ index 7c6b791..aad6319 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
|
||||
@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71357,7 +71376,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
|
||||
@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -71366,7 +71385,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
|
||||
@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -71375,7 +71394,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
|
||||
@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
@ -71383,7 +71402,7 @@ index 7c6b791..aad6319 100644
|
||||
allow $1 nfs_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
|
||||
@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
@ -71391,7 +71410,7 @@ index 7c6b791..aad6319 100644
|
||||
manage_files_pattern($1, nfs_t, nfs_t)
|
||||
')
|
||||
|
||||
@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
|
||||
@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
@ -71399,7 +71418,7 @@ index 7c6b791..aad6319 100644
|
||||
manage_lnk_files_pattern($1, nfs_t, nfs_t)
|
||||
')
|
||||
|
||||
@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
|
||||
@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
|
||||
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
||||
')
|
||||
|
||||
@ -71424,7 +71443,7 @@ index 7c6b791..aad6319 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write NFS server files.
|
||||
@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
|
||||
@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71449,7 +71468,7 @@ index 7c6b791..aad6319 100644
|
||||
## Allow the type to associate to ramfs filesystems.
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
|
||||
@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71458,7 +71477,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
|
||||
@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71467,7 +71486,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
|
||||
@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71476,7 +71495,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
|
||||
@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71501,7 +71520,7 @@ index 7c6b791..aad6319 100644
|
||||
## Get the attributes of a tmpfs
|
||||
## filesystem.
|
||||
## </summary>
|
||||
@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
|
||||
@@ -3963,6 +4539,42 @@ interface(`fs_dontaudit_list_tmpfs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71544,7 +71563,7 @@ index 7c6b791..aad6319 100644
|
||||
## Create, read, write, and delete
|
||||
## tmpfs directories
|
||||
## </summary>
|
||||
@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
|
||||
@@ -4069,7 +4681,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
@ -71553,7 +71572,7 @@ index 7c6b791..aad6319 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
|
||||
@@ -4129,6 +4741,24 @@ interface(`fs_rw_tmpfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71578,7 +71597,7 @@ index 7c6b791..aad6319 100644
|
||||
## Read tmpfs link files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
|
||||
@@ -4166,7 +4796,7 @@ interface(`fs_rw_tmpfs_chr_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71587,7 +71606,7 @@ index 7c6b791..aad6319 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
||||
@@ -4185,6 +4815,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71630,7 +71649,7 @@ index 7c6b791..aad6319 100644
|
||||
## Relabel character nodes on tmpfs filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4242,6 +4889,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
|
||||
@@ -4242,6 +4908,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71674,7 +71693,7 @@ index 7c6b791..aad6319 100644
|
||||
## Read and write, create and delete generic
|
||||
## files on tmpfs filesystems.
|
||||
## </summary>
|
||||
@@ -4261,6 +4945,25 @@ interface(`fs_manage_tmpfs_files',`
|
||||
@@ -4261,6 +4964,25 @@ interface(`fs_manage_tmpfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -71700,7 +71719,7 @@ index 7c6b791..aad6319 100644
|
||||
## Read and write, create and delete symbolic
|
||||
## links on tmpfs filesystems.
|
||||
## </summary>
|
||||
@@ -4467,6 +5170,8 @@ interface(`fs_mount_all_fs',`
|
||||
@@ -4467,6 +5189,8 @@ interface(`fs_mount_all_fs',`
|
||||
')
|
||||
|
||||
allow $1 filesystem_type:filesystem mount;
|
||||
@ -71709,7 +71728,7 @@ index 7c6b791..aad6319 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4513,7 +5218,7 @@ interface(`fs_unmount_all_fs',`
|
||||
@@ -4513,7 +5237,7 @@ interface(`fs_unmount_all_fs',`
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to
|
||||
@ -71718,7 +71737,7 @@ index 7c6b791..aad6319 100644
|
||||
## Example attributes:
|
||||
## </p>
|
||||
## <ul>
|
||||
@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',`
|
||||
@@ -4876,3 +5600,43 @@ interface(`fs_unconfined',`
|
||||
|
||||
typeattribute $1 filesystem_unconfined_type;
|
||||
')
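Review bot: `fs_getattr_fusefs` carries a `<rolecap/>` tag (the `+## <rolecap/>` line just above `+interface(`fs_getattr_fusefs',`), but the interface grants only `allow $1 fusefs_t:filesystem getattr;`, which is not a privilege that belongs in a role's capability set; the tag looks like a leftover from copying the `fs_mount_fusefs` header and should be dropped. The summary `## Get the attributes of a FUSEFS filesystem.` also departs from the wording this file uses for the same filesystem (`## Mount a FUSE filesystem.` earlier in this section); `## Get the attributes of a FUSE filesystem.` keeps the documentation consistent. The svirt caller that the changelog cites as the reason for this interface is not in this section, so whether `getattr` alone satisfies that use cannot be judged from here.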
|
||||
@ -87697,14 +87716,15 @@ index cbbda4a..8dcc346 100644
|
||||
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
|
||||
+
|
||||
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
|
||||
index d43f3b1..5858c5f 100644
|
||||
index d43f3b1..c4182e8 100644
|
||||
--- a/policy/modules/system/selinuxutil.fc
|
||||
+++ b/policy/modules/system/selinuxutil.fc
|
||||
@@ -6,13 +6,13 @@
|
||||
@@ -6,13 +6,14 @@
|
||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
|
||||
+/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
|
||||
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
|
||||
@ -87717,7 +87737,7 @@ index d43f3b1..5858c5f 100644
|
||||
|
||||
#
|
||||
# /root
|
||||
@@ -35,12 +35,14 @@
|
||||
@@ -35,12 +36,14 @@
|
||||
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
||||
|
||||
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
||||
@ -87733,7 +87753,7 @@ index d43f3b1..5858c5f 100644
|
||||
|
||||
#
|
||||
# /var/lib
|
||||
@@ -51,3 +53,7 @@
|
||||
@@ -51,3 +54,7 @@
|
||||
# /var/run
|
||||
#
|
||||
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
|
||||
@ -87742,7 +87762,7 @@ index d43f3b1..5858c5f 100644
|
||||
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
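Review bot: The new entry `/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)` labels the per-user login mapping directory at `s0`, while the neighbouring `setrans.conf` entry stays at `mls_systemhigh`; if these files select the SELinux user and range a login receives (the commit message ties them to the SELinux PAM module), an MLS build probably wants `gen_context(system_u:object_r:selinux_login_config_t,mls_systemhigh)` as the removed `seusers` line had, so the level choice deserves a comment either way. The trailing context entries `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` look like a typo for `/usr/share/selinux/...`, the directory that actually holds packaged policy modules; if so they match nothing and the intended paths are unlabeled, which is worth confirming with `matchpathcon`.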
|
||||
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
||||
index 3822072..cac0b1e 100644
|
||||
index 3822072..beae2dc 100644
|
||||
--- a/policy/modules/system/selinuxutil.if
|
||||
+++ b/policy/modules/system/selinuxutil.if
|
||||
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
|
||||
@ -87899,7 +87919,7 @@ index 3822072..cac0b1e 100644
|
||||
## Execute setfiles in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -680,6 +776,7 @@ interface(`seutil_manage_config',`
|
||||
@@ -680,10 +776,94 @@ interface(`seutil_manage_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -87907,7 +87927,160 @@ index 3822072..cac0b1e 100644
|
||||
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||
')
|
||||
@@ -746,6 +843,29 @@ interface(`seutil_read_default_contexts',`
|
||||
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to search the SELinux
|
||||
+## login configuration directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`seutil_dontaudit_search_login_config',`
|
||||
+ gen_require(`
|
||||
+ type selinux_login_config_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to read the SELinux
|
||||
+## login configuration.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`seutil_dontaudit_read_login_config',`
|
||||
+ gen_require(`
|
||||
+ type selinux_login_config_t;
|
||||
+ ')
|
||||
+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
|
||||
+ dontaudit $1 selinux_login_config_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read the SELinux login configuration files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`seutil_read_login_config',`
|
||||
+ gen_require(`
|
||||
+ type selinux_config_t;
|
||||
+ type selinux_login_config_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||
+ allow $1 selinux_login_config_t:dir list_dir_perms;
|
||||
+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write the SELinux login configuration files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`seutil_rw_login_config',`
|
||||
+ gen_require(`
|
||||
+ type selinux_config_t;
|
||||
+ type selinux_login_config_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||
+ allow $1 selinux_login_config_t:dir list_dir_perms;
|
||||
+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
+')
|
||||
+
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
@@ -694,15 +874,62 @@ interface(`seutil_manage_config',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
-interface(`seutil_manage_config_dirs',`
|
||||
+interface(`seutil_rw_login_config_dirs',`
|
||||
gen_require(`
|
||||
type selinux_config_t;
|
||||
+ type selinux_login_config_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
- allow $1 selinux_config_t:dir manage_dir_perms;
|
||||
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||
+ allow $1 selinux_login_config_t:dir rw_dir_perms;
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete
|
||||
+## the general selinux configuration files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`seutil_manage_login_config',`
|
||||
+ gen_require(`
|
||||
+ type selinux_config_t;
|
||||
+ type selinux_login_config_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||
+ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## manage the login selinux configuration files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`seutil_manage_login_config_files',`
|
||||
+ gen_require(`
|
||||
+ type selinux_config_t;
|
||||
+ type selinux_login_config_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ allow $1 selinux_config_t:dir search_dir_perms;
|
||||
+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',`
|
||||
read_files_pattern($1, default_context_t, default_context_t)
|
||||
')
|
||||
|
||||
@ -87937,7 +88110,7 @@ index 3822072..cac0b1e 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete the default_contexts files.
|
||||
@@ -999,6 +1119,26 @@ interface(`seutil_domtrans_semanage',`
|
||||
@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -87964,7 +88137,7 @@ index 3822072..cac0b1e 100644
|
||||
## Execute semanage in the semanage domain, and
|
||||
## allow the specified role the semanage domain,
|
||||
## and use the caller's terminal.
|
||||
@@ -1017,11 +1157,66 @@ interface(`seutil_domtrans_semanage',`
|
||||
@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',`
|
||||
#
|
||||
interface(`seutil_run_semanage',`
|
||||
gen_require(`
|
||||
@ -88033,7 +88206,17 @@ index 3822072..cac0b1e 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1137,3 +1332,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
||||
@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',`
|
||||
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
|
||||
manage_files_pattern($1, semanage_store_t, semanage_store_t)
|
||||
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
|
||||
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
|
||||
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
|
||||
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
||||
selinux_dontaudit_get_fs_mount($1)
|
||||
seutil_dontaudit_read_config($1)
|
||||
')
|
||||
@ -88093,7 +88276,7 @@ index 3822072..cac0b1e 100644
|
||||
+ auth_relabelto_shadow($1)
|
||||
+')
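Review bot: Upstream's `seutil_manage_config_dirs` disappears in the `@@ -694,15 +874,62 @@` hunk, where it is rewritten in place as `seutil_rw_login_config_dirs` (the `-interface(`seutil_manage_config_dirs',` / `+interface(`seutil_rw_login_config_dirs',` pair and the dropped `<rolecap/>`), so any module still calling the old interface fails to build and the surviving header `## Create, read, write, and delete` now describes an interface that only grants `rw_dir_perms`; add the new interface after the old one instead of replacing it and give it its own summary. The summary of `seutil_manage_login_config` likewise reads `## the general selinux configuration files.` although it manages `selinux_login_config_t`; change it to `## the SELinux login configuration files.` and capitalise the `## manage the login selinux configuration files.` summary of `seutil_manage_login_config_files` to match the file. Because the files under logins/ appear to decide the SELinux user and range assigned at login, `seutil_rw_login_config` and the `seutil_manage_login_config*` interfaces hand out seusers-equivalent write access and should say so in their summaries so that callers are kept to the intended writer (sssd per the commit message). `seutil_dontaudit_read_login_config` is also missing the blank line after `gen_require` that its sibling interfaces have.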
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index ec01d0b..98094ae 100644
|
||||
index ec01d0b..12ed3ea 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -11,14 +11,17 @@ gen_require(`
|
||||
@ -88119,17 +88302,20 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
#
|
||||
# selinux_config_t is the type applied to
|
||||
@@ -30,6 +33,9 @@ roleattribute system_r semanage_roles;
|
||||
@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles;
|
||||
type selinux_config_t;
|
||||
files_type(selinux_config_t)
|
||||
|
||||
+type selinux_login_config_t;
|
||||
+files_type(selinux_login_config_t)
|
||||
+
|
||||
+type selinux_var_lib_t;
|
||||
+files_type(selinux_var_lib_t)
|
||||
+
|
||||
type checkpolicy_t, can_write_binary_policy;
|
||||
type checkpolicy_exec_t;
|
||||
application_domain(checkpolicy_t, checkpolicy_exec_t)
|
||||
@@ -60,14 +66,20 @@ application_domain(newrole_t, newrole_exec_t)
|
||||
@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
|
||||
domain_role_change_exemption(newrole_t)
|
||||
domain_obj_id_change_exemption(newrole_t)
|
||||
domain_interactive_fd(newrole_t)
|
||||
@ -88153,7 +88339,7 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||
@@ -83,7 +95,6 @@ type restorecond_t;
|
||||
@@ -83,7 +98,6 @@ type restorecond_t;
|
||||
type restorecond_exec_t;
|
||||
init_daemon_domain(restorecond_t, restorecond_exec_t)
|
||||
domain_obj_id_change_exemption(restorecond_t)
|
||||
@ -88161,7 +88347,7 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
type restorecond_var_run_t;
|
||||
files_pid_file(restorecond_var_run_t)
|
||||
@@ -92,25 +103,33 @@ type run_init_t;
|
||||
@@ -92,25 +106,32 @@ type run_init_t;
|
||||
type run_init_exec_t;
|
||||
application_domain(run_init_t, run_init_exec_t)
|
||||
domain_system_change_exemption(run_init_t)
|
||||
@ -88172,7 +88358,6 @@ index ec01d0b..98094ae 100644
|
||||
type semanage_t;
|
||||
type semanage_exec_t;
|
||||
application_domain(semanage_t, semanage_exec_t)
|
||||
+dbus_system_domain(semanage_t, semanage_exec_t)
|
||||
+init_daemon_domain(semanage_t, semanage_exec_t)
|
||||
domain_interactive_fd(semanage_t)
|
||||
-role semanage_roles types semanage_t;
|
||||
@ -88200,7 +88385,7 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
type semanage_var_lib_t;
|
||||
files_type(semanage_var_lib_t)
|
||||
@@ -120,6 +139,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
||||
@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
||||
init_system_domain(setfiles_t, setfiles_exec_t)
|
||||
domain_obj_id_change_exemption(setfiles_t)
|
||||
|
||||
@ -88212,7 +88397,15 @@ index ec01d0b..98094ae 100644
|
||||
########################################
|
||||
#
|
||||
# Checkpolicy local policy
|
||||
@@ -151,7 +175,7 @@ term_use_console(checkpolicy_t)
|
||||
@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
|
||||
+allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
|
||||
|
||||
domain_use_interactive_fds(checkpolicy_t)
|
||||
|
||||
@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
|
||||
init_use_fds(checkpolicy_t)
|
||||
init_use_script_ptys(checkpolicy_t)
|
||||
|
||||
@ -88221,7 +88414,7 @@ index ec01d0b..98094ae 100644
|
||||
userdom_use_all_users_fds(checkpolicy_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
@@ -188,13 +212,15 @@ term_list_ptys(load_policy_t)
|
||||
@@ -188,13 +215,15 @@ term_list_ptys(load_policy_t)
|
||||
|
||||
init_use_script_fds(load_policy_t)
|
||||
init_use_script_ptys(load_policy_t)
|
||||
@ -88238,7 +88431,15 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
@@ -220,7 +246,7 @@ optional_policy(`
|
||||
@@ -205,6 +234,7 @@ ifdef(`distro_ubuntu',`
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# cjp: cover up stray file descriptors.
|
||||
dontaudit load_policy_t selinux_config_t:file write;
|
||||
+ dontaudit load_policy_t selinux_login_config_t:file write;
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_read_pipes(load_policy_t)
|
||||
@@ -220,7 +250,7 @@ optional_policy(`
|
||||
# Newrole local policy
|
||||
#
|
||||
|
||||
@ -88247,7 +88448,7 @@ index ec01d0b..98094ae 100644
|
||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow newrole_t self:process setexec;
|
||||
allow newrole_t self:fd use;
|
||||
@@ -232,7 +258,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
||||
@@ -232,7 +262,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
||||
allow newrole_t self:msg { send receive };
|
||||
allow newrole_t self:unix_dgram_socket sendto;
|
||||
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
@ -88256,7 +88457,7 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
read_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||
@@ -249,6 +275,7 @@ domain_use_interactive_fds(newrole_t)
|
||||
@@ -249,6 +279,7 @@ domain_use_interactive_fds(newrole_t)
|
||||
# for when the user types "exec newrole" at the command line:
|
||||
domain_sigchld_interactive_fds(newrole_t)
|
||||
|
||||
@ -88264,7 +88465,7 @@ index ec01d0b..98094ae 100644
|
||||
files_read_etc_files(newrole_t)
|
||||
files_read_var_files(newrole_t)
|
||||
files_read_var_symlinks(newrole_t)
|
||||
@@ -276,25 +303,39 @@ term_relabel_all_ptys(newrole_t)
|
||||
@@ -276,25 +307,39 @@ term_relabel_all_ptys(newrole_t)
|
||||
term_getattr_unallocated_ttys(newrole_t)
|
||||
term_dontaudit_use_unallocated_ttys(newrole_t)
|
||||
|
||||
@ -88310,7 +88511,7 @@ index ec01d0b..98094ae 100644
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(newrole_t)
|
||||
@@ -309,7 +350,7 @@ if(secure_mode) {
|
||||
@@ -309,7 +354,7 @@ if(secure_mode) {
|
||||
userdom_spec_domtrans_all_users(newrole_t)
|
||||
}
|
||||
|
||||
@ -88319,7 +88520,7 @@ index ec01d0b..98094ae 100644
|
||||
files_polyinstantiate_all(newrole_t)
|
||||
')
|
||||
|
||||
@@ -328,9 +369,13 @@ kernel_use_fds(restorecond_t)
|
||||
@@ -328,9 +373,13 @@ kernel_use_fds(restorecond_t)
|
||||
kernel_rw_pipes(restorecond_t)
|
||||
kernel_read_system_state(restorecond_t)
|
||||
|
||||
@ -88334,7 +88535,7 @@ index ec01d0b..98094ae 100644
|
||||
fs_list_inotifyfs(restorecond_t)
|
||||
|
||||
selinux_validate_context(restorecond_t)
|
||||
@@ -341,6 +386,7 @@ selinux_compute_user_contexts(restorecond_t)
|
||||
@@ -341,6 +390,7 @@ selinux_compute_user_contexts(restorecond_t)
|
||||
|
||||
files_relabel_non_auth_files(restorecond_t )
|
||||
files_read_non_auth_files(restorecond_t)
|
||||
@ -88342,7 +88543,7 @@ index ec01d0b..98094ae 100644
|
||||
auth_use_nsswitch(restorecond_t)
|
||||
|
||||
locallogin_dontaudit_use_fds(restorecond_t)
|
||||
@@ -351,6 +397,8 @@ miscfiles_read_localization(restorecond_t)
|
||||
@@ -351,6 +401,8 @@ miscfiles_read_localization(restorecond_t)
|
||||
|
||||
seutil_libselinux_linked(restorecond_t)
|
||||
|
||||
@ -88351,7 +88552,7 @@ index ec01d0b..98094ae 100644
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(restorecond_t)
|
||||
@@ -366,21 +414,24 @@ optional_policy(`
|
||||
@@ -366,21 +418,24 @@ optional_policy(`
|
||||
# Run_init local policy
|
||||
#
|
||||
|
||||
@ -88378,7 +88579,7 @@ index ec01d0b..98094ae 100644
|
||||
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
||||
|
||||
domain_use_interactive_fds(run_init_t)
|
||||
@@ -398,14 +449,23 @@ selinux_compute_create_context(run_init_t)
|
||||
@@ -398,14 +453,23 @@ selinux_compute_create_context(run_init_t)
|
||||
selinux_compute_relabel_context(run_init_t)
|
||||
selinux_compute_user_contexts(run_init_t)
|
||||
|
||||
@ -88404,7 +88605,7 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
logging_send_syslog_msg(run_init_t)
|
||||
|
||||
@@ -414,7 +474,7 @@ miscfiles_read_localization(run_init_t)
|
||||
@@ -414,7 +478,7 @@ miscfiles_read_localization(run_init_t)
|
||||
seutil_libselinux_linked(run_init_t)
|
||||
seutil_read_default_contexts(run_init_t)
|
||||
|
||||
@ -88413,7 +88614,7 @@ index ec01d0b..98094ae 100644
|
||||
|
||||
ifndef(`direct_sysadm_daemon',`
|
||||
ifdef(`distro_gentoo',`
|
||||
@@ -425,6 +485,19 @@ ifndef(`direct_sysadm_daemon',`
|
||||
@@ -425,6 +489,19 @@ ifndef(`direct_sysadm_daemon',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -88433,7 +88634,7 @@ index ec01d0b..98094ae 100644
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(run_init_t)
|
||||
@@ -440,81 +513,83 @@ optional_policy(`
|
||||
@@ -440,81 +517,87 @@ optional_policy(`
|
||||
# semodule local policy
|
||||
#
|
||||
|
||||
@ -88480,11 +88681,11 @@ index ec01d0b..98094ae 100644
|
||||
-
|
||||
-# Running genhomedircon requires this for finding all users
|
||||
-auth_use_nsswitch(semanage_t)
|
||||
-
|
||||
-locallogin_use_fds(semanage_t)
|
||||
+# Admins are creating pp files in random locations
|
||||
+files_read_non_security_files(semanage_t)
|
||||
|
||||
-locallogin_use_fds(semanage_t)
|
||||
-
|
||||
-logging_send_syslog_msg(semanage_t)
|
||||
-
|
||||
-miscfiles_read_localization(semanage_t)
|
||||
@ -88527,6 +88728,10 @@ index ec01d0b..98094ae 100644
|
||||
- unconfined_domain(semanage_t)
|
||||
- ')
|
||||
+optional_policy(`
|
||||
+ dbus_system_domain(semanage_t, semanage_exec_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mock_manage_lib_files(semanage_t)
|
||||
+ mock_manage_lib_dirs(semanage_t)
|
||||
+')
|
||||
@ -88570,7 +88775,7 @@ index ec01d0b..98094ae 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -522,108 +597,184 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -522,108 +605,184 @@ ifdef(`distro_ubuntu',`
|
||||
# Setfiles local policy
|
||||
#
|
||||
|
||||
@ -88647,14 +88852,15 @@ index ec01d0b..98094ae 100644
|
||||
+ devicekit_dontaudit_read_pid_files(setfiles_t)
|
||||
+ devicekit_dontaudit_rw_log(setfiles_t)
|
||||
+')
|
||||
|
||||
-seutil_libselinux_linked(setfiles_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_append_xdm_tmp_files(setfiles_t)
|
||||
+')
|
||||
+
|
||||
|
||||
-seutil_libselinux_linked(setfiles_t)
|
||||
+ifdef(`hide_broken_symptoms',`
|
||||
+
|
||||
|
||||
-userdom_use_all_users_fds(setfiles_t)
|
||||
+ optional_policy(`
|
||||
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
|
||||
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
|
||||
@ -88665,8 +88871,7 @@ index ec01d0b..98094ae 100644
|
||||
+ unconfined_domain(setfiles_t)
|
||||
+ ')
|
||||
+')
|
||||
|
||||
-userdom_use_all_users_fds(setfiles_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Setfiles common policy
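Review bot: `selinux_login_config_t` is declared with a plain `files_type(selinux_login_config_t)` in the `@@ -30,6 +33,12 @@` hunk, yet the commit message says it labels the per-user data the SELinux PAM module reads to assign a login's SELinux user, which makes it closer to `seusers`/`shadow` than to generic configuration. If that reading holds, declare it with `files_security_file(selinux_login_config_t)` so blanket grants such as `files_read_non_security_files(semanage_t)` later in this section do not cover it, and consider a `neverallow` restricting `write` to the intended writer domains, analogous to the `policy_config_t` relabelto neverallow kept above. The new `allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;` has no evident justification — checkpolicy presumably compiles policy sources and never consults login mappings — so it should either carry a comment naming the denial it silences or be dropped. The `dontaudit load_policy_t selinux_login_config_t:file write;` under `hide_broken_symptoms` is a reasonable leak cover-up, but a one-line comment stating which descriptor leaks into load_policy would help the next maintainer.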
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.11.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -491,6 +491,18 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
|
||||
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
|
||||
- Additional fixes for seutil_manage_module_store()
|
||||
- dbus_system_domain() should be used with optional_policy
|
||||
- Fix svirt to be allowed to use fusefs file system
|
||||
- Allow login programs to read /run/ data created by systemd_login
|
||||
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
|
||||
- Fix svirt to be allowed to use fusefs file system
|
||||
- Allow piranha domain to use nsswitch
|
||||
- Sanlock needs to send Kill Signals to non root processes
|
||||
- Pulseaudio wants to execute /run/user/PID/.orc
|
||||
|
||||
* Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-1
|
||||
- Fix saslauthd when it tries to read /etc/shadow
|
||||
- Label gnome-boxes as a virt homedir
|
||||
|