rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files

Browse Source 
- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
This commit is contained in:
Miroslav 2011-09-14 16:11:08 +02:00
parent e8563b3245
commit b3edab31fb
2 changed files with 259 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

347
policy-F16.patch
View File

@ -32460,7 +32460,7 @@ index 9bd812b..2385a2c 100644
## an dnsmasq environment
## </summary>
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index fdaeeba..d707dde 100644
index fdaeeba..06021d4 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@ -32487,7 +32487,7 @@ index fdaeeba..d707dde 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -96,7 +100,16 @@ optional_policy(`
@@ -96,7 +100,20 @@ optional_policy(`
')
optional_policy(`
@ -32500,11 +32500,15 @@ index fdaeeba..d707dde 100644
+')
+
+optional_policy(`
+ networkmanager_read_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
+ ppp_read_pid_files(dnsmasq_t)
')
optional_policy(`
@@ -114,4 +127,5 @@ optional_policy(`
@@ -114,4 +131,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
@ -53589,7 +53593,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 22adaca..ba5d941 100644
index 22adaca..d9c1d90 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@ -53811,18 +53815,36 @@ index 22adaca..ba5d941 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
@@ -477,8 +493,9 @@ interface(`ssh_read_pipes',`
@@ -477,8 +493,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
- allow $1 sshd_t:fifo_file { getattr read };
+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
')
+
+######################################
+## <summary>
+## Read and write ssh server unix dgram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_rw_dgram_sockets',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
+')
+
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
@@ -494,7 +511,7 @@ interface(`ssh_rw_pipes',`
@@ -494,7 +529,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@ -53831,7 +53853,7 @@ index 22adaca..ba5d941 100644
')
########################################
@@ -586,6 +603,24 @@ interface(`ssh_domtrans',`
@@ -586,6 +621,24 @@ interface(`ssh_domtrans',`
########################################
## <summary>
@ -53856,7 +53878,7 @@ index 22adaca..ba5d941 100644
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
@@ -618,7 +653,7 @@ interface(`ssh_setattr_key_files',`
@@ -618,7 +671,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@ -53865,7 +53887,7 @@ index 22adaca..ba5d941 100644
files_search_pids($1)
')
@@ -680,6 +715,32 @@ interface(`ssh_domtrans_keygen',`
@@ -680,6 +733,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@ -53898,7 +53920,7 @@ index 22adaca..ba5d941 100644
########################################
## <summary>
## Read ssh server keys
@@ -695,7 +756,7 @@ interface(`ssh_dontaudit_read_server_keys',`
@@ -695,7 +774,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@ -53907,7 +53929,7 @@ index 22adaca..ba5d941 100644
')
######################################
@@ -735,3 +796,62 @@ interface(`ssh_delete_tmp',`
@@ -735,3 +814,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@ -53930,6 +53952,25 @@ index 22adaca..ba5d941 100644
+ allow $1 sshd_t:process signull;
+')
+
+#####################################
+## <summary>
+## Allow domain dyntransition to chroot_user_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_dyntransition_chroot_user',`
+ gen_require(`
+ type chroot_user_t;
+ ')
+
+ allow $1 chroot_user_t:process dyntransition;
+ allow chroot_user_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Create .ssh directory in the /root directory
@ -53971,10 +54012,10 @@ index 22adaca..ba5d941 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..24f8d90 100644
index 2dad3c8..28ef6ae 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
#
## <desc>
@ -53988,15 +54029,12 @@ index 2dad3c8..24f8d90 100644
gen_tunable(allow_ssh_keysign, false)
## <desc>
-## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
## </desc>
gen_tunable(ssh_sysadm_login, false)
+## </desc>
+gen_tunable(ssh_sysadm_login, false)
+
+## <desc>
+## <p>
+## allow sshd to forward port connections
@ -54004,9 +54042,23 @@ index 2dad3c8..24f8d90 100644
+## </desc>
+gen_tunable(sshd_forward_ports, false)
+
+## <desc>
## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
+## Allow ssh with chroot env to read and write files
+## in the user home directories
## </p>
## </desc>
-gen_tunable(ssh_sysadm_login, false)
+gen_tunable(ssh_chroot_rw_homedirs, false)
attribute ssh_server;
attribute ssh_agent_type;
+type chroot_user_t;
+domain_type(chroot_user_t)
+role system_r types chroot_user_t;
+
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
@ -54014,7 +54066,7 @@ index 2dad3c8..24f8d90 100644
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)
@@ -33,17 +39,12 @@ corecmd_executable_file(sshd_exec_t)
@@ -33,17 +51,12 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@ -54035,7 +54087,7 @@ index 2dad3c8..24f8d90 100644
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@@ -76,8 +77,12 @@ ubac_constrained(ssh_tmpfs_t)
@@ -76,8 +89,12 @@ ubac_constrained(ssh_tmpfs_t)
type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
@ -54049,7 +54101,7 @@ index 2dad3c8..24f8d90 100644
##############################
#
@@ -95,15 +100,11 @@ allow ssh_t self:sem create_sem_perms;
@@ -95,15 +112,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -54066,7 +54118,7 @@ index 2dad3c8..24f8d90 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -113,20 +114,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
@@ -113,20 +126,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@ -54095,7 +54147,7 @@ index 2dad3c8..24f8d90 100644
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
@@ -138,7 +144,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
@@ -138,7 +156,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@ -54107,7 +54159,7 @@ index 2dad3c8..24f8d90 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
@@ -162,21 +172,28 @@ logging_read_generic_logs(ssh_t)
@@ -162,21 +184,28 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
miscfiles_read_localization(ssh_t)
@ -54142,7 +54194,7 @@ index 2dad3c8..24f8d90 100644
')
tunable_policy(`use_nfs_home_dirs',`
@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',`
@@ -196,10 +225,15 @@ tunable_policy(`user_tcp_server',`
')
optional_policy(`
@ -54158,7 +54210,7 @@ index 2dad3c8..24f8d90 100644
##############################
#
# ssh_keysign_t local policy
@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',`
@@ -209,19 +243,14 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@ -54180,7 +54232,7 @@ index 2dad3c8..24f8d90 100644
#################################
#
# sshd local policy
@@ -232,33 +249,43 @@ optional_policy(`
@@ -232,33 +261,44 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@ -54209,6 +54261,7 @@ index 2dad3c8..24f8d90 100644
+userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+userdom_dyntransition_unpriv_users(sshd_t)
+
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
@ -54233,7 +54286,7 @@ index 2dad3c8..24f8d90 100644
')
optional_policy(`
@@ -266,11 +293,24 @@ optional_policy(`
@@ -266,11 +306,24 @@ optional_policy(`
')
optional_policy(`
@ -54259,10 +54312,14 @@ index 2dad3c8..24f8d90 100644
')
optional_policy(`
@@ -284,6 +324,15 @@ optional_policy(`
@@ -284,6 +337,19 @@ optional_policy(`
')
optional_policy(`
+ ssh_dyntransition_chroot_user(sshd_t)
+')
+
+optional_policy(`
+ systemd_exec_systemctl(sshd_t)
+')
+
@ -54275,7 +54332,7 @@ index 2dad3c8..24f8d90 100644
unconfined_shell_domtrans(sshd_t)
')
@@ -292,26 +341,26 @@ optional_policy(`
@@ -292,26 +358,26 @@ optional_policy(`
')
ifdef(`TODO',`
@ -54321,7 +54378,7 @@ index 2dad3c8..24f8d90 100644
') dnl endif TODO
########################################
@@ -322,19 +371,26 @@ tunable_policy(`ssh_sysadm_login',`
@@ -322,19 +388,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@ -54349,18 +54406,73 @@ index 2dad3c8..24f8d90 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -351,10 +407,7 @@ auth_use_nsswitch(ssh_keygen_t)
@@ -351,15 +424,63 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-
-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-')
+userdom_use_user_terminals(ssh_keygen_t)
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
- nscd_socket_use(ssh_keygen_t)
+ seutil_sigchld_newrole(ssh_keygen_t)
')
optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
+ udev_read_db(ssh_keygen_t)
+')
+
+######################################
+#
+# chroot_user_t local policy
+#
+
+allow chroot_user_t self:capability { setuid sys_chroot setgid };
+
+allow chroot_user_t self:fifo_file rw_fifo_file_perms;
+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
+userdom_exec_user_home_content_files(chroot_user_t)
+
+tunable_policy(`ssh_chroot_rw_homedirs',`
+ files_list_home(chroot_user_t)
+ userdom_read_user_home_content_files(chroot_user_t)
+ userdom_manage_user_home_content(chroot_user_t)
+', `
+
+ userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(chroot_user_t)
+ fs_manage_nfs_files(chroot_user_t)
+ fs_manage_nfs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(chroot_user_t)
+ fs_manage_cifs_files(chroot_user_t)
+ fs_manage_cifs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(chroot_user_t)
+ fs_read_cifs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(chroot_user_t)
+ fs_read_nfs_symlinks(chroot_user_t)
')
optional_policy(`
- udev_read_db(ssh_keygen_t)
+ ssh_rw_stream_sockets(chroot_user_t)
+ ssh_rw_tcp_sockets(chroot_user_t)
+ ssh_rw_dgram_sockets(chroot_user_t)
')
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..6dbfc01 100644
--- a/policy/modules/services/sssd.if
@ -61212,7 +61324,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 94fd8dd..3e8f08e 100644
index 94fd8dd..f4a1020 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,42 @@ interface(`init_script_domain',`
@ -61587,7 +61699,7 @@ index 94fd8dd..3e8f08e 100644
')
')
@@ -800,23 +933,45 @@ interface(`init_spec_domtrans_script',`
@@ -800,19 +933,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@ -61610,11 +61722,11 @@ index 94fd8dd..3e8f08e 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
')
########################################
## <summary>
+ ')
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@ -61627,16 +61739,12 @@ index 94fd8dd..3e8f08e 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
+ ')
')
+
+ corecmd_bin_domtrans($1, initrc_t)
+')
+
+########################################
+## <summary>
## Execute a init script in a specified domain.
## </summary>
## <desc>
')
########################################
@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
@ -61933,7 +62041,7 @@ index 94fd8dd..3e8f08e 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
@@ -1749,3 +2120,156 @@ interface(`init_udp_recvfrom_all_daemons',`
@@ -1749,3 +2120,175 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@ -62049,6 +62157,25 @@ index 94fd8dd..3e8f08e 100644
+
+########################################
+## <summary>
+## Send a message to init over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stream_send',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket sendto;
+')
+
+########################################
+## <summary>
+## Create a file type used for init socket files.
+## </summary>
+## <desc>
@ -62091,7 +62218,7 @@ index 94fd8dd..3e8f08e 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29a9565..7902fbb 100644
index 29a9565..cd829ed 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -62899,7 +63026,7 @@ index 29a9565..7902fbb 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
@@ -815,11 +1163,24 @@ optional_policy(`
@@ -815,11 +1163,26 @@ optional_policy(`
')
optional_policy(`
@ -62922,10 +63049,12 @@ index 29a9565..7902fbb 100644
+ mcs_socket_write_all_levels(initrc_t)
+ mcs_killall(initrc_t)
+ mcs_ptrace_all(initrc_t)
+
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -829,6 +1190,25 @@ optional_policy(`
@@ -829,6 +1192,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -62951,7 +63080,7 @@ index 29a9565..7902fbb 100644
')
optional_policy(`
@@ -844,6 +1224,10 @@ optional_policy(`
@@ -844,6 +1226,10 @@ optional_policy(`
')
optional_policy(`
@ -62962,7 +63091,7 @@ index 29a9565..7902fbb 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -854,3 +1238,149 @@ optional_policy(`
@@ -854,3 +1240,149 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -67130,7 +67259,7 @@ index 694fd94..334e80e 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index ff80d0a..b1395dc 100644
index ff80d0a..be800df 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@ -67317,7 +67446,7 @@ index ff80d0a..b1395dc 100644
')
########################################
@@ -731,3 +850,72 @@ interface(`sysnet_use_portmap',`
@@ -731,3 +850,73 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@ -67384,6 +67513,7 @@ index ff80d0a..b1395dc 100644
+ ')
+
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
@ -67391,7 +67521,7 @@ index ff80d0a..b1395dc 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 34d0ec5..2c1578e 100644
index 34d0ec5..7e4782d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@ -67485,11 +67615,12 @@ index 34d0ec5..2c1578e 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
@@ -130,13 +148,13 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
@@ -130,13 +148,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
init_rw_utmp(dhcpc_t)
+init_stream_connect(dhcpc_t)
+init_stream_send(dhcpc_t)
logging_send_syslog_msg(dhcpc_t)
@ -67501,7 +67632,7 @@ index 34d0ec5..2c1578e 100644
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
@@ -155,6 +173,16 @@ optional_policy(`
@@ -155,6 +174,16 @@ optional_policy(`
')
optional_policy(`
@ -67518,7 +67649,7 @@ index 34d0ec5..2c1578e 100644
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
@@ -171,6 +199,8 @@ optional_policy(`
@@ -171,6 +200,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@ -67527,7 +67658,7 @@ index 34d0ec5..2c1578e 100644
')
optional_policy(`
@@ -192,7 +222,19 @@ optional_policy(`
@@ -192,7 +223,19 @@ optional_policy(`
')
optional_policy(`
@ -67547,7 +67678,7 @@ index 34d0ec5..2c1578e 100644
')
optional_policy(`
@@ -213,6 +255,11 @@ optional_policy(`
@@ -213,6 +256,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@ -67559,7 +67690,7 @@ index 34d0ec5..2c1578e 100644
')
optional_policy(`
@@ -255,6 +302,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
@@ -255,6 +303,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@ -67567,7 +67698,7 @@ index 34d0ec5..2c1578e 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
@@ -276,8 +324,11 @@ dev_read_urand(ifconfig_t)
@@ -276,8 +325,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@ -67579,7 +67710,7 @@ index 34d0ec5..2c1578e 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -301,11 +352,12 @@ logging_send_syslog_msg(ifconfig_t)
@@ -301,11 +353,12 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@ -67594,7 +67725,7 @@ index 34d0ec5..2c1578e 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
@@ -314,7 +366,18 @@ ifdef(`distro_ubuntu',`
@@ -314,7 +367,18 @@ ifdef(`distro_ubuntu',`
')
')
@ -67613,7 +67744,7 @@ index 34d0ec5..2c1578e 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
@@ -325,8 +388,14 @@ ifdef(`hide_broken_symptoms',`
@@ -325,8 +389,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@ -67628,7 +67759,7 @@ index 34d0ec5..2c1578e 100644
')
optional_policy(`
@@ -335,6 +404,18 @@ optional_policy(`
@@ -335,6 +405,18 @@ optional_policy(`
')
optional_policy(`
@ -67647,7 +67778,7 @@ index 34d0ec5..2c1578e 100644
nis_use_ypbind(ifconfig_t)
')
@@ -356,3 +437,9 @@ optional_policy(`
@@ -356,3 +438,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@ -68125,10 +68256,10 @@ index 0000000..fc8cac1
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..3b03294
index 0000000..ce732b0
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,353 @@
@@ -0,0 +1,358 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -68313,6 +68444,7 @@ index 0000000..3b03294
+#
+
+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
@ -68350,7 +68482,12 @@ index 0000000..3b03294
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
+files_list_lost_found(systemd_tmpfiles_t)
+
+init_dgram_send(systemd_tmpfiles_t)
+mcs_file_read_all(systemd_tmpfiles_t)
+mcs_file_write_all(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+
+selinux_get_enforce_mode(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_relabel_faillog(systemd_tmpfiles_t)
@ -68360,12 +68497,8 @@ index 0000000..3b03294
+auth_setattr_login_records(systemd_tmpfiles_t)
+auth_use_nsswitch(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+mcs_file_read_all(systemd_tmpfiles_t)
+mcs_file_write_all(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+init_dgram_send(systemd_tmpfiles_t)
+init_rw_stream_sockets(systemd_tmpfiles_t)
+
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
@ -68374,6 +68507,9 @@ index 0000000..3b03294
+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
+miscfiles_read_localization(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+ifdef(`distro_redhat',`
+ userdom_list_user_home_content(systemd_tmpfiles_t)
+ userdom_delete_user_home_content_dirs(systemd_tmpfiles_t)
@ -69674,7 +69810,7 @@ index db75976..cca4cd1 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 4b2878a..022f6e7 100644
index 4b2878a..efc9525 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -71795,7 +71931,32 @@ index 4b2878a..022f6e7 100644
########################################
## <summary>
## Execute a shell in all user domains. This
@@ -2736,24 +3373,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
@@ -2713,6 +3350,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
+#####################################
+## <summary>
+## Allow domain dyntrans to unpriv userdomain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dyntransition_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process dyntransition;
+')
+
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
@@ -2736,24 +3391,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@ -71820,7 +71981,7 @@ index 4b2878a..022f6e7 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
@@ -2772,25 +3391,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
@@ -2772,25 +3409,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@ -71846,7 +72007,7 @@ index 4b2878a..022f6e7 100644
########################################
## <summary>
## Manage unpriviledged user SysV shared
@@ -2852,7 +3452,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -2852,7 +3470,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@ -71855,7 +72016,7 @@ index 4b2878a..022f6e7 100644
allow unpriv_userdomain $1:process sigchld;
')
@@ -2868,29 +3468,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -2868,29 +3486,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -71889,7 +72050,7 @@ index 4b2878a..022f6e7 100644
')
########################################
@@ -2972,7 +3556,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -2972,7 +3574,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@ -71898,7 +72059,7 @@ index 4b2878a..022f6e7 100644
')
########################################
@@ -3027,7 +3611,45 @@ interface(`userdom_write_user_tmp_files',`
@@ -3027,7 +3629,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -71945,7 +72106,7 @@ index 4b2878a..022f6e7 100644
')
########################################
@@ -3064,6 +3686,7 @@ interface(`userdom_read_all_users_state',`
@@ -3064,6 +3704,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@ -71953,7 +72114,7 @@ index 4b2878a..022f6e7 100644
kernel_search_proc($1)
')
@@ -3142,6 +3765,24 @@ interface(`userdom_signal_all_users',`
@@ -3142,6 +3783,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@ -71978,7 +72139,7 @@ index 4b2878a..022f6e7 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
@@ -3194,3 +3835,1076 @@ interface(`userdom_dbus_send_all_users',`
@@ -3194,3 +3853,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')

6
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
Release: 27%{?dist}
Release: 28%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -466,6 +466,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Sep 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-28
- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files
- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
* Tue Sep 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-27
- Allow collectd to read hardware state information
- Add loop_control_device_t