- firewalld needs to relabel own config files. BZ(#1250537)

- Allow rhsmcertd to send signull to unconfined_service
- Allow lsm_plugin_t to rw raw_fixed_disk.
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
Miroslav Grepl 2015-08-05 16:03:40 +02:00
parent cfb63d8e0e
commit d8af5a753a
3 changed files with 310 additions and 12 deletions


@ -37060,7 +37060,7 @@ index 6b91740..5c1669a 100644
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..a4ec06e 100644
index 58bc27f..4e1936d 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -1,5 +1,22 @@
@ -37163,7 +37163,7 @@ index 58bc27f..a4ec06e 100644
######################################
## <summary>
## Execute a domain transition to run clvmd.
@@ -123,3 +203,131 @@ interface(`lvm_domtrans_clvmd',`
@@ -123,3 +203,154 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
@ -37295,6 +37295,29 @@ index 58bc27f..a4ec06e 100644
+ ps_process_pattern($1, lvm_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## lvm lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_manage_lock',`
+ gen_require(`
+ type lvm_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, lvm_lock_t, lvm_lock_t)
+ manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
+')
+
+
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c4..6cf8b94 100644
--- a/policy/modules/system/lvm.te
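Review bot: The summary of the new `lvm_manage_lock` interface (hunk `@ -37295,6 +37295,29`) says "lvm lock files", but the body also carries `manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t)`, so a caller can create and remove lock directories as well as files, which a policy author reading only the summary would not expect. Suggest `## Create, read, write, and delete lvm lock files and directories.` in the summary block. The closing `')` is followed by three blank lines, whereas the neighbouring interfaces in this hunk are separated by a single one; drop the extra two. The only caller added by this commit is `targetd_t`; whether targetd actually needs delete rights on lvm's locks rather than read/write cannot be judged from this hunk, so that is worth confirming against the daemon's behaviour.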


@ -27934,7 +27934,7 @@ index c62c567..6460877 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3..a0c36b3 100644
index 98072a3..1b550dd 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -27957,7 +27957,7 @@ index 98072a3..a0c36b3 100644
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+relabelfrom_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
allow firewalld_t firewalld_var_log_t:file append_file_perms;
@ -44249,7 +44249,7 @@ index d314333..27ede09 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
index 4ec0eea..0c195ed 100644
index 4ec0eea..022172c 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@ -44284,7 +44284,7 @@ index 4ec0eea..0c195ed 100644
########################################
#
# Local policy
@@ -26,4 +44,61 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
@@ -26,4 +44,67 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
@ -44303,6 +44303,7 @@ index 4ec0eea..0c195ed 100644
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
+allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow lsmd_plugin_t self:capability { sys_rawio } ;
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
@ -44325,6 +44326,7 @@ index 4ec0eea..0c195ed 100644
+auth_read_passwd(lsmd_plugin_t)
+
+dev_read_urand(lsmd_plugin_t)
+dev_read_sysfs(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
@ -44343,9 +44345,13 @@ index 4ec0eea..0c195ed 100644
+logging_send_syslog_msg(lsmd_plugin_t)
+
+miscfiles_read_certs(lsmd_plugin_t)
+miscfiles_read_hwdata(lsmd_plugin_t)
+
+sysnet_read_config(lsmd_plugin_t)
+
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
+storage_read_scsi_generic(lsmd_plugin_t)
+storage_write_scsi_generic(lsmd_plugin_t)
diff --git a/mailman.fc b/mailman.fc
index 995d0a5..3d40d59 100644
--- a/mailman.fc
@ -61002,17 +61008,22 @@ index 3b6920e..3e9b17f 100644
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/openhpi.te b/openhpi.te
index 8de6191..13fa6d2 100644
index 8de6191..af7f2a8 100644
--- a/openhpi.te
+++ b/openhpi.te
@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
@@ -50,8 +50,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
dev_read_urand(openhpid_t)
-files_read_etc_files(openhpid_t)
-
logging_send_syslog_msg(openhpid_t)
miscfiles_read_localization(openhpid_t)
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(openhpid_t)
+')
diff --git a/openhpid.fc b/openhpid.fc
new file mode 100644
index 0000000..9441fd7
@ -84654,7 +84665,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a2..96227fa 100644
index d32e1a2..e44a0d9 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@ -84693,7 +84704,7 @@ index d32e1a2..96227fa 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
@@ -50,25 +56,71 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -50,25 +56,75 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@ -84769,6 +84780,10 @@ index d32e1a2..96227fa 100644
+
+optional_policy(`
+ virt_signull(rhsmcertd_t)
+')
+
+optional_policy(`
+ unconfined_signull(rhsmcertd_t)
')
diff --git a/ricci.if b/ricci.if
index 2ab3ed1..23d579c 100644
@ -100963,6 +100978,258 @@ index ffde368..0000000
-optional_policy(`
- rpm_exec(stapserver_t)
-')
diff --git a/targetd.fc b/targetd.fc
new file mode 100644
index 0000000..c1ef053
--- /dev/null
+++ b/targetd.fc
@@ -0,0 +1,5 @@
+/etc/target(/.*)? gen_context(system_u:object_r:targetd_etc_rw_t,s0)
+
+/usr/bin/targetd -- gen_context(system_u:object_r:targetd_exec_t,s0)
+
+/usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0)
diff --git a/targetd.if b/targetd.if
new file mode 100644
index 0000000..a6e216c
--- /dev/null
+++ b/targetd.if
@@ -0,0 +1,167 @@
+
+## <summary> Targetd is a service to allow the remote configuration of block device volumes and file systems within dedicated pools </summary>
+
+########################################
+## <summary>
+## Execute targetd_exec_t in the targetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`targetd_domtrans',`
+ gen_require(`
+ type targetd_t, targetd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, targetd_exec_t, targetd_t)
+')
+
+######################################
+## <summary>
+## Execute targetd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_exec',`
+ gen_require(`
+ type targetd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, targetd_exec_t)
+')
+
+########################################
+## <summary>
+## Search targetd conf directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_search_conf',`
+ gen_require(`
+ type targetd_etc_rw_t;
+ ')
+
+ allow $1 targetd_etc_rw_t:dir search_dir_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read targetd conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_read_conf_files',`
+ gen_require(`
+ type targetd_etc_rw_t;
+ ')
+
+ allow $1 targetd_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Manage targetd conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`targetd_manage_conf_files',`
+ gen_require(`
+ type targetd_etc_rw_t;
+ ')
+
+ manage_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Execute targetd server in the targetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`targetd_systemctl',`
+ gen_require(`
+ type targetd_t;
+ type targetd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 targetd_unit_file_t:file read_file_perms;
+ allow $1 targetd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, targetd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an targetd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`targetd_admin',`
+ gen_require(`
+ type targetd_t;
+ type targetd_etc_rw_t;
+ type targetd_unit_file_t;
+ ')
+
+ allow $1 targetd_t:process { signal_perms };
+ ps_process_pattern($1, targetd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 targetd_t:process ptrace;
+ ')
+
+ files_search_etc($1)
+ admin_pattern($1, targetd_etc_rw_t)
+
+ targetd_systemctl($1)
+ admin_pattern($1, targetd_unit_file_t)
+ allow $1 targetd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
index 0000000..a2cb50c
--- /dev/null
+++ b/targetd.te
@@ -0,0 +1,62 @@
+policy_module(targetd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type targetd_t;
+type targetd_exec_t;
+init_daemon_domain(targetd_t, targetd_exec_t)
+
+type targetd_etc_rw_t;
+files_type(targetd_etc_rw_t)
+
+type targetd_unit_file_t;
+systemd_unit_file(targetd_unit_file_t)
+
+########################################
+#
+# targetd local policy
+#
+
+allow targetd_t self:fifo_file rw_fifo_file_perms;
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
+allow targetd_t self:tcp_socket listen;
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
+allow targetd_t self:process setfscreate;
+
+manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+
+kernel_read_system_state(targetd_t)
+
+auth_use_nsswitch(targetd_t)
+
+corecmd_exec_shell(targetd_t)
+
+corenet_tcp_bind_generic_node(targetd_t)
+corenet_tcp_bind_lsm_plugin_port(targetd_t)
+
+dev_read_sysfs(targetd_t)
+dev_read_urand(targetd_t)
+
+libs_exec_ldconfig(targetd_t)
+
+storage_getattr_fixed_disk_dev(targetd_t)
+storage_getattr_removable_dev(targetd_t)
+
+sysnet_read_config(targetd_t)
+
+optional_policy(`
+ lvm_read_config(targetd_t)
+ lvm_read_metadata(targetd_t)
+ lvm_manage_lock(targetd_t)
+ lvm_stream_connect(targetd_t)
+')
+
+optional_policy(`
+ udev_read_pid_files(targetd_t)
+')
+
diff --git a/tcpd.te b/tcpd.te
index 2d6d2c2..db18a80 100644
--- a/tcpd.te
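Review bot: In the `lsm.te` hunk at `@ -44343,9 +44345,13`, `storage_raw_rw_fixed_disk(lsmd_plugin_t)` and `storage_write_scsi_generic(lsmd_plugin_t)`, together with the `sys_rawio` capability added at `@ -44303,6 +44303,7`, grant unconditional raw write access to every fixed disk and SCSI generic device. All plugins share the single `lsmd_plugin_t` domain entered through `domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)`, and that same domain already holds tcp/udp socket permissions for network-backed plugins, so a flaw in a plugin that only talks to a remote array would still be able to overwrite local block devices and bypass file labelling entirely. Gating the raw-device rules behind a boolean that defaults to off keeps them available for the local-HBA plugins that need them without widening the exposure of the rest; the remaining `lsmd_plugin_t` rules sit outside the displayed hunks, so the placement below is indicative. The read-only `storage_read_scsi_generic` line can stay unconditional if that is what the SNMP/hwdata enumeration needs.

```m4
## <desc>
## <p>
## Allow lsmd plugins raw read/write access to fixed disks
## and write access to SCSI generic devices (local-HBA plugins only).
## </p>
## </desc>
gen_tunable(lsmd_plugin_raw_disk, false)

# … unchanged: lsmd_plugin_t socket, file and network rules …

tunable_policy(`lsmd_plugin_raw_disk',`
	allow lsmd_plugin_t self:capability sys_rawio;
	storage_raw_rw_fixed_disk(lsmd_plugin_t)
	storage_write_scsi_generic(lsmd_plugin_t)
')
```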


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 139%{?dist}
Release: 140%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -647,6 +647,14 @@ exit 0
%endif
%changelog
* Wed Aug 05 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-140
- firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service
- Allow lsm_plugin_t to rw raw_fixed_disk.
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
* Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
- Add header for sslh.if file
- Fix sslh_admin() interface