- Fix passenger_stream_connect interface

- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
This commit is contained in:
Miroslav Grepl 2013-11-12 12:26:06 +01:00
parent e4104d9fc0
commit 73ec2c3819
3 changed files with 166 additions and 58 deletions

View File

@ -58,6 +58,19 @@ index 313d837..ef3c532 100644
@echo "Success." @echo "Success."
######################################## ########################################
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 881a292..80110a4 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
new file mode 100644 new file mode 100644
index 0000000..ff32acc index 0000000..ff32acc
@ -65,6 +78,19 @@ index 0000000..ff32acc
+++ b/config/appconfig-mcs/systemd_contexts +++ b/config/appconfig-mcs/systemd_contexts
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
index cacbc93..4f59f94 100644
--- a/config/appconfig-mcs/user_u_default_contexts
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
index d387b42..150f281 100644 index d387b42..150f281 100644
--- a/config/appconfig-mcs/virtual_domain_context --- a/config/appconfig-mcs/virtual_domain_context
@ -72,6 +98,19 @@ index d387b42..150f281 100644
@@ -1 +1,2 @@ @@ -1 +1,2 @@
system_u:system_r:svirt_t:s0 system_u:system_r:svirt_t:s0
+system_u:system_r:svirt_tcg_t:s0 +system_u:system_r:svirt_tcg_t:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 881a292..80110a4 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
new file mode 100644 new file mode 100644
index 0000000..ff32acc index 0000000..ff32acc
@ -79,6 +118,32 @@ index 0000000..ff32acc
+++ b/config/appconfig-mls/systemd_contexts +++ b/config/appconfig-mls/systemd_contexts
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
index cacbc93..4f59f94 100644
--- a/config/appconfig-mls/user_u_default_contexts
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index c2a5ea8..f63999e 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t staff_r:staff_t
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t staff_r:cronjob_t
+system_r:crond_t staff_r:staff_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
new file mode 100644 new file mode 100644
index 0000000..ff32acc index 0000000..ff32acc
@ -86,6 +151,19 @@ index 0000000..ff32acc
+++ b/config/appconfig-standard/systemd_contexts +++ b/config/appconfig-standard/systemd_contexts
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
index f5bfac3..639555b 100644
--- a/config/appconfig-standard/user_u_default_contexts
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
-system_r:crond_t user_r:cronjob_t
+system_r:crond_t user_r:user_t
system_r:xdm_t user_r:user_t
user_r:user_su_t user_r:user_t
user_r:user_sudo_t user_r:user_t
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
index c049e10..150f281 100644 index c049e10..150f281 100644
--- a/config/appconfig-standard/virtual_domain_context --- a/config/appconfig-standard/virtual_domain_context
@ -689,7 +767,7 @@ index 3a45f23..f4754f0 100644
# fork # fork
# setexec # setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 28802c5..fdcb9a7 100644 index 28802c5..1afd77b 100644
--- a/policy/flask/access_vectors --- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors +++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process @@ -329,6 +329,7 @@ class process
@ -708,9 +786,9 @@ index 28802c5..fdcb9a7 100644
+ reboot + reboot
+ status + status
+ undefined + undefined
+ enable + enable
+ disable + disable
+ reload + reload
} }
# #
@ -747,7 +825,7 @@ index 28802c5..fdcb9a7 100644
class x_pointer class x_pointer
inherits x_device inherits x_device
@@ -862,3 +877,20 @@ inherits database @@ -862,3 +877,18 @@ inherits database
implement implement
execute execute
} }
@ -758,8 +836,6 @@ index 28802c5..fdcb9a7 100644
+ stop + stop
+ status + status
+ reload + reload
+ kill
+ load
+ enable + enable
+ disable + disable
+} +}
@ -2615,7 +2691,7 @@ index 99e3903..7270808 100644
######################################## ########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d555767..68f6887 100644 index d555767..3053e39 100644
--- a/policy/modules/admin/usermanage.te --- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@ -2897,7 +2973,7 @@ index d555767..68f6887 100644
userdom_use_unpriv_users_fds(passwd_t) userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds # make sure that getcon succeeds
userdom_getattr_all_users(passwd_t) userdom_getattr_all_users(passwd_t)
@@ -349,9 +389,16 @@ userdom_read_user_tmp_files(passwd_t) @@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search # user generally runs this from their home directory, so do not audit a search
# on user home dir # on user home dir
userdom_dontaudit_search_user_home_content(passwd_t) userdom_dontaudit_search_user_home_content(passwd_t)
@ -2906,7 +2982,8 @@ index d555767..68f6887 100644
optional_policy(` optional_policy(`
- nscd_run(passwd_t, passwd_roles) - nscd_run(passwd_t, passwd_roles)
+ gnome_exec_keyringd(passwd_t) + gnome_exec_keyringd(passwd_t)
+ gnome_manage_cache_home_dir(passwd_t) + gnome_manage_cache_home_dir(passwd_t)
+ gnome_stream_connect_gkeyringd(passwd_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -2915,7 +2992,7 @@ index d555767..68f6887 100644
') ')
######################################## ########################################
@@ -398,9 +445,10 @@ dev_read_urand(sysadm_passwd_t) @@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t)
@ -2928,7 +3005,7 @@ index d555767..68f6887 100644
auth_manage_shadow(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t)
@@ -413,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t) @@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t)
@ -2936,7 +3013,7 @@ index d555767..68f6887 100644
files_relabel_etc_files(sysadm_passwd_t) files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups # for nscd lookups
@@ -423,19 +470,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) @@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t) init_dontaudit_rw_utmp(sysadm_passwd_t)
@ -2958,7 +3035,7 @@ index d555767..68f6887 100644
') ')
######################################## ########################################
@@ -443,7 +488,8 @@ optional_policy(` @@ -443,7 +489,8 @@ optional_policy(`
# Useradd local policy # Useradd local policy
# #
@ -2968,7 +3045,7 @@ index d555767..68f6887 100644
dontaudit useradd_t self:capability sys_tty_config; dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate; allow useradd_t self:process setfscreate;
@@ -458,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; @@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto; allow useradd_t self:unix_stream_socket connectto;
@ -2979,7 +3056,7 @@ index d555767..68f6887 100644
# for getting the number of groups # for getting the number of groups
kernel_read_kernel_sysctls(useradd_t) kernel_read_kernel_sysctls(useradd_t)
@@ -465,36 +515,36 @@ corecmd_exec_shell(useradd_t) @@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t) corecmd_exec_bin(useradd_t)
@ -3028,7 +3105,7 @@ index d555767..68f6887 100644
auth_manage_shadow(useradd_t) auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t) auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t)
@@ -505,33 +555,36 @@ init_rw_utmp(useradd_t) @@ -505,33 +556,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t) logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t) logging_send_syslog_msg(useradd_t)
@ -3079,7 +3156,7 @@ index d555767..68f6887 100644
optional_policy(` optional_policy(`
apache_manage_all_user_content(useradd_t) apache_manage_all_user_content(useradd_t)
') ')
@@ -542,7 +595,12 @@ optional_policy(` @@ -542,7 +596,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3093,7 +3170,7 @@ index d555767..68f6887 100644
') ')
optional_policy(` optional_policy(`
@@ -550,6 +608,11 @@ optional_policy(` @@ -550,6 +609,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3105,7 +3182,7 @@ index d555767..68f6887 100644
tunable_policy(`samba_domain_controller',` tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t) samba_append_log(useradd_t)
') ')
@@ -559,3 +622,12 @@ optional_policy(` @@ -559,3 +623,12 @@ optional_policy(`
rpm_use_fds(useradd_t) rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t) rpm_rw_pipes(useradd_t)
') ')
@ -44757,7 +44834,7 @@ index e79d545..101086d 100644
') ')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..936a91d 100644 index 6e91317..260ea6c 100644
--- a/policy/support/obj_perm_sets.spt --- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -44867,7 +44944,7 @@ index 6e91317..936a91d 100644
+# +#
+# Service +# Service
+# +#
+define(`manage_service_perms', `{ start stop status reload kill load } ') +define(`manage_service_perms', `{ start stop status reload } ')
diff --git a/policy/users b/policy/users diff --git a/policy/users b/policy/users
index c4ebc7e..30d6d7a 100644 index c4ebc7e..30d6d7a 100644
--- a/policy/users --- a/policy/users

View File

@ -40198,10 +40198,10 @@ index 0000000..b694afc
+') +')
+ +
diff --git a/mozilla.fc b/mozilla.fc diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2..2c1c0e0 100644 index 6ffaba2..a4d75bf 100644
--- a/mozilla.fc --- a/mozilla.fc
+++ b/mozilla.fc +++ b/mozilla.fc
@@ -1,38 +1,68 @@ @@ -1,38 +1,69 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@ -40244,6 +40244,7 @@ index 6ffaba2..2c1c0e0 100644
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@ -40304,7 +40305,7 @@ index 6ffaba2..2c1c0e0 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+') +')
diff --git a/mozilla.if b/mozilla.if diff --git a/mozilla.if b/mozilla.if
index 6194b80..d54c5ba 100644 index 6194b80..ada96f0 100644
--- a/mozilla.if --- a/mozilla.if
+++ b/mozilla.if +++ b/mozilla.if
@@ -1,146 +1,75 @@ @@ -1,146 +1,75 @@
@ -40995,7 +40996,7 @@ index 6194b80..d54c5ba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -530,45 +499,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` @@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -41065,6 +41066,7 @@ index 6194b80..d54c5ba 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
@ -44778,7 +44780,7 @@ index 97370e4..3549b8f 100644
+ apache_search_sys_content(munin_t) + apache_search_sys_content(munin_t)
+') +')
diff --git a/mysql.fc b/mysql.fc diff --git a/mysql.fc b/mysql.fc
index c48dc17..6355fb4 100644 index c48dc17..43d56e3 100644
--- a/mysql.fc --- a/mysql.fc
+++ b/mysql.fc +++ b/mysql.fc
@@ -1,11 +1,24 @@ @@ -1,11 +1,24 @@
@ -44814,7 +44816,7 @@ index c48dc17..6355fb4 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) @@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@ -44836,6 +44838,7 @@ index c48dc17..6355fb4 100644
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) -/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) -/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if diff --git a/mysql.if b/mysql.if
@ -54755,7 +54758,7 @@ index 2c389ea..9155bd0 100644
+ +
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if diff --git a/passenger.if b/passenger.if
index bf59ef7..c050b37 100644 index bf59ef7..0ec51d4 100644
--- a/passenger.if --- a/passenger.if
+++ b/passenger.if +++ b/passenger.if
@@ -15,17 +15,16 @@ interface(`passenger_domtrans',` @@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
@ -54811,7 +54814,7 @@ index bf59ef7..c050b37 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -53,6 +69,88 @@ interface(`passenger_read_lib_files',` @@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',`
type passenger_var_lib_t; type passenger_var_lib_t;
') ')
@ -54877,9 +54880,14 @@ index bf59ef7..c050b37 100644
+interface(`passenger_stream_connect',` +interface(`passenger_stream_connect',`
+ gen_require(` + gen_require(`
+ type passenger_t; + type passenger_t;
+ type passenger_tmp_t;
+ type passenger_var_run_t;
+ ') + ')
+ +
+ allow $1 passenger_t:unix_stream_socket connectto; +
+
+ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
+ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
+') +')
+ +
+####################################### +#######################################
@ -55254,7 +55262,7 @@ index d2fc677..ded726f 100644
') ')
+ +
diff --git a/pegasus.te b/pegasus.te diff --git a/pegasus.te b/pegasus.te
index 7bcf327..2254bf5 100644 index 7bcf327..22a5b66 100644
--- a/pegasus.te --- a/pegasus.te
+++ b/pegasus.te +++ b/pegasus.te
@@ -1,17 +1,16 @@ @@ -1,17 +1,16 @@
@ -55278,7 +55286,7 @@ index 7bcf327..2254bf5 100644
type pegasus_cache_t; type pegasus_cache_t;
files_type(pegasus_cache_t) files_type(pegasus_cache_t)
@@ -30,20 +29,266 @@ files_type(pegasus_mof_t) @@ -30,20 +29,269 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t; type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t) files_pid_file(pegasus_var_run_t)
@ -55341,6 +55349,7 @@ index 7bcf327..2254bf5 100644
+auth_manage_passwd(pegasus_openlmi_account_t) +auth_manage_passwd(pegasus_openlmi_account_t)
+auth_manage_shadow(pegasus_openlmi_account_t) +auth_manage_shadow(pegasus_openlmi_account_t)
+auth_relabel_shadow(pegasus_openlmi_account_t) +auth_relabel_shadow(pegasus_openlmi_account_t)
+auth_read_login_records(pegasus_openlmi_account_t)
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t) +auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
+ +
+logging_send_audit_msgs(pegasus_openlmi_account_t) +logging_send_audit_msgs(pegasus_openlmi_account_t)
@ -55404,6 +55413,8 @@ index 7bcf327..2254bf5 100644
+ +
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms; +allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
+ +
+kernel_read_network_state(pegasus_openlmi_services_t)
+
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_services_t) + dbus_system_bus_client(pegasus_openlmi_services_t)
+') +')
@ -55550,7 +55561,7 @@ index 7bcf327..2254bf5 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +299,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) @@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -55581,7 +55592,7 @@ index 7bcf327..2254bf5 100644
kernel_read_network_state(pegasus_t) kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t) kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +325,21 @@ kernel_read_net_sysctls(pegasus_t) @@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t) kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t)
@ -55614,7 +55625,7 @@ index 7bcf327..2254bf5 100644
corecmd_exec_bin(pegasus_t) corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t) corecmd_exec_shell(pegasus_t)
@@ -114,6 +353,7 @@ files_getattr_all_dirs(pegasus_t) @@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t) auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t) auth_domtrans_chk_passwd(pegasus_t)
@ -55622,7 +55633,7 @@ index 7bcf327..2254bf5 100644
domain_use_interactive_fds(pegasus_t) domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t) domain_read_all_domains_state(pegasus_t)
@@ -128,18 +368,25 @@ init_stream_connect_script(pegasus_t) @@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t) logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t) logging_send_syslog_msg(pegasus_t)
@ -55654,7 +55665,7 @@ index 7bcf327..2254bf5 100644
') ')
optional_policy(` optional_policy(`
@@ -151,16 +398,24 @@ optional_policy(` @@ -151,16 +401,24 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -55683,7 +55694,7 @@ index 7bcf327..2254bf5 100644
') ')
optional_policy(` optional_policy(`
@@ -168,7 +423,7 @@ optional_policy(` @@ -168,7 +426,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -63019,7 +63030,7 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t) + read_files_pattern($1, procmail_home_t, procmail_home_t)
') ')
diff --git a/procmail.te b/procmail.te diff --git a/procmail.te b/procmail.te
index d447152..a911295 100644 index d447152..73c437c 100644
--- a/procmail.te --- a/procmail.te
+++ b/procmail.te +++ b/procmail.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -63054,7 +63065,7 @@ index d447152..a911295 100644
allow procmail_t procmail_log_t:dir setattr_dir_perms; allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -40,59 +44,76 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) @@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms; allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file) files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@ -63158,7 +63169,8 @@ index d447152..a911295 100644
') ')
optional_policy(` optional_policy(`
@@ -100,12 +121,7 @@ optional_policy(` - cyrus_stream_connect(procmail_t)
+ dovecot_stream_connect(procmail_t)
') ')
optional_policy(` optional_policy(`
@ -63168,18 +63180,20 @@ index d447152..a911295 100644
- mta_manage_mail_home_rw_content(procmail_t) - mta_manage_mail_home_rw_content(procmail_t)
- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir") - mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir") - mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
+ cyrus_stream_connect(procmail_t)
')
optional_policy(`
- munin_dontaudit_search_lib(procmail_t)
+ gnome_manage_data(procmail_t) + gnome_manage_data(procmail_t)
') ')
optional_policy(` optional_policy(`
@@ -113,16 +129,17 @@ optional_policy(` - nagios_search_spool(procmail_t)
+ munin_dontaudit_search_lib(procmail_t)
') ')
optional_policy(` optional_policy(`
- nagios_search_spool(procmail_t)
-')
-
-optional_policy(`
+ # for a bug in the postfix local program + # for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t) postfix_dontaudit_use_fds(procmail_t)
@ -63195,7 +63209,7 @@ index d447152..a911295 100644
') ')
optional_policy(` optional_policy(`
@@ -131,6 +148,8 @@ optional_policy(` @@ -131,6 +152,8 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -65393,10 +65407,10 @@ index 1148dce..86d25ea 100644
+ allow $2 pwauth_t:process signal; + allow $2 pwauth_t:process signal;
') ')
diff --git a/pwauth.te b/pwauth.te diff --git a/pwauth.te b/pwauth.te
index 3078e34..8f357cc 100644 index 3078e34..215df88 100644
--- a/pwauth.te --- a/pwauth.te
+++ b/pwauth.te +++ b/pwauth.te
@@ -5,38 +5,35 @@ policy_module(pwauth, 1.0.0) @@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
# Declarations # Declarations
# #
@ -65427,13 +65441,12 @@ index 3078e34..8f357cc 100644
manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
domain_use_interactive_fds(pwauth_t)
+
auth_domtrans_chkpwd(pwauth_t) auth_domtrans_chkpwd(pwauth_t)
auth_use_nsswitch(pwauth_t) auth_use_nsswitch(pwauth_t)
+auth_read_shadow(pwauth_t) +auth_read_shadow(pwauth_t)
+auth_rw_lastlog(pwauth_t)
init_read_utmp(pwauth_t) init_read_utmp(pwauth_t)
@ -82400,7 +82413,7 @@ index 3a9a70b..039b0c8 100644
logging_list_logs($1) logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t) admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te diff --git a/setroubleshoot.te b/setroubleshoot.te
index 49b12ae..d47e356 100644 index 49b12ae..d686e4a 100644
--- a/setroubleshoot.te --- a/setroubleshoot.te
+++ b/setroubleshoot.te +++ b/setroubleshoot.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -82561,7 +82574,7 @@ index 49b12ae..d47e356 100644
rpm_exec(setroubleshootd_t) rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t) rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t) rpm_read_db(setroubleshootd_t)
@@ -148,15 +160,18 @@ optional_policy(` @@ -148,26 +160,36 @@ optional_policy(`
######################################## ########################################
# #
@ -82581,7 +82594,9 @@ index 49b12ae..d47e356 100644
setroubleshoot_stream_connect(setroubleshoot_fixit_t) setroubleshoot_stream_connect(setroubleshoot_fixit_t)
kernel_read_system_state(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t)
@@ -165,9 +180,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +kernel_read_network_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t)
corecmd_getattr_all_executables(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t)
@ -82598,7 +82613,7 @@ index 49b12ae..d47e356 100644
files_list_tmp(setroubleshoot_fixit_t) files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t)
@@ -175,23 +196,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) @@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 99%{?dist} Release: 100%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -573,6 +573,22 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Nov 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-100
- Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
* Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99 * Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
- Add support for yubikey in homedir - Add support for yubikey in homedir
- Add support for upd/3052 port - Add support for upd/3052 port