From b03747cd87ec40245890cca8ad8921c6f0040771 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 29 Sep 2015 18:17:13 +0200 Subject: [PATCH] * Tue Sep 29 2015 Lukas Vrabec 3.13.1-149 - Add few rules related to new policy for pkcs11proxyd - Added new policy for pkcs11proxyd daemon - We need to require sandbox_web_type attribute in sandbox_x_domain_template(). - Dontaudit abrt_t to rw lvm_lock_t dir. - Allow abrt_d domain to write to kernel msg device. - Add interface lvm_dontaudit_rw_lock_dir() - Merge pull request #35 from lkundrak/lr-libreswan --- policy-rawhide-base.patch | 79 ++++++-- policy-rawhide-contrib.patch | 378 +++++++++++++++++++++++++++++------ selinux-policy.spec | 11 +- 3 files changed, 382 insertions(+), 86 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 03bb267b..89f5679d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1,5 +1,5 @@ diff --git a/Makefile b/Makefile -index ec7b5cb..029dcaf 100644 +index ec7b5cb..a027110 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule @@ -19,7 +19,7 @@ index ec7b5cb..029dcaf 100644 net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -@@ -609,15 +610,17 @@ resetlabels: +@@ -609,15 +610,16 @@ resetlabels: # Clean everything # bare: clean @@ -32,7 +32,6 @@ index ec7b5cb..029dcaf 100644 - rm -f $(booleans) - rm -fR $(htmldir) - rm -f $(tags) -+ echo "hehe kde jsem asi tak" + pwd + #rm -f $(polxml) + #rm -f $(layerxml) @@ -35357,7 +35356,7 @@ index 0d4c8d3..720ece8 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..dd6638a 100644 +index 312cd04..30cecca 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
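Review bot: Dropping the stray `echo "hehe kde jsem asi tak"` line fixes only half of the debugging leftover in the `bare` target of the Makefile hunk (`@@ -609,15 +610,16 @@`): the patch still deletes `rm -f $(booleans)`, `rm -fR $(htmldir)` and `rm -f $(tags)` and replaces them with `pwd` plus commented-out `#rm -f $(polxml)` and `#rm -f $(layerxml)`, so `make bare` no longer removes those generated files. If only the echo was meant to go, the `pwd` line should be removed and the `#` prefixes dropped so the target cleans again; otherwise a comment should say why `bare` intentionally keeps the policy XML. The `bare` target continues past the hunk, so more lines may be affected than are visible here.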
@@ -35370,7 +35369,17 @@ index 312cd04..dd6638a 100644 type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) -@@ -72,24 +75,32 @@ role system_r types setkey_t; +@@ -67,29 +70,42 @@ type setkey_exec_t; + init_system_domain(setkey_t, setkey_exec_t) + role system_r types setkey_t; + ++# The NetworkManager helper communicates the password via PTY ++type ipsec_mgmt_devpts_t; ++term_pty(ipsec_mgmt_devpts_t) ++files_type(ipsec_mgmt_devpts_t) ++ + ######################################## + # # ipsec Local policy # @@ -35408,7 +35417,7 @@ index 312cd04..dd6638a 100644 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -110,10 +126,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -35421,7 +35430,7 @@ index 312cd04..dd6638a 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +144,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -35451,7 +35460,7 @@ index 312cd04..dd6638a 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,24 +170,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,24 +175,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -35486,7 +35495,7 @@ index 312cd04..dd6638a 100644 seutil_sigchld_newrole(ipsec_t) ') -@@ -187,10 +208,10 @@ optional_policy(` +@@ -187,14 +213,15 @@ optional_policy(` # ipsec_mgmt Local policy # 
@@ -35501,7 +35510,12 @@ index 312cd04..dd6638a 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; ++allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; + + allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; + files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) +@@ -208,12 +235,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -35517,7 +35531,7 @@ index 312cd04..dd6638a 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +275,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -35534,7 +35548,7 @@ index 312cd04..dd6638a 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +294,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -35543,7 +35557,7 @@ index 312cd04..dd6638a 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +304,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +310,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) 
@@ -35551,7 +35565,7 @@ index 312cd04..dd6638a 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +320,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -35563,7 +35577,7 @@ index 312cd04..dd6638a 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +325,25 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +331,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -35585,6 +35599,9 @@ index 312cd04..dd6638a 100644 + +userdom_use_inherited_user_terminals(ipsec_mgmt_t) + ++allow ipsec_mgmt_t ipsec_mgmt_devpts_t:chr_file rw_term_perms; ++term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t) ++ +optional_policy(` + bind_domtrans(ipsec_mgmt_t) + bind_read_dnssec_keys(ipsec_mgmt_t) @@ -35594,7 +35611,7 @@ index 312cd04..dd6638a 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +367,10 @@ optional_policy(` +@@ -322,6 +376,10 @@ optional_policy(` ') optional_policy(` @@ -35605,7 +35622,7 @@ index 312cd04..dd6638a 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +384,7 @@ optional_policy(` +@@ -335,7 +393,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -35614,7 +35631,7 @@ index 312cd04..dd6638a 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +419,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +428,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) 
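Review bot: The new `ipsec_mgmt_devpts_t` rules added in the `@@ -288,17 +331,28 @@` hunk only let `ipsec_mgmt_t` itself create and use the pty (`term_create_pty` plus `rw_term_perms`), while the comment on the type says the NetworkManager helper hands the password over that pty; nothing in this patch grants any other domain access to `ipsec_mgmt_devpts_t` or adds an interface (e.g. an `ipsec_mgmt_rw_devpts` in ipsec.if) through which the helper's domain could request it, so if that helper runs in a domain other than `ipsec_mgmt_t` the exchange will presumably be denied — worth confirming against the helper's actual domain. A one-line comment above the two rules naming the peer domain would make the intent checkable, e.g. `# pty used by the NM helper (runs as <domain>) to pass the password`. Style: `term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t)` lacks the space after the comma that every other call in this file uses.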
@@ -35634,7 +35651,7 @@ index 312cd04..dd6638a 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +449,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +458,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -35647,7 +35664,7 @@ index 312cd04..dd6638a 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +486,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +495,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -38136,7 +38153,7 @@ index 6b91740..5c1669a 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..6293110 100644 +index 58bc27f..8f7b119 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,22 @@ @@ -38239,7 +38256,7 @@ index 58bc27f..6293110 100644 ###################################### ## ## Execute a domain transition to run clvmd. -@@ -123,3 +203,157 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +203,175 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -38355,6 +38372,24 @@ index 58bc27f..6293110 100644 + +######################################## +## ++## Dontaudit read and write to lvm_lock_t dir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_dontaudit_rw_lock_dir',` ++ gen_require(` ++ type lvm_lock_t; ++ ') ++ ++ dontaudit $1 lvm_lock_t:dir rw_file_perms; ++') ++ ++######################################## ++## +## Read the process state (/proc/pid) of lvm. +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 73b86e6e..599054ec 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
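Review bot: `lvm_dontaudit_rw_lock_dir()` applies `rw_file_perms` to the `dir` class, so the dontaudit will not cover `add_name`, `remove_name` or `search`, which are exactly the permissions a read/write denial on a directory normally involves; the abrt_t denial this was added for will most likely keep showing up in the audit log. The matching macro is the directory one: `dontaudit $1 lvm_lock_t:dir rw_dir_perms;`. The interface header comment could also state the intended use, e.g. `## Do not audit attempts to read and write the lvm lock directory (e.g. abrt scanning /run/lock).`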
@@ -572,7 +572,7 @@ index 058d908..7da78c7 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..f93be3c 100644 +index eb50f07..9bd797b 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -720,7 +720,7 @@ index eb50f07..f93be3c 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,48 +135,56 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -125,48 +135,57 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -781,10 +781,11 @@ index eb50f07..f93be3c 100644 dev_rw_sysfs(abrt_t) -dev_dontaudit_read_raw_memory(abrt_t) +dev_read_raw_memory(abrt_t) ++dev_write_kmsg(abrt_t) domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +194,43 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +195,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -816,11 +817,11 @@ index eb50f07..f93be3c 100644 +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) - ++ +auth_use_nsswitch(abrt_t) + +init_read_utmp(abrt_t) -+ + +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) +miscfiles_dontaudit_access_check_cert(abrt_t) @@ -831,7 +832,7 @@ index eb50f07..f93be3c 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +238,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +239,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -848,7 +849,7 @@ index eb50f07..f93be3c 100644 ') optional_policy(` -@@ -222,6 +250,24 @@ optional_policy(` +@@ -222,6 +251,28 @@ optional_policy(` ') optional_policy(` 
@@ -856,6 +857,10 @@ index eb50f07..f93be3c 100644 +') + +optional_policy(` ++ lvm_dontaudit_rw_lock_dir(abrt_t) ++') ++ ++optional_policy(` + mcelog_read_log(abrt_t) +') + @@ -873,7 +878,7 @@ index eb50f07..f93be3c 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +280,11 @@ optional_policy(` +@@ -234,6 +285,11 @@ optional_policy(` ') optional_policy(` @@ -885,7 +890,7 @@ index eb50f07..f93be3c 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +294,7 @@ optional_policy(` +@@ -243,6 +299,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -893,7 +898,7 @@ index eb50f07..f93be3c 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +305,21 @@ optional_policy(` +@@ -253,9 +310,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -916,7 +921,7 @@ index eb50f07..f93be3c 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +330,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +335,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -931,7 +936,7 @@ index eb50f07..f93be3c 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +349,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +354,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) 
@@ -939,7 +944,7 @@ index eb50f07..f93be3c 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +358,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +363,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -960,7 +965,7 @@ index eb50f07..f93be3c 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +379,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +384,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -987,7 +992,7 @@ index eb50f07..f93be3c 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +415,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +420,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1001,7 +1006,7 @@ index eb50f07..f93be3c 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +433,11 @@ optional_policy(` +@@ -343,10 +438,11 @@ optional_policy(` ####################################### # @@ -1015,7 +1020,7 @@ index eb50f07..f93be3c 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +456,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +461,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) 
@@ -1084,7 +1089,7 @@ index eb50f07..f93be3c 100644 ####################################### # -@@ -404,25 +521,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +526,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1147,7 +1152,7 @@ index eb50f07..f93be3c 100644 ') ####################################### -@@ -430,10 +582,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +587,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -5273,7 +5278,7 @@ index f6eb485..c55558a 100644 + read_files_pattern($1, httpd_var_run_t, httpd_var_run_t) ') diff --git a/apache.te b/apache.te -index 6649962..7abf562 100644 +index 6649962..1862dfb 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5991,7 +5996,7 @@ index 6649962..7abf562 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +575,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6047,7 +6052,8 @@ index 6649962..7abf562 100644 dev_rw_crypto(httpd_t) -domain_use_interactive_fds(httpd_t) -- ++files_dontaudit_write_all_mountpoints(httpd_t) + fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) - @@ -6231,7 +6237,7 @@ index 6649962..7abf562 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -6291,7 +6297,7 @@ index 6649962..7abf562 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6352,17 +6358,17 @@ index 6649962..7abf562 100644 - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') +-') +- +-optional_policy(` +- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` +- spamassassin_domtrans_client(httpd_t) +- ') + tunable_policy(`httpd_can_sendmail',` + postfix_rw_spool_maildrop_files(httpd_t) + ') ') --optional_policy(` -- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` -- spamassassin_domtrans_client(httpd_t) -- ') --') -- -tunable_policy(`httpd_graceful_shutdown',` - corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) @@ -6394,7 +6400,7 @@ index 6649962..7abf562 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6475,7 +6481,7 @@ index 6649962..7abf562 100644 ') optional_policy(` -@@ -749,24 +917,32 @@ optional_policy(` +@@ -749,24 +919,32 @@ optional_policy(` ') optional_policy(` @@ -6514,7 +6520,7 @@ index 6649962..7abf562 100644 ') optional_policy(` -@@ -775,6 +951,10 @@ optional_policy(` +@@ -775,6 +953,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6525,7 +6531,7 @@ index 6649962..7abf562 100644 ') optional_policy(` -@@ -786,35 +966,60 @@ optional_policy(` +@@ -786,35 +968,60 @@ optional_policy(` ') optional_policy(` 
@@ -6599,7 +6605,7 @@ index 6649962..7abf562 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1027,30 @@ optional_policy(` +@@ -822,8 +1029,30 @@ optional_policy(` ') optional_policy(` @@ -6630,7 +6636,7 @@ index 6649962..7abf562 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1059,8 @@ optional_policy(` +@@ -832,6 +1061,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6639,7 +6645,7 @@ index 6649962..7abf562 100644 ') optional_policy(` -@@ -842,20 +1071,40 @@ optional_policy(` +@@ -842,20 +1073,44 @@ optional_policy(` ') optional_policy(` @@ -6661,6 +6667,13 @@ index 6649962..7abf562 100644 optional_policy(` - postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) ++ pkcs11proxyd_stream_connect(httpd_t) ++') + +- tunable_policy(`httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_t) +- ') ++optional_policy(` + pki_apache_domain_signal(httpd_t) + pki_manage_apache_config_files(httpd_t) + pki_manage_apache_lib(httpd_t) @@ -6668,25 +6681,22 @@ index 6649962..7abf562 100644 + pki_manage_apache_run(httpd_t) + pki_read_tomcat_cert(httpd_t) +') - -- tunable_policy(`httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_t) -- ') ++ +optional_policy(` + puppet_read_lib(httpd_t) ++') ++ ++optional_policy(` ++ pwauth_domtrans(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) -+ pwauth_domtrans(httpd_t) -+') -+ -+optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -863,16 +1112,31 @@ optional_policy(` +@@ -863,16 +1118,31 @@ optional_policy(` ') optional_policy(` 
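Review bot: `pkcs11proxyd_stream_connect(httpd_t)` is added unconditionally inside its `optional_policy` block, so as soon as the pkcs11proxyd module is loaded every httpd instance may connect to the PKCS #11 proxy socket and drive the isolated softhsm daemon (per the description in pkcs11proxyd.if), regardless of whether the web server actually uses a token-backed key. The other outbound connections httpd gets nearby (`mysql_tcp_connect`, `postgresql_tcp_connect`) are gated by tunables; wrapping this one as `tunable_policy(\`httpd_use_pkcs11proxyd\`, \` pkcs11proxyd_stream_connect(httpd_t) ')` with a matching `gen_tunable(httpd_use_pkcs11proxyd, false)` in the apache.te declarations would keep the default attack surface unchanged. If it must be always-on, a comment stating which httpd module needs it would justify it for the next reviewer.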
@@ -6706,21 +6716,21 @@ index 6649962..7abf562 100644 optional_policy(` smokeping_read_lib_files(httpd_t) + smokeping_read_pid_files(httpd_t) -+') -+ -+optional_policy(` -+ files_dontaudit_rw_usr_dirs(httpd_t) -+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t) ') optional_policy(` - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ++ files_dontaudit_rw_usr_dirs(httpd_t) ++ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t) ++') ++ ++optional_policy(` + thin_stream_connect(httpd_t) ') optional_policy(` -@@ -883,65 +1147,189 @@ optional_policy(` +@@ -883,65 +1153,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6932,7 +6942,7 @@ index 6649962..7abf562 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1338,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7086,7 +7096,7 @@ index 6649962..7abf562 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1423,107 @@ optional_policy(` +@@ -1083,172 +1429,107 @@ optional_policy(` ') ') @@ -7253,7 +7263,8 @@ index 6649962..7abf562 100644 -# -# System script local policy -# -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t self:tcp_socket { accept listen }; - -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; @@ -7269,8 +7280,7 @@ index 6649962..7abf562 100644 -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) 
@@ -7324,7 +7334,7 @@ index 6649962..7abf562 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1531,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7421,7 +7431,7 @@ index 6649962..7abf562 100644 ######################################## # -@@ -1321,8 +1606,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7438,7 +7448,7 @@ index 6649962..7abf562 100644 ') ######################################## -@@ -1330,49 +1622,38 @@ optional_policy(` +@@ -1330,49 +1628,38 @@ optional_policy(` # User content local policy # @@ -7503,7 +7513,7 @@ index 6649962..7abf562 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1663,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1669,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -68410,6 +68420,247 @@ index 8eb3f7b..ee837c6 100644 -miscfiles_read_localization(pkcs_slotd_t) +userdom_read_all_users_state(pkcs_slotd_t) +diff --git a/pkcs11proxyd.fc b/pkcs11proxyd.fc +new file mode 100644 +index 0000000..ca1160a +--- /dev/null ++++ b/pkcs11proxyd.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/pkcs11proxyd-softhsm.* -- gen_context(system_u:object_r:pkcs11proxyd_unit_file_t,s0) ++ ++/usr/sbin/pkcs11proxyd -- gen_context(system_u:object_r:pkcs11proxyd_exec_t,s0) ++ ++/var/lib/pkcs11proxyd(/.*)? gen_context(system_u:object_r:pkcs11proxyd_var_lib_t,s0) ++ ++/var/run/pkcs11proxyd\.socket -s gen_context(system_u:object_r:pkcs11proxyd_var_run_t,s0) +diff --git a/pkcs11proxyd.if b/pkcs11proxyd.if +new file mode 100644 +index 0000000..1fa6db2 +--- /dev/null ++++ b/pkcs11proxyd.if +@@ -0,0 +1,175 @@ ++ ++## pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm ++ ++######################################## ++## ++## Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pkcs11proxyd_domtrans',` ++ gen_require(` ++ type pkcs11proxyd_t, pkcs11proxyd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, pkcs11proxyd_exec_t, pkcs11proxyd_t) ++') ++ ++###################################### ++## ++## Execute pkcs11proxyd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcs11proxyd_exec',` ++ gen_require(` ++ type pkcs11proxyd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, pkcs11proxyd_exec_t) ++') ++ ++######################################## ++## ++## Search pkcs11proxyd lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`pkcs11proxyd_search_lib',` ++ gen_require(` ++ type pkcs11proxyd_var_lib_t; ++ ') ++ ++ allow $1 pkcs11proxyd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read pkcs11proxyd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcs11proxyd_read_lib_files',` ++ gen_require(` ++ type pkcs11proxyd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage pkcs11proxyd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcs11proxyd_manage_lib_files',` ++ gen_require(` ++ type pkcs11proxyd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage pkcs11proxyd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcs11proxyd_manage_lib_dirs',` ++ gen_require(` ++ type pkcs11proxyd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pkcs11proxyd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`pkcs11proxyd_admin',` ++ gen_require(` ++ type pkcs11proxyd_t; ++ type pkcs11proxyd_var_lib_t; ++ ') ++ ++ allow $1 pkcs11proxyd_t:process { signal_perms }; ++ ps_process_pattern($1, pkcs11proxyd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pkcs11proxyd_t:process ptrace; ++ ') ++ ++ files_search_var_lib($1) ++ admin_pattern($1, pkcs11proxyd_var_lib_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') ++ ++######################################## ++## ++## Connect to pkcs11proxyd over an unix ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcs11proxyd_stream_connect',` ++ gen_require(` ++ type pkcs11proxyd_t, pkcs11proxyd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t, pkcs11proxyd_t) ++') +diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te +new file mode 100644 +index 0000000..6b49e41 +--- /dev/null ++++ b/pkcs11proxyd.te +@@ -0,0 +1,41 @@ ++policy_module(pkcs11proxyd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type pkcs11proxyd_t; ++type pkcs11proxyd_exec_t; ++init_daemon_domain(pkcs11proxyd_t, pkcs11proxyd_exec_t) ++ ++type pkcs11proxyd_unit_file_t; ++systemd_unit_file(pkcs11proxyd_unit_file_t) ++ ++type pkcs11proxyd_var_lib_t; ++files_type(pkcs11proxyd_var_lib_t) ++ ++type pkcs11proxyd_var_run_t; ++files_pid_file(pkcs11proxyd_var_run_t) ++ ++######################################## ++# ++# pkcs11proxyd local policy ++# ++allow pkcs11proxyd_t self:capability { kill setuid setgid }; ++allow pkcs11proxyd_t self:process { getpgid setpgid }; ++ ++manage_dirs_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t) ++manage_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t) ++manage_lnk_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t) 
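Review bot: `pkcs11proxyd_admin()` documents a second `role` parameter but never uses `$2`, and it grants nothing on `pkcs11proxyd_unit_file_t`, although pkcs11proxyd.fc labels `/usr/lib/systemd/system/pkcs11proxyd-softhsm.*` with that type — an admin domain built from this interface can signal and ps the daemon but cannot read, enable or start its unit file. Either drop the unused role parameter from the header comment or wire it up as the other admin interfaces in this policy do, and add the unit-file rules shown below (the `all_service_perms` set is the one used by the other admin interfaces in this contrib policy — confirm it is defined in this tree).

```m4
interface(`pkcs11proxyd_admin',`
	gen_require(`
		type pkcs11proxyd_t;
		type pkcs11proxyd_var_lib_t;
		type pkcs11proxyd_unit_file_t;
	')
	# … unchanged: signal/ps/ptrace rules and admin_pattern on pkcs11proxyd_var_lib_t …
	allow $1 pkcs11proxyd_unit_file_t:file read_file_perms;
	allow $1 pkcs11proxyd_unit_file_t:service all_service_perms;
	admin_pattern($1, pkcs11proxyd_unit_file_t)
	# … unchanged: optional systemd passwd agent rules …
```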
++files_var_lib_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_lib_t, { dir }) ++ ++manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t) ++files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file }) ++ ++auth_use_nsswitch(pkcs11proxyd_t) ++ ++dev_read_urand(pkcs11proxyd_t) ++ ++logging_send_syslog_msg(pkcs11proxyd_t) ++ diff --git a/pki.fc b/pki.fc new file mode 100644 index 0000000..e6592ea @@ -92902,10 +93153,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..5b65b7c +index 0000000..3e89d71 --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,395 @@ +@@ -0,0 +1,396 @@ + +## policy for sandboxX + @@ -92991,6 +93242,7 @@ index 0000000..5b65b7c + attribute sandbox_x_domain; + attribute sandbox_tmpfs_type; + attribute sandbox_type; ++ attribute sandbox_web_type; + ') + + type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type; diff --git a/selinux-policy.spec b/selinux-policy.spec index ea25522f..673e3def 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 148%{?dist} +Release: 149%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
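Review bot: `allow pkcs11proxyd_t self:capability { kill setuid setgid };` in the new pkcs11proxyd local policy carries no comment saying why a daemon that fronts a software HSM needs to change identity or signal processes of other uids; `kill` in particular is only required to signal a process with a different uid, so if the daemon merely drops privileges and signals its own children it can presumably be removed — confirm against the daemon source. A short why-comment above the rule, such as `# drops to an unprivileged uid after creating the socket; kill needed for <reason> — verify`, would let later reviewers judge the set. The policy also gives the domain only its own `/var/lib/pkcs11proxyd` content, so if the softhsm token store lives elsewhere the daemon will be denied there — worth checking, since nothing in the hunk shows where the tokens are.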
@@ -656,6 +656,15 @@ exit 0 %endif %changelog +* Tue Sep 29 2015 Lukas Vrabec 3.13.1-149 +- Add few rules related to new policy for pkcs11proxyd +- Added new policy for pkcs11proxyd daemon +- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). +- Dontaudit abrt_t to rw lvm_lock_t dir. +- Allow abrt_d domain to write to kernel msg device. +- Add interface lvm_dontaudit_rw_lock_dir() +- Merge pull request #35 from lkundrak/lr-libreswan + * Tue Sep 22 2015 Lukas Vrabec 3.13.1-148 - Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users. - Added support for permissive domains