- Add auth_exec_chkpwd interface

- Fix port definition for ctdb ports
- Allow systemd domains to read /dev/urand
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Add label for /var/run/charon.*
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion servi
- Fix for nagios_services plugins
- Fix some bugs in zoneminder policy
- Add type definition for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- glusterd binds to random unreserved ports
- Additional allow rules found by testing glusterfs
- apcupsd needs to send a message to all users on the system so needs to lo
- Fix the label on ~/.juniper_networks
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow polipo_daemon to connect to flash ports
- Allow gssproxy_t to create replay caches
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which sho
- Add hypervkvp_unit_file_t type
This commit is contained in:
Miroslav Grepl 2013-10-08 23:19:39 +02:00
parent e1c33bb141
commit ce98dfd270
3 changed files with 659 additions and 172 deletions


@ -5423,7 +5423,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4edc40d..836d056 100644
index 4edc40d..dc853a1 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5509,7 +5509,7 @@ index 4edc40d..836d056 100644
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
@@ -96,18 +118,18 @@ network_port(boinc, tcp,31416,s0)
@@ -96,19 +118,19 @@ network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
@ -5527,9 +5527,11 @@ index 4edc40d..836d056 100644
network_port(condor, tcp,9618,s0, udp,9618,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
network_port(ctdb, tcp,4379,s0, udp,4397,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
@@ -119,19 +141,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
@ -5555,7 +5557,7 @@ index 4edc40d..836d056 100644
network_port(git, tcp,9418,s0, udp,9418,s0)
+network_port(glance, tcp,9292,s0, udp,9292,s0)
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+network_port(gluster, tcp,24007,s0, tcp, 38465-38469,s0)
+network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
@ -5915,7 +5917,7 @@ index b31c054..17e11e0 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..48504fe 100644
index 76f285e..b708d28 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -6806,6 +6808,24 @@ index 76f285e..48504fe 100644
+ dev_filetrans_printer_named_dev($1)
')
########################################
@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',`
########################################
## <summary>
-## Do not audit attempts to append to random
+## Do not audit attempts to append to the random
## number generator devices (e.g., /dev/random)
## </summary>
## <param name="domain">
@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t;
')
- dontaudit $1 random_device_t:chr_file append_chr_file_perms;
+ dontaudit $1 random_device_t:chr_file { append };
')
########################################
@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',`
@ -8733,7 +8753,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..5a40b38 100644
index cf04cb5..c8fc903 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8870,7 +8890,7 @@ index cf04cb5..5a40b38 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +231,297 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +231,298 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9041,6 +9061,7 @@ index cf04cb5..5a40b38 100644
+ systemd_login_undefined(unconfined_domain_type)
+ systemd_filetrans_named_content(named_filetrans_domain)
+ systemd_filetrans_named_hostname(named_filetrans_domain)
+ systemd_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
@ -24647,7 +24668,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..362b3af 100644
index 3efd5b6..eb629f0 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -24845,7 +24866,32 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
@@ -428,6 +466,24 @@ interface(`auth_domtrans_chkpwd',`
########################################
## <summary>
+## Execute chkpwd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_exec_chkpwd',`
+ gen_require(`
+ type chkpwd_exec_t;
+ ')
+
+ allow $1 chkpwd_exec_t:file execute;
+')
+
+########################################
+## <summary>
## Execute chkpwd programs in the chkpwd domain.
## </summary>
## <param name="domain">
@@ -448,6 +504,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@ -24871,7 +24917,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
@@ -467,7 +542,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@ -24879,7 +24925,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',`
@@ -664,6 +738,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -24890,7 +24936,7 @@ index 3efd5b6..362b3af 100644
')
#######################################
@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',`
@@ -763,7 +841,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@ -24942,7 +24988,7 @@ index 3efd5b6..362b3af 100644
')
#######################################
@@ -824,9 +927,29 @@ interface(`auth_rw_lastlog',`
@@ -824,9 +945,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@ -24973,7 +25019,7 @@ index 3efd5b6..362b3af 100644
## </summary>
## <param name="domain">
## <summary>
@@ -834,12 +957,27 @@ interface(`auth_rw_lastlog',`
@@ -834,12 +975,27 @@ interface(`auth_rw_lastlog',`
## </summary>
## </param>
#
@ -25004,7 +25050,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -854,15 +992,15 @@ interface(`auth_domtrans_pam',`
@@ -854,15 +1010,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@ -25023,7 +25069,7 @@ index 3efd5b6..362b3af 100644
## </summary>
## <param name="domain">
## <summary>
@@ -875,13 +1013,33 @@ interface(`auth_signal_pam',`
@@ -875,13 +1031,33 @@ interface(`auth_signal_pam',`
## </summary>
## </param>
#
@ -25061,7 +25107,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -959,9 +1117,30 @@ interface(`auth_manage_var_auth',`
@@ -959,9 +1135,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@ -25095,7 +25141,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -1040,6 +1219,10 @@ interface(`auth_manage_pam_pid',`
@@ -1040,6 +1237,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@ -25106,7 +25152,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -1176,6 +1359,7 @@ interface(`auth_manage_pam_console_data',`
@@ -1176,6 +1377,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -25114,7 +25160,7 @@ index 3efd5b6..362b3af 100644
')
#######################################
@@ -1576,6 +1760,25 @@ interface(`auth_setattr_login_records',`
@@ -1576,6 +1778,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@ -25140,7 +25186,7 @@ index 3efd5b6..362b3af 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
@@ -1726,24 +1929,7 @@ interface(`auth_manage_login_records',`
@@ -1726,24 +1947,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@ -25166,7 +25212,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -1767,11 +1953,13 @@ interface(`auth_relabel_login_records',`
@@ -1767,11 +1971,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@ -25183,7 +25229,7 @@ index 3efd5b6..362b3af 100644
')
########################################
@@ -1805,3 +1993,241 @@ interface(`auth_unconfined',`
@@ -1805,3 +2011,241 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -29101,7 +29147,7 @@ index dd3be8d..c4fe08b 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..3cbc35d 100644
index 662e79b..97f750e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,21 @@
@ -29128,7 +29174,7 @@ index 662e79b..3cbc35d 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
@@ -26,12 +33,15 @@
@@ -26,16 +33,22 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@ -29144,8 +29190,9 @@ index 662e79b..3cbc35d 100644
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
@@ -39,3 +49,5 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
@ -31584,7 +31631,7 @@ index 39ea221..a55b140 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 879bb1e..5aa4eeb 100644
index 879bb1e..b250b3e 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
@ -31624,13 +31671,14 @@ index 879bb1e..5aa4eeb 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',`
@@ -88,8 +95,72 @@ ifdef(`distro_gentoo',`
#
# /usr
#
-/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
-/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/generator/lvm.* gen_context(system_u:object_r:lvm_unit_file_t,s0)
+/usr/lib/systemd/system/lvm2.*\.service gen_context(system_u:object_r:lvm_unit_file_t,s0)
+
+/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
+/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
@ -31698,7 +31746,7 @@ index 879bb1e..5aa4eeb 100644
#
# /var
@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',`
@@ -97,5 +168,8 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@ -35946,10 +35994,10 @@ index 0000000..e9f1096
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..5e5f8f9
index 0000000..7e80d22
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1375 @@
@@ -0,0 +1,1373 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@ -36292,8 +36340,10 @@ index 0000000..5e5f8f9
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_sessions_t;
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_logind_sessions_t:fifo_file write;
+')
+
@ -36968,10 +37018,6 @@ index 0000000..5e5f8f9
+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
+
+ #optional_policy (`
+ #gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
+ #')
+')
+
+########################################
@ -37327,10 +37373,10 @@ index 0000000..5e5f8f9
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..1d407bf
index 0000000..666a9eb
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,642 @@
@@ -0,0 +1,648 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -37382,6 +37428,9 @@ index 0000000..1d407bf
+type systemd_unit_file_t;
+systemd_unit_file(systemd_unit_file_t)
+
+type systemd_runtime_unit_file_t;
+systemd_unit_file(systemd_runtime_unit_file_t)
+
+type power_unit_file_t;
+systemd_unit_file(power_unit_file_t)
+
@ -37795,6 +37844,7 @@ index 0000000..1d407bf
+dev_write_kmsg(systemd_localed_t)
+
+init_dbus_chat(systemd_localed_t)
+init_reload_services(systemd_localed_t)
+
+logging_stream_connect_syslog(systemd_localed_t)
+logging_send_syslog_msg(systemd_localed_t)
@ -37865,7 +37915,6 @@ index 0000000..1d407bf
+corenet_tcp_connect_time_port(systemd_timedated_t)
+
+dev_rw_realtime_clock(systemd_timedated_t)
+dev_read_urand(systemd_timedated_t)
+dev_write_kmsg(systemd_timedated_t)
+dev_read_sysfs(systemd_timedated_t)
+
@ -37956,6 +38005,9 @@ index 0000000..1d407bf
+# Common rules for systemd domains
+#
+allow systemd_domain self:process { setfscreate signal_perms };
+
+dev_read_urand(systemd_domain)
+
+files_read_etc_files(systemd_domain)
+files_read_etc_runtime_files(systemd_domain)
+files_read_usr_files(systemd_domain)
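Review bot: The new `auth_exec_chkpwd` interface in the authlogin.if hunk grants only `allow $1 chkpwd_exec_t:file execute;`, which does not match its summary "Execute chkpwd in the caller domain": executing a file without a domain transition is also checked for `execute_no_trans` (and the loader needs `getattr open read`), so a caller relying on this interface alone will most likely still be denied, and the `<param>` text "Domain allowed to transition." is carried over from `auth_domtrans_chkpwd` even though no transition is granted here. If same-domain execution is really the intent, the reference-policy form is `can_exec($1, chkpwd_exec_t)` and the parameter summary should read "Domain allowed access."; if the intent is only a bare execute permission for a caller whose transition is granted elsewhere, the summary should say that instead, since as written the two disagree. In either case the interface doc should note why running chkpwd outside chkpwd_t is acceptable for the intended callers, because the helper normally runs in its own domain precisely so the calling domain does not need shadow_t access itself — which case is meant is not visible from this hunk. The interface itself is complete within the hunk; this file is a patch-of-patch, so the surrounding authlogin.if context is only partially visible here.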



@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 87%{?dist}
Release: 88%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -571,6 +571,30 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-88
- Add auth_exec_chkpwd interface
- Fix port definition for ctdb ports
- Allow systemd domains to read /dev/urand
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Add label for /var/run/charon.*
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service
- Fix for nagios_services plugins
- Fix some bugs in zoneminder policy
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- glusterd binds to random unreserved ports
- Additional allow rules found by testing glusterfs
- apcupsd needs to send a message to all users on the system so needs to look them up
- Fix the label on ~/.juniper_networks
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow polipo_daemon to connect to flash ports
- Allow gssproxy_t to create replay caches
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Add hypervkvp_unit_file_t type
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-87
- init reload from systemd_localed_t
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd