rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Fix description of deny_ptrace boolean 

- Remove allow for execmod lib_t for now
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- thumb_t needs to be able to create ~/.cache if it does not exist
- virtd needs to be able to sys_ptrace when starting and stoping containers
This commit is contained in:
Miroslav Grepl 2013-04-16 13:24:49 +02:00
parent 1d348dfc25
commit d42d1657e3
3 changed files with 325 additions and 261 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
policy-rawhide-base.patch
View File

@ -765,14 +765,14 @@ index 66e85ea..d02654d 100644
## user domains.
## </p>
diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..11a1ae6 100644
index 4705ab6..629fe1b 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,52 +6,59 @@
## <desc>
## <p>
+## Allow sysadm to debug or ptrace all processes.
+## Deny any process from ptracing or debugging any other processes.
+## </p>
+## </desc>
+gen_tunable(deny_ptrace, false)
@ -22234,7 +22234,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..2706448 100644
index 6bf0ecc..ab37b7e 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -23098,11 +23098,11 @@ index 6bf0ecc..2706448 100644
+## </param>
+#
+interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
+ gen_require(`
+ type xdm_t;
+ ')
+ gen_require(`
+ type xdm_t;
+ ')
+
+ dontaudit $1 xdm_t:unix_stream_socket { read write };
+ dontaudit $1 xdm_t:unix_stream_socket { ioctl read write };
+')
+
+########################################
@ -30338,7 +30338,7 @@ index 73bb3c0..aadfba0 100644
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..7b506f2 100644
index 808ba93..9d8f729 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@ -30451,7 +30451,7 @@ index 808ba93..7b506f2 100644
')
########################################
@@ -440,9 +463,9 @@ interface(`libs_use_shared_libs',`
@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',`
')
files_search_usr($1)
@ -30461,10 +30461,11 @@ index 808ba93..7b506f2 100644
+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+# allow $1 lib_t:file execmod;
allow $1 textrel_shlib_t:file execmod;
')
@@ -483,7 +506,7 @@ interface(`libs_relabel_shared_libs',`
@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',`
type lib_t, textrel_shlib_t;
')
@ -30473,7 +30474,7 @@ index 808ba93..7b506f2 100644
')
########################################
@@ -534,3 +557,26 @@ interface(`lib_filetrans_shared_lib',`
@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',`
interface(`files_lib_filetrans_shared_lib',`
refpolicywarn(`$0($*) has been deprecated.')
')

552
policy-rawhide-contrib.patch
View File

@ -19854,10 +19854,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 0000000..217b0ef
index 0000000..8cf8ddd
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,190 @@
@@ -0,0 +1,194 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@ -20005,6 +20005,10 @@ index 0000000..217b0ef
+ rpcbind_stream_connect(dirsrv_t)
+')
+
+optional_policy(`
+ uuidd_stream_connect_manager(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
@ -24581,7 +24585,7 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index d03fd43..b000017 100644
index d03fd43..26023f7 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,154 @@
@ -25152,7 +25156,7 @@ index d03fd43..b000017 100644
## <summary>
-## Create, read, write, and delete
-## generic gnome home content.
+## Set attributes of cache home dir (.cache)
+## Create generic cache home dir (.cache)
## </summary>
## <param name="domain">
## <summary>
@ -25161,25 +25165,26 @@ index d03fd43..b000017 100644
## </param>
#
-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_setattr_cache_home_dir',`
+interface(`gnome_create_generic_cache_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+ allow $1 cache_home_t:dir create_dir_perms;
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
')
########################################
## <summary>
-## Search generic gnome home directories.
+## Manage cache home dir (.cache)
+## Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
## <summary>
@ -25188,13 +25193,13 @@ index d03fd43..b000017 100644
## </param>
#
-interface(`gnome_search_generic_home',`
+interface(`gnome_manage_cache_home_dir',`
+interface(`gnome_setattr_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gnome_home_t:dir search_dir_perms;
')
@ -25203,7 +25208,7 @@ index d03fd43..b000017 100644
## <summary>
-## Create objects in gnome user home
-## directories with a private type.
+## append to generic cache home files (.cache)
+## Manage cache home dir (.cache)
## </summary>
## <param name="domain">
## <summary>
@ -25227,13 +25232,13 @@ index d03fd43..b000017 100644
-## </param>
#
-interface(`gnome_home_filetrans',`
+interface(`gnome_append_generic_cache_files',`
+interface(`gnome_manage_cache_home_dir',`
gen_require(`
- type gnome_home_t;
+ type cache_home_t;
')
+ append_files_pattern($1, cache_home_t, cache_home_t)
+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
')
@ -25241,7 +25246,7 @@ index d03fd43..b000017 100644
########################################
## <summary>
-## Create generic gconf home directories.
+## write to generic cache home files (.cache)
+## append to generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@ -25250,29 +25255,57 @@ index d03fd43..b000017 100644
## </param>
#
-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_write_generic_cache_files',`
+interface(`gnome_append_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
- allow $1 gconf_home_t:dir create_dir_perms;
+ write_files_pattern($1, cache_home_t, cache_home_t)
+ append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Read generic gconf home content.
+## Manage a sock_file in the generic cache home files (.cache)
+## write to generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -449,46 +497,36 @@ interface(`gnome_create_generic_gconf_home_dirs',`
@@ -449,23 +497,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
## </summary>
## </param>
#
-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
gen_require(`
- type gconf_home_t;
+ type cache_home_t;
')
+ write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## generic gconf home content.
+## Manage a sock_file in the generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
@@ -473,82 +516,72 @@ interface(`gnome_read_generic_gconf_home_content',`
## </summary>
## </param>
#
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_sockets',`
gen_require(`
- type gconf_home_t;
@ -25280,18 +25313,17 @@ index d03fd43..b000017 100644
')
userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir list_dir_perms;
- allow $1 gconf_home_t:file read_file_perms;
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## generic gconf home content.
-## Search generic gconf home directories.
+## Dontaudit read/write to generic cache home files (.cache)
## </summary>
## <param name="domain">
@ -25301,7 +25333,7 @@ index d03fd43..b000017 100644
## </summary>
## </param>
#
-interface(`gnome_manage_generic_gconf_home_content',`
-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
gen_require(`
- type gconf_home_t;
@ -25309,34 +25341,41 @@ index d03fd43..b000017 100644
')
- userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir manage_dir_perms;
- allow $1 gconf_home_t:file manage_file_perms;
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
- allow $1 gconf_home_t:dir search_dir_perms;
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')
########################################
## <summary>
-## Search generic gconf home directories.
-## Create objects in user home
-## directories with the generic gconf
-## home type.
+## read gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
@@ -496,29 +534,35 @@ interface(`gnome_manage_generic_gconf_home_content',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
-interface(`gnome_search_generic_gconf_home',`
-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_read_config',`
gen_require(`
- type gconf_home_t;
+ attribute gnome_home_type;
')
- userdom_search_user_home_dirs($1)
- allow $1 gconf_home_t:dir search_dir_perms;
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
@ -25345,7 +25384,7 @@ index d03fd43..b000017 100644
########################################
## <summary>
-## Create objects in user home
-## directories with the generic gconf
-## directories with the generic gnome
-## home type.
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
@ -25368,18 +25407,18 @@ index d03fd43..b000017 100644
## </summary>
## </param>
## <param name="name" optional="true">
@@ -527,62 +571,125 @@ interface(`gnome_search_generic_gconf_home',`
@@ -557,52 +590,76 @@ interface(`gnome_home_filetrans_gconf_home',`
## </summary>
## </param>
#
-interface(`gnome_home_filetrans_gconf_home',`
-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_data_filetrans',`
gen_require(`
- type gconf_home_t;
- type gnome_home_t;
+ type data_home_t;
')
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
')
@ -25387,9 +25426,8 @@ index d03fd43..b000017 100644
-########################################
+#######################################
## <summary>
-## Create objects in user home
-## directories with the generic gnome
-## home type.
-## Create objects in gnome gconf home
-## directories with a private type.
+## Read generic data home files.
## </summary>
## <param name="domain">
@ -25397,7 +25435,15 @@ index d03fd43..b000017 100644
## Domain allowed access.
## </summary>
## </param>
-## <param name="private_type">
-## <summary>
-## Private file type.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
+#
+interface(`gnome_read_generic_data_home_files',`
+ gen_require(`
@ -25415,7 +25461,8 @@ index d03fd43..b000017 100644
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
## </param>
-## <param name="name" optional="true">
+#
+interface(`gnome_read_generic_data_home_dirs',`
+ gen_require(`
@ -25429,30 +25476,6 @@ index d03fd43..b000017 100644
+## <summary>
+## Manage gconf data home files
+## </summary>
+## <param name="domain">
## <summary>
-## Class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="name" optional="true">
+#
+interface(`gnome_manage_data',`
+ gen_require(`
+ type data_home_t;
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## Read icc data home content.
+## </summary>
+## <param name="domain">
## <summary>
-## The name of the object being created.
@ -25460,104 +25483,52 @@ index d03fd43..b000017 100644
## </summary>
## </param>
#
-interface(`gnome_home_filetrans_gnome_home',`
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_manage_data',`
gen_require(`
+ type data_home_t;
type gconf_home_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
')
########################################
## <summary>
-## Read generic gnome keyring home files.
+## Read icc data home content.
## </summary>
## <param name="domain">
## <summary>
@@ -610,93 +667,126 @@ interface(`gnome_gconf_home_filetrans',`
## </summary>
## </param>
#
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_home_icc_data_content',`
gen_require(`
- type gnome_home_t;
- type gnome_home_t, gnome_keyring_home_t;
+ type icc_data_home_t, gconf_home_t, data_home_t;
')
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ userdom_search_user_home_dirs($1)
userdom_search_user_home_dirs($1)
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')
########################################
## <summary>
-## Create objects in gnome gconf home
-## directories with a private type.
+## Read inherited icc data home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="private_type">
+#
+interface(`gnome_read_inherited_home_icc_data_files',`
+ gen_require(`
+ type icc_data_home_t;
+ ')
+
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Create gconf_home_t objects in the /root directory
+## </summary>
+## <param name="domain">
## <summary>
-## Private file type.
+## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
-## Class of the object being created.
+## The class of the object to be created.
## </summary>
## </param>
## <param name="name" optional="true">
@@ -591,65 +698,76 @@ interface(`gnome_home_filetrans_gnome_home',`
## </summary>
## </param>
#
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
type gconf_home_t;
')
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
## <summary>
-## Read generic gnome keyring home files.
+## Do not audit attempts to read
+## inherited gconf config files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
- type gnome_home_t, gnome_keyring_home_t;
+ type gconf_etc_t;
')
- userdom_search_user_home_dirs($1)
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')
########################################
## <summary>
-## Send and receive messages from
-## gnome keyring daemon over dbus.
+## read gconf config files
+## Read inherited icc data home files.
## </summary>
-## <param name="role_prefix">
-## <summary>
@ -25572,15 +25543,96 @@ index d03fd43..b000017 100644
## </param>
#
-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_gconf_config',`
+interface(`gnome_read_inherited_home_icc_data_files',`
gen_require(`
- type $1_gkeyringd_t;
- class dbus send_msg;
+ type gconf_etc_t;
+ type icc_data_home_t;
')
- allow $2 $1_gkeyringd_t:dbus send_msg;
- allow $1_gkeyringd_t $2:dbus send_msg;
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
## <summary>
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
+## Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
+ type gconf_home_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
## <summary>
-## Connect to gnome keyring daemon
-## with a unix stream socket.
+## Do not audit attempts to read
+## inherited gconf config files.
## </summary>
-## <param name="role_prefix">
+## <param name="domain">
## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain to not audit.
## </summary>
## </param>
+#
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## read gconf config files
+## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_read_gconf_config',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
@ -25607,78 +25659,59 @@ index d03fd43..b000017 100644
########################################
## <summary>
-## Send and receive messages from all
-## gnome keyring daemon over dbus.
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
+## Execute gconf programs in
+## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -657,46 +775,36 @@ interface(`gnome_dbus_chat_gkeyringd',`
## </summary>
## </param>
#
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_exec_gconf',`
gen_require(`
- attribute gkeyringd_domain;
- class dbus send_msg;
+ type gconfd_exec_t;
')
- allow $1 gkeyringd_domain:dbus send_msg;
- allow gkeyringd_domain $1:dbus send_msg;
+ can_exec($1, gconfd_exec_t)
')
########################################
## <summary>
-## Connect to gnome keyring daemon
-## with a unix stream socket.
+## Execute gnome keyringd in the caller domain.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_exec_keyringd',`
gen_require(`
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t;
')
- files_search_tmp($2)
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
')
########################################
## <summary>
-## Connect to all gnome keyring daemon
-## with a unix stream socket.
+## Read gconf home files
## </summary>
## <param name="domain">
## <summary>
@@ -704,12 +812,774 @@ interface(`gnome_stream_connect_gkeyringd',`
@@ -704,12 +794,811 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary>
## </param>
#
-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_read_gconf_home_files',`
+interface(`gnome_exec_gconf',`
gen_require(`
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Read gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
@ -25705,10 +25738,9 @@ index d03fd43..b000017 100644
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
@ -25725,9 +25757,10 @@ index d03fd43..b000017 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
')
files_search_tmp($1)
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@ -44014,10 +44047,10 @@ index 0000000..7d11148
+')
diff --git a/nova.te b/nova.te
new file mode 100644
index 0000000..c3a9a89
index 0000000..061a689
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,325 @@
@@ -0,0 +1,329 @@
+policy_module(nova, 1.0.0)
+
+########################################
@ -44196,6 +44229,10 @@ index 0000000..c3a9a89
+
+auth_use_nsswitch(nova_console_t)
+
+optional_policy(`
+ mysql_stream_connect(nova_console_t)
+')
+
+#######################################
+#
+# nova direct local policy
@ -62034,7 +62071,7 @@ index afc0068..7616aa4 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
index 769d1fd..5bbd65f 100644
index 769d1fd..bf3f16f 100644
--- a/quantum.te
+++ b/quantum.te
@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
@ -62047,11 +62084,12 @@ index 769d1fd..5bbd65f 100644
########################################
#
# Local policy
@@ -61,11 +64,12 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
corenet_tcp_sendrecv_all_ports(quantum_t)
corenet_tcp_bind_generic_node(quantum_t)
+corenet_tcp_bind_quantum_port(quantum_t)
+corenet_tcp_connect_keystone_port(quantum_t)
+corenet_tcp_connect_mysqld_port(quantum_t)
+
dev_list_sysfs(quantum_t)
@ -62062,7 +62100,7 @@ index 769d1fd..5bbd65f 100644
auth_use_nsswitch(quantum_t)
libs_exec_ldconfig(quantum_t)
@@ -73,8 +77,6 @@ libs_exec_ldconfig(quantum_t)
@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
logging_send_audit_msgs(quantum_t)
logging_send_syslog_msg(quantum_t)
@ -62071,7 +62109,7 @@ index 769d1fd..5bbd65f 100644
sysnet_domtrans_ifconfig(quantum_t)
optional_policy(`
@@ -94,3 +96,12 @@ optional_policy(`
@@ -94,3 +97,12 @@ optional_policy(`
postgresql_tcp_connect(quantum_t)
')
@ -81934,10 +81972,10 @@ index 0000000..bfcd2c7
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
index 0000000..797d761
index 0000000..4e9dc5e
--- /dev/null
+++ b/thumb.te
@@ -0,0 +1,142 @@
@@ -0,0 +1,143 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@ -82060,6 +82098,7 @@ index 0000000..797d761
+ gnome_manage_gstreamer_home_files(thumb_t)
+ gnome_manage_gstreamer_home_dirs(thumb_t)
+ gnome_exec_gstreamer_home_files(thumb_t)
+ gnome_create_generic_cache_dir(thumb_t)
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
@ -84231,10 +84270,24 @@ index 380902c..75545d6 100644
+ postfix_rw_inherited_master_pipes(uux_t)
+')
diff --git a/uuidd.if b/uuidd.if
index 6e48653..29e3648 100644
index 6e48653..6abf74a 100644
--- a/uuidd.if
+++ b/uuidd.if
@@ -180,6 +180,9 @@ interface(`uuidd_admin',`
@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',`
#
interface(`uuidd_stream_connect_manager',`
gen_require(`
- type uuidd_t, uuidd_var_run_t;
+ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
')
########################################
@@ -180,6 +181,9 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
@ -86320,7 +86373,7 @@ index 9dec06c..fa2c674 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
index 1f22fba..64e638c 100644
index 1f22fba..f42e134 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@ -86526,7 +86579,7 @@ index 1f22fba..64e638c 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -155,251 +165,82 @@ type virt_qmf_exec_t;
@@ -155,290 +165,125 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
@ -86616,9 +86669,7 @@ index 1f22fba..64e638c 100644
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
-kernel_read_system_state(virt_domain)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
-fs_getattr_xattr_fs(virt_domain)
-
-corecmd_exec_bin(virt_domain)
@ -86736,17 +86787,15 @@ index 1f22fba..64e638c 100644
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
-
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
-
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
@ -86756,20 +86805,24 @@ index 1f22fba..64e638c 100644
+corenet_tcp_connect_all_ports(svirt_t)
-optional_policy(`
- nscd_use(virt_domain)
- dbus_read_lib_files(virt_domain)
-')
+miscfiles_read_generic_certs(svirt_t)
optional_policy(`
- samba_domtrans_smbd(virt_domain)
- nscd_use(virt_domain)
+ xen_rw_image_files(svirt_t)
')
optional_policy(`
- xen_rw_image_files(virt_domain)
- samba_domtrans_smbd(virt_domain)
+ nscd_use(svirt_t)
')
-optional_policy(`
- xen_rw_image_files(virt_domain)
-')
-
-########################################
+#######################################
#
@ -86787,11 +86840,11 @@ index 1f22fba..64e638c 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
@ -86826,15 +86879,16 @@ index 1f22fba..64e638c 100644
########################################
#
@@ -407,38 +248,42 @@ corenet_tcp_connect_all_ports(svirt_t)
# virtd local policy
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:capability2 compromise_kernel;
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit virtd_t self:capability { sys_module sys_ptrace };
+ dontaudit virtd_t self:capability { sys_module };
+')
+
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };

11
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 30%{?dist}
Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -526,6 +526,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Apr 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-31
- Fix description of deny_ptrace boolean
- Remove allow for execmod lib_t for now
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- thumb_t needs to be able to create ~/.cache if it does not exist
- virtd needs to be able to sys_ptrace when starting and stoping containers
* Mon Apr 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-30
- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms...
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets