- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t

- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
Miroslav Grepl 2012-07-11 16:45:33 +02:00
parent 770036a507
commit 98ec5a124e
3 changed files with 612 additions and 189 deletions


@ -58436,6 +58436,20 @@ index f477c7f..d80599b 100644
+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
index d218387..c406594 100644
--- a/policy/mls
+++ b/policy/mls
@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsnetwrite ));
+ ( t1 == mlsnetwrite ) or
+ ( t2 == mlstrustedobject ));
# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 7a6f06f..48fc840 100644
--- a/policy/modules/admin/bootloader.fc
@ -58906,10 +58920,18 @@ index c6ca761..46e0767 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index e0791b9..9f49d01 100644
index e0791b9..98d188e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t self:socket create_socket_perms;
+allow netutils_t self:netlink_socket create_socket_perms;
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)
@ -58918,7 +58940,7 @@ index e0791b9..9f49d01 100644
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
@ -58928,7 +58950,7 @@ index e0791b9..9f49d01 100644
fs_getattr_xattr_fs(netutils_t)
@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t)
@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
term_dontaudit_use_console(netutils_t)
@ -58937,7 +58959,7 @@ index e0791b9..9f49d01 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
@@ -104,6 +109,8 @@ optional_policy(`
@@ -104,6 +110,8 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
@ -58946,7 +58968,7 @@ index e0791b9..9f49d01 100644
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
@ -58955,7 +58977,7 @@ index e0791b9..9f49d01 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@ -58981,7 +59003,7 @@ index e0791b9..9f49d01 100644
pcmcia_use_cardmgr_fds(ping_t)
')
@@ -157,6 +176,10 @@ optional_policy(`
@@ -157,6 +177,10 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@ -58992,7 +59014,7 @@ index e0791b9..9f49d01 100644
########################################
#
# Traceroute local policy
@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@ -59000,7 +59022,7 @@ index e0791b9..9f49d01 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@ -59359,6 +59381,18 @@ index 1bd7d84..4f57935 100644
+optional_policy(`
+ fprintd_dbus_chat(sudodomain)
+')
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce..204bdc8 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
/usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
/usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0)
/usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 98b8b2d..da75471 100644
--- a/policy/modules/admin/usermanage.if
@ -60162,7 +60196,7 @@ index 7590165..59539e8 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index db981df..b77f19f 100644
index db981df..b0ff71c 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -60240,7 +60274,7 @@ index db981df..b77f19f 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',`
@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@ -60261,7 +60295,8 @@ index db981df..b77f19f 100644
-/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/pingus -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
@ -60334,7 +60369,7 @@ index db981df..b77f19f 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',`
@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@ -60350,7 +60385,7 @@ index db981df..b77f19f 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',`
@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@ -60370,7 +60405,7 @@ index db981df..b77f19f 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',`
@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@ -60381,7 +60416,7 @@ index db981df..b77f19f 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',`
@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@ -60402,7 +60437,7 @@ index db981df..b77f19f 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -314,8 +366,12 @@ ifdef(`distro_redhat', `
@@ -314,8 +367,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@ -60415,7 +60450,7 @@ index db981df..b77f19f 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -325,9 +381,11 @@ ifdef(`distro_redhat', `
@@ -325,9 +382,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -60427,7 +60462,7 @@ index db981df..b77f19f 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -376,11 +434,14 @@ ifdef(`distro_suse', `
@@ -376,11 +435,14 @@ ifdef(`distro_suse', `
#
# /var
#
@ -60443,7 +60478,7 @@ index db981df..b77f19f 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
@@ -390,3 +451,12 @@ ifdef(`distro_suse', `
@@ -390,3 +452,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@ -72824,10 +72859,10 @@ index fe0c682..93ec53f 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index b17e27a..d193a52 100644
index b17e27a..9dbbafe 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0)
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
#
## <desc>
@ -72872,13 +72907,14 @@ index b17e27a..d193a52 100644
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)
@@ -33,17 +44,12 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+mls_trusted_object(sshd_t)
+
+type sshd_initrc_exec_t;
+init_script_file(sshd_initrc_exec_t)
+
type sshd_key_t;
files_type(sshd_key_t)
@ -72893,7 +72929,7 @@ index b17e27a..d193a52 100644
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@@ -73,6 +79,11 @@ type ssh_home_t;
@@ -73,6 +80,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
@ -72905,7 +72941,7 @@ index b17e27a..d193a52 100644
##############################
#
@@ -83,6 +94,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -72913,7 +72949,7 @@ index b17e27a..d193a52 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
@@ -90,15 +102,11 @@ allow ssh_t self:sem create_sem_perms;
@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -72930,7 +72966,7 @@ index b17e27a..d193a52 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -108,20 +116,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
@@ -108,20 +117,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@ -72960,7 +72996,7 @@ index b17e27a..d193a52 100644
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
@@ -133,7 +147,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
@@ -133,7 +148,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@ -72972,7 +73008,7 @@ index b17e27a..d193a52 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
@@ -157,37 +175,36 @@ logging_read_generic_logs(ssh_t)
@@ -157,37 +176,36 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
miscfiles_read_localization(ssh_t)
@ -73027,7 +73063,7 @@ index b17e27a..d193a52 100644
')
optional_policy(`
@@ -195,28 +212,24 @@ optional_policy(`
@@ -195,28 +213,24 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@ -73060,7 +73096,7 @@ index b17e27a..d193a52 100644
#################################
#
# sshd local policy
@@ -227,33 +240,46 @@ optional_policy(`
@@ -227,33 +241,46 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@ -73116,7 +73152,7 @@ index b17e27a..d193a52 100644
')
optional_policy(`
@@ -261,11 +287,24 @@ optional_policy(`
@@ -261,11 +288,24 @@ optional_policy(`
')
optional_policy(`
@ -73142,7 +73178,7 @@ index b17e27a..d193a52 100644
')
optional_policy(`
@@ -283,6 +322,15 @@ optional_policy(`
@@ -283,6 +323,15 @@ optional_policy(`
')
optional_policy(`
@ -73158,7 +73194,7 @@ index b17e27a..d193a52 100644
unconfined_shell_domtrans(sshd_t)
')
@@ -290,6 +338,29 @@ optional_policy(`
@@ -290,6 +339,29 @@ optional_policy(`
xserver_domtrans_xauth(sshd_t)
')
@ -73188,7 +73224,7 @@ index b17e27a..d193a52 100644
########################################
#
# ssh_keygen local policy
@@ -298,19 +369,26 @@ optional_policy(`
@@ -298,19 +370,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@ -73216,7 +73252,7 @@ index b17e27a..d193a52 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -327,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t)
@@ -327,9 +406,11 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@ -73230,7 +73266,7 @@ index b17e27a..d193a52 100644
')
optional_policy(`
@@ -339,3 +419,83 @@ optional_policy(`
@@ -339,3 +420,83 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@ -73315,7 +73351,7 @@ index b17e27a..d193a52 100644
+ ssh_rw_dgram_sockets(chroot_user_t)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index fc86b7c..f393f76 100644
index fc86b7c..3347d48 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -73421,11 +73457,12 @@ index fc86b7c..f393f76 100644
-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@ -77506,7 +77543,7 @@ index d2e40b8..3ba2e4c 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d26fe81..3ff8fef 100644
index d26fe81..3f3a57f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@ -77748,7 +77785,7 @@ index d26fe81..3ff8fef 100644
#
interface(`init_exec',`
gen_require(`
@@ -451,6 +522,29 @@ interface(`init_exec',`
@@ -451,6 +522,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@ -77760,6 +77797,25 @@ index d26fe81..3ff8fef 100644
+
+#######################################
+## <summary>
+## Check access to the init/systemd executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_access_check',`
+ gen_require(`
+ type init_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 init_exec_t:file { getattr_file_perms execute };
+')
+
+#######################################
+## <summary>
+## Dontaudit getattr on the init program.
+## </summary>
+## <param name="domain">
@ -77778,7 +77834,7 @@ index d26fe81..3ff8fef 100644
')
########################################
@@ -539,6 +633,24 @@ interface(`init_sigchld',`
@@ -539,6 +652,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@ -77803,7 +77859,7 @@ index d26fe81..3ff8fef 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
@@ -549,10 +661,66 @@ interface(`init_sigchld',`
@@ -549,10 +680,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@ -77872,7 +77928,7 @@ index d26fe81..3ff8fef 100644
')
########################################
@@ -718,19 +886,25 @@ interface(`init_telinit',`
@@ -718,19 +905,25 @@ interface(`init_telinit',`
type initctl_t;
')
@ -77899,7 +77955,7 @@ index d26fe81..3ff8fef 100644
')
')
@@ -760,7 +934,7 @@ interface(`init_rw_initctl',`
@@ -760,7 +953,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@ -77908,7 +77964,7 @@ index d26fe81..3ff8fef 100644
## </summary>
## </param>
#
@@ -803,11 +977,12 @@ interface(`init_script_file_entry_type',`
@@ -803,11 +996,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@ -77923,7 +77979,7 @@ index d26fe81..3ff8fef 100644
ifdef(`distro_gentoo',`
gen_require(`
@@ -818,11 +993,11 @@ interface(`init_spec_domtrans_script',`
@@ -818,11 +1012,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@ -77937,7 +77993,7 @@ index d26fe81..3ff8fef 100644
')
')
@@ -838,19 +1013,41 @@ interface(`init_spec_domtrans_script',`
@@ -838,19 +1032,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@ -77983,7 +78039,7 @@ index d26fe81..3ff8fef 100644
')
########################################
@@ -906,9 +1103,14 @@ interface(`init_script_file_domtrans',`
@@ -906,9 +1122,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@ -77998,7 +78054,7 @@ index d26fe81..3ff8fef 100644
files_search_etc($1)
')
@@ -999,7 +1201,9 @@ interface(`init_ptrace',`
@@ -999,7 +1220,9 @@ interface(`init_ptrace',`
type init_t;
')
@ -78009,7 +78065,7 @@ index d26fe81..3ff8fef 100644
')
########################################
@@ -1117,6 +1321,24 @@ interface(`init_read_all_script_files',`
@@ -1117,6 +1340,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@ -78034,7 +78090,7 @@ index d26fe81..3ff8fef 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
@@ -1168,12 +1390,7 @@ interface(`init_read_script_state',`
@@ -1168,12 +1409,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@ -78048,7 +78104,7 @@ index d26fe81..3ff8fef 100644
')
########################################
@@ -1413,6 +1630,27 @@ interface(`init_dbus_send_script',`
@@ -1413,6 +1649,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@ -78076,7 +78132,7 @@ index d26fe81..3ff8fef 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
@@ -1499,6 +1737,25 @@ interface(`init_getattr_script_status_files',`
@@ -1499,6 +1756,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@ -78102,7 +78158,7 @@ index d26fe81..3ff8fef 100644
## Do not audit attempts to read init script
## status files.
## </summary>
@@ -1557,6 +1814,24 @@ interface(`init_rw_script_tmp_files',`
@@ -1557,6 +1833,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@ -78127,7 +78183,7 @@ index d26fe81..3ff8fef 100644
## Create files in a init script
## temporary data directory.
## </summary>
@@ -1629,6 +1904,43 @@ interface(`init_read_utmp',`
@@ -1629,6 +1923,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
@ -78171,7 +78227,7 @@ index d26fe81..3ff8fef 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
@@ -1717,7 +2029,7 @@ interface(`init_dontaudit_rw_utmp',`
@@ -1717,7 +2048,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@ -78180,7 +78236,7 @@ index d26fe81..3ff8fef 100644
')
########################################
@@ -1758,6 +2070,128 @@ interface(`init_pid_filetrans_utmp',`
@@ -1758,6 +2089,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@ -78309,7 +78365,7 @@ index d26fe81..3ff8fef 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
@@ -1792,3 +2226,284 @@ interface(`init_udp_recvfrom_all_daemons',`
@@ -1792,3 +2245,284 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@ -81014,7 +81070,7 @@ index 02f4c97..54c74fe 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 321bb13..4d8e1a9 100644
index 321bb13..e9c2da9 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -81099,10 +81155,17 @@ index 321bb13..4d8e1a9 100644
########################################
## <summary>
## Send system log messages.
@@ -550,6 +607,45 @@ interface(`logging_send_syslog_msg',`
########################################
## <summary>
@@ -546,6 +603,48 @@ interface(`logging_send_syslog_msg',`
# will write to the console.
term_write_console($1)
term_dontaudit_read_console($1)
+ ifdef(`hide_broken_symptoms',`
+ kernel_dgram_send($1)
+ ')
+')
+
+########################################
+## <summary>
+## Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
@ -81138,14 +81201,10 @@ index 321bb13..4d8e1a9 100644
+
+ files_search_pids($1)
+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
+')
+
+########################################
+## <summary>
## Read the auditd configuration files.
## </summary>
## <param name="domain">
@@ -739,7 +835,25 @@ interface(`logging_append_all_logs',`
')
########################################
@@ -739,7 +838,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@ -81172,7 +81231,7 @@ index 321bb13..4d8e1a9 100644
')
########################################
@@ -822,7 +936,7 @@ interface(`logging_manage_all_logs',`
@@ -822,7 +939,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@ -81181,7 +81240,7 @@ index 321bb13..4d8e1a9 100644
')
########################################
@@ -848,6 +962,44 @@ interface(`logging_read_generic_logs',`
@@ -848,6 +965,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
@ -81226,7 +81285,7 @@ index 321bb13..4d8e1a9 100644
## Write generic log files.
## </summary>
## <param name="domain">
@@ -947,11 +1099,16 @@ interface(`logging_admin_audit',`
@@ -947,11 +1102,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
@ -81244,7 +81303,7 @@ index 321bb13..4d8e1a9 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
@@ -967,6 +1124,33 @@ interface(`logging_admin_audit',`
@@ -967,6 +1127,33 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@ -81278,7 +81337,7 @@ index 321bb13..4d8e1a9 100644
')
########################################
@@ -995,10 +1179,15 @@ interface(`logging_admin_syslog',`
@@ -995,10 +1182,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@ -81296,7 +81355,7 @@ index 321bb13..4d8e1a9 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
@@ -1020,6 +1209,8 @@ interface(`logging_admin_syslog',`
@@ -1020,6 +1212,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@ -81305,7 +81364,7 @@ index 321bb13..4d8e1a9 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1048,3 +1239,25 @@ interface(`logging_admin',`
@@ -1048,3 +1242,25 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
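Review bot: The kernel_dgram_send($1) added under the hide_broken_symptoms ifdef in the logging_send_syslog_msg hunk of policy/modules/system/logging.if lets every domain that calls this interface send datagrams to kernel_t, and the only statement of why lives in the spec changelog. The commit message calls it a stop-gap, so the policy should carry that itself so the grant is found and removed later, e.g. `# Workaround for systemd issues (see 3.11.0-9 changelog): syslog senders` / `# need to dgram-send to kernel_t; drop once the systemd issues are resolved.`. The same missing rationale applies to the new `( t2 == mlstrustedobject ))` clause in the policy/mls socket constraint and to `mls_trusted_object(sshd_t)` in ssh.te, which together lift the MLS level check for writes to any socket whose type carries the mlstrustedobject attribute, not only sshd_t's; a one-line comment naming the sshd privsep case would make the intended scope reviewable. The logging_send_syslog_msg interface opens before this hunk, as do the mls constraint and the sshd_t declarations.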



@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.0
Release: 8%{?dist}
Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -491,6 +491,37 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Jul 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-9
- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.