* Tue Sep 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-283

- Allow passwd_t domain mmap /etc/shadow and /etc/passwd - Allow pulseaudio_t domain to map user tmp files - Allow mozilla plugin to mmap mozilla tmpfs files
2017-09-12 14:05:47 +02:00 · 2017-09-12 14:05:47 +02:00 · c3f53c2a7e
parent 63dd04bba8
commit c3f53c2a7e
4 changed files with 100 additions and 48 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3189,7 +3189,7 @@ index 99e3903ea..fa68362ea 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..6a7c8001a 100644
+index 1d732f1e7..7e03673be 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3395,7 +3395,7 @@ index 1d732f1e7..6a7c8001a 100644
 
 fs_getattr_xattr_fs(passwd_t)
 fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +341,34 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
@ -3406,7 +3406,9 @@ index 1d732f1e7..6a7c8001a 100644
 
 auth_run_chk_passwd(passwd_t, passwd_roles)
 +auth_manage_passwd(passwd_t)
+auth_map_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
+auth_map_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
 -auth_use_nsswitch(passwd_t)
@ -3432,7 +3434,7 @@ index 1d732f1e7..6a7c8001a 100644
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +375,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +377,11 @@ init_use_fds(passwd_t)
 logging_send_audit_msgs(passwd_t)
 logging_send_syslog_msg(passwd_t)
 
@ -3446,7 +3448,7 @@ index 1d732f1e7..6a7c8001a 100644
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
-@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +390,20 @@ userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
@ -3467,7 +3469,7 @@ index 1d732f1e7..6a7c8001a 100644
 
 optional_policy(`
 	nscd_run(passwd_t, passwd_roles)
-@@ -362,7 +412,7 @@ optional_policy(`
+@@ -362,7 +414,7 @@ optional_policy(`
 # Password admin local policy
 #
 
@ -3476,7 +3478,7 @@ index 1d732f1e7..6a7c8001a 100644
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
-@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +453,10 @@ dev_read_urand(sysadm_passwd_t)
 fs_getattr_xattr_fs(sysadm_passwd_t)
 fs_search_auto_mountpoints(sysadm_passwd_t)
 
@ -3489,7 +3491,7 @@ index 1d732f1e7..6a7c8001a 100644
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +469,6 @@ files_read_usr_files(sysadm_passwd_t)
 
 domain_use_interactive_fds(sysadm_passwd_t)
 
@ -3497,7 +3499,7 @@ index 1d732f1e7..6a7c8001a 100644
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
-@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +478,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(sysadm_passwd_t)
 
@ -3510,7 +3512,7 @@ index 1d732f1e7..6a7c8001a 100644
 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-@@ -446,8 +493,10 @@ optional_policy(`
+@@ -446,8 +495,10 @@ optional_policy(`
 # Useradd local policy
 #
 
@ -3523,7 +3525,7 @@ index 1d732f1e7..6a7c8001a 100644
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
-@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +512,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
 
@ -3534,7 +3536,7 @@ index 1d732f1e7..6a7c8001a 100644
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
 
-@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +523,28 @@ corecmd_exec_shell(useradd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
 
@ -3574,7 +3576,7 @@ index 1d732f1e7..6a7c8001a 100644
 
 auth_run_chk_passwd(useradd_t, useradd_roles)
 auth_rw_lastlog(useradd_t)
-@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t)
+@@ -498,45 +552,50 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
@ -3636,7 +3638,7 @@ index 1d732f1e7..6a7c8001a 100644
 ')
 
 optional_policy(`
-@@ -545,14 +602,27 @@ optional_policy(`
+@@ -545,14 +604,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -3664,7 +3666,7 @@ index 1d732f1e7..6a7c8001a 100644
 	tunable_policy(`samba_domain_controller',`
 		samba_append_log(useradd_t)
 	')
-@@ -562,3 +632,12 @@ optional_policy(`
+@@ -562,3 +634,12 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
@ -33740,7 +33742,7 @@ index 247958765..890e1e293 100644
 /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b669..3db526f84 100644
+index 3efd5b669..190c29841 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -34030,7 +34032,32 @@ index 3efd5b669..3db526f84 100644
 ')
 
 ########################################
-@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
+@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',`
+ 
+ ########################################
+ ## <summary>
+## Mmap the shadow passwords file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_map_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	allow $1 shadow_t:file map;
+')
+
+########################################
+## <summary>
+ ##	Read the shadow passwords file (/etc/shadow)
+ ## </summary>
+ ## <param name="domain">
+@@ -664,6 +777,10 @@ interface(`auth_manage_shadow',`
 
 	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -34041,7 +34068,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 #######################################
-@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +880,50 @@ interface(`auth_rw_faillog',`
 	')
 
 	logging_search_logs($1)
@ -34093,7 +34120,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 #######################################
-@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +984,29 @@ interface(`auth_rw_lastlog',`
 	allow $1 lastlog_t:file { rw_file_perms lock setattr };
 ')
 
@ -34124,7 +34151,7 @@ index 3efd5b669..3db526f84 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +1014,27 @@ interface(`auth_rw_lastlog',`
 ##	</summary>
 ## </param>
 #
@ -34155,7 +34182,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 ########################################
-@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1049,15 @@ interface(`auth_domtrans_pam',`
 #
 interface(`auth_signal_pam',`
 	gen_require(`
@ -34174,7 +34201,7 @@ index 3efd5b669..3db526f84 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1070,33 @@ interface(`auth_signal_pam',`
 ##	</summary>
 ## </param>
 #
@ -34212,7 +34239,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 ########################################
-@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1174,30 @@ interface(`auth_manage_var_auth',`
 	')
 
 	files_search_var($1)
@ -34246,7 +34273,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 ########################################
-@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1276,10 @@ interface(`auth_manage_pam_pid',`
 	files_search_pids($1)
 	allow $1 pam_var_run_t:dir manage_dir_perms;
 	allow $1 pam_var_run_t:file manage_file_perms;
@ -34257,7 +34284,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 ########################################
-@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1416,7 @@ interface(`auth_manage_pam_console_data',`
 	files_search_pids($1)
 	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
 	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -34265,7 +34292,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 #######################################
-@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1817,25 @@ interface(`auth_setattr_login_records',`
 
 ########################################
 ## <summary>
@ -34291,7 +34318,7 @@ index 3efd5b669..3db526f84 100644
 ##	Read login records files (/var/log/wtmp).
 ## </summary>
 ## <param name="domain">
-@@ -1726,24 +1968,63 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1986,63 @@ interface(`auth_manage_login_records',`
 
 	logging_rw_generic_log_dirs($1)
 	allow $1 wtmp_t:file manage_file_perms;
@ -34359,7 +34386,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 ########################################
-@@ -1767,11 +2048,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +2066,13 @@ interface(`auth_relabel_login_records',`
 ## <infoflow type="both" weight="10"/>
 #
 interface(`auth_use_nsswitch',`
@ -34376,7 +34403,7 @@ index 3efd5b669..3db526f84 100644
 ')
 
 ########################################
-@@ -1805,3 +2088,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2106,298 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -34492,6 +34519,24 @@ index 3efd5b669..3db526f84 100644
 +
 +########################################
 +## <summary>
+##	Mmap the passwd passwords file (/etc/passwd)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_map_passwd',`
+	gen_require(`
+		type passwd_file_t;
+	')
+
+	allow $1 passwd_file_t:file map;
+')
+
+########################################
+## <summary>
 +##	Do not audit attempts to read the passwd
 +##	password file (/etc/passwd).
 +## </summary>
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..7d5d385a2 100644
+index 11ac8e4fc..3c24a12ef 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@ -53750,7 +53750,7 @@ index 11ac8e4fc..7d5d385a2 100644
 ########################################
 #
 # Local policy
-@@ -75,27 +109,30 @@ optional_policy(`
+@@ -75,104 +109,101 @@ optional_policy(`
 allow mozilla_t self:capability { sys_nice setgid setuid };
 allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
 allow mozilla_t self:fifo_file rw_fifo_file_perms;
@ -53794,10 +53794,10 @@ index 11ac8e4fc..7d5d385a2 100644
 
 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
- 
+-
 -allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
@ -53805,7 +53805,8 @@ index 11ac8e4fc..7d5d385a2 100644
 -stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
 -
 -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
-
+allow mozilla_plugin_t mozilla_tmpfs_t:file map;
+ 
 kernel_read_kernel_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 +# Access /proc, sysctl
@ -53902,7 +53903,7 @@ index 11ac8e4fc..7d5d385a2 100644
 
 term_dontaudit_getattr_pty_dirs(mozilla_t)
 
-@@ -181,56 +211,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t)
 logging_send_syslog_msg(mozilla_t)
 
 miscfiles_read_fonts(mozilla_t)
@ -54013,7 +54014,7 @@ index 11ac8e4fc..7d5d385a2 100644
 ')
 
 optional_policy(`
-@@ -244,19 +291,12 @@ optional_policy(`
+@@ -244,19 +292,12 @@ optional_policy(`
 
 optional_policy(`
 	cups_read_rw_config(mozilla_t)
@ -54035,7 +54036,7 @@ index 11ac8e4fc..7d5d385a2 100644
 
 	optional_policy(`
 		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +305,32 @@ optional_policy(`
+@@ -265,33 +306,32 @@ optional_policy(`
 
 optional_policy(`
 	gnome_stream_connect_gconf(mozilla_t)
@ -54083,7 +54084,7 @@ index 11ac8e4fc..7d5d385a2 100644
 ')
 
 optional_policy(`
-@@ -300,259 +339,258 @@ optional_policy(`
+@@ -300,259 +340,258 @@ optional_policy(`
 
 ########################################
 #
@ -54488,7 +54489,7 @@ index 11ac8e4fc..7d5d385a2 100644
 ')
 
 optional_policy(`
-@@ -560,7 +598,11 @@ optional_policy(`
+@@ -560,7 +599,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -54501,7 +54502,7 @@ index 11ac8e4fc..7d5d385a2 100644
 ')
 
 optional_policy(`
-@@ -568,108 +610,144 @@ optional_policy(`
+@@ -568,108 +611,144 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -80891,10 +80892,10 @@ index 45843b55c..4d1adace5 100644
 +	ps_process_pattern($1, pulseaudio_t)
 ')
 diff --git a/pulseaudio.te b/pulseaudio.te
-index 6643b49c2..dd0c3d371 100644
+index 6643b49c2..22214f676 100644
 --- a/pulseaudio.te
 +++ b/pulseaudio.te
-@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
+@@ -8,61 +8,50 @@ policy_module(pulseaudio, 1.6.0)
 attribute pulseaudio_client;
 attribute pulseaudio_tmpfsfile;
 
@ -80970,10 +80971,11 @@ index 6643b49c2..dd0c3d371 100644
 +# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
 +userdom_read_user_home_content_files(pulseaudio_t)
 +userdom_search_admin_dir(pulseaudio_t)
+userdom_map_tmp_files(pulseaudio_t)
 
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+@@ -72,10 +61,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
@ -80985,7 +80987,7 @@ index 6643b49c2..dd0c3d371 100644
 
 can_exec(pulseaudio_t, pulseaudio_exec_t)
 
-@@ -85,62 +70,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,62 +71,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
 
 corecmd_exec_bin(pulseaudio_t)
 
@ -81067,7 +81069,7 @@ index 6643b49c2..dd0c3d371 100644
 ')
 
 optional_policy(`
-@@ -153,8 +134,9 @@ optional_policy(`
+@@ -153,8 +135,9 @@ optional_policy(`
 
 optional_policy(`
 	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@ -81079,7 +81081,7 @@ index 6643b49c2..dd0c3d371 100644
 
 	optional_policy(`
 		consolekit_dbus_chat(pulseaudio_t)
-@@ -174,29 +156,49 @@ optional_policy(`
+@@ -174,29 +157,49 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -81131,7 +81133,7 @@ index 6643b49c2..dd0c3d371 100644
 #
 # Client local policy
 #
-@@ -210,8 +212,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -210,8 +213,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
 
 fs_getattr_tmpfs(pulseaudio_client)
 
@ -81140,7 +81142,7 @@ index 6643b49c2..dd0c3d371 100644
 corenet_tcp_sendrecv_generic_if(pulseaudio_client)
 corenet_tcp_sendrecv_generic_node(pulseaudio_client)
 
-@@ -220,38 +220,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -220,38 +221,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
 corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
 
 pulseaudio_stream_connect(pulseaudio_client)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 282%{?dist}
+Release: 283%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -681,6 +681,11 @@ exit 0
 %endif

 %changelog
+* Tue Sep 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-283
+- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
+- Allow pulseaudio_t domain to map user tmp files
+- Allow mozilla plugin to mmap mozilla tmpfs files
+
 * Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-282
 - Add new bunch of map rules
 - Merge pull request #25 from NetworkManager/nm-ovs