* Tue Apr 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-38

- Allow thumbnails to share memory with apps which run thumbnails
- Allow postfix-postqueue block_suspend
- Add lib interfaces for smsd
- Add support for nginx
- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
- Allow pki apache domain to create own tmp files and execute httpd_suexec
- Allow procmail to manage user tmp files/dirs/lnk_files
- Add virt_stream_connect_svirt() interface
- Allow dovecot-auth to execute bin_t
- Allow iscsid to request that kernel load a kernel module
- Add labeling support for /var/lib/mod_security
- Allow iw running as tuned_t to create netlink socket
- Dontaudit sys_tty_config for thumb_t
- Add labeling for nm-l2tp-service
- Allow httpd running as certwatch_t to open tcp socket
- Allow useradd to manage smsd lib files
- Allow useradd_t to add homedirs in /var/lib
- Fix typo in userdomain.te
- Cleanup userdom_read_home_certs
- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t
- Allow staff to stream connect to svirt_t to make gnome-boxes working
This commit is contained in:
Miroslav Grepl 2013-04-30 15:56:20 +02:00
parent ac58d9fab2
commit a97fbb2332
3 changed files with 427 additions and 223 deletions


@ -2367,7 +2367,7 @@ index 99e3903..7270808 100644
######################################## ########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d555767..fdd0567 100644 index d555767..4165b4d 100644
--- a/policy/modules/admin/usermanage.te --- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@ -2653,13 +2653,13 @@ index d555767..fdd0567 100644
# on user home dir # on user home dir
userdom_dontaudit_search_user_home_content(passwd_t) userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t) +userdom_stream_connect(passwd_t)
+
+optional_policy(`
+ gnome_exec_keyringd(passwd_t)
+')
optional_policy(` optional_policy(`
- nscd_run(passwd_t, passwd_roles) - nscd_run(passwd_t, passwd_roles)
+ gnome_exec_keyringd(passwd_t)
+')
+
+optional_policy(`
+ #nscd_run(passwd_t, passwd_roles) + #nscd_run(passwd_t, passwd_roles)
+ nscd_domtrans(passwd_t) + nscd_domtrans(passwd_t)
') ')
@ -2729,7 +2729,7 @@ index d555767..fdd0567 100644
# for getting the number of groups # for getting the number of groups
kernel_read_kernel_sysctls(useradd_t) kernel_read_kernel_sysctls(useradd_t)
@@ -465,36 +513,35 @@ corecmd_exec_shell(useradd_t) @@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t) corecmd_exec_bin(useradd_t)
@ -2745,6 +2745,7 @@ index d555767..fdd0567 100644
files_relabel_etc_files(useradd_t) files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t) files_read_etc_runtime_files(useradd_t)
+files_manage_etc_files(useradd_t) +files_manage_etc_files(useradd_t)
+files_rw_var_lib_dirs(useradd_t)
fs_search_auto_mountpoints(useradd_t) fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t) fs_getattr_xattr_fs(useradd_t)
@ -2777,7 +2778,7 @@ index d555767..fdd0567 100644
auth_manage_shadow(useradd_t) auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t) auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t)
@@ -505,33 +552,36 @@ init_rw_utmp(useradd_t) @@ -505,33 +553,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t) logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t) logging_send_syslog_msg(useradd_t)
@ -2828,7 +2829,7 @@ index d555767..fdd0567 100644
optional_policy(` optional_policy(`
apache_manage_all_user_content(useradd_t) apache_manage_all_user_content(useradd_t)
') ')
@@ -542,7 +592,8 @@ optional_policy(` @@ -542,7 +593,8 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -2838,7 +2839,7 @@ index d555767..fdd0567 100644
') ')
optional_policy(` optional_policy(`
@@ -550,6 +601,11 @@ optional_policy(` @@ -550,6 +602,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -2850,12 +2851,17 @@ index d555767..fdd0567 100644
tunable_policy(`samba_domain_controller',` tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t) samba_append_log(useradd_t)
') ')
@@ -559,3 +615,7 @@ optional_policy(` @@ -559,3 +616,12 @@ optional_policy(`
rpm_use_fds(useradd_t) rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t) rpm_rw_pipes(useradd_t)
') ')
+ +
+optional_policy(` +optional_policy(`
+ smsd_manage_lib_files(useradd_t)
+ smsd_manage_lib_dirs(useradd_t)
+')
+
+optional_policy(`
+ stapserver_manage_lib(useradd_t) + stapserver_manage_lib(useradd_t)
+') +')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
@ -18190,7 +18196,7 @@ index 234a940..d340f20 100644
######################################## ########################################
## <summary> ## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 5da7870..b66bc2a 100644 index 5da7870..8bd910a 100644
--- a/policy/modules/roles/staff.te --- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1) @@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
@ -18510,7 +18516,7 @@ index 5da7870..b66bc2a 100644
spamassassin_role(staff_r, staff_t) spamassassin_role(staff_r, staff_t)
') ')
@@ -176,3 +363,20 @@ ifndef(`distro_redhat',` @@ -176,3 +363,21 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t) wireshark_role(staff_r, staff_t)
') ')
') ')
@ -18529,6 +18535,7 @@ index 5da7870..b66bc2a 100644
+ allow staff_t self:fifo_file relabelfrom; + allow staff_t self:fifo_file relabelfrom;
+ dev_rw_kvm(staff_t) + dev_rw_kvm(staff_t)
+ virt_manage_images(staff_t) + virt_manage_images(staff_t)
+ virt_stream_connect_svirt(staff_t)
+ ') + ')
+') +')
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
@ -39203,7 +39210,7 @@ index db75976..65191bd 100644
+ +
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3c5dba7..b44b1c9 100644 index 3c5dba7..df7407b 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -41870,7 +41877,7 @@ index 3c5dba7..b44b1c9 100644
## Create keys for all user domains. ## Create keys for all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',` @@ -3438,4 +4197,1390 @@ interface(`userdom_dbus_send_all_users',`
') ')
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
@ -42687,13 +42694,10 @@ index 3c5dba7..b44b1c9 100644
+# +#
+interface(`userdom_read_home_certs',` +interface(`userdom_read_home_certs',`
+ gen_require(` + gen_require(`
+ type home_cert_t; + attribute userdom_home_reader_certs_type;
+ ') + ')
+ +
+ userdom_search_user_home_content($1) + typeattribute $1 userdom_home_reader_certs_type;
+ allow $1 home_cert_t:dir list_dir_perms;
+ read_files_pattern($1, home_cert_t, home_cert_t)
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
+') +')
+ +
+######################################## +########################################
@ -43265,7 +43269,7 @@ index 3c5dba7..b44b1c9 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
') ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e2b538b..9e23738 100644 index e2b538b..2582882 100644
--- a/policy/modules/system/userdomain.te --- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@ -43290,36 +43294,36 @@ index e2b538b..9e23738 100644
## <desc> ## <desc>
## <p> ## <p>
-## Allow regular users direct mouse access -## Allow regular users direct mouse access
-## </p>
-## </desc>
-gen_tunable(user_direct_mouse, false)
-
-## <desc>
-## <p>
-## Allow users to read system messages.
+## Allow user to r/w files on filesystems +## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY) +## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p> ## </p>
## </desc> ## </desc>
-gen_tunable(user_direct_mouse, false)
+gen_tunable(selinuxuser_rw_noexattrfile, false)
## <desc>
## <p>
-## Allow users to read system messages.
+## Allow user music sharing
## </p>
## </desc>
-gen_tunable(user_dmesg, false) -gen_tunable(user_dmesg, false)
+gen_tunable(selinuxuser_share_music, false) +gen_tunable(selinuxuser_rw_noexattrfile, false)
## <desc> ## <desc>
## <p> ## <p>
-## Allow user to r/w files on filesystems -## Allow user to r/w files on filesystems
-## that do not have extended attributes (FAT, CDROM, FLOPPY) -## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## Allow user to use ssh chroot environment. +## Allow user music sharing
## </p> ## </p>
## </desc> ## </desc>
-gen_tunable(user_rw_noexattrfile, false) -gen_tunable(user_rw_noexattrfile, false)
- +gen_tunable(selinuxuser_share_music, false)
-## <desc>
-## <p> ## <desc>
## <p>
-## Allow w to display everyone -## Allow w to display everyone
-## </p> +## Allow user to use ssh chroot environment.
-## </desc> ## </p>
## </desc>
-gen_tunable(user_ttyfile_stat, false) -gen_tunable(user_ttyfile_stat, false)
+gen_tunable(selinuxuser_use_ssh_chroot, false) +gen_tunable(selinuxuser_use_ssh_chroot, false)
@ -43328,10 +43332,11 @@ index e2b538b..9e23738 100644
# all user domains # all user domains
attribute userdomain; attribute userdomain;
@@ -58,6 +52,23 @@ attribute unpriv_userdomain; @@ -58,6 +52,24 @@ attribute unpriv_userdomain;
attribute user_home_content_type; attribute user_home_content_type;
+attribute userdom_home_reader_certs_type;
+attribute userdom_home_reader_type; +attribute userdom_home_reader_type;
+attribute userdom_home_manager_type; +attribute userdom_home_manager_type;
+attribute userdom_filetrans_type; +attribute userdom_filetrans_type;
@ -43352,7 +43357,7 @@ index e2b538b..9e23738 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t) fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t) files_type(user_home_dir_t)
@@ -70,26 +81,207 @@ ubac_constrained(user_home_dir_t) @@ -70,26 +82,218 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -43436,6 +43441,17 @@ index e2b538b..9e23738 100644
+ xserver_filetrans_home_content(userdomain) + xserver_filetrans_home_content(userdomain)
+') +')
+ +
+
+# rules for types which can read home certs
+allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
+read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
+read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
+userdom_search_user_home_content(userdom_home_reader_certs_type)
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
+')
+
+tunable_policy(`use_nfs_home_dirs',` +tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(userdom_home_reader_type) + fs_list_auto_mountpoints(userdom_home_reader_type)
+ fs_read_nfs_files(userdom_home_reader_type) + fs_read_nfs_files(userdom_home_reader_type)
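Review bot: The new `fs_read_ecryptfs_files(userdom_home_reader_certs_type)` rule inside the `use_ecryptfs_home_dirs` tunable gives every domain that calls `userdom_read_home_certs()` read access to all ecryptfs_t files, not only the home_cert_t content the interface is named for, assuming fs_read_ecryptfs_files has the scope its name suggests; on an ecryptfs-backed home that is the whole encrypted home directory once the boolean is on. That is probably unavoidable since such a home carries a single ecryptfs_t label, but it should be stated so callers that only need certs understand what they are granting; a comment above the tunable such as `# ecryptfs homes carry one ecryptfs_t label, so with use_ecryptfs_home_dirs this is read on the whole encrypted home, not only certs` and the same sentence in the interface's `<summary>` (above the userdomain.if hunk, not shown here) would do. The `use_nfs_home_dirs` block that follows still covers only `userdom_home_reader_type`, so as far as this hunk shows cert readers get no equivalent on NFS homes; if that is intentional it deserves a one-line note too. The `use_nfs_home_dirs` tunable_policy block continues past the end of the hunk.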



@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 37%{?dist} Release: 38%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -530,6 +530,29 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Apr 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-38
- Allow thumbnails to share memory with apps which run thumbnails
- Allow postfix-postqueue block_suspend
- Add lib interfaces for smsd
- Add support for nginx
- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
- Allow pki apache domain to create own tmp files and execute httpd_suexec
- Allow procmail to manger user tmp files/dirs/lnk_files
- Add virt_stream_connect_svirt() interface
- Allow dovecot-auth to execute bin_t
- Allow iscsid to request that kernel load a kernel module
- Add labeling support for /var/lib/mod_security
- Allow iw running as tuned_t to create netlink socket
- Dontaudit sys_tty_config for thumb_t
- Add labeling for nm-l2tp-service
- Allow httpd running as certwatch_t to open tcp socket
- Allow useradd to manager smsd lib files
- Allow useradd_t to add homedirs in /var/lib
- Fix typo in userdomain.te
- Cleanup userdom_read_home_certs
- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t
- Allow staff to stream connect to svirt_t to make gnome-boxes working
* Fri Apr 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-37 * Fri Apr 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-37
- Allow lvm to create its own unit files - Allow lvm to create its own unit files
- Label /var/lib/sepolgen as selinux_config_t - Label /var/lib/sepolgen as selinux_config_t