Policy update should not modify local contexts
parent
052e175084
commit
e1f17eb990
401
policy-F16.patch
401
policy-F16.patch
@ -322,10 +322,18 @@ index 63ef90e..a535b31 100644
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
|
||||
index 1392679..c94911d 100644
|
||||
index 1392679..e75873a 100644
|
||||
--- a/policy/modules/admin/alsa.if
|
||||
+++ b/policy/modules/admin/alsa.if
|
||||
@@ -206,3 +206,21 @@ interface(`alsa_read_lib',`
|
||||
@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
|
||||
|
||||
userdom_search_user_home_dirs($1)
|
||||
allow $1 alsa_home_t:file manage_file_perms;
|
||||
+ alsa_filetrans_home_content(unpriv_userdomain)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -206,3 +207,47 @@ interface(`alsa_read_lib',`
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
|
||||
')
|
||||
@ -340,13 +348,39 @@ index 1392679..c94911d 100644
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`alsa_filetrans_named_content',`
|
||||
+interface(`alsa_filetrans_home_content',`
|
||||
+ gen_require(`
|
||||
+ type alsa_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Transition to alsa named content
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`alsa_filetrans_named_content',`
|
||||
+ gen_require(`
|
||||
+ type alsa_home_t;
|
||||
+ type alsa_etc_rw_t;
|
||||
+ type alsa_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
|
||||
+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
|
||||
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
|
||||
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
|
||||
+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
|
||||
+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
|
||||
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
|
||||
+')
|
||||
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
|
||||
index e3e0701..3fd0282 100644
|
||||
--- a/policy/modules/admin/amanda.fc
|
||||
@ -3658,7 +3692,7 @@ index 7bddc02..2b59ed0 100644
|
||||
+
|
||||
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
|
||||
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
||||
index 975af1a..2aa37b4 100644
|
||||
index 975af1a..634c47a 100644
|
||||
--- a/policy/modules/admin/sudo.if
|
||||
+++ b/policy/modules/admin/sudo.if
|
||||
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
|
||||
@ -3669,23 +3703,38 @@ index 975af1a..2aa37b4 100644
|
||||
attribute sudodomain;
|
||||
')
|
||||
|
||||
@@ -47,6 +48,15 @@ template(`sudo_role_template',`
|
||||
@@ -47,26 +48,11 @@ template(`sudo_role_template',`
|
||||
ubac_constrained($1_sudo_t)
|
||||
role $2 types $1_sudo_t;
|
||||
|
||||
- ##############################
|
||||
- #
|
||||
- # Local Policy
|
||||
- #
|
||||
+ type $1_sudo_tmp_t;
|
||||
+ files_tmp_file($1_sudo_tmp_t)
|
||||
+
|
||||
|
||||
- # Use capabilities.
|
||||
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
|
||||
- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
- allow $1_sudo_t self:process { setexec setrlimit };
|
||||
- allow $1_sudo_t self:fd use;
|
||||
- allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
|
||||
- allow $1_sudo_t self:shm create_shm_perms;
|
||||
- allow $1_sudo_t self:sem create_sem_perms;
|
||||
- allow $1_sudo_t self:msgq create_msgq_perms;
|
||||
- allow $1_sudo_t self:msg { send receive };
|
||||
- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
|
||||
- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
||||
- allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||
- allow $1_sudo_t self:unix_stream_socket connectto;
|
||||
- allow $1_sudo_t self:key manage_key_perms;
|
||||
+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
|
||||
+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
|
||||
+
|
||||
+ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
|
||||
+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
|
||||
+
|
||||
##############################
|
||||
#
|
||||
# Local Policy
|
||||
@@ -76,6 +86,11 @@ template(`sudo_role_template',`
|
||||
|
||||
allow $1_sudo_t $3:key search;
|
||||
|
||||
@@ -76,88 +62,19 @@ template(`sudo_role_template',`
|
||||
# By default, revert to the calling domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_sudo_t, $3)
|
||||
corecmd_bin_domtrans($1_sudo_t, $3)
|
||||
@ -3697,50 +3746,90 @@ index 975af1a..2aa37b4 100644
|
||||
allow $3 $1_sudo_t:fd use;
|
||||
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
|
||||
allow $3 $1_sudo_t:process signal_perms;
|
||||
@@ -113,12 +128,15 @@ template(`sudo_role_template',`
|
||||
term_getattr_pty_fs($1_sudo_t)
|
||||
term_relabel_all_ttys($1_sudo_t)
|
||||
term_relabel_all_ptys($1_sudo_t)
|
||||
+ term_getattr_pty_fs($1_sudo_t)
|
||||
|
||||
- kernel_read_kernel_sysctls($1_sudo_t)
|
||||
- kernel_read_system_state($1_sudo_t)
|
||||
- kernel_link_key($1_sudo_t)
|
||||
-
|
||||
- corecmd_read_bin_symlinks($1_sudo_t)
|
||||
- corecmd_exec_all_executables($1_sudo_t)
|
||||
-
|
||||
- dev_getattr_fs($1_sudo_t)
|
||||
- dev_read_urand($1_sudo_t)
|
||||
- dev_rw_generic_usb_dev($1_sudo_t)
|
||||
- dev_read_sysfs($1_sudo_t)
|
||||
-
|
||||
- domain_use_interactive_fds($1_sudo_t)
|
||||
- domain_sigchld_interactive_fds($1_sudo_t)
|
||||
- domain_getattr_all_entry_files($1_sudo_t)
|
||||
-
|
||||
- files_read_etc_files($1_sudo_t)
|
||||
- files_read_var_files($1_sudo_t)
|
||||
- files_read_usr_symlinks($1_sudo_t)
|
||||
- files_getattr_usr_files($1_sudo_t)
|
||||
- # for some PAM modules and for cwd
|
||||
- files_dontaudit_search_home($1_sudo_t)
|
||||
- files_list_tmp($1_sudo_t)
|
||||
-
|
||||
- fs_search_auto_mountpoints($1_sudo_t)
|
||||
- fs_getattr_xattr_fs($1_sudo_t)
|
||||
-
|
||||
- selinux_validate_context($1_sudo_t)
|
||||
- selinux_compute_relabel_context($1_sudo_t)
|
||||
-
|
||||
- term_getattr_pty_fs($1_sudo_t)
|
||||
- term_relabel_all_ttys($1_sudo_t)
|
||||
- term_relabel_all_ptys($1_sudo_t)
|
||||
-
|
||||
auth_run_chk_passwd($1_sudo_t, $2)
|
||||
# sudo stores a token in the pam_pid directory
|
||||
auth_manage_pam_pid($1_sudo_t)
|
||||
- # sudo stores a token in the pam_pid directory
|
||||
- auth_manage_pam_pid($1_sudo_t)
|
||||
auth_use_nsswitch($1_sudo_t)
|
||||
|
||||
+ application_signal($1_sudo_t)
|
||||
+
|
||||
init_rw_utmp($1_sudo_t)
|
||||
|
||||
logging_send_audit_msgs($1_sudo_t)
|
||||
@@ -126,7 +144,7 @@ template(`sudo_role_template',`
|
||||
|
||||
miscfiles_read_localization($1_sudo_t)
|
||||
|
||||
- init_rw_utmp($1_sudo_t)
|
||||
-
|
||||
- logging_send_audit_msgs($1_sudo_t)
|
||||
- logging_send_syslog_msg($1_sudo_t)
|
||||
-
|
||||
- miscfiles_read_localization($1_sudo_t)
|
||||
-
|
||||
- seutil_search_default_contexts($1_sudo_t)
|
||||
+ seutil_read_default_contexts($1_sudo_t)
|
||||
seutil_libselinux_linked($1_sudo_t)
|
||||
|
||||
userdom_spec_domtrans_all_users($1_sudo_t)
|
||||
@@ -135,12 +153,13 @@ template(`sudo_role_template',`
|
||||
userdom_manage_user_tmp_files($1_sudo_t)
|
||||
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||
userdom_use_user_terminals($1_sudo_t)
|
||||
+ userdom_signal_all_users($1_sudo_t)
|
||||
# for some PAM modules and for cwd
|
||||
- seutil_libselinux_linked($1_sudo_t)
|
||||
-
|
||||
- userdom_spec_domtrans_all_users($1_sudo_t)
|
||||
- userdom_manage_user_home_content_files($1_sudo_t)
|
||||
- userdom_manage_user_home_content_symlinks($1_sudo_t)
|
||||
- userdom_manage_user_tmp_files($1_sudo_t)
|
||||
- userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||
- userdom_use_user_terminals($1_sudo_t)
|
||||
- # for some PAM modules and for cwd
|
||||
- userdom_dontaudit_search_user_home_content($1_sudo_t)
|
||||
+ userdom_search_user_home_content($1_sudo_t)
|
||||
+ userdom_search_admin_dir($1_sudo_t)
|
||||
+ userdom_manage_all_users_keys($1_sudo_t)
|
||||
|
||||
-
|
||||
- ifdef(`hide_broken_symptoms', `
|
||||
- dontaudit $1_sudo_t $3:socket_class_set { read write };
|
||||
- ')
|
||||
-
|
||||
- tunable_policy(`use_nfs_home_dirs',`
|
||||
- fs_manage_nfs_files($1_sudo_t)
|
||||
- ')
|
||||
-
|
||||
- tunable_policy(`use_samba_home_dirs',`
|
||||
- fs_manage_cifs_files($1_sudo_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- dbus_system_bus_client($1_sudo_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- fprintd_dbus_chat($1_sudo_t)
|
||||
- ')
|
||||
-
|
||||
+ mta_role($2, $1_sudo_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_sudo_t)
|
||||
@@ -177,3 +196,22 @@ interface(`sudo_sigchld',`
|
||||
########################################
|
||||
@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
|
||||
|
||||
allow $1 sudodomain:process sigchld;
|
||||
')
|
||||
@ -3764,10 +3853,10 @@ index 975af1a..2aa37b4 100644
|
||||
+ can_exec($1, sudo_exec_t)
|
||||
+')
|
||||
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
|
||||
index 2731fa1..3443ba2 100644
|
||||
index 2731fa1..22beabf 100644
|
||||
--- a/policy/modules/admin/sudo.te
|
||||
+++ b/policy/modules/admin/sudo.te
|
||||
@@ -7,3 +7,7 @@ attribute sudodomain;
|
||||
@@ -7,3 +7,110 @@ attribute sudodomain;
|
||||
|
||||
type sudo_exec_t;
|
||||
application_executable_file(sudo_exec_t)
|
||||
@ -3775,6 +3864,109 @@ index 2731fa1..3443ba2 100644
|
||||
+type sudo_db_t;
|
||||
+files_type(sudo_db_t)
|
||||
+
|
||||
+manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
|
||||
+manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
|
||||
+
|
||||
+##############################
|
||||
+#
|
||||
+# Local Policy
|
||||
+#
|
||||
+
|
||||
+# Use capabilities.
|
||||
+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
|
||||
+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
+allow sudodomain self:process { setexec setrlimit };
|
||||
+allow sudodomain self:fd use;
|
||||
+allow sudodomain self:fifo_file rw_fifo_file_perms;
|
||||
+allow sudodomain self:shm create_shm_perms;
|
||||
+allow sudodomain self:sem create_sem_perms;
|
||||
+allow sudodomain self:msgq create_msgq_perms;
|
||||
+allow sudodomain self:msg { send receive };
|
||||
+allow sudodomain self:unix_dgram_socket create_socket_perms;
|
||||
+allow sudodomain self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow sudodomain self:unix_dgram_socket sendto;
|
||||
+allow sudodomain self:unix_stream_socket connectto;
|
||||
+allow sudodomain self:key manage_key_perms;
|
||||
+
|
||||
+kernel_read_kernel_sysctls(sudodomain)
|
||||
+kernel_read_system_state(sudodomain)
|
||||
+kernel_link_key(sudodomain)
|
||||
+
|
||||
+corecmd_read_bin_symlinks(sudodomain)
|
||||
+corecmd_exec_all_executables(sudodomain)
|
||||
+
|
||||
+dev_getattr_fs(sudodomain)
|
||||
+dev_read_urand(sudodomain)
|
||||
+dev_rw_generic_usb_dev(sudodomain)
|
||||
+dev_read_sysfs(sudodomain)
|
||||
+
|
||||
+domain_use_interactive_fds(sudodomain)
|
||||
+domain_sigchld_interactive_fds(sudodomain)
|
||||
+domain_getattr_all_entry_files(sudodomain)
|
||||
+
|
||||
+files_read_etc_files(sudodomain)
|
||||
+files_read_var_files(sudodomain)
|
||||
+files_read_usr_symlinks(sudodomain)
|
||||
+files_getattr_usr_files(sudodomain)
|
||||
+# for some PAM modules and for cwd
|
||||
+files_dontaudit_search_home(sudodomain)
|
||||
+files_list_tmp(sudodomain)
|
||||
+
|
||||
+fs_search_auto_mountpoints(sudodomain)
|
||||
+fs_getattr_xattr_fs(sudodomain)
|
||||
+
|
||||
+selinux_validate_context(sudodomain)
|
||||
+selinux_compute_relabel_context(sudodomain)
|
||||
+
|
||||
+term_getattr_pty_fs(sudodomain)
|
||||
+term_relabel_all_ttys(sudodomain)
|
||||
+term_relabel_all_ptys(sudodomain)
|
||||
+term_getattr_pty_fs(sudodomain)
|
||||
+
|
||||
+#auth_run_chk_passwd(sudodomain)
|
||||
+# sudo stores a token in the pam_pid directory
|
||||
+auth_manage_pam_pid(sudodomain)
|
||||
+#auth_use_nsswitch(sudodomain)
|
||||
+
|
||||
+application_signal(sudodomain)
|
||||
+
|
||||
+init_rw_utmp(sudodomain)
|
||||
+
|
||||
+logging_send_audit_msgs(sudodomain)
|
||||
+logging_send_syslog_msg(sudodomain)
|
||||
+
|
||||
+miscfiles_read_localization(sudodomain)
|
||||
+
|
||||
+seutil_read_default_contexts(sudodomain)
|
||||
+seutil_libselinux_linked(sudodomain)
|
||||
+
|
||||
+userdom_spec_domtrans_all_users(sudodomain)
|
||||
+userdom_manage_user_home_content_files(sudodomain)
|
||||
+userdom_manage_user_home_content_symlinks(sudodomain)
|
||||
+userdom_manage_user_tmp_files(sudodomain)
|
||||
+userdom_manage_user_tmp_symlinks(sudodomain)
|
||||
+userdom_use_user_terminals(sudodomain)
|
||||
+userdom_signal_all_users(sudodomain)
|
||||
+# for some PAM modules and for cwd
|
||||
+userdom_search_user_home_content(sudodomain)
|
||||
+userdom_search_admin_dir(sudodomain)
|
||||
+userdom_manage_all_users_keys(sudodomain)
|
||||
+
|
||||
+tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_manage_nfs_files(sudodomain)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_manage_cifs_files(sudodomain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(sudodomain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ fprintd_dbus_chat(sudodomain)
|
||||
+')
|
||||
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
|
||||
index d5aaf0e..6b16aef 100644
|
||||
--- a/policy/modules/admin/sxid.te
|
||||
@ -4136,7 +4328,7 @@ index 81fb26f..66cf96c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 441cf22..772a68e 100644
|
||||
index 441cf22..cd9d876 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
|
||||
@ -4147,7 +4339,7 @@ index 441cf22..772a68e 100644
|
||||
|
||||
selinux_get_fs_mount(chfn_t)
|
||||
selinux_validate_context(chfn_t)
|
||||
@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t)
|
||||
@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t)
|
||||
selinux_compute_relabel_context(chfn_t)
|
||||
selinux_compute_user_contexts(chfn_t)
|
||||
|
||||
@ -4155,6 +4347,7 @@ index 441cf22..772a68e 100644
|
||||
-term_use_all_ptys(chfn_t)
|
||||
+term_use_all_inherited_ttys(chfn_t)
|
||||
+term_use_all_inherited_ptys(chfn_t)
|
||||
+term_getattr_all_ptys(chfn_t)
|
||||
|
||||
fs_getattr_xattr_fs(chfn_t)
|
||||
fs_search_auto_mountpoints(chfn_t)
|
||||
@ -4170,7 +4363,7 @@ index 441cf22..772a68e 100644
|
||||
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(chfn_t)
|
||||
@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t)
|
||||
@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(chfn_t)
|
||||
@ -4178,7 +4371,7 @@ index 441cf22..772a68e 100644
|
||||
|
||||
miscfiles_read_localization(chfn_t)
|
||||
|
||||
@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t)
|
||||
@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t)
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_user_home_content(chfn_t)
|
||||
|
||||
@ -4189,17 +4382,18 @@ index 441cf22..772a68e 100644
|
||||
########################################
|
||||
#
|
||||
# Crack local policy
|
||||
@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t)
|
||||
@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t)
|
||||
selinux_compute_relabel_context(groupadd_t)
|
||||
selinux_compute_user_contexts(groupadd_t)
|
||||
|
||||
-term_use_all_ttys(groupadd_t)
|
||||
-term_use_all_ptys(groupadd_t)
|
||||
+term_use_all_inherited_terms(groupadd_t)
|
||||
+term_getattr_all_ptys(groupadd_t)
|
||||
|
||||
init_use_fds(groupadd_t)
|
||||
init_read_utmp(groupadd_t)
|
||||
@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t)
|
||||
@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(passwd_t)
|
||||
@ -4207,13 +4401,14 @@ index 441cf22..772a68e 100644
|
||||
|
||||
fs_getattr_xattr_fs(passwd_t)
|
||||
fs_search_auto_mountpoints(passwd_t)
|
||||
@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t)
|
||||
@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t)
|
||||
selinux_compute_relabel_context(passwd_t)
|
||||
selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
-term_use_all_ttys(passwd_t)
|
||||
-term_use_all_ptys(passwd_t)
|
||||
+term_use_all_inherited_terms(passwd_t)
|
||||
+term_getattr_all_ptys(passwd_t)
|
||||
|
||||
-auth_domtrans_chk_passwd(passwd_t)
|
||||
auth_manage_shadow(passwd_t)
|
||||
@ -4230,7 +4425,7 @@ index 441cf22..772a68e 100644
|
||||
|
||||
domain_use_interactive_fds(passwd_t)
|
||||
|
||||
@@ -311,6 +317,8 @@ files_search_var(passwd_t)
|
||||
@@ -311,6 +320,8 @@ files_search_var(passwd_t)
|
||||
files_dontaudit_search_pids(passwd_t)
|
||||
files_relabel_etc_files(passwd_t)
|
||||
|
||||
@ -4239,7 +4434,7 @@ index 441cf22..772a68e 100644
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(passwd_t)
|
||||
@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t)
|
||||
@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t)
|
||||
|
||||
seutil_dontaudit_search_config(passwd_t)
|
||||
|
||||
@ -4248,7 +4443,7 @@ index 441cf22..772a68e 100644
|
||||
userdom_use_unpriv_users_fds(passwd_t)
|
||||
# make sure that getcon succeeds
|
||||
userdom_getattr_all_users(passwd_t)
|
||||
@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||
@ -4256,17 +4451,18 @@ index 441cf22..772a68e 100644
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(passwd_t)
|
||||
@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t)
|
||||
@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t)
|
||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||
fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
|
||||
-term_use_all_ttys(sysadm_passwd_t)
|
||||
-term_use_all_ptys(sysadm_passwd_t)
|
||||
+term_use_all_inherited_terms(sysadm_passwd_t)
|
||||
+term_getattr_all_ptys(sysadm_passwd_t)
|
||||
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
@@ -426,7 +434,7 @@ optional_policy(`
|
||||
@@ -426,7 +438,7 @@ optional_policy(`
|
||||
# Useradd local policy
|
||||
#
|
||||
|
||||
@ -4275,7 +4471,7 @@ index 441cf22..772a68e 100644
|
||||
dontaudit useradd_t self:capability sys_tty_config;
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow useradd_t self:process setfscreate;
|
||||
@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t)
|
||||
@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t)
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
corecmd_exec_bin(useradd_t)
|
||||
|
||||
@ -4288,7 +4484,7 @@ index 441cf22..772a68e 100644
|
||||
|
||||
files_manage_etc_files(useradd_t)
|
||||
files_search_var_lib(useradd_t)
|
||||
@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t)
|
||||
@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
|
||||
fs_getattr_xattr_fs(useradd_t)
|
||||
|
||||
mls_file_upgrade(useradd_t)
|
||||
@ -4296,17 +4492,18 @@ index 441cf22..772a68e 100644
|
||||
|
||||
# Allow access to context for shadow file
|
||||
selinux_get_fs_mount(useradd_t)
|
||||
@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t)
|
||||
@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
|
||||
selinux_compute_relabel_context(useradd_t)
|
||||
selinux_compute_user_contexts(useradd_t)
|
||||
|
||||
-term_use_all_ttys(useradd_t)
|
||||
-term_use_all_ptys(useradd_t)
|
||||
+term_use_all_inherited_terms(useradd_t)
|
||||
+term_getattr_all_ptys(useradd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(useradd_t)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t)
|
||||
@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(useradd_t)
|
||||
# Add/remove user home directories
|
||||
@ -20755,10 +20952,10 @@ index 2be17d2..2c588ca 100644
|
||||
+ userdom_execmod_user_home_files(staff_usertype)
|
||||
+')
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index e14b961..f3980e0 100644
|
||||
index e14b961..f2aac71 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -24,20 +24,48 @@ ifndef(`enable_mls',`
|
||||
@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
@ -20802,12 +20999,16 @@ index e14b961..f3980e0 100644
|
||||
+userdom_manage_tmp_role(sysadm_r, sysadm_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ alsa_filetrans_named_content(sysadm_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ssh_filetrans_admin_home_content(sysadm_t)
|
||||
+')
|
||||
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
optional_policy(`
|
||||
@@ -55,6 +83,7 @@ ifndef(`enable_mls',`
|
||||
@@ -55,6 +87,7 @@ ifndef(`enable_mls',`
|
||||
logging_manage_audit_log(sysadm_t)
|
||||
logging_manage_audit_config(sysadm_t)
|
||||
logging_run_auditctl(sysadm_t, sysadm_r)
|
||||
@ -20815,7 +21016,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
tunable_policy(`allow_ptrace',`
|
||||
@@ -67,9 +96,9 @@ optional_policy(`
|
||||
@@ -67,9 +100,9 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
apache_run_helper(sysadm_t, sysadm_r)
|
||||
@ -20826,7 +21027,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -98,6 +127,10 @@ optional_policy(`
|
||||
@@ -98,6 +131,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20837,7 +21038,7 @@ index e14b961..f3980e0 100644
|
||||
certwatch_run(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
@@ -110,11 +143,19 @@ optional_policy(`
|
||||
@@ -110,11 +147,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20858,7 +21059,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -128,6 +169,10 @@ optional_policy(`
|
||||
@@ -128,6 +173,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20869,7 +21070,7 @@ index e14b961..f3980e0 100644
|
||||
dmesg_exec(sysadm_t)
|
||||
')
|
||||
|
||||
@@ -163,6 +208,13 @@ optional_policy(`
|
||||
@@ -163,6 +212,13 @@ optional_policy(`
|
||||
ipsec_stream_connect(sysadm_t)
|
||||
# for lsof
|
||||
ipsec_getattr_key_sockets(sysadm_t)
|
||||
@ -20883,7 +21084,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -170,15 +222,20 @@ optional_policy(`
|
||||
@@ -170,15 +226,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20907,7 +21108,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,22 +255,19 @@ optional_policy(`
|
||||
@@ -198,22 +259,19 @@ optional_policy(`
|
||||
modutils_run_depmod(sysadm_t, sysadm_r)
|
||||
modutils_run_insmod(sysadm_t, sysadm_r)
|
||||
modutils_run_update_mods(sysadm_t, sysadm_r)
|
||||
@ -20935,7 +21136,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -225,25 +279,47 @@ optional_policy(`
|
||||
@@ -225,25 +283,47 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -20983,7 +21184,7 @@ index e14b961..f3980e0 100644
|
||||
portage_run(sysadm_t, sysadm_r)
|
||||
portage_run_gcc_config(sysadm_t, sysadm_r)
|
||||
')
|
||||
@@ -253,19 +329,19 @@ optional_policy(`
|
||||
@@ -253,19 +333,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21007,7 +21208,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -274,10 +350,7 @@ optional_policy(`
|
||||
@@ -274,10 +354,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
rpm_run(sysadm_t, sysadm_r)
|
||||
@ -21019,7 +21220,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -302,12 +375,18 @@ optional_policy(`
|
||||
@@ -302,12 +379,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21039,7 +21240,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -332,7 +411,10 @@ optional_policy(`
|
||||
@@ -332,7 +415,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21051,7 +21252,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -343,19 +425,15 @@ optional_policy(`
|
||||
@@ -343,19 +429,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21073,7 +21274,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -367,45 +445,45 @@ optional_policy(`
|
||||
@@ -367,45 +449,45 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21130,7 +21331,7 @@ index e14b961..f3980e0 100644
|
||||
auth_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
@@ -418,10 +496,6 @@ ifndef(`distro_redhat',`
|
||||
@@ -418,10 +500,6 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21141,7 +21342,7 @@ index e14b961..f3980e0 100644
|
||||
dbus_role_template(sysadm, sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
@@ -439,6 +513,7 @@ ifndef(`distro_redhat',`
|
||||
@@ -439,6 +517,7 @@ ifndef(`distro_redhat',`
|
||||
|
||||
optional_policy(`
|
||||
gnome_role(sysadm_r, sysadm_t)
|
||||
@ -21149,7 +21350,7 @@ index e14b961..f3980e0 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -446,11 +521,66 @@ ifndef(`distro_redhat',`
|
||||
@@ -446,11 +525,66 @@ ifndef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21172,8 +21373,9 @@ index e14b961..f3980e0 100644
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ mplayer_role(sysadm_r, sysadm_t)
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
-')
|
||||
|
||||
+ optional_policy(`
|
||||
+ pyzor_role(sysadm_r, sysadm_t)
|
||||
+ ')
|
||||
@ -21212,9 +21414,8 @@ index e14b961..f3980e0 100644
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ wireshark_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
-')
|
||||
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ xserver_role(sysadm_r, sysadm_t)
|
||||
+ ')
|
||||
@ -21928,10 +22129,10 @@ index 0000000..8b2cdf3
|
||||
+
|
||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||
new file mode 100644
|
||||
index 0000000..8d7dde1
|
||||
index 0000000..50c38f9
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/roles/unconfineduser.te
|
||||
@@ -0,0 +1,502 @@
|
||||
@@ -0,0 +1,498 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -22159,11 +22360,7 @@ index 0000000..8d7dde1
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ada_run(unconfined_t, unconfined_r)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ alsa_run(unconfined_t, unconfined_r)
|
||||
+ alsa_filetrans_named_content(unconfined_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -73110,10 +73307,10 @@ index 0000000..79c358c
|
||||
+
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..1449552
|
||||
index 0000000..a84b8e7
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,370 @@
|
||||
@@ -0,0 +1,371 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -73267,6 +73464,7 @@ index 0000000..1449552
|
||||
+
|
||||
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||||
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||||
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||||
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||||
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
|
||||
+
|
||||
@ -78167,7 +78365,7 @@ index 4b2878a..34d01ef 100644
|
||||
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
|
||||
index 9b4a930..04d748b 100644
|
||||
index 9b4a930..d6c3860 100644
|
||||
--- a/policy/modules/system/userdomain.te
|
||||
+++ b/policy/modules/system/userdomain.te
|
||||
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
|
||||
@ -78220,7 +78418,7 @@ index 9b4a930..04d748b 100644
|
||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
|
||||
fs_associate_tmpfs(user_home_dir_t)
|
||||
files_type(user_home_dir_t)
|
||||
@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
|
||||
@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
|
||||
|
||||
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
|
||||
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
|
||||
@ -78283,7 +78481,6 @@ index 9b4a930..04d748b 100644
|
||||
+ alsa_read_rw_config(unpriv_userdomain)
|
||||
+ alsa_manage_home_files(unpriv_userdomain)
|
||||
+ alsa_relabel_home_files(unpriv_userdomain)
|
||||
+ alsa_filetrans_named_content(unpriv_userdomain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
|
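Review bot: In the alsa.if hunk headed `@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',` (the one that appears to be the new side of this patch), the added line calls `alsa_filetrans_home_content(unpriv_userdomain)` with the attribute hard-coded instead of the interface parameter, so any domain that invokes `alsa_manage_home_files` gets the ~/.asoundrc transition granted to every unprivileged user domain rather than to the `$1` it was invoked for, and the rule's subject no longer depends on the caller at all. It should read `alsa_filetrans_home_content($1)`; if the intent really is a blanket grant to unpriv_userdomain, that call belongs in userdomain.te next to the `alsa_filetrans_named_content(unpriv_userdomain)` the same patch already adds there, not inside a parameterised interface. The enclosing interface definition begins outside the hunk. Separately, the new sudo.te hunk lists `term_getattr_pty_fs(sudodomain)` twice and keeps `#auth_run_chk_passwd(sudodomain)` and `#auth_use_nsswitch(sudodomain)` as commented-out rules; since the role-taking form `auth_run_chk_passwd($1_sudo_t, $2)` stays in sudo.if, those commented lines should be removed rather than left to drift, and the duplicate term_getattr call dropped.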
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 45.1%{?dist}
|
||||
Release: 46%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -176,8 +176,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts/files \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts/users \
|
||||
@ -481,6 +481,9 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Oct 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-46
|
||||
- Policy update should not modify local contexts
|
||||
|
||||
* Thu Oct 20 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-45.1
|
||||
- Remove ada policy
|
||||
|
||||
|