- Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherited terminals - Allow pcscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid - Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t - Allow unlabeled_t files to be stored on unlabeled_t filesystems
This commit is contained in:
parent
d42d1657e3
commit
aae6505e89
@ -15235,7 +15235,7 @@ index 8416beb..60b2ce1 100644
|
||||
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
|
||||
index 9e603f5..2b79004 100644
|
||||
index 9e603f5..698aaee 100644
|
||||
--- a/policy/modules/kernel/filesystem.te
|
||||
+++ b/policy/modules/kernel/filesystem.te
|
||||
@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
|
||||
@ -15256,7 +15256,17 @@ index 9e603f5..2b79004 100644
|
||||
|
||||
type bdev_t;
|
||||
fs_type(bdev_t)
|
||||
@@ -68,7 +71,7 @@ fs_type(capifs_t)
|
||||
@@ -63,12 +66,17 @@ fs_type(binfmt_misc_fs_t)
|
||||
files_mountpoint(binfmt_misc_fs_t)
|
||||
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
|
||||
|
||||
+type oracleasmfs_t;
|
||||
+fs_type(oracleasmfs_t)
|
||||
+files_mountpoint(oracleasmfs_t)
|
||||
+genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
|
||||
+
|
||||
type capifs_t;
|
||||
fs_type(capifs_t)
|
||||
files_mountpoint(capifs_t)
|
||||
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
|
||||
|
||||
@ -15265,7 +15275,7 @@ index 9e603f5..2b79004 100644
|
||||
fs_type(cgroup_t)
|
||||
files_type(cgroup_t)
|
||||
files_mountpoint(cgroup_t)
|
||||
@@ -89,6 +92,11 @@ fs_noxattr_type(ecryptfs_t)
|
||||
@@ -89,6 +97,11 @@ fs_noxattr_type(ecryptfs_t)
|
||||
files_mountpoint(ecryptfs_t)
|
||||
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
|
||||
|
||||
@ -15277,7 +15287,7 @@ index 9e603f5..2b79004 100644
|
||||
type futexfs_t;
|
||||
fs_type(futexfs_t)
|
||||
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
|
||||
@@ -97,6 +105,7 @@ type hugetlbfs_t;
|
||||
@@ -97,6 +110,7 @@ type hugetlbfs_t;
|
||||
fs_type(hugetlbfs_t)
|
||||
files_mountpoint(hugetlbfs_t)
|
||||
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
|
||||
@ -15285,7 +15295,7 @@ index 9e603f5..2b79004 100644
|
||||
|
||||
type ibmasmfs_t;
|
||||
fs_type(ibmasmfs_t)
|
||||
@@ -125,6 +134,10 @@ type oprofilefs_t;
|
||||
@@ -125,6 +139,10 @@ type oprofilefs_t;
|
||||
fs_type(oprofilefs_t)
|
||||
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
|
||||
|
||||
@ -15296,7 +15306,7 @@ index 9e603f5..2b79004 100644
|
||||
type ramfs_t;
|
||||
fs_type(ramfs_t)
|
||||
files_mountpoint(ramfs_t)
|
||||
@@ -145,11 +158,6 @@ fs_type(spufs_t)
|
||||
@@ -145,11 +163,6 @@ fs_type(spufs_t)
|
||||
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
||||
files_mountpoint(spufs_t)
|
||||
|
||||
@ -15308,7 +15318,7 @@ index 9e603f5..2b79004 100644
|
||||
type sysv_t;
|
||||
fs_noxattr_type(sysv_t)
|
||||
files_mountpoint(sysv_t)
|
||||
@@ -167,6 +175,8 @@ type vxfs_t;
|
||||
@@ -167,6 +180,8 @@ type vxfs_t;
|
||||
fs_noxattr_type(vxfs_t)
|
||||
files_mountpoint(vxfs_t)
|
||||
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
|
||||
@ -15317,7 +15327,7 @@ index 9e603f5..2b79004 100644
|
||||
|
||||
#
|
||||
# tmpfs_t is the type for tmpfs filesystems
|
||||
@@ -176,6 +186,8 @@ fs_type(tmpfs_t)
|
||||
@@ -176,6 +191,8 @@ fs_type(tmpfs_t)
|
||||
files_type(tmpfs_t)
|
||||
files_mountpoint(tmpfs_t)
|
||||
files_poly_parent(tmpfs_t)
|
||||
@ -15326,7 +15336,7 @@ index 9e603f5..2b79004 100644
|
||||
|
||||
# Use a transition SID based on the allocating task SID and the
|
||||
# filesystem SID to label inodes in the following filesystem types,
|
||||
@@ -255,6 +267,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||
@@ -255,6 +272,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||
type removable_t;
|
||||
allow removable_t noxattrfs:filesystem associate;
|
||||
fs_noxattr_type(removable_t)
|
||||
@ -15335,7 +15345,7 @@ index 9e603f5..2b79004 100644
|
||||
files_mountpoint(removable_t)
|
||||
|
||||
#
|
||||
@@ -274,6 +288,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
@@ -274,6 +293,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
@ -15970,7 +15980,7 @@ index 649e458..cc924ae 100644
|
||||
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
|
||||
')
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 6fac350..06704f6 100644
|
||||
index 6fac350..b5b2f00 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -25,6 +25,9 @@ attribute kern_unconfined;
|
||||
@ -16021,7 +16031,15 @@ index 6fac350..06704f6 100644
|
||||
# /proc/sys/dev directory and files
|
||||
type sysctl_dev_t, sysctl_type;
|
||||
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
@@ -189,6 +202,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
type unlabeled_t;
|
||||
fs_associate(unlabeled_t)
|
||||
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
+allow unlabeled_t self:filesystem associate;
|
||||
|
||||
# These initial sids are no longer used, and can be removed:
|
||||
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
# kernel local policy
|
||||
#
|
||||
|
||||
@ -16029,7 +16047,7 @@ index 6fac350..06704f6 100644
|
||||
allow kernel_t self:capability ~sys_module;
|
||||
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow kernel_t self:shm create_shm_perms;
|
||||
@@ -233,7 +247,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||
@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||
corenet_in_generic_if(unlabeled_t)
|
||||
corenet_in_generic_node(unlabeled_t)
|
||||
|
||||
@ -16037,7 +16055,7 @@ index 6fac350..06704f6 100644
|
||||
corenet_all_recvfrom_netlabel(kernel_t)
|
||||
# Kernel-generated traffic e.g., ICMP replies:
|
||||
corenet_raw_sendrecv_all_if(kernel_t)
|
||||
@@ -244,17 +257,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
|
||||
@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
|
||||
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
||||
corenet_raw_send_generic_node(kernel_t)
|
||||
corenet_send_all_packets(kernel_t)
|
||||
@ -16063,7 +16081,7 @@ index 6fac350..06704f6 100644
|
||||
|
||||
# Mount root file system. Used when loading a policy
|
||||
# from initrd, then mounting the root filesystem
|
||||
@@ -263,7 +280,8 @@ fs_unmount_all_fs(kernel_t)
|
||||
@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
|
||||
@ -16073,7 +16091,7 @@ index 6fac350..06704f6 100644
|
||||
|
||||
corecmd_exec_shell(kernel_t)
|
||||
corecmd_list_bin(kernel_t)
|
||||
@@ -277,25 +295,49 @@ files_list_root(kernel_t)
|
||||
@@ -277,25 +296,49 @@ files_list_root(kernel_t)
|
||||
files_list_etc(kernel_t)
|
||||
files_list_home(kernel_t)
|
||||
files_read_usr_files(kernel_t)
|
||||
@ -16123,7 +16141,7 @@ index 6fac350..06704f6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -305,6 +347,19 @@ optional_policy(`
|
||||
@@ -305,6 +348,19 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(kernel_t)
|
||||
@ -16143,7 +16161,7 @@ index 6fac350..06704f6 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -334,7 +389,6 @@ optional_policy(`
|
||||
@@ -334,7 +390,6 @@ optional_policy(`
|
||||
|
||||
rpc_manage_nfs_ro_content(kernel_t)
|
||||
rpc_manage_nfs_rw_content(kernel_t)
|
||||
@ -16151,7 +16169,7 @@ index 6fac350..06704f6 100644
|
||||
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -343,9 +397,7 @@ optional_policy(`
|
||||
@@ -343,9 +398,7 @@ optional_policy(`
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
||||
@ -16162,7 +16180,7 @@ index 6fac350..06704f6 100644
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
@@ -354,7 +406,7 @@ optional_policy(`
|
||||
@@ -354,7 +407,7 @@ optional_policy(`
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
||||
@ -16171,7 +16189,7 @@ index 6fac350..06704f6 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -367,6 +419,15 @@ optional_policy(`
|
||||
@@ -367,6 +420,15 @@ optional_policy(`
|
||||
unconfined_domain_noaudit(kernel_t)
|
||||
')
|
||||
|
||||
@ -16187,7 +16205,7 @@ index 6fac350..06704f6 100644
|
||||
########################################
|
||||
#
|
||||
# Unlabeled process local policy
|
||||
@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
||||
@@ -409,4 +471,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
||||
allow kern_unconfined unlabeled_t:filesystem *;
|
||||
allow kern_unconfined unlabeled_t:association *;
|
||||
allow kern_unconfined unlabeled_t:packet *;
|
||||
@ -20836,7 +20854,7 @@ index 346d011..3e23acb 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
||||
index 76d9f66..c61ed66 100644
|
||||
index 76d9f66..3063a17 100644
|
||||
--- a/policy/modules/services/ssh.fc
|
||||
+++ b/policy/modules/services/ssh.fc
|
||||
@@ -1,4 +1,15 @@
|
||||
@ -20855,7 +20873,12 @@ index 76d9f66..c61ed66 100644
|
||||
|
||||
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
@@ -12,5 +23,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
@@ -8,9 +19,15 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
|
||||
|
||||
/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
|
||||
+/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0)
|
||||
|
||||
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
|
||||
|
||||
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
|
||||
@ -20867,7 +20890,7 @@ index 76d9f66..c61ed66 100644
|
||||
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
|
||||
index fe0c682..da12170 100644
|
||||
index fe0c682..2e18809 100644
|
||||
--- a/policy/modules/services/ssh.if
|
||||
+++ b/policy/modules/services/ssh.if
|
||||
@@ -32,10 +32,11 @@
|
||||
@ -21396,7 +21419,7 @@ index fe0c682..da12170 100644
|
||||
')
|
||||
|
||||
######################################
|
||||
@@ -754,3 +854,101 @@ interface(`ssh_delete_tmp',`
|
||||
@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',`
|
||||
files_search_tmp($1)
|
||||
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
|
||||
')
|
||||
@ -21498,11 +21521,34 @@ index fe0c682..da12170 100644
|
||||
+
|
||||
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute sshd server in the sshd domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ssh_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type sshd_t;
|
||||
+ type sshd_unit_file_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ allow $1 sshd_unit_file_t:file manage_file_perms;
|
||||
+ allow $1 sshd_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, sshd_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index 5fc0391..3540387 100644
|
||||
index 5fc0391..b87b076 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
|
||||
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
@ -21552,25 +21598,27 @@ index 5fc0391..3540387 100644
|
||||
ssh_server_template(sshd)
|
||||
init_daemon_domain(sshd_t, sshd_exec_t)
|
||||
+mls_trusted_object(sshd_t)
|
||||
+
|
||||
|
||||
-type sshd_key_t;
|
||||
-files_type(sshd_key_t)
|
||||
+type sshd_initrc_exec_t;
|
||||
+init_script_file(sshd_initrc_exec_t)
|
||||
|
||||
type sshd_key_t;
|
||||
files_type(sshd_key_t)
|
||||
|
||||
-type sshd_tmp_t;
|
||||
-files_tmp_file(sshd_tmp_t)
|
||||
-files_poly_parent(sshd_tmp_t)
|
||||
-
|
||||
+type sshd_unit_file_t;
|
||||
+systemd_unit_file(sshd_unit_file_t)
|
||||
|
||||
-ifdef(`enable_mcs',`
|
||||
- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
|
||||
-')
|
||||
-
|
||||
+type sshd_key_t;
|
||||
+files_type(sshd_key_t)
|
||||
|
||||
type ssh_t;
|
||||
type ssh_exec_t;
|
||||
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
|
||||
@@ -73,6 +81,11 @@ type ssh_home_t;
|
||||
@@ -73,6 +84,11 @@ type ssh_home_t;
|
||||
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
|
||||
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
||||
userdom_user_home_content(ssh_home_t)
|
||||
@ -21582,7 +21630,7 @@ index 5fc0391..3540387 100644
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -83,6 +96,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
@@ -83,6 +99,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
|
||||
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow ssh_t self:fd use;
|
||||
allow ssh_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -21590,7 +21638,7 @@ index 5fc0391..3540387 100644
|
||||
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow ssh_t self:shm create_shm_perms;
|
||||
@@ -90,15 +104,11 @@ allow ssh_t self:sem create_sem_perms;
|
||||
@@ -90,15 +107,11 @@ allow ssh_t self:sem create_sem_perms;
|
||||
allow ssh_t self:msgq create_msgq_perms;
|
||||
allow ssh_t self:msg { send receive };
|
||||
allow ssh_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -21607,7 +21655,7 @@ index 5fc0391..3540387 100644
|
||||
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
|
||||
@@ -107,33 +117,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
|
||||
@@ -107,33 +120,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
|
||||
|
||||
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
||||
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
|
||||
@ -21652,7 +21700,7 @@ index 5fc0391..3540387 100644
|
||||
dev_read_urand(ssh_t)
|
||||
|
||||
fs_getattr_all_fs(ssh_t)
|
||||
@@ -156,38 +172,42 @@ logging_read_generic_logs(ssh_t)
|
||||
@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
|
||||
|
||||
auth_use_nsswitch(ssh_t)
|
||||
|
||||
@ -21714,7 +21762,7 @@ index 5fc0391..3540387 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -195,6 +215,7 @@ optional_policy(`
|
||||
@@ -195,6 +218,7 @@ optional_policy(`
|
||||
xserver_domtrans_xauth(ssh_t)
|
||||
')
|
||||
|
||||
@ -21722,7 +21770,7 @@ index 5fc0391..3540387 100644
|
||||
##############################
|
||||
#
|
||||
# ssh_keysign_t local policy
|
||||
@@ -206,6 +227,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||
@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||
allow ssh_keysign_t sshd_key_t:file { getattr read };
|
||||
|
||||
dev_read_urand(ssh_keysign_t)
|
||||
@ -21730,7 +21778,7 @@ index 5fc0391..3540387 100644
|
||||
|
||||
files_read_etc_files(ssh_keysign_t)
|
||||
|
||||
@@ -223,33 +245,50 @@ optional_policy(`
|
||||
@@ -223,33 +248,50 @@ optional_policy(`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow sshd_t self:key { search link write };
|
||||
@ -21790,7 +21838,7 @@ index 5fc0391..3540387 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -257,11 +296,24 @@ optional_policy(`
|
||||
@@ -257,11 +299,24 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21816,7 +21864,7 @@ index 5fc0391..3540387 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -269,6 +321,10 @@ optional_policy(`
|
||||
@@ -269,6 +324,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21827,7 +21875,7 @@ index 5fc0391..3540387 100644
|
||||
rpm_use_script_fds(sshd_t)
|
||||
')
|
||||
|
||||
@@ -279,13 +335,69 @@ optional_policy(`
|
||||
@@ -279,13 +338,69 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21897,7 +21945,7 @@ index 5fc0391..3540387 100644
|
||||
########################################
|
||||
#
|
||||
# ssh_keygen local policy
|
||||
@@ -294,19 +406,26 @@ optional_policy(`
|
||||
@@ -294,19 +409,26 @@ optional_policy(`
|
||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||
# and by sysadm_t
|
||||
|
||||
@ -21925,7 +21973,7 @@ index 5fc0391..3540387 100644
|
||||
dev_read_urand(ssh_keygen_t)
|
||||
|
||||
term_dontaudit_use_console(ssh_keygen_t)
|
||||
@@ -323,6 +442,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
@@ -323,6 +445,12 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
@ -21938,7 +21986,7 @@ index 5fc0391..3540387 100644
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ssh_keygen_t)
|
||||
@@ -331,3 +456,138 @@ optional_policy(`
|
||||
@@ -331,3 +459,138 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
@ -22234,7 +22282,7 @@ index d1f64a0..3be3d00 100644
|
||||
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
||||
index 6bf0ecc..ab37b7e 100644
|
||||
index 6bf0ecc..f0080ba 100644
|
||||
--- a/policy/modules/services/xserver.if
|
||||
+++ b/policy/modules/services/xserver.if
|
||||
@@ -19,9 +19,10 @@
|
||||
@ -23102,7 +23150,7 @@ index 6bf0ecc..ab37b7e 100644
|
||||
+ type xdm_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 xdm_t:unix_stream_socket { ioctl read write };
|
||||
+ dontaudit $1 xdm_t:unix_stream_socket { getattr ioctl read write };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
|
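Review bot: The XML doc on the new `ssh_systemctl` interface in ssh.if does not describe what it grants: the summary reads "Execute sshd server in the sshd domain." and the parameter reads "Domain allowed to transition.", but the body performs no domain transition and instead grants `systemd_exec_systemctl($1)`, `manage_file_perms` on sshd_unit_file_t, `manage_service_perms` on the sshd service and `ps_process_pattern($1, sshd_t)`. The text looks copied from a domtrans interface; it should read `## Execute systemctl to manage the sshd service unit.` and `## Domain allowed access.`. On least privilege, `allow $1 sshd_unit_file_t:file manage_file_perms;` lets every caller rewrite the files labeled sshd_unit_file_t under /usr/lib/systemd/system, while starting or stopping the unit only requires reading it; unless a caller is expected to edit unit files, `allow $1 sshd_unit_file_t:file read_file_perms;` is sufficient and keeps the write path out of domains such as realmd_t that the contrib patch gives this interface to.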
@ -1714,10 +1714,10 @@ index 0000000..a95a4ad
|
||||
+')
|
||||
+
|
||||
diff --git a/alsa.fc b/alsa.fc
|
||||
index 5de1e01..3aa9abb 100644
|
||||
index 5de1e01..e5ab7ff 100644
|
||||
--- a/alsa.fc
|
||||
+++ b/alsa.fc
|
||||
@@ -19,4 +19,6 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
|
||||
@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
|
||||
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
||||
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
||||
|
||||
@ -1725,6 +1725,8 @@ index 5de1e01..3aa9abb 100644
|
||||
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
|
||||
+
|
||||
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
|
||||
diff --git a/alsa.if b/alsa.if
|
||||
index 708b743..c2edd9a 100644
|
||||
--- a/alsa.if
|
||||
@ -1817,10 +1819,16 @@ index 708b743..c2edd9a 100644
|
||||
+ ps_process_pattern($1, alsa_t)
|
||||
+')
|
||||
diff --git a/alsa.te b/alsa.te
|
||||
index cda6d20..32d74d1 100644
|
||||
index cda6d20..89f2161 100644
|
||||
--- a/alsa.te
|
||||
+++ b/alsa.te
|
||||
@@ -24,6 +24,9 @@ files_type(alsa_var_lib_t)
|
||||
@@ -21,9 +21,15 @@ files_tmp_file(alsa_tmp_t)
|
||||
type alsa_var_lib_t;
|
||||
files_type(alsa_var_lib_t)
|
||||
|
||||
+type alsa_var_run_t;
|
||||
+files_pid_file(alsa_var_run_t)
|
||||
+
|
||||
type alsa_home_t;
|
||||
userdom_user_home_content(alsa_home_t)
|
||||
|
||||
@ -1830,15 +1838,27 @@ index cda6d20..32d74d1 100644
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -31,6 +34,7 @@ userdom_user_home_content(alsa_home_t)
|
||||
@@ -31,6 +37,7 @@ userdom_user_home_content(alsa_home_t)
|
||||
|
||||
allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
|
||||
dontaudit alsa_t self:capability sys_admin;
|
||||
+allow alsa_t self:process signal_perms;
|
||||
+allow alsa_t self:process { getsched setsched signal_perms };
|
||||
allow alsa_t self:sem create_sem_perms;
|
||||
allow alsa_t self:shm create_shm_perms;
|
||||
allow alsa_t self:unix_stream_socket { accept listen };
|
||||
@@ -59,7 +63,6 @@ dev_read_sound(alsa_t)
|
||||
@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
|
||||
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
|
||||
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
|
||||
|
||||
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
|
||||
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
|
||||
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
|
||||
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
|
||||
+
|
||||
kernel_read_system_state(alsa_t)
|
||||
|
||||
corecmd_exec_bin(alsa_t)
|
||||
@@ -59,7 +71,6 @@ dev_read_sound(alsa_t)
|
||||
dev_read_sysfs(alsa_t)
|
||||
dev_write_sound(alsa_t)
|
||||
|
||||
@ -1846,7 +1866,7 @@ index cda6d20..32d74d1 100644
|
||||
files_search_var_lib(alsa_t)
|
||||
|
||||
term_dontaudit_use_console(alsa_t)
|
||||
@@ -72,8 +75,6 @@ init_use_fds(alsa_t)
|
||||
@@ -72,8 +83,6 @@ init_use_fds(alsa_t)
|
||||
|
||||
logging_send_syslog_msg(alsa_t)
|
||||
|
||||
@ -50403,7 +50423,7 @@ index 43d50f9..7f77d32 100644
|
||||
|
||||
########################################
|
||||
diff --git a/pcscd.te b/pcscd.te
|
||||
index 96db654..d23cd25 100644
|
||||
index 96db654..ff3aadd 100644
|
||||
--- a/pcscd.te
|
||||
+++ b/pcscd.te
|
||||
@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
|
||||
@ -50443,6 +50463,14 @@ index 96db654..d23cd25 100644
|
||||
sysnet_dns_name_resolve(pcscd_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -85,3 +82,7 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(pcscd_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ virt_rw_svirt_dev(pcscd_t)
|
||||
+')
|
||||
diff --git a/pegasus.fc b/pegasus.fc
|
||||
index dfd46e4..9515043 100644
|
||||
--- a/pegasus.fc
|
||||
@ -63626,14 +63654,16 @@ index f1512d6..93f1ee6 100644
|
||||
userdom_dontaudit_search_user_home_dirs(readahead_t)
|
||||
|
||||
diff --git a/realmd.fc b/realmd.fc
|
||||
index 04babe3..02a1f34 100644
|
||||
index 04babe3..3b92679 100644
|
||||
--- a/realmd.fc
|
||||
+++ b/realmd.fc
|
||||
@@ -1 +1,3 @@
|
||||
@@ -1 +1,5 @@
|
||||
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
|
||||
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
|
||||
+
|
||||
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
|
||||
+
|
||||
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
|
||||
diff --git a/realmd.if b/realmd.if
|
||||
index bff31df..e38693b 100644
|
||||
--- a/realmd.if
|
||||
@ -63651,7 +63681,7 @@ index bff31df..e38693b 100644
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
diff --git a/realmd.te b/realmd.te
|
||||
index 9a8f052..cffb3ca 100644
|
||||
index 9a8f052..1d63c74 100644
|
||||
--- a/realmd.te
|
||||
+++ b/realmd.te
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -63660,7 +63690,7 @@ index 9a8f052..cffb3ca 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -7,29 +7,38 @@ policy_module(realmd, 1.0.2)
|
||||
@@ -7,43 +7,78 @@ policy_module(realmd, 1.0.2)
|
||||
|
||||
type realmd_t;
|
||||
type realmd_exec_t;
|
||||
@ -63673,6 +63703,9 @@ index 9a8f052..cffb3ca 100644
|
||||
+
|
||||
+type realmd_var_cache_t;
|
||||
+files_type(realmd_var_cache_t)
|
||||
+
|
||||
+type realmd_var_lib_t;
|
||||
+files_type(realmd_var_lib_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -63680,9 +63713,12 @@ index 9a8f052..cffb3ca 100644
|
||||
+# realmd local policy
|
||||
#
|
||||
|
||||
allow realmd_t self:capability sys_nice;
|
||||
-allow realmd_t self:capability sys_nice;
|
||||
+allow realmd_t self:capability { sys_nice };
|
||||
+allow realmd_t self:capability2 block_suspend;
|
||||
allow realmd_t self:process setsched;
|
||||
|
||||
+allow realmd_t self:key manage_key_perms;
|
||||
+
|
||||
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
|
||||
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
|
||||
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
|
||||
@ -63690,7 +63726,12 @@ index 9a8f052..cffb3ca 100644
|
||||
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
||||
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
||||
+
|
||||
+manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
|
||||
+manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
|
||||
+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
|
||||
|
||||
kernel_read_system_state(realmd_t)
|
||||
+kernel_read_network_state(realmd_t)
|
||||
|
||||
corecmd_exec_bin(realmd_t)
|
||||
corecmd_exec_shell(realmd_t)
|
||||
@ -63708,16 +63749,25 @@ index 9a8f052..cffb3ca 100644
|
||||
|
||||
domain_use_interactive_fds(realmd_t)
|
||||
|
||||
@@ -38,12 +47,20 @@ dev_read_urand(realmd_t)
|
||||
dev_read_rand(realmd_t)
|
||||
dev_read_urand(realmd_t)
|
||||
|
||||
fs_getattr_all_fs(realmd_t)
|
||||
-fs_getattr_all_fs(realmd_t)
|
||||
+files_manage_etc_files(realmd_t)
|
||||
|
||||
-files_read_usr_files(realmd_t)
|
||||
-
|
||||
+fs_getattr_all_fs(realmd_t)
|
||||
|
||||
auth_use_nsswitch(realmd_t)
|
||||
|
||||
+logging_manage_generic_logs(realmd_t)
|
||||
logging_send_syslog_msg(realmd_t)
|
||||
|
||||
+miscfiles_manage_generic_cert_files(realmd_t)
|
||||
+
|
||||
+seutil_domtrans_setfiles(realmd_t)
|
||||
+seutil_read_file_contexts(realmd_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(realmd_t)
|
||||
+systemd_exec_systemctl(realmd_t)
|
||||
+
|
||||
@ -63731,7 +63781,22 @@ index 9a8f052..cffb3ca 100644
|
||||
optional_policy(`
|
||||
dbus_system_domain(realmd_t, realmd_exec_t)
|
||||
|
||||
@@ -67,17 +84,25 @@ optional_policy(`
|
||||
@@ -63,21 +98,40 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
kerberos_use(realmd_t)
|
||||
kerberos_rw_keytab(realmd_t)
|
||||
+ kerberos_rw_config(realmd_t)
|
||||
+ kerberos_filetrans_named_content(realmd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ntp_domtrans_ntpdate(realmd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_domtrans(realmd_t)
|
||||
+ ssh_systemctl(realmd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_exec_ypbind(realmd_t)
|
||||
@ -63760,7 +63825,7 @@ index 9a8f052..cffb3ca 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -86,5 +111,26 @@ optional_policy(`
|
||||
@@ -86,5 +140,27 @@ optional_policy(`
|
||||
sssd_manage_lib_files(realmd_t)
|
||||
sssd_manage_public_files(realmd_t)
|
||||
sssd_read_pid_files(realmd_t)
|
||||
@ -63772,12 +63837,15 @@ index 9a8f052..cffb3ca 100644
|
||||
+ xserver_read_state_xdm(realmd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(realmd_t)
|
||||
+')
|
||||
+
|
||||
+#####################################
|
||||
+#
|
||||
+# realmd consolehelper local policy
|
||||
+#
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ userhelper_console_role_template(realmd, system_r, realmd_t)
|
||||
+ authconfig_manage_lib_files(realmd_consolehelper_t)
|
||||
@ -63786,8 +63854,6 @@ index 9a8f052..cffb3ca 100644
|
||||
+
|
||||
+ unconfined_domain_noaudit(realmd_consolehelper_t)
|
||||
')
|
||||
+
|
||||
+
|
||||
diff --git a/remotelogin.fc b/remotelogin.fc
|
||||
index 327baf0..d8691bd 100644
|
||||
--- a/remotelogin.fc
|
||||
@ -72337,10 +72403,10 @@ index 0000000..577dfa7
|
||||
+')
|
||||
diff --git a/sandbox.te b/sandbox.te
|
||||
new file mode 100644
|
||||
index 0000000..3fc69d5
|
||||
index 0000000..b12aada
|
||||
--- /dev/null
|
||||
+++ b/sandbox.te
|
||||
@@ -0,0 +1,65 @@
|
||||
@@ -0,0 +1,62 @@
|
||||
+policy_module(sandbox,1.0.0)
|
||||
+
|
||||
+attribute sandbox_domain;
|
||||
@ -72400,12 +72466,9 @@ index 0000000..3fc69d5
|
||||
+
|
||||
+fs_dontaudit_getattr_all_fs(sandbox_domain)
|
||||
+
|
||||
+
|
||||
+userdom_dontaudit_use_user_terminals(sandbox_domain)
|
||||
+userdom_use_inherited_user_terminals(sandbox_domain)
|
||||
+
|
||||
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
|
||||
+
|
||||
+
|
||||
diff --git a/sandboxX.fc b/sandboxX.fc
|
||||
new file mode 100644
|
||||
index 0000000..6caef63
|
||||
@ -72813,7 +72876,7 @@ index 0000000..1b21b7b
|
||||
+')
|
||||
diff --git a/sandboxX.te b/sandboxX.te
|
||||
new file mode 100644
|
||||
index 0000000..5a3d049
|
||||
index 0000000..81198c3
|
||||
--- /dev/null
|
||||
+++ b/sandboxX.te
|
||||
@@ -0,0 +1,463 @@
|
||||
@ -73062,7 +73125,7 @@ index 0000000..5a3d049
|
||||
+ udev_read_db(sandbox_x_domain)
|
||||
+')
|
||||
+
|
||||
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
|
||||
+userdom_use_inherited_user_terminals(sandbox_x_domain)
|
||||
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
|
||||
+userdom_search_user_home_content(sandbox_x_domain)
|
||||
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
|
||||
@ -84742,7 +84805,7 @@ index c30da4c..014e40c 100644
|
||||
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
||||
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||
diff --git a/virt.if b/virt.if
|
||||
index 9dec06c..fa2c674 100644
|
||||
index 9dec06c..a202ead 100644
|
||||
--- a/virt.if
|
||||
+++ b/virt.if
|
||||
@@ -1,120 +1,51 @@
|
||||
@ -86162,7 +86225,7 @@ index 9dec06c..fa2c674 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1091,95 +961,150 @@ interface(`virt_manage_virt_cache',`
|
||||
@@ -1091,95 +961,168 @@ interface(`virt_manage_virt_cache',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -86361,16 +86424,34 @@ index 9dec06c..fa2c674 100644
|
||||
+ gen_require(`
|
||||
+ attribute svirt_lxc_domain;
|
||||
+ ')
|
||||
|
||||
- files_search_locks($1)
|
||||
- admin_pattern($1, virt_lock_t)
|
||||
+
|
||||
+ allow $1 svirt_lxc_domain:process transition;
|
||||
+ role $2 types svirt_lxc_domain;
|
||||
+ allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
|
||||
+
|
||||
+ allow svirt_lxc_domain $1:process sigchld;
|
||||
+')
|
||||
|
||||
- files_search_locks($1)
|
||||
- admin_pattern($1, virt_lock_t)
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read and write to svirt_image devices.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virt_rw_svirt_dev',`
|
||||
+ gen_require(`
|
||||
+ type svirt_image_t;
|
||||
+ ')
|
||||
|
||||
- dev_list_all_dev_nodes($1)
|
||||
- allow $1 virt_ptynode:chr_file rw_term_perms;
|
||||
+ allow svirt_lxc_domain $1:process sigchld;
|
||||
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index 1f22fba..f42e134 100644
|
||||
|
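Review bot: `unconfined_domain(realmd_t)` in realmd.te, added inside a bare `optional_policy(`…')`, removes all confinement from a D-Bus-activated system service and makes the fine-grained `manage_*`, `kerberos_*` and `sssd_*` rules added in the same file moot whenever the unconfined module is loaded, yet nothing in the policy records why or when it can be dropped. The commit message gives the reason (running ipa), so the block should at least carry it as a comment, e.g. `# TODO: realmd drives the ipa client tooling (see the /var/lib/ipa-client label) unconfined; drop once that tooling has its own domain`, and the same applies to `unconfined_domain_noaudit(realmd_consolehelper_t)` in the new consolehelper block. Separately, in virt.if the new `virt_rw_svirt_dev` interface appears to retain `allow svirt_lxc_domain $1:process sigchld;` ahead of `allow $1 svirt_image_t:chr_file rw_file_perms;` although its gen_require declares only `type svirt_image_t;`; the rendered layout makes the side of that line uncertain, but if it is on the new side it will likely fail to compile for callers such as pcscd_t and is unrelated to the interface's purpose, so it should be removed.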
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 31%{?dist}
|
||||
Release: 32%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -526,6 +526,17 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-32
|
||||
- Allow realmd to run ipa, really needs to be an unconfined_domain
|
||||
- Allow sandbox domains to use inherted terminals
|
||||
- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.
|
||||
- Add label for new alsa pid
|
||||
- Alsa now uses a pid file and needs to setsched
|
||||
- Fix oracleasmfs_t definition
|
||||
- Add support for sshd_unit_file_t
|
||||
- Add oracleasmfs_t
|
||||
- Allow unlabeled_t files to be stored on unlabeled_t filesystems
|
||||
|
||||
* Tue Apr 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-31
|
||||
- Fix description of deny_ptrace boolean
|
||||
- Remove allow for execmod lib_t for now
|
||||
|