- Allow realmd to run ipa, really needs to be an unconfined_domain

- Allow sandbox domains to use inherted terminals
- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.
- Add label for new alsa pid
- Alsa now uses a pid file and needs to setsched
- Fix oracleasmfs_t definition
- Add support for sshd_unit_file_t
- Add oracleasmfs_t
- Allow unlabeled_t files to be stored on unlabeled_t filesystems
This commit is contained in:
Miroslav Grepl 2013-04-18 12:46:24 +02:00
parent d42d1657e3
commit aae6505e89
3 changed files with 229 additions and 89 deletions

View File

@ -15235,7 +15235,7 @@ index 8416beb..60b2ce1 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 9e603f5..2b79004 100644
index 9e603f5..698aaee 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@ -15256,7 +15256,17 @@ index 9e603f5..2b79004 100644
type bdev_t;
fs_type(bdev_t)
@@ -68,7 +71,7 @@ fs_type(capifs_t)
@@ -63,12 +66,17 @@ fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
+type oracleasmfs_t;
+fs_type(oracleasmfs_t)
+files_mountpoint(oracleasmfs_t)
+genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
+
type capifs_t;
fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
@ -15265,7 +15275,7 @@ index 9e603f5..2b79004 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
@@ -89,6 +92,11 @@ fs_noxattr_type(ecryptfs_t)
@@ -89,6 +97,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@ -15277,7 +15287,7 @@ index 9e603f5..2b79004 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -97,6 +105,7 @@ type hugetlbfs_t;
@@ -97,6 +110,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@ -15285,7 +15295,7 @@ index 9e603f5..2b79004 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
@@ -125,6 +134,10 @@ type oprofilefs_t;
@@ -125,6 +139,10 @@ type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
@ -15296,7 +15306,7 @@ index 9e603f5..2b79004 100644
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
@@ -145,11 +158,6 @@ fs_type(spufs_t)
@@ -145,11 +163,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@ -15308,7 +15318,7 @@ index 9e603f5..2b79004 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
@@ -167,6 +175,8 @@ type vxfs_t;
@@ -167,6 +180,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@ -15317,7 +15327,7 @@ index 9e603f5..2b79004 100644
#
# tmpfs_t is the type for tmpfs filesystems
@@ -176,6 +186,8 @@ fs_type(tmpfs_t)
@@ -176,6 +191,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@ -15326,7 +15336,7 @@ index 9e603f5..2b79004 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -255,6 +267,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
@@ -255,6 +272,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@ -15335,7 +15345,7 @@ index 9e603f5..2b79004 100644
files_mountpoint(removable_t)
#
@@ -274,6 +288,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -274,6 +293,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@ -15970,7 +15980,7 @@ index 649e458..cc924ae 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6fac350..06704f6 100644
index 6fac350..b5b2f00 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -16021,7 +16031,15 @@ index 6fac350..06704f6 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -189,6 +202,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+allow unlabeled_t self:filesystem associate;
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
@ -16029,7 +16047,7 @@ index 6fac350..06704f6 100644
allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
@@ -233,7 +247,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
@ -16037,7 +16055,7 @@ index 6fac350..06704f6 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
@@ -244,17 +257,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@ -16063,7 +16081,7 @@ index 6fac350..06704f6 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
@@ -263,7 +280,8 @@ fs_unmount_all_fs(kernel_t)
@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@ -16073,7 +16091,7 @@ index 6fac350..06704f6 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -277,25 +295,49 @@ files_list_root(kernel_t)
@@ -277,25 +296,49 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@ -16123,7 +16141,7 @@ index 6fac350..06704f6 100644
')
optional_policy(`
@@ -305,6 +347,19 @@ optional_policy(`
@@ -305,6 +348,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@ -16143,7 +16161,7 @@ index 6fac350..06704f6 100644
')
optional_policy(`
@@ -334,7 +389,6 @@ optional_policy(`
@@ -334,7 +390,6 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
@ -16151,7 +16169,7 @@ index 6fac350..06704f6 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +397,7 @@ optional_policy(`
@@ -343,9 +398,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -16162,7 +16180,7 @@ index 6fac350..06704f6 100644
')
tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +406,7 @@ optional_policy(`
@@ -354,7 +407,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -16171,7 +16189,7 @@ index 6fac350..06704f6 100644
')
')
@@ -367,6 +419,15 @@ optional_policy(`
@@ -367,6 +420,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@ -16187,7 +16205,7 @@ index 6fac350..06704f6 100644
########################################
#
# Unlabeled process local policy
@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
@@ -409,4 +471,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@ -20836,7 +20854,7 @@ index 346d011..3e23acb 100644
+ ')
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..c61ed66 100644
index 76d9f66..3063a17 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,4 +1,15 @@
@ -20855,7 +20873,12 @@ index 76d9f66..c61ed66 100644
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
@@ -12,5 +23,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
@@ -8,9 +19,15 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
@ -20867,7 +20890,7 @@ index 76d9f66..c61ed66 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..da12170 100644
index fe0c682..2e18809 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@ -21396,7 +21419,7 @@ index fe0c682..da12170 100644
')
######################################
@@ -754,3 +854,101 @@ interface(`ssh_delete_tmp',`
@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@ -21498,11 +21521,34 @@ index fe0c682..da12170 100644
+
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Execute sshd server in the sshd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ssh_systemctl',`
+ gen_require(`
+ type sshd_t;
+ type sshd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 sshd_unit_file_t:file manage_file_perms;
+ allow $1 sshd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5fc0391..3540387 100644
index 5fc0391..b87b076 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
#
## <desc>
@ -21552,25 +21598,27 @@ index 5fc0391..3540387 100644
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+mls_trusted_object(sshd_t)
+
-type sshd_key_t;
-files_type(sshd_key_t)
+type sshd_initrc_exec_t;
+init_script_file(sshd_initrc_exec_t)
type sshd_key_t;
files_type(sshd_key_t)
-type sshd_tmp_t;
-files_tmp_file(sshd_tmp_t)
-files_poly_parent(sshd_tmp_t)
-
+type sshd_unit_file_t;
+systemd_unit_file(sshd_unit_file_t)
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-')
-
+type sshd_key_t;
+files_type(sshd_key_t)
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@@ -73,6 +81,11 @@ type ssh_home_t;
@@ -73,6 +84,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
@ -21582,7 +21630,7 @@ index 5fc0391..3540387 100644
##############################
#
@@ -83,6 +96,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
@@ -83,6 +99,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -21590,7 +21638,7 @@ index 5fc0391..3540387 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
@@ -90,15 +104,11 @@ allow ssh_t self:sem create_sem_perms;
@@ -90,15 +107,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -21607,7 +21655,7 @@ index 5fc0391..3540387 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -107,33 +117,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
@@ -107,33 +120,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@ -21652,7 +21700,7 @@ index 5fc0391..3540387 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
@@ -156,38 +172,42 @@ logging_read_generic_logs(ssh_t)
@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
@ -21714,7 +21762,7 @@ index 5fc0391..3540387 100644
')
optional_policy(`
@@ -195,6 +215,7 @@ optional_policy(`
@@ -195,6 +218,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@ -21722,7 +21770,7 @@ index 5fc0391..3540387 100644
##############################
#
# ssh_keysign_t local policy
@@ -206,6 +227,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@ -21730,7 +21778,7 @@ index 5fc0391..3540387 100644
files_read_etc_files(ssh_keysign_t)
@@ -223,33 +245,50 @@ optional_policy(`
@@ -223,33 +248,50 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@ -21790,7 +21838,7 @@ index 5fc0391..3540387 100644
')
optional_policy(`
@@ -257,11 +296,24 @@ optional_policy(`
@@ -257,11 +299,24 @@ optional_policy(`
')
optional_policy(`
@ -21816,7 +21864,7 @@ index 5fc0391..3540387 100644
')
optional_policy(`
@@ -269,6 +321,10 @@ optional_policy(`
@@ -269,6 +324,10 @@ optional_policy(`
')
optional_policy(`
@ -21827,7 +21875,7 @@ index 5fc0391..3540387 100644
rpm_use_script_fds(sshd_t)
')
@@ -279,13 +335,69 @@ optional_policy(`
@@ -279,13 +338,69 @@ optional_policy(`
')
optional_policy(`
@ -21897,7 +21945,7 @@ index 5fc0391..3540387 100644
########################################
#
# ssh_keygen local policy
@@ -294,19 +406,26 @@ optional_policy(`
@@ -294,19 +409,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@ -21925,7 +21973,7 @@ index 5fc0391..3540387 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -323,6 +442,12 @@ auth_use_nsswitch(ssh_keygen_t)
@@ -323,6 +445,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@ -21938,7 +21986,7 @@ index 5fc0391..3540387 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
@@ -331,3 +456,138 @@ optional_policy(`
@@ -331,3 +459,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@ -22234,7 +22282,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..ab37b7e 100644
index 6bf0ecc..f0080ba 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -23102,7 +23150,7 @@ index 6bf0ecc..ab37b7e 100644
+ type xdm_t;
+ ')
+
+ dontaudit $1 xdm_t:unix_stream_socket { ioctl read write };
+ dontaudit $1 xdm_t:unix_stream_socket { getattr ioctl read write };
+')
+
+########################################

View File

@ -1714,10 +1714,10 @@ index 0000000..a95a4ad
+')
+
diff --git a/alsa.fc b/alsa.fc
index 5de1e01..3aa9abb 100644
index 5de1e01..e5ab7ff 100644
--- a/alsa.fc
+++ b/alsa.fc
@@ -19,4 +19,6 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@ -1725,6 +1725,8 @@ index 5de1e01..3aa9abb 100644
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
index 708b743..c2edd9a 100644
--- a/alsa.if
@ -1817,10 +1819,16 @@ index 708b743..c2edd9a 100644
+ ps_process_pattern($1, alsa_t)
+')
diff --git a/alsa.te b/alsa.te
index cda6d20..32d74d1 100644
index cda6d20..89f2161 100644
--- a/alsa.te
+++ b/alsa.te
@@ -24,6 +24,9 @@ files_type(alsa_var_lib_t)
@@ -21,9 +21,15 @@ files_tmp_file(alsa_tmp_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
+type alsa_var_run_t;
+files_pid_file(alsa_var_run_t)
+
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
@ -1830,15 +1838,27 @@ index cda6d20..32d74d1 100644
########################################
#
# Local policy
@@ -31,6 +34,7 @@ userdom_user_home_content(alsa_home_t)
@@ -31,6 +37,7 @@ userdom_user_home_content(alsa_home_t)
allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:process signal_perms;
+allow alsa_t self:process { getsched setsched signal_perms };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
@@ -59,7 +63,6 @@ dev_read_sound(alsa_t)
@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
@@ -59,7 +71,6 @@ dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_write_sound(alsa_t)
@ -1846,7 +1866,7 @@ index cda6d20..32d74d1 100644
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
@@ -72,8 +75,6 @@ init_use_fds(alsa_t)
@@ -72,8 +83,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@ -50403,7 +50423,7 @@ index 43d50f9..7f77d32 100644
########################################
diff --git a/pcscd.te b/pcscd.te
index 96db654..d23cd25 100644
index 96db654..ff3aadd 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@ -50443,6 +50463,14 @@ index 96db654..d23cd25 100644
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
@@ -85,3 +82,7 @@ optional_policy(`
optional_policy(`
udev_read_db(pcscd_t)
')
+
+optional_policy(`
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..9515043 100644
--- a/pegasus.fc
@ -63626,14 +63654,16 @@ index f1512d6..93f1ee6 100644
userdom_dontaudit_search_user_home_dirs(readahead_t)
diff --git a/realmd.fc b/realmd.fc
index 04babe3..02a1f34 100644
index 04babe3..3b92679 100644
--- a/realmd.fc
+++ b/realmd.fc
@@ -1 +1,3 @@
@@ -1 +1,5 @@
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
+
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
index bff31df..e38693b 100644
--- a/realmd.if
@ -63651,7 +63681,7 @@ index bff31df..e38693b 100644
## <param name="domain">
## <summary>
diff --git a/realmd.te b/realmd.te
index 9a8f052..cffb3ca 100644
index 9a8f052..1d63c74 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@ -63660,7 +63690,7 @@ index 9a8f052..cffb3ca 100644
########################################
#
@@ -7,29 +7,38 @@ policy_module(realmd, 1.0.2)
@@ -7,43 +7,78 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
@ -63673,6 +63703,9 @@ index 9a8f052..cffb3ca 100644
+
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
+
+type realmd_var_lib_t;
+files_type(realmd_var_lib_t)
########################################
#
@ -63680,9 +63713,12 @@ index 9a8f052..cffb3ca 100644
+# realmd local policy
#
allow realmd_t self:capability sys_nice;
-allow realmd_t self:capability sys_nice;
+allow realmd_t self:capability { sys_nice };
+allow realmd_t self:capability2 block_suspend;
allow realmd_t self:process setsched;
+allow realmd_t self:key manage_key_perms;
+
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
@ -63690,7 +63726,12 @@ index 9a8f052..cffb3ca 100644
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
+manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
kernel_read_system_state(realmd_t)
+kernel_read_network_state(realmd_t)
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)
@ -63708,16 +63749,25 @@ index 9a8f052..cffb3ca 100644
domain_use_interactive_fds(realmd_t)
@@ -38,12 +47,20 @@ dev_read_urand(realmd_t)
dev_read_rand(realmd_t)
dev_read_urand(realmd_t)
fs_getattr_all_fs(realmd_t)
-fs_getattr_all_fs(realmd_t)
+files_manage_etc_files(realmd_t)
-files_read_usr_files(realmd_t)
-
+fs_getattr_all_fs(realmd_t)
auth_use_nsswitch(realmd_t)
+logging_manage_generic_logs(realmd_t)
logging_send_syslog_msg(realmd_t)
+miscfiles_manage_generic_cert_files(realmd_t)
+
+seutil_domtrans_setfiles(realmd_t)
+seutil_read_file_contexts(realmd_t)
+
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
@ -63731,7 +63781,22 @@ index 9a8f052..cffb3ca 100644
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
@@ -67,17 +84,25 @@ optional_policy(`
@@ -63,21 +98,40 @@ optional_policy(`
optional_policy(`
kerberos_use(realmd_t)
kerberos_rw_keytab(realmd_t)
+ kerberos_rw_config(realmd_t)
+ kerberos_filetrans_named_content(realmd_t)
+')
+
+optional_policy(`
+ ntp_domtrans_ntpdate(realmd_t)
+')
+
+optional_policy(`
+ ssh_domtrans(realmd_t)
+ ssh_systemctl(realmd_t)
')
optional_policy(`
nis_exec_ypbind(realmd_t)
@ -63760,7 +63825,7 @@ index 9a8f052..cffb3ca 100644
')
optional_policy(`
@@ -86,5 +111,26 @@ optional_policy(`
@@ -86,5 +140,27 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
@ -63772,12 +63837,15 @@ index 9a8f052..cffb3ca 100644
+ xserver_read_state_xdm(realmd_t)
+')
+
+optional_policy(`
+ unconfined_domain(realmd_t)
+')
+
+#####################################
+#
+# realmd consolehelper local policy
+#
+
+
+optional_policy(`
+ userhelper_console_role_template(realmd, system_r, realmd_t)
+ authconfig_manage_lib_files(realmd_consolehelper_t)
@ -63786,8 +63854,6 @@ index 9a8f052..cffb3ca 100644
+
+ unconfined_domain_noaudit(realmd_consolehelper_t)
')
+
+
diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf0..d8691bd 100644
--- a/remotelogin.fc
@ -72337,10 +72403,10 @@ index 0000000..577dfa7
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
index 0000000..3fc69d5
index 0000000..b12aada
--- /dev/null
+++ b/sandbox.te
@@ -0,0 +1,65 @@
@@ -0,0 +1,62 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
@ -72400,12 +72466,9 @@ index 0000000..3fc69d5
+
+fs_dontaudit_getattr_all_fs(sandbox_domain)
+
+
+userdom_dontaudit_use_user_terminals(sandbox_domain)
+userdom_use_inherited_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
+
+
diff --git a/sandboxX.fc b/sandboxX.fc
new file mode 100644
index 0000000..6caef63
@ -72813,7 +72876,7 @@ index 0000000..1b21b7b
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..5a3d049
index 0000000..81198c3
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,463 @@
@ -73062,7 +73125,7 @@ index 0000000..5a3d049
+ udev_read_db(sandbox_x_domain)
+')
+
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_use_inherited_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
@ -84742,7 +84805,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index 9dec06c..fa2c674 100644
index 9dec06c..a202ead 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@ -86162,7 +86225,7 @@ index 9dec06c..fa2c674 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1091,95 +961,150 @@ interface(`virt_manage_virt_cache',`
@@ -1091,95 +961,168 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@ -86361,16 +86424,34 @@ index 9dec06c..fa2c674 100644
+ gen_require(`
+ attribute svirt_lxc_domain;
+ ')
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
+
+ allow $1 svirt_lxc_domain:process transition;
+ role $2 types svirt_lxc_domain;
+ allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
+
+ allow svirt_lxc_domain $1:process sigchld;
+')
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
+########################################
+## <summary>
+## Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_svirt_dev',`
+ gen_require(`
+ type svirt_image_t;
+ ')
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
+ allow svirt_lxc_domain $1:process sigchld;
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
index 1f22fba..f42e134 100644

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 31%{?dist}
Release: 32%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -526,6 +526,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Apr 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-32
- Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherted terminals
- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.
- Add label for new alsa pid
- Alsa now uses a pid file and needs to setsched
- Fix oracleasmfs_t definition
- Add support for sshd_unit_file_t
- Add oracleasmfs_t
- Allow unlabeled_t files to be stored on unlabeled_t filesystems
* Tue Apr 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-31
- Fix description of deny_ptrace boolean
- Remove allow for execmod lib_t for now