rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149

Browse Source 
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
This commit is contained in:
Lukas Vrabec 2015-09-29 18:17:13 +02:00
parent 23d80687e0
commit b03747cd87
3 changed files with 382 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
policy-rawhide-base.patch
View File

@ -1,5 +1,5 @@
diff --git a/Makefile b/Makefile
index ec7b5cb..029dcaf 100644
index ec7b5cb..a027110 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@ -19,7 +19,7 @@ index ec7b5cb..029dcaf 100644
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
@@ -609,15 +610,17 @@ resetlabels:
@@ -609,15 +610,16 @@ resetlabels:
# Clean everything
#
bare: clean
@ -32,7 +32,6 @@ index ec7b5cb..029dcaf 100644
- rm -f $(booleans)
- rm -fR $(htmldir)
- rm -f $(tags)
+ echo "hehe kde jsem asi tak"
+ pwd
+ #rm -f $(polxml)
+ #rm -f $(layerxml)
@ -35357,7 +35356,7 @@ index 0d4c8d3..720ece8 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd04..dd6638a 100644
index 312cd04..30cecca 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35370,7 +35369,17 @@ index 312cd04..dd6638a 100644
type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)
@@ -72,24 +75,32 @@ role system_r types setkey_t;
@@ -67,29 +70,42 @@ type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;
+# The NetworkManager helper communicates the password via PTY
+type ipsec_mgmt_devpts_t;
+term_pty(ipsec_mgmt_devpts_t)
+files_type(ipsec_mgmt_devpts_t)
+
########################################
#
# ipsec Local policy
#
@ -35408,7 +35417,7 @@ index 312cd04..dd6638a 100644
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
@@ -110,10 +126,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@ -35421,7 +35430,7 @@ index 312cd04..dd6638a 100644
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t)
@@ -128,20 +144,22 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
# Pluto needs network access
@ -35451,7 +35460,7 @@ index 312cd04..dd6638a 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t)
@@ -157,24 +175,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@ -35486,7 +35495,7 @@ index 312cd04..dd6638a 100644
seutil_sigchld_newrole(ipsec_t)
')
@@ -187,10 +208,10 @@ optional_policy(`
@@ -187,14 +213,15 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@ -35501,7 +35510,12 @@ index 312cd04..dd6638a 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +235,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -35517,7 +35531,7 @@ index 312cd04..dd6638a 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -246,6 +275,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@ -35534,7 +35548,7 @@ index 312cd04..dd6638a 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +294,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@ -35543,7 +35557,7 @@ index 312cd04..dd6638a 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
@@ -269,6 +310,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@ -35551,7 +35565,7 @@ index 312cd04..dd6638a 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -278,9 +320,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@ -35563,7 +35577,7 @@ index 312cd04..dd6638a 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t)
@@ -288,17 +331,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -35585,6 +35599,9 @@ index 312cd04..dd6638a 100644
+
+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
+
+allow ipsec_mgmt_t ipsec_mgmt_devpts_t:chr_file rw_term_perms;
+term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t)
+
+optional_policy(`
+ bind_domtrans(ipsec_mgmt_t)
+ bind_read_dnssec_keys(ipsec_mgmt_t)
@ -35594,7 +35611,7 @@ index 312cd04..dd6638a 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +367,10 @@ optional_policy(`
@@ -322,6 +376,10 @@ optional_policy(`
')
optional_policy(`
@ -35605,7 +35622,7 @@ index 312cd04..dd6638a 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -335,7 +384,7 @@ optional_policy(`
@@ -335,7 +393,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@ -35614,7 +35631,7 @@ index 312cd04..dd6638a 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +428,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@ -35634,7 +35651,7 @@ index 312cd04..dd6638a 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +458,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@ -35647,7 +35664,7 @@ index 312cd04..dd6638a 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t)
@@ -438,9 +495,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@ -38136,7 +38153,7 @@ index 6b91740..5c1669a 100644
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..6293110 100644
index 58bc27f..8f7b119 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -1,5 +1,22 @@
@ -38239,7 +38256,7 @@ index 58bc27f..6293110 100644
######################################
## <summary>
## Execute a domain transition to run clvmd.
@@ -123,3 +203,157 @@ interface(`lvm_domtrans_clvmd',`
@@ -123,3 +203,175 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
@ -38355,6 +38372,24 @@ index 58bc27f..6293110 100644
+
+########################################
+## <summary>
+## Dontaudit read and write to lvm_lock_t dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_dontaudit_rw_lock_dir',`
+ gen_require(`
+ type lvm_lock_t;
+ ')
+
+ dontaudit $1 lvm_lock_t:dir rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of lvm.
+## </summary>
+## <param name="domain">

378
policy-rawhide-contrib.patch
View File

@ -572,7 +572,7 @@ index 058d908..7da78c7 100644
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f07..f93be3c 100644
index eb50f07..9bd797b 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -720,7 +720,7 @@ index eb50f07..f93be3c 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -125,48 +135,56 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -125,48 +135,57 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@ -781,10 +781,11 @@ index eb50f07..f93be3c 100644
dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_raw_memory(abrt_t)
+dev_read_raw_memory(abrt_t)
+dev_write_kmsg(abrt_t)
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
@@ -176,29 +194,43 @@ files_getattr_all_files(abrt_t)
@@ -176,29 +195,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@ -816,11 +817,11 @@ index eb50f07..f93be3c 100644
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
+
+auth_use_nsswitch(abrt_t)
+
+init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
@ -831,7 +832,7 @@ index eb50f07..f93be3c 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
@@ -206,15 +238,11 @@ tunable_policy(`abrt_anon_write',`
@@ -206,15 +239,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@ -848,7 +849,7 @@ index eb50f07..f93be3c 100644
')
optional_policy(`
@@ -222,6 +250,24 @@ optional_policy(`
@@ -222,6 +251,28 @@ optional_policy(`
')
optional_policy(`
@ -856,6 +857,10 @@ index eb50f07..f93be3c 100644
+')
+
+optional_policy(`
+ lvm_dontaudit_rw_lock_dir(abrt_t)
+')
+
+optional_policy(`
+ mcelog_read_log(abrt_t)
+')
+
@ -873,7 +878,7 @@ index eb50f07..f93be3c 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@@ -234,6 +280,11 @@ optional_policy(`
@@ -234,6 +285,11 @@ optional_policy(`
')
optional_policy(`
@ -885,7 +890,7 @@ index eb50f07..f93be3c 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -243,6 +294,7 @@ optional_policy(`
@@ -243,6 +299,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@ -893,7 +898,7 @@ index eb50f07..f93be3c 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
@@ -253,9 +305,21 @@ optional_policy(`
@@ -253,9 +310,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@ -916,7 +921,7 @@ index eb50f07..f93be3c 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +330,13 @@ tunable_policy(`abrt_handle_event',`
@@ -266,9 +335,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@ -931,7 +936,7 @@ index eb50f07..f93be3c 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +349,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
@@ -281,6 +354,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -939,7 +944,7 @@ index eb50f07..f93be3c 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +358,20 @@ corecmd_read_all_executables(abrt_helper_t)
@@ -289,15 +363,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@ -960,7 +965,7 @@ index eb50f07..f93be3c 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +379,25 @@ ifdef(`hide_broken_symptoms',`
@@ -305,11 +384,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -987,7 +992,7 @@ index eb50f07..f93be3c 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +415,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
@@ -327,10 +420,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@ -1001,7 +1006,7 @@ index eb50f07..f93be3c 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +433,11 @@ optional_policy(`
@@ -343,10 +438,11 @@ optional_policy(`
#######################################
#
@ -1015,7 +1020,7 @@ index eb50f07..f93be3c 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +456,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
@@ -365,38 +461,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@ -1084,7 +1089,7 @@ index eb50f07..f93be3c 100644
#######################################
#
@@ -404,25 +521,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
@@ -404,25 +526,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1147,7 +1152,7 @@ index eb50f07..f93be3c 100644
')
#######################################
@@ -430,10 +582,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
@@ -430,10 +587,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@ -5273,7 +5278,7 @@ index f6eb485..c55558a 100644
+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
diff --git a/apache.te b/apache.te
index 6649962..7abf562 100644
index 6649962..1862dfb 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -5991,7 +5996,7 @@ index 6649962..7abf562 100644
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +575,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -6047,7 +6052,8 @@ index 6649962..7abf562 100644
dev_rw_crypto(httpd_t)
-domain_use_interactive_fds(httpd_t)
-
+files_dontaudit_write_all_mountpoints(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
-
@ -6231,7 +6237,7 @@ index 6649962..7abf562 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@ -6291,7 +6297,7 @@ index 6649962..7abf562 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@ -6352,17 +6358,17 @@ index 6649962..7abf562 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
- ')
+ tunable_policy(`httpd_can_sendmail',`
+ postfix_rw_spool_maildrop_files(httpd_t)
+ ')
')
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
- ')
-')
-
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
@ -6394,7 +6400,7 @@ index 6649962..7abf562 100644
')
tunable_policy(`httpd_setrlimit',`
@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6475,7 +6481,7 @@ index 6649962..7abf562 100644
')
optional_policy(`
@@ -749,24 +917,32 @@ optional_policy(`
@@ -749,24 +919,32 @@ optional_policy(`
')
optional_policy(`
@ -6514,7 +6520,7 @@ index 6649962..7abf562 100644
')
optional_policy(`
@@ -775,6 +951,10 @@ optional_policy(`
@@ -775,6 +953,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@ -6525,7 +6531,7 @@ index 6649962..7abf562 100644
')
optional_policy(`
@@ -786,35 +966,60 @@ optional_policy(`
@@ -786,35 +968,60 @@ optional_policy(`
')
optional_policy(`
@ -6599,7 +6605,7 @@ index 6649962..7abf562 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -822,8 +1027,30 @@ optional_policy(`
@@ -822,8 +1029,30 @@ optional_policy(`
')
optional_policy(`
@ -6630,7 +6636,7 @@ index 6649962..7abf562 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -832,6 +1059,8 @@ optional_policy(`
@@ -832,6 +1061,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@ -6639,7 +6645,7 @@ index 6649962..7abf562 100644
')
optional_policy(`
@@ -842,20 +1071,40 @@ optional_policy(`
@@ -842,20 +1073,44 @@ optional_policy(`
')
optional_policy(`
@ -6661,6 +6667,13 @@ index 6649962..7abf562 100644
optional_policy(`
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
+ pkcs11proxyd_stream_connect(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ pki_apache_domain_signal(httpd_t)
+ pki_manage_apache_config_files(httpd_t)
+ pki_manage_apache_lib(httpd_t)
@ -6668,25 +6681,22 @@ index 6649962..7abf562 100644
+ pki_manage_apache_run(httpd_t)
+ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
+
+optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
+optional_policy(`
+ pwauth_domtrans(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
+ pwauth_domtrans(httpd_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
@@ -863,16 +1112,31 @@ optional_policy(`
@@ -863,16 +1118,31 @@ optional_policy(`
')
optional_policy(`
@ -6706,21 +6716,21 @@ index 6649962..7abf562 100644
optional_policy(`
smokeping_read_lib_files(httpd_t)
+ smokeping_read_pid_files(httpd_t)
+')
+
+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
')
optional_policy(`
- snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
- snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
+')
+
+optional_policy(`
+ thin_stream_connect(httpd_t)
')
optional_policy(`
@@ -883,65 +1147,189 @@ optional_policy(`
@@ -883,65 +1153,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@ -6932,7 +6942,7 @@ index 6649962..7abf562 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -950,123 +1338,75 @@ auth_use_nsswitch(httpd_suexec_t)
@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@ -7086,7 +7096,7 @@ index 6649962..7abf562 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1423,107 @@ optional_policy(`
@@ -1083,172 +1429,107 @@ optional_policy(`
')
')
@ -7253,7 +7263,8 @@ index 6649962..7abf562 100644
-#
-# System script local policy
-#
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-allow httpd_sys_script_t self:tcp_socket { accept listen };
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@ -7269,8 +7280,7 @@ index 6649962..7abf562 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@ -7324,7 +7334,7 @@ index 6649962..7abf562 100644
')
tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1531,74 @@ tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@ -7421,7 +7431,7 @@ index 6649962..7abf562 100644
########################################
#
@@ -1321,8 +1606,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@ -7438,7 +7448,7 @@ index 6649962..7abf562 100644
')
########################################
@@ -1330,49 +1622,38 @@ optional_policy(`
@@ -1330,49 +1628,38 @@ optional_policy(`
# User content local policy
#
@ -7503,7 +7513,7 @@ index 6649962..7abf562 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1663,109 @@ dev_read_urand(httpd_passwd_t)
@@ -1382,38 +1669,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -68410,6 +68420,247 @@ index 8eb3f7b..ee837c6 100644
-miscfiles_read_localization(pkcs_slotd_t)
+userdom_read_all_users_state(pkcs_slotd_t)
diff --git a/pkcs11proxyd.fc b/pkcs11proxyd.fc
new file mode 100644
index 0000000..ca1160a
--- /dev/null
+++ b/pkcs11proxyd.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/pkcs11proxyd-softhsm.* -- gen_context(system_u:object_r:pkcs11proxyd_unit_file_t,s0)
+
+/usr/sbin/pkcs11proxyd -- gen_context(system_u:object_r:pkcs11proxyd_exec_t,s0)
+
+/var/lib/pkcs11proxyd(/.*)? gen_context(system_u:object_r:pkcs11proxyd_var_lib_t,s0)
+
+/var/run/pkcs11proxyd\.socket -s gen_context(system_u:object_r:pkcs11proxyd_var_run_t,s0)
diff --git a/pkcs11proxyd.if b/pkcs11proxyd.if
new file mode 100644
index 0000000..1fa6db2
--- /dev/null
+++ b/pkcs11proxyd.if
@@ -0,0 +1,175 @@
+
+## <summary>pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm</summary>
+
+########################################
+## <summary>
+## Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_domtrans',`
+ gen_require(`
+ type pkcs11proxyd_t, pkcs11proxyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pkcs11proxyd_exec_t, pkcs11proxyd_t)
+')
+
+######################################
+## <summary>
+## Execute pkcs11proxyd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_exec',`
+ gen_require(`
+ type pkcs11proxyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pkcs11proxyd_exec_t)
+')
+
+########################################
+## <summary>
+## Search pkcs11proxyd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_search_lib',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ allow $1 pkcs11proxyd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read pkcs11proxyd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_read_lib_files',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage pkcs11proxyd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_manage_lib_files',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage pkcs11proxyd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_manage_lib_dirs',`
+ gen_require(`
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pkcs11proxyd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pkcs11proxyd_admin',`
+ gen_require(`
+ type pkcs11proxyd_t;
+ type pkcs11proxyd_var_lib_t;
+ ')
+
+ allow $1 pkcs11proxyd_t:process { signal_perms };
+ ps_process_pattern($1, pkcs11proxyd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pkcs11proxyd_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, pkcs11proxyd_var_lib_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+## <summary>
+## Connect to pkcs11proxyd over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs11proxyd_stream_connect',`
+ gen_require(`
+ type pkcs11proxyd_t, pkcs11proxyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t, pkcs11proxyd_t)
+')
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
new file mode 100644
index 0000000..6b49e41
--- /dev/null
+++ b/pkcs11proxyd.te
@@ -0,0 +1,41 @@
+policy_module(pkcs11proxyd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pkcs11proxyd_t;
+type pkcs11proxyd_exec_t;
+init_daemon_domain(pkcs11proxyd_t, pkcs11proxyd_exec_t)
+
+type pkcs11proxyd_unit_file_t;
+systemd_unit_file(pkcs11proxyd_unit_file_t)
+
+type pkcs11proxyd_var_lib_t;
+files_type(pkcs11proxyd_var_lib_t)
+
+type pkcs11proxyd_var_run_t;
+files_pid_file(pkcs11proxyd_var_run_t)
+
+########################################
+#
+# pkcs11proxyd local policy
+#
+allow pkcs11proxyd_t self:capability { kill setuid setgid };
+allow pkcs11proxyd_t self:process { getpgid setpgid };
+
+manage_dirs_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+manage_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+manage_lnk_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
+files_var_lib_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, { dir })
+
+manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
+files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
+
+auth_use_nsswitch(pkcs11proxyd_t)
+
+dev_read_urand(pkcs11proxyd_t)
+
+logging_send_syslog_msg(pkcs11proxyd_t)
+
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 0000000..e6592ea
@ -92902,10 +93153,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
index 0000000..5b65b7c
index 0000000..3e89d71
--- /dev/null
+++ b/sandboxX.if
@@ -0,0 +1,395 @@
@@ -0,0 +1,396 @@
+
+## <summary>policy for sandboxX </summary>
+
@ -92991,6 +93242,7 @@ index 0000000..5b65b7c
+ attribute sandbox_x_domain;
+ attribute sandbox_tmpfs_type;
+ attribute sandbox_type;
+ attribute sandbox_web_type;
+ ')
+
+ type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;

11
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 148%{?dist}
Release: 149%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -656,6 +656,15 @@ exit 0
%endif
%changelog
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
* Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains