One more fix for virt_transition_userdomain
This commit is contained in:
parent
4c142c0a6c
commit
c911699ca4
@ -8272,7 +8272,7 @@ index 6529bd9..831344c 100644
|
||||
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
|
||||
allow devices_unconfined_type mtrr_device_t:file *;
|
||||
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
|
||||
index 6a1e4d1..47a42d5 100644
|
||||
index 6a1e4d1..57cc8d1 100644
|
||||
--- a/policy/modules/kernel/domain.if
|
||||
+++ b/policy/modules/kernel/domain.if
|
||||
@@ -76,33 +76,8 @@ interface(`domain_type',`
|
||||
@ -8450,7 +8450,7 @@ index 6a1e4d1..47a42d5 100644
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
@ -8459,7 +8459,7 @@ index 6a1e4d1..47a42d5 100644
|
||||
+ attribute domain;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 domain:process transition;
|
||||
+ allow $1 domain:process transition;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..bcaf613 100644
|
||||
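Review bot: `allow $1 domain:process transition;` lets the caller transition into every type carrying the `domain` attribute, which includes unconfined and privileged system domains rather than only the user domains the commit title (virt_transition_userdomain) is about; the interface's name and opening summary are outside this hunk, so it is not visible whether they convey that breadth. A transition still needs an entrypoint on the target's executable and the target's own rules, so this rule alone does not open a path, but it removes the per-target gate that normally makes such paths reviewable in the policy. If the only consumer is virt's user-domain transition, an interface scoped to the `userdomain` attribute would be tighter; at minimum the summary in the preceding hunk (the line now reading `Domain allowed access.`) should state that all domains are covered, e.g. `## Allow the specified domain to transition to every domain on the system.`.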
@ -20951,7 +20951,7 @@ index d1f64a0..8f50bb9 100644
|
||||
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+
|
||||
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
|
||||
index 6bf0ecc..266289c 100644
|
||||
index 6bf0ecc..d740738 100644
|
||||
--- a/policy/modules/services/xserver.if
|
||||
+++ b/policy/modules/services/xserver.if
|
||||
@@ -18,100 +18,37 @@
|
||||
@ -21438,19 +21438,18 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',`
|
||||
@@ -765,11 +817,91 @@ interface(`xserver_manage_xdm_spool_files',`
|
||||
#
|
||||
interface(`xserver_stream_connect_xdm',`
|
||||
gen_require(`
|
||||
- type xdm_t, xdm_tmp_t;
|
||||
+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
|
||||
+ type xdm_dbusd_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
|
||||
+ files_search_pids($1)
|
||||
+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } )
|
||||
+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -21533,7 +21532,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -793,6 +926,25 @@ interface(`xserver_read_xdm_rw_config',`
|
||||
@@ -793,6 +925,25 @@ interface(`xserver_read_xdm_rw_config',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -21559,7 +21558,7 @@ index 6bf0ecc..266289c 100644
|
||||
## Set the attributes of XDM temporary directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -806,7 +958,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
|
||||
@@ -806,7 +957,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
@ -21586,7 +21585,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -846,7 +1016,26 @@ interface(`xserver_read_xdm_pid',`
|
||||
@@ -846,7 +1015,26 @@ interface(`xserver_read_xdm_pid',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
@ -21614,7 +21613,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -869,6 +1058,24 @@ interface(`xserver_read_xdm_lib_files',`
|
||||
@@ -869,6 +1057,24 @@ interface(`xserver_read_xdm_lib_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -21639,7 +21638,7 @@ index 6bf0ecc..266289c 100644
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',`
|
||||
@@ -938,10 +1144,29 @@ interface(`xserver_getattr_log',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
@ -21671,7 +21670,7 @@ index 6bf0ecc..266289c 100644
|
||||
## <summary>
|
||||
## Do not audit attempts to write the X server
|
||||
## log files.
|
||||
@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',`
|
||||
@@ -957,7 +1182,7 @@ interface(`xserver_dontaudit_write_log',`
|
||||
type xserver_log_t;
|
||||
')
|
||||
|
||||
@ -21680,7 +21679,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
|
||||
@@ -1004,6 +1229,64 @@ interface(`xserver_read_xkb_libs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -21745,7 +21744,7 @@ index 6bf0ecc..266289c 100644
|
||||
## Read xdm temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
|
||||
@@ -1017,7 +1300,7 @@ interface(`xserver_read_xdm_tmp_files',`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
@ -21754,7 +21753,7 @@ index 6bf0ecc..266289c 100644
|
||||
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||
')
|
||||
|
||||
@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
|
||||
@@ -1079,6 +1362,42 @@ interface(`xserver_manage_xdm_tmp_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -21797,7 +21796,7 @@ index 6bf0ecc..266289c 100644
|
||||
## Do not audit attempts to get the attributes of
|
||||
## xdm temporary named sockets.
|
||||
## </summary>
|
||||
@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
||||
@@ -1093,7 +1412,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
@ -21806,7 +21805,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
|
||||
@@ -1111,8 +1430,10 @@ interface(`xserver_domtrans',`
|
||||
type xserver_t, xserver_exec_t;
|
||||
')
|
||||
|
||||
@ -21818,7 +21817,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
|
||||
@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -21844,7 +21843,7 @@ index 6bf0ecc..266289c 100644
|
||||
## Connect to the X server over a unix domain
|
||||
## stream socket.
|
||||
## </summary>
|
||||
@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
|
||||
@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',`
|
||||
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
@ -21871,7 +21870,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
|
||||
@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',`
|
||||
## <summary>
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain permission to read the
|
||||
@ -21880,7 +21879,7 @@ index 6bf0ecc..266289c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1261,13 +1622,23 @@ interface(`xserver_read_tmp_files',`
|
||||
@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',`
|
||||
#
|
||||
interface(`xserver_manage_core_devices',`
|
||||
gen_require(`
|
||||
@ -21905,7 +21904,7 @@ index 6bf0ecc..266289c 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1284,10 +1655,622 @@ interface(`xserver_manage_core_devices',`
|
||||
@@ -1284,10 +1654,622 @@ interface(`xserver_manage_core_devices',`
|
||||
#
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
@ -22531,7 +22530,7 @@ index 6bf0ecc..266289c 100644
|
||||
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index 2696452..7e081fb 100644
|
||||
index 2696452..31450f4 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,28 +26,59 @@ gen_require(`
|
||||
@ -22663,10 +22662,11 @@ index 2696452..7e081fb 100644
|
||||
fs_associate_tmpfs(xconsole_device_t)
|
||||
files_associate_tmp(xconsole_device_t)
|
||||
|
||||
-type xdm_t;
|
||||
+type xdm_unconfined_exec_t;
|
||||
+application_executable_file(xdm_unconfined_exec_t)
|
||||
+
|
||||
type xdm_t;
|
||||
+type xdm_t alias xdm_dbusd_t;
|
||||
type xdm_exec_t;
|
||||
auth_login_pgm_domain(xdm_t)
|
||||
init_domain(xdm_t, xdm_exec_t)
|
||||
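Review bot: `type xdm_t alias xdm_dbusd_t;` folds the former separate dbus daemon domain into the display manager's own domain, so whatever the session bus runs for xdm now executes with xdm_t's login-program privileges (`auth_login_pgm_domain(xdm_t)` is in this hunk). If the alias exists only so that older references to xdm_dbusd_t keep compiling, say so next to it, e.g. `# xdm_dbusd_t is an alias: the xdm session bus runs as xdm_t itself`; otherwise the lost separation deserves a reason in the commit. This rendering does not show which of `type xdm_t;` and the alias line is the new side, so this assumes the alias is what the patch now adds.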
@ -23106,7 +23106,7 @@ index 2696452..7e081fb 100644
|
||||
|
||||
storage_dontaudit_read_fixed_disk(xdm_t)
|
||||
storage_dontaudit_write_fixed_disk(xdm_t)
|
||||
@@ -441,28 +629,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||
@@ -441,28 +629,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
|
||||
storage_dontaudit_raw_write_removable_device(xdm_t)
|
||||
storage_dontaudit_setattr_removable_dev(xdm_t)
|
||||
storage_dontaudit_rw_scsi_generic(xdm_t)
|
||||
@ -23133,6 +23133,8 @@ index 2696452..7e081fb 100644
|
||||
+init_dbus_chat(xdm_t)
|
||||
+init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
|
||||
+init_status(xdm_t)
|
||||
+
|
||||
+application_exec(xdm_t)
|
||||
|
||||
libs_exec_lib_files(xdm_t)
|
||||
+libs_exec_ldconfig(xdm_t)
|
||||
@ -23153,7 +23155,7 @@ index 2696452..7e081fb 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
|
||||
userdom_create_all_users_keys(xdm_t)
|
||||
@@ -471,24 +674,144 @@ userdom_read_user_home_content_files(xdm_t)
|
||||
@@ -471,24 +676,144 @@ userdom_read_user_home_content_files(xdm_t)
|
||||
# Search /proc for any user domain processes.
|
||||
userdom_read_all_users_state(xdm_t)
|
||||
userdom_signal_all_users(xdm_t)
|
||||
@ -23304,7 +23306,7 @@ index 2696452..7e081fb 100644
|
||||
tunable_policy(`xdm_sysadm_login',`
|
||||
userdom_xsession_spec_domtrans_all_users(xdm_t)
|
||||
# FIXME:
|
||||
@@ -502,11 +825,26 @@ tunable_policy(`xdm_sysadm_login',`
|
||||
@@ -502,11 +827,26 @@ tunable_policy(`xdm_sysadm_login',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23331,29 +23333,12 @@ index 2696452..7e081fb 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -514,12 +852,72 @@ optional_policy(`
|
||||
@@ -514,12 +854,55 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ # Use dbus to start other processes as xdm_t
|
||||
+ dbus_role_template(xdm, system_r, xdm_t)
|
||||
+ dbus_system_bus_client(xdm_dbusd_t)
|
||||
+ dbus_system_bus_client(xdm_t)
|
||||
+
|
||||
+ application_dontaudit_exec(xdm_dbusd_t)
|
||||
+ #fixes for xfce4-notifyd
|
||||
+ allow xdm_dbusd_t self:unix_stream_socket connectto;
|
||||
+ allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
|
||||
+
|
||||
+
|
||||
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
|
||||
+ xserver_xdm_append_log(xdm_dbusd_t)
|
||||
+ xserver_read_xdm_pid(xdm_dbusd_t)
|
||||
+
|
||||
+ miscfiles_read_fonts(xdm_dbusd_t)
|
||||
+
|
||||
+ corecmd_bin_entry_type(xdm_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ bluetooth_dbus_chat(xdm_t)
|
||||
+ ')
|
||||
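Review bot: With xdm_dbusd_t now an alias of xdm_t, `dbus_role_template(xdm, system_r, xdm_t)` is a concern if it survives on the new side, because that template declares its own `xdm_dbusd_t` type in reference policy and would collide with the alias at build time; which of the `+` lines in this hunk remain cannot be read off this rendering, so please confirm the template call is among the removed ones or replace it with the plain `dbus_system_bus_client(xdm_t)` that the hunk also carries. The comment `# Use dbus to start other processes as xdm_t` is the only explanation of the block and would be worth keeping either way.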
@ -23404,7 +23389,7 @@ index 2696452..7e081fb 100644
|
||||
hostname_exec(xdm_t)
|
||||
')
|
||||
|
||||
@@ -537,28 +935,78 @@ optional_policy(`
|
||||
@@ -537,28 +920,78 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23492,7 +23477,7 @@ index 2696452..7e081fb 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -570,6 +1018,14 @@ optional_policy(`
|
||||
@@ -570,6 +1003,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23507,7 +23492,7 @@ index 2696452..7e081fb 100644
|
||||
xfs_stream_connect(xdm_t)
|
||||
')
|
||||
|
||||
@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||
@@ -594,8 +1035,11 @@ allow xserver_t input_xevent_t:x_event send;
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
@ -23520,7 +23505,7 @@ index 2696452..7e081fb 100644
|
||||
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow xserver_t self:fd use;
|
||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||
@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
@@ -608,8 +1052,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xserver_t self:udp_socket create_socket_perms;
|
||||
@ -23536,7 +23521,7 @@ index 2696452..7e081fb 100644
|
||||
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
|
||||
@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||
@@ -617,6 +1068,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
|
||||
|
||||
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
|
||||
|
||||
@ -23547,7 +23532,7 @@ index 2696452..7e081fb 100644
|
||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||
@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
@@ -628,12 +1083,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
@ -23569,7 +23554,7 @@ index 2696452..7e081fb 100644
|
||||
|
||||
kernel_read_system_state(xserver_t)
|
||||
kernel_read_device_sysctls(xserver_t)
|
||||
@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||
@@ -641,12 +1103,12 @@ kernel_read_modprobe_sysctls(xserver_t)
|
||||
# Xorg wants to check if kernel is tainted
|
||||
kernel_read_kernel_sysctls(xserver_t)
|
||||
kernel_write_proc_files(xserver_t)
|
||||
@ -23583,7 +23568,7 @@ index 2696452..7e081fb 100644
|
||||
corenet_all_recvfrom_netlabel(xserver_t)
|
||||
corenet_tcp_sendrecv_generic_if(xserver_t)
|
||||
corenet_udp_sendrecv_generic_if(xserver_t)
|
||||
@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t)
|
||||
@@ -667,23 +1129,28 @@ dev_rw_apm_bios(xserver_t)
|
||||
dev_rw_agp(xserver_t)
|
||||
dev_rw_framebuffer(xserver_t)
|
||||
dev_manage_dri_dev(xserver_t)
|
||||
@ -23615,7 +23600,7 @@ index 2696452..7e081fb 100644
|
||||
|
||||
# brought on by rhgb
|
||||
files_search_mnt(xserver_t)
|
||||
@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
@@ -694,7 +1161,16 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -23633,7 +23618,7 @@ index 2696452..7e081fb 100644
|
||||
mls_xwin_read_to_clearance(xserver_t)
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
@@ -708,20 +1199,18 @@ init_getpgid(xserver_t)
|
||||
@@ -708,20 +1184,18 @@ init_getpgid(xserver_t)
|
||||
term_setattr_unallocated_ttys(xserver_t)
|
||||
term_use_unallocated_ttys(xserver_t)
|
||||
|
||||
@ -23657,7 +23642,7 @@ index 2696452..7e081fb 100644
|
||||
|
||||
userdom_search_user_home_dirs(xserver_t)
|
||||
userdom_use_user_ttys(xserver_t)
|
||||
@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||
@@ -729,8 +1203,6 @@ userdom_setattr_user_ttys(xserver_t)
|
||||
userdom_read_user_tmp_files(xserver_t)
|
||||
userdom_rw_user_tmpfs_files(xserver_t)
|
||||
|
||||
@ -23666,7 +23651,7 @@ index 2696452..7e081fb 100644
|
||||
ifndef(`distro_redhat',`
|
||||
allow xserver_t self:process { execmem execheap execstack };
|
||||
domain_mmap_low_uncond(xserver_t)
|
||||
@@ -775,16 +1262,44 @@ optional_policy(`
|
||||
@@ -775,16 +1247,44 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23712,7 +23697,7 @@ index 2696452..7e081fb 100644
|
||||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
|
||||
@@ -793,6 +1308,10 @@ optional_policy(`
|
||||
@@ -793,6 +1293,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23723,7 +23708,7 @@ index 2696452..7e081fb 100644
|
||||
xfs_stream_connect(xserver_t)
|
||||
')
|
||||
|
||||
@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
@@ -808,10 +1312,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
@ -23737,7 +23722,7 @@ index 2696452..7e081fb 100644
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -819,7 +1323,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
|
||||
# Run xkbcomp.
|
||||
@ -23746,7 +23731,7 @@ index 2696452..7e081fb 100644
|
||||
can_exec(xserver_t, xkb_var_lib_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
@@ -832,26 +1351,21 @@ init_use_fds(xserver_t)
|
||||
@@ -832,26 +1336,21 @@ init_use_fds(xserver_t)
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -23781,7 +23766,7 @@ index 2696452..7e081fb 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
@@ -902,7 +1401,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
@ -23790,7 +23775,7 @@ index 2696452..7e081fb 100644
|
||||
# operations allowed on all windows
|
||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||
|
||||
@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write };
|
||||
@@ -956,11 +1455,31 @@ allow x_domain self:x_resource { read write };
|
||||
# can mess with the screensaver
|
||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||
|
||||
@ -23822,7 +23807,7 @@ index 2696452..7e081fb 100644
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',`
|
||||
@@ -982,18 +1501,150 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
@ -31581,7 +31566,7 @@ index 9fe8e01..83acb32 100644
|
||||
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
')
|
||||
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
|
||||
index fc28bc3..2960ed7 100644
|
||||
index fc28bc3..18451e8 100644
|
||||
--- a/policy/modules/system/miscfiles.if
|
||||
+++ b/policy/modules/system/miscfiles.if
|
||||
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
|
||||
@ -31609,7 +31594,34 @@ index fc28bc3..2960ed7 100644
|
||||
## Manage generic SSL certificates.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -434,6 +452,7 @@ interface(`miscfiles_rw_localization',`
|
||||
@@ -156,6 +174,26 @@ interface(`miscfiles_manage_cert_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Do not audit attempts to access check cert dirs/files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corecmd_dontaudit_access_check_cert',`
|
||||
+ gen_require(`
|
||||
+ type cert_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 cert_t:file audit_access;
|
||||
+ dontaudit $1 cert_t:dir audit_access;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Manage SSL certificates.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -434,6 +472,7 @@ interface(`miscfiles_rw_localization',`
|
||||
files_search_usr($1)
|
||||
allow $1 locale_t:dir list_dir_perms;
|
||||
rw_files_pattern($1, locale_t, locale_t)
|
||||
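Review bot: The new interface is named `corecmd_dontaudit_access_check_cert` but is defined in miscfiles.if and wraps `cert_t`, which miscfiles owns; reference policy names interfaces after the module that defines them, and callers and the interface lookup will expect `miscfiles_dontaudit_access_check_cert`, so `interface(`miscfiles_dontaudit_access_check_cert`,`` is the one-line change. The summary `Do not audit attempts to access check cert dirs/files.` reads oddly; `Do not audit access(2) checks on certificate directories and files.` describes what the `audit_access` permission covers. The two consecutive blank `+` lines before the next `########` header also break the file's single-blank-line spacing.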
@ -31617,7 +31629,7 @@ index fc28bc3..2960ed7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -453,6 +472,7 @@ interface(`miscfiles_relabel_localization',`
|
||||
@@ -453,6 +492,7 @@ interface(`miscfiles_relabel_localization',`
|
||||
|
||||
files_search_usr($1)
|
||||
relabel_files_pattern($1, locale_t, locale_t)
|
||||
@ -31625,7 +31637,7 @@ index fc28bc3..2960ed7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -470,7 +490,6 @@ interface(`miscfiles_legacy_read_localization',`
|
||||
@@ -470,7 +510,6 @@ interface(`miscfiles_legacy_read_localization',`
|
||||
type locale_t;
|
||||
')
|
||||
|
||||
@ -31633,7 +31645,7 @@ index fc28bc3..2960ed7 100644
|
||||
allow $1 locale_t:file execute;
|
||||
')
|
||||
|
||||
@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',`
|
||||
@@ -531,6 +570,10 @@ interface(`miscfiles_read_man_pages',`
|
||||
allow $1 { man_cache_t man_t }:dir list_dir_perms;
|
||||
read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
@ -31644,7 +31656,7 @@ index fc28bc3..2960ed7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -554,6 +577,29 @@ interface(`miscfiles_delete_man_pages',`
|
||||
@@ -554,6 +597,29 @@ interface(`miscfiles_delete_man_pages',`
|
||||
delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
@ -31674,7 +31686,7 @@ index fc28bc3..2960ed7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -622,6 +668,30 @@ interface(`miscfiles_manage_man_cache',`
|
||||
@@ -622,6 +688,30 @@ interface(`miscfiles_manage_man_cache',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -31705,7 +31717,7 @@ index fc28bc3..2960ed7 100644
|
||||
## Read public files used for file
|
||||
## transfer services.
|
||||
## </summary>
|
||||
@@ -784,8 +854,11 @@ interface(`miscfiles_etc_filetrans_localization',`
|
||||
@@ -784,8 +874,11 @@ interface(`miscfiles_etc_filetrans_localization',`
|
||||
type locale_t;
|
||||
')
|
||||
|
||||
@ -31719,7 +31731,7 @@ index fc28bc3..2960ed7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',`
|
||||
@@ -809,3 +902,61 @@ interface(`miscfiles_manage_localization',`
|
||||
manage_lnk_files_pattern($1, locale_t, locale_t)
|
||||
')
|
||||
|
||||
@ -32538,7 +32550,7 @@ index 4584457..e432df3 100644
|
||||
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
|
||||
')
|
||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||
index 6a50270..fa545e7 100644
|
||||
index 6a50270..4e5bf09 100644
|
||||
--- a/policy/modules/system/mount.te
|
||||
+++ b/policy/modules/system/mount.te
|
||||
@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
|
||||
@ -32855,7 +32867,7 @@ index 6a50270..fa545e7 100644
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# for a bug in the X server
|
||||
rhgb_dontaudit_rw_stream_sockets(mount_t)
|
||||
@@ -194,24 +297,128 @@ optional_policy(`
|
||||
@@ -194,24 +297,132 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -32935,6 +32947,10 @@ index 6a50270..fa545e7 100644
|
||||
+ vmware_exec_host(mount_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(mount_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+#
|
||||
+# showmount local policy
|
||||
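Review bot: `unconfined_domain(mount_t)` removes confinement from the mount domain for every caller that enters it through the mount interfaces, which is far broader than anything the commit title (virt_transition_userdomain) suggests, and nothing in the hunk says why it is needed. Because it is wrapped only in `optional_policy(`, it takes effect whenever the unconfined module is present, which is the common default, so it is not an opt-in. Either record the motivation in a comment, e.g. `# FIXME: mount_t unconfined because <reason>; remove once the missing rules are identified`, or gate it behind a tunable so it can be switched off; it also sits in the same hunk as the showmount section header, which makes it easy to miss in review.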
@ -34862,7 +34878,7 @@ index 6944526..ec17624 100644
|
||||
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
|
||||
+')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index b7686d5..431d2f1 100644
|
||||
index b7686d5..a5086e8 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
|
||||
@ -35078,7 +35094,18 @@ index b7686d5..431d2f1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -259,12 +302,21 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
@@ -228,6 +271,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ virt_manage_pid_files(dhcpc_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
vmware_append_log(dhcpc_t)
|
||||
')
|
||||
|
||||
@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms;
|
||||
allow ifconfig_t self:msg { send receive };
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
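Review bot: `virt_manage_pid_files(dhcpc_t)` gives the DHCP client create, write and delete rights over libvirt's whole runtime pid directory, and dhcpc_t is a network-facing domain that parses untrusted lease data; if it only needs to write its own lease or pid file there, a narrower interface (read-only, or a file transition for the specific file, if virt.if offers one) would keep a compromised client from tampering with the rest of libvirt's runtime state. The rule also carries no comment tying it to the user-domain transition named in the title; something like `# dhclient run on behalf of libvirt virtual networks writes under virt's pid dir` would make the intent reviewable, once the actual caller is confirmed.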
@ -35100,7 +35127,7 @@ index b7686d5..431d2f1 100644
|
||||
kernel_use_fds(ifconfig_t)
|
||||
kernel_read_system_state(ifconfig_t)
|
||||
kernel_read_network_state(ifconfig_t)
|
||||
@@ -274,14 +326,29 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
@ -35130,7 +35157,7 @@ index b7686d5..431d2f1 100644
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
@@ -294,22 +361,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
|
||||
term_dontaudit_use_ptmx(ifconfig_t)
|
||||
term_dontaudit_use_generic_ptys(ifconfig_t)
|
||||
|
||||
@ -35158,7 +35185,7 @@ index b7686d5..431d2f1 100644
|
||||
userdom_use_all_users_fds(ifconfig_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
@@ -318,7 +385,22 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -35181,7 +35208,7 @@ index b7686d5..431d2f1 100644
|
||||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
@@ -329,8 +411,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -35195,7 +35222,7 @@ index b7686d5..431d2f1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -339,7 +424,15 @@ optional_policy(`
|
||||
@@ -339,7 +428,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -35212,7 +35239,7 @@ index b7686d5..431d2f1 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -360,3 +453,13 @@ optional_policy(`
|
||||
@@ -360,3 +457,13 @@ optional_policy(`
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
@ -35277,14 +35304,37 @@ index 0000000..2cd29ba
|
||||
+/var/run/initramfs(/.*)? <<none>>
|
||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||
new file mode 100644
|
||||
index 0000000..1a254f8
|
||||
index 0000000..8f58a33
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.if
|
||||
@@ -0,0 +1,1286 @@
|
||||
@@ -0,0 +1,1309 @@
|
||||
+## <summary>SELinux policy for systemd components</summary>
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Creates types and rules for a basic
|
||||
+## systemd domains.
|
||||
+## </summary>
|
||||
+## <param name="prefix">
|
||||
+## <summary>
|
||||
+## Prefix for the domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`systemd_domain_template',`
|
||||
+ gen_require(`
|
||||
+ attribute systemd_domain;
|
||||
+ ')
|
||||
+
|
||||
+ type $1_t, systemd_domain;
|
||||
+ type $1_exec_t;
|
||||
+ init_daemon_domain($1_t, $1_exec_t)
|
||||
+
|
||||
+ kernel_read_system_state($1_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Create a domain for processes which are started
|
||||
+## exuting systemctl.
|
||||
+## </summary>
|
||||
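Review bot: `systemd_domain_template` grants `kernel_read_system_state($1_t)` to every domain it creates, but its summary only says it creates types and rules, so a caller wanting a minimal domain receives /proc read access it did not ask for and cannot see from the documentation. State it in the summary, e.g. `## Creates $1_t and $1_exec_t, makes $1_t an init daemon domain` / `## with the systemd_domain attribute, and allows it to read kernel system state.`, and fix the grammar of `a basic systemd domains` at the same time. If that rule is meant as the common baseline for all systemd components, a one-line comment above the call saying so would stop future readers from re-adding it per domain.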
@ -36569,10 +36619,10 @@ index 0000000..1a254f8
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..6379489
|
||||
index 0000000..4cc8263
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,661 @@
|
||||
@@ -0,0 +1,636 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -36584,13 +36634,8 @@ index 0000000..6379489
|
||||
+attribute systemd_domain;
|
||||
+attribute systemctl_domain;
|
||||
+
|
||||
+type systemd_logger_t, systemd_domain;
|
||||
+type systemd_logger_exec_t;
|
||||
+init_daemon_domain(systemd_logger_t, systemd_logger_exec_t)
|
||||
+
|
||||
+type systemd_logind_t, systemd_domain;
|
||||
+type systemd_logind_exec_t;
|
||||
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
|
||||
+systemd_domain_template(systemd_logger)
|
||||
+systemd_domain_template(systemd_logind)
|
||||
+
|
||||
+# /run/systemd/sessions
|
||||
+type systemd_logind_sessions_t;
|
||||
@ -36613,21 +36658,14 @@ index 0000000..6379489
|
||||
+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
|
||||
+# systemd components
|
||||
+
|
||||
+type systemd_passwd_agent_t, systemd_domain;
|
||||
+type systemd_passwd_agent_exec_t;
|
||||
+init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
|
||||
+systemd_domain_template(systemd_passwd_agent)
|
||||
+
|
||||
+type systemd_passwd_var_run_t alias systemd_device_t;
|
||||
+files_pid_file(systemd_passwd_var_run_t)
|
||||
+
|
||||
+# domain for systemd-tmpfiles component
|
||||
+type systemd_tmpfiles_t, systemd_domain;
|
||||
+type systemd_tmpfiles_exec_t;
|
||||
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
|
||||
+
|
||||
+type systemd_notify_t, systemd_domain;
|
||||
+type systemd_notify_exec_t;
|
||||
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
|
||||
+systemd_domain_template(systemd_tmpfiles)
|
||||
+systemd_domain_template(systemd_notify)
|
||||
+
|
||||
+# type for systemd unit files
|
||||
+type systemd_unit_file_t;
|
||||
@ -36643,26 +36681,17 @@ index 0000000..6379489
|
||||
+type systemd_systemctl_exec_t;
|
||||
+corecmd_executable_file(systemd_systemctl_exec_t)
|
||||
+
|
||||
+type systemd_localed_t, systemd_domain;
|
||||
+type systemd_localed_exec_t;
|
||||
+init_daemon_domain(systemd_localed_t, systemd_localed_exec_t)
|
||||
+
|
||||
+type systemd_hostnamed_t, systemd_domain;
|
||||
+type systemd_hostnamed_exec_t;
|
||||
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
|
||||
+systemd_domain_template(systemd_localed)
|
||||
+systemd_domain_template(systemd_hostnamed)
|
||||
+
|
||||
+type hostname_etc_t;
|
||||
+files_config_file(hostname_etc_t)
|
||||
+
|
||||
+type systemd_timedated_t, systemd_domain;
|
||||
+type systemd_timedated_exec_t;
|
||||
+init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
|
||||
+systemd_domain_template(systemd_timedated)
|
||||
+typeattribute systemd_timedated_t systemd_domain;
|
||||
+typealias systemd_timedated_t alias gnomeclock_t;
|
||||
+
|
||||
+type systemd_sysctl_t, systemd_domain;
|
||||
+type systemd_sysctl_exec_t;
|
||||
+init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
|
||||
+systemd_domain_template(systemd_sysctl)
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
@ -36693,8 +36722,6 @@ index 0000000..6379489
|
||||
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||||
+manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
|
||||
+
|
||||
+kernel_read_system_state(systemd_logind_t)
|
||||
+
|
||||
+dev_getattr_all_chr_files(systemd_logind_t)
|
||||
+dev_getattr_all_blk_files(systemd_logind_t)
|
||||
+dev_rw_sysfs(systemd_logind_t)
|
||||
@ -37120,8 +37147,6 @@ index 0000000..6379489
|
||||
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+kernel_read_system_state(systemd_timedated_t)
|
||||
+
|
||||
+corecmd_exec_bin(systemd_timedated_t)
|
||||
+corecmd_exec_shell(systemd_timedated_t)
|
||||
+corecmd_dontaudit_access_check_bin(systemd_timedated_t)
|
||||
@ -38614,7 +38639,7 @@ index db75976..65191bd 100644
|
||||
+
|
||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||
index 3c5dba7..89012c2 100644
|
||||
index 3c5dba7..3fdbb55 100644
|
||||
--- a/policy/modules/system/userdomain.if
|
||||
+++ b/policy/modules/system/userdomain.if
|
||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||
@ -41298,7 +41323,7 @@ index 3c5dba7..89012c2 100644
|
||||
## Create keys for all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3438,4 +4214,1454 @@ interface(`userdom_dbus_send_all_users',`
|
||||
@@ -3438,4 +4214,1472 @@ interface(`userdom_dbus_send_all_users',`
|
||||
')
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
@ -42752,6 +42777,24 @@ index 3c5dba7..89012c2 100644
|
||||
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
|
||||
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
|
||||
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow caller to transition to any userdomain
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_transition',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:process transition;
|
||||
')
|
||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||
index e2b538b..211263f 100644
|
||||
|
@ -90253,7 +90253,7 @@ index 9dec06c..378880d 100644
|
||||
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index 1f22fba..4493e63 100644
|
||||
index 1f22fba..fd31e1b 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,94 +1,104 @@
|
||||
@ -92034,8 +92034,8 @@ index 1f22fba..4493e63 100644
|
||||
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
+
|
||||
+tunable_policy(`virt_transition_userdomain',`
|
||||
+ userdom_transition(virt_t)
|
||||
+ userdom_transition(virt_lxc_t)
|
||||
+ userdom_transition(virtd_t)
|
||||
+ userdom_transition(virtd_lxc_t)
|
||||
+')
|
||||
+
|
||||
diff --git a/vlock.te b/vlock.te
|
||||
|