rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Don't audit access checks by sandbox xserver on xdb var_lib 

- Allow ntop to read usbmon devices
- Add labeling for new polcykit authorizor
- Dontaudit access checks from fail2ban_client
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
- Fix labeling for all /usr/bim/razor-lightdm-* binaries
- Add filename trans for /dev/md126p1
This commit is contained in:
Miroslav Grepl 2013-06-20 16:58:38 +02:00
parent 859a101f23
commit 82acdf3079
3 changed files with 377 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

359
policy-rawhide-base.patch
View File

@ -15142,7 +15142,7 @@ index 54f1827..cc2de1a 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 1700ef2..f8f6456 100644
index 1700ef2..38b597e 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@ -15181,7 +15181,15 @@ index 1700ef2..f8f6456 100644
typeattribute $1 fixed_disk_raw_read;
')
@@ -205,6 +227,7 @@ interface(`storage_create_fixed_disk_dev',`
@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
interface(`storage_raw_rw_fixed_disk',`
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
+ dev_rw_generic_blk_files($1)
')
########################################
@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',`
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
@ -15189,7 +15197,7 @@ index 1700ef2..f8f6456 100644
dev_add_entry_generic_dirs($1)
')
@@ -269,6 +292,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
dev_filetrans($1, fixed_disk_device_t, blk_file)
')
@ -15238,7 +15246,7 @@ index 1700ef2..f8f6456 100644
########################################
## <summary>
## Create block devices in on a tmpfs filesystem with the
@@ -711,6 +776,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
@ -15263,7 +15271,7 @@ index 1700ef2..f8f6456 100644
########################################
## <summary>
## Allow the caller to directly read
@@ -808,3 +891,400 @@ interface(`storage_unconfined',`
@@ -808,3 +892,401 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@ -15374,6 +15382,7 @@ index 1700ef2..f8f6456 100644
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
@ -20595,7 +20604,7 @@ index 5fc0391..994eec2 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index d1f64a0..97140ee 100644
index d1f64a0..156a29f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -20685,7 +20694,7 @@ index d1f64a0..97140ee 100644
+
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/razor-lightdm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/razor-lightdm-* -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@ -20752,7 +20761,7 @@ index d1f64a0..97140ee 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..18223e7 100644
index 6bf0ecc..9388756 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -21224,18 +21233,19 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',`
@@ -765,11 +904,92 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
- type xdm_t, xdm_tmp_t;
+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
+ type xdm_dbusd_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } )
+')
+
+########################################
@ -21318,7 +21328,7 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',`
@@ -793,6 +1013,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
@ -21344,7 +21354,7 @@ index 6bf0ecc..18223e7 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
@@ -806,7 +1045,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@ -21371,7 +21381,7 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',`
@@ -846,7 +1103,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@ -21399,7 +21409,7 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',`
@@ -869,6 +1145,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@ -21424,7 +21434,7 @@ index 6bf0ecc..18223e7 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',`
@@ -938,7 +1232,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@ -21452,7 +21462,7 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',`
@@ -957,7 +1270,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@ -21461,66 +21471,167 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',`
@@ -1004,7 +1317,7 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
+## Read xdm config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_read_xdm_etc_files',`
+ gen_require(`
+ type xdm_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
+ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
+## Manage xdm config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_etc_files',`
+ gen_require(`
+ type xdm_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
## Read xdm temporary files.
-## Read xdm temporary files.
+## dontaudit access checks X keyboard extension libraries.
## </summary>
## <param name="domain">
@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
## <summary>
@@ -1012,56 +1325,57 @@ interface(`xserver_read_xkb_libs',`
## </summary>
## </param>
#
-interface(`xserver_read_xdm_tmp_files',`
+interface(`xserver_dontaudit_xkb_libs_access',`
gen_require(`
- type xdm_tmp_t;
+ type xkb_var_lib_t;
')
- files_search_tmp($1)
+ files_search_tmp($1)
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ dontaudit $1 xkb_var_lib_t:dir audit_access;
+ dontaudit $1 xkb_var_lib_t:file audit_access;
')
@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
-## Do not audit attempts to read xdm temporary files.
+## Read xdm config files.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain to not audit
## </summary>
## </param>
#
-interface(`xserver_dontaudit_read_xdm_tmp_files',`
+interface(`xserver_read_xdm_etc_files',`
gen_require(`
- type xdm_tmp_t;
+ type xdm_etc_t;
')
- dontaudit $1 xdm_tmp_t:dir search_dir_perms;
- dontaudit $1 xdm_tmp_t:file read_file_perms;
+ files_search_etc($1)
+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
+ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
')
########################################
## <summary>
-## Read write xdm temporary files.
+## Manage xdm config files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit
## </summary>
## </param>
#
-interface(`xserver_rw_xdm_tmp_files',`
+interface(`xserver_manage_xdm_etc_files',`
gen_require(`
- type xdm_tmp_t;
+ type xdm_etc_t;
')
- allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:file rw_file_perms;
+ files_search_etc($1)
+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
')
########################################
## <summary>
-## Create, read, write, and delete xdm temporary files.
+## Read xdm temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -1069,18 +1383,18 @@ interface(`xserver_rw_xdm_tmp_files',`
## </summary>
## </param>
#
-interface(`xserver_manage_xdm_tmp_files',`
+interface(`xserver_read_xdm_tmp_files',`
gen_require(`
type xdm_tmp_t;
')
- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ files_search_tmp($1)
+ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
########################################
## <summary>
-## Do not audit attempts to get the attributes of
-## xdm temporary named sockets.
+## Do not audit attempts to read xdm temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -1088,12 +1402,105 @@ interface(`xserver_manage_xdm_tmp_files',`
## </summary>
## </param>
#
-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+ dontaudit $1 xdm_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read write xdm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_tmp_files',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir search_dir_perms;
+ allow $1 xdm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete xdm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_files',`
gen_require(`
type xdm_tmp_t;
')
- dontaudit $1 xdm_tmp_t:sock_file getattr;
+ manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
@ -21558,19 +21669,24 @@ index 6bf0ecc..18223e7 100644
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
## <param name="domain">
@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
- dontaudit $1 xdm_tmp_t:sock_file getattr;
+## xdm temporary named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',`
@@ -1111,8 +1518,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@ -21582,7 +21698,7 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
@@ -1210,6 +1619,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
## <summary>
@ -21608,7 +21724,7 @@ index 6bf0ecc..18223e7 100644
## Connect to the X server over a unix domain
## stream socket.
## </summary>
@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',`
@@ -1226,6 +1654,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -21635,7 +21751,7 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',`
@@ -1251,7 +1699,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@ -21644,7 +21760,7 @@ index 6bf0ecc..18223e7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',`
@@ -1261,13 +1709,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@ -21669,7 +21785,7 @@ index 6bf0ecc..18223e7 100644
')
########################################
@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',`
@@ -1284,10 +1742,604 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@ -23864,7 +23980,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..c7f52c2 100644
index 3efd5b6..2f6ba05 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -24054,16 +24170,7 @@ index 3efd5b6..c7f52c2 100644
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
@@ -395,6 +432,8 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
+ pcscd_manage_pub_files($1)
+ pcscd_manage_pub_pipes($1)
pcscd_read_pid_files($1)
pcscd_stream_connect($1)
')
@@ -402,6 +441,8 @@ interface(`auth_domtrans_chk_passwd',`
@@ -402,6 +439,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@ -24072,7 +24179,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -448,6 +489,25 @@ interface(`auth_run_chk_passwd',`
@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@ -24098,7 +24205,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -467,7 +527,6 @@ interface(`auth_domtrans_upd_passwd',`
@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@ -24106,7 +24213,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -664,6 +723,10 @@ interface(`auth_manage_shadow',`
@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -24117,7 +24224,7 @@ index 3efd5b6..c7f52c2 100644
')
#######################################
@@ -763,7 +826,50 @@ interface(`auth_rw_faillog',`
@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@ -24169,7 +24276,7 @@ index 3efd5b6..c7f52c2 100644
')
#######################################
@@ -824,9 +930,29 @@ interface(`auth_rw_lastlog',`
@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@ -24200,7 +24307,7 @@ index 3efd5b6..c7f52c2 100644
## </summary>
## <param name="domain">
## <summary>
@@ -834,12 +960,27 @@ interface(`auth_rw_lastlog',`
@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',`
## </summary>
## </param>
#
@ -24231,7 +24338,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -854,15 +995,15 @@ interface(`auth_domtrans_pam',`
@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@ -24250,7 +24357,7 @@ index 3efd5b6..c7f52c2 100644
## </summary>
## <param name="domain">
## <summary>
@@ -875,13 +1016,33 @@ interface(`auth_signal_pam',`
@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',`
## </summary>
## </param>
#
@ -24288,7 +24395,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -959,9 +1120,30 @@ interface(`auth_manage_var_auth',`
@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@ -24322,7 +24429,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -1040,6 +1222,10 @@ interface(`auth_manage_pam_pid',`
@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@ -24333,7 +24440,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -1176,6 +1362,7 @@ interface(`auth_manage_pam_console_data',`
@@ -1176,6 +1360,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -24341,7 +24448,7 @@ index 3efd5b6..c7f52c2 100644
')
#######################################
@@ -1576,6 +1763,25 @@ interface(`auth_setattr_login_records',`
@@ -1576,6 +1761,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@ -24367,7 +24474,7 @@ index 3efd5b6..c7f52c2 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
@@ -1726,24 +1932,7 @@ interface(`auth_manage_login_records',`
@@ -1726,24 +1930,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@ -24393,7 +24500,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -1767,11 +1956,13 @@ interface(`auth_relabel_login_records',`
@@ -1767,11 +1954,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@ -24410,7 +24517,7 @@ index 3efd5b6..c7f52c2 100644
')
########################################
@@ -1805,3 +1996,219 @@ interface(`auth_unconfined',`
@@ -1805,3 +1994,219 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -28821,7 +28928,7 @@ index 5dfa44b..2502d06 100644
optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..dc79c6f 100644
index 73bb3c0..6e848de 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -28983,7 +29090,7 @@ index 73bb3c0..dc79c6f 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
@@ -299,17 +310,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@ -29141,6 +29248,8 @@ index 73bb3c0..dc79c6f 100644
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
@ -30183,7 +30292,7 @@ index 4e94884..5481f47 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 39ea221..4dd92d4 100644
index 39ea221..7094526 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@ -30371,7 +30480,7 @@ index 39ea221..4dd92d4 100644
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 { syslog block_suspend };
# setpgid for metalog
@ -36903,10 +37012,10 @@ index 0f64692..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a5ec88b..1749342 100644
index a5ec88b..e7663f3 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@ -36921,8 +37030,13 @@ index a5ec88b..1749342 100644
+typealias udev_var_run_t alias udev_tbl_t;
init_daemon_run_dir(udev_var_run_t, "udev")
+type udev_tmp_t;
+files_tmp_file(udev_tmp_t)
+
ifdef(`enable_mcs',`
@@ -37,9 +35,11 @@ ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
# Local policy
#
@ -36936,7 +37050,7 @@ index a5ec88b..1749342 100644
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
@@ -53,6 +53,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@ -36944,14 +37058,17 @@ index a5ec88b..1749342 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t)
@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
-
+allow udev_t udev_tmp_t:dir manage_dir_perms;
+allow udev_t udev_tmp_t:file manage_file_perms;
+files_tmp_filetrans(udev_t, udev_tmp_t, { file dir })
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
-read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
@ -36988,7 +37105,7 @@ index a5ec88b..1749342 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@ -36996,7 +37113,7 @@ index a5ec88b..1749342 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t)
@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@ -37032,7 +37149,7 @@ index a5ec88b..1749342 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t)
@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@ -37054,7 +37171,7 @@ index a5ec88b..1749342 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
@@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t)
@@ -170,6 +195,9 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@ -37064,7 +37181,7 @@ index a5ec88b..1749342 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
@@ -179,16 +200,9 @@ ifdef(`distro_gentoo',`
@@ -179,16 +207,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@ -37083,7 +37200,7 @@ index a5ec88b..1749342 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
@@ -226,19 +240,34 @@ optional_policy(`
@@ -226,19 +247,34 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@ -37118,7 +37235,7 @@ index a5ec88b..1749342 100644
')
optional_policy(`
@@ -264,6 +293,10 @@ optional_policy(`
@@ -264,6 +300,10 @@ optional_policy(`
')
optional_policy(`
@ -37129,7 +37246,7 @@ index a5ec88b..1749342 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
@@ -278,6 +311,15 @@ optional_policy(`
@@ -278,6 +318,15 @@ optional_policy(`
')
optional_policy(`
@ -37145,7 +37262,7 @@ index a5ec88b..1749342 100644
unconfined_signal(udev_t)
')
@@ -290,6 +332,7 @@ optional_policy(`
@@ -290,6 +339,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)

144
policy-rawhide-contrib.patch
View File

@ -10904,7 +10904,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
index 914ee2d..770ae51 100644
index 914ee2d..1544e9b 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -10934,10 +10934,12 @@ index 914ee2d..770ae51 100644
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+
@ -23011,7 +23013,7 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index 0872e50..5d49b4f 100644
index 0872e50..d336d7f 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
@ -23056,7 +23058,15 @@ index 0872e50..5d49b4f 100644
iptables_domtrans(fail2ban_t)
')
@@ -137,14 +137,12 @@ corecmd_exec_bin(fail2ban_client_t)
@@ -129,6 +129,7 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
kernel_read_system_state(fail2ban_client_t)
@@ -137,14 +138,12 @@ corecmd_exec_bin(fail2ban_client_t)
domain_use_interactive_fds(fail2ban_client_t)
@ -27140,7 +27150,7 @@ index d03fd43..26023f7 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
index 20f726b..6af4e62 100644
index 20f726b..8e905be 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,18 +1,36 @@
@ -27368,7 +27378,7 @@ index 20f726b..6af4e62 100644
+')
+
+optional_policy(`
+ gnome_read_home_config(gnomesystemmm_t)
+ gnome_manage_home_config(gnomesystemmm_t)
+')
+
+optional_policy(`
@ -37396,11 +37406,104 @@ index 0000000..67b8b3d
+tunable_policy(`mock_enable_homedirs',`
+ userdom_read_user_home_content_files(mock_build_t)
+')
diff --git a/modemmanager.fc b/modemmanager.fc
index a83894c..481dca3 100644
--- a/modemmanager.fc
+++ b/modemmanager.fc
@@ -1 +1,4 @@
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
diff --git a/modemmanager.if b/modemmanager.if
index b1ac8b5..90ca430 100644
--- a/modemmanager.if
+++ b/modemmanager.if
@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
########################################
## <summary>
+## Execute modemmanager server in the modemmanager domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modemmanager_systemctl',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, modemmanager_t)
+')
+
+########################################
+## <summary>
## Send and receive messages from
## modemmanager over dbus.
## </summary>
@@ -39,3 +63,38 @@ interface(`modemmanager_dbus_chat',`
allow $1 modemmanager_t:dbus send_msg;
allow modemmanager_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an modemmanager environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modemmanager_admin',`
+ gen_require(`
+ type modemmanager_t;
+ type modemmanager_unit_file_t;
+ ')
+
+ allow $1 modemmanager_t:process { ptrace signal_perms };
+ ps_process_pattern($1, modemmanager_t)
+
+ modemmanager_systemctl($1)
+ admin_pattern($1, modemmanager_unit_file_t)
+ allow $1 modemmanager_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
index cb4c13d..d744144 100644
index cb4c13d..ab6fb25 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -27,12 +27,12 @@ kernel_read_system_state(modemmanager_t)
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
typealias modemmanager_t alias ModemManager_t;
typealias modemmanager_exec_t alias ModemManager_exec_t;
+type modemmanager_unit_file_t;
+systemd_unit_file(modemmanager_unit_file_t)
+
########################################
#
# Local policy
@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
dev_read_sysfs(modemmanager_t)
dev_rw_modem(modemmanager_t)
@ -47550,7 +47653,7 @@ index 0000000..7d839fe
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
index 52757d8..638c3d2 100644
index 52757d8..6ce5c69 100644
--- a/ntop.te
+++ b/ntop.te
@@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t)
@ -47561,7 +47664,12 @@ index 52757d8..638c3d2 100644
corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t)
@@ -81,7 +80,6 @@ dev_rw_generic_usb_dev(ntop_t)
@@ -78,10 +77,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
dev_read_sysfs(ntop_t)
dev_rw_generic_usb_dev(ntop_t)
+dev_read_usbmon_dev(ntop_t)
+dev_write_usbmon_dev(ntop_t)
domain_use_interactive_fds(ntop_t)
@ -49990,10 +50098,10 @@ index 0000000..bddd4b3
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 0000000..877c71a
index 0000000..35f9df0
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,546 @@
@@ -0,0 +1,547 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@ -50041,6 +50149,7 @@ index 0000000..877c71a
+files_pid_file(openshift_var_run_t)
+
+type openshift_var_lib_t, openshift_file_type;
+userdom_user_home_content(openshift_var_lib_t)
+files_poly(openshift_var_lib_t)
+files_poly_parent(openshift_var_lib_t)
+files_mountpoint(openshift_var_lib_t)
@ -54227,10 +54336,10 @@ index a14b3bc..b196183 100644
userdom_signal_unpriv_users(podsleuth_t)
diff --git a/policykit.fc b/policykit.fc
index 1d76c72..4718a93 100644
index 1d76c72..eeb33d9 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -1,23 +1,20 @@
@@ -1,23 +1,21 @@
-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-
@ -54241,6 +54350,7 @@ index 1d76c72..4718a93 100644
-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
@ -74663,10 +74773,10 @@ index 0000000..5da5bff
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..81198c3
index 0000000..cb720ee
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,463 @@
@@ -0,0 +1,465 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@ -74774,6 +74884,8 @@ index 0000000..81198c3
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
+
+xserver_read_xkb_libs(sandbox_xserver_t)
+xserver_dontaudit_xkb_libs_access(sandbox_xserver_t)
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`

12
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 53%{?dist}
Release: 54%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -535,6 +535,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Jun 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-54
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow ntop to read usbmon devices
- Add labeling for new polcykit authorizor
- Dontaudit access checks from fail2ban_client
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
- Fix labeling for all /usr/bim/razor-lightdm-* binaries
- Add filename trans for /dev/md126p1
* Tue Jun 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-53
- Make vdagent able to request loading kernel module
- Add support for cloud-init make it as unconfined domain