fixes from gentoo strict testing:
- Allow semanage to read from /root on strict non-MLS for local policy modules. - Gentoo init script fixes for udev. - Allow udev to read kernel modules.inputmap. - Dnsmasq fixes from testing. - Allow kernel NFS server to getattr filesystems so df can work on clients.
This commit is contained in:
parent
0f9a2be65d
commit
ed38ca9f3d
|
@ -1,3 +1,10 @@
|
||||||
|
- Allow semanage to read from /root on strict non-MLS for
|
||||||
|
local policy modules.
|
||||||
|
- Gentoo init script fixes for udev.
|
||||||
|
- Allow udev to read kernel modules.inputmap.
|
||||||
|
- Dnsmasq fixes from testing.
|
||||||
|
- Allow kernel NFS server to getattr filesystems so df can work
|
||||||
|
on clients.
|
||||||
- Patch from Matt Anderson for a MLS constraint exemption on a
|
- Patch from Matt Anderson for a MLS constraint exemption on a
|
||||||
file that can be written to from a subject whose range is
|
file that can be written to from a subject whose range is
|
||||||
within the object's range.
|
within the object's range.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(logrotate,1.3.0)
|
policy_module(logrotate,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -118,6 +118,7 @@ seutil_dontaudit_read_config(logrotate_t)
|
||||||
|
|
||||||
sysnet_read_config(logrotate_t)
|
sysnet_read_config(logrotate_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
|
||||||
userdom_use_unpriv_users_fds(logrotate_t)
|
userdom_use_unpriv_users_fds(logrotate_t)
|
||||||
|
|
||||||
cron_system_entry(logrotate_t, logrotate_exec_t)
|
cron_system_entry(logrotate_t, logrotate_exec_t)
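Review bot: The added `userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)` silences a denial without a comment recording what triggered it, so a later reader cannot tell whether the search of the sysadm home directory is benign noise or a symptom of a misconfigured cron job. A one-line comment above it, e.g. `# silence /root search seen in gentoo strict testing`, would tie the dontaudit to its origin; confirm the wording against the actual AVC that motivated it.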
|
||||||
|
|
|
@ -325,6 +325,8 @@ interface(`portage_main_domain',`
|
||||||
|
|
||||||
# run setfiles -r
|
# run setfiles -r
|
||||||
seutil_domtrans_setfiles($1)
|
seutil_domtrans_setfiles($1)
|
||||||
|
# run semodule
|
||||||
|
seutil_domtrans_semanage($1)
|
||||||
|
|
||||||
portage_domtrans_gcc_config($1)
|
portage_domtrans_gcc_config($1)
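Review bot: The new `seutil_domtrans_semanage($1)` line gives every domain built with portage_main_domain a transition into semanage_t, the domain that loads and modifies the installed policy, and the only explanation is `# run semodule`. Since this hands policy administration to the package-manager domain, the comment should state that this is intentional and who relies on it, e.g. `# run semodule: ebuilds install policy modules at merge time (confirm)`. The enclosing interface `portage_main_domain` starts outside the hunk, so whether it is already gated by a distro or tunable condition is not visible here.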
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(portage,1.1.0)
|
policy_module(portage,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -629,6 +629,26 @@ interface(`fs_read_cifs_files',`
|
||||||
allow $1 cifs_t:file r_file_perms;
|
allow $1 cifs_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of filesystems that
|
||||||
|
## do not have extended attribute support.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`fs_getattr_noxattr_fs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute noxattrfs;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 noxattrfs:filesystem getattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read all noxattrfs directories.
|
## Read all noxattrfs directories.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(filesystem,1.4.1)
|
policy_module(filesystem,1.4.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(kernel,1.4.0)
|
policy_module(kernel,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -287,6 +287,8 @@ optional_policy(`
|
||||||
corenet_sendrecv_portmap_client_packets(kernel_t)
|
corenet_sendrecv_portmap_client_packets(kernel_t)
|
||||||
corenet_sendrecv_generic_server_packets(kernel_t)
|
corenet_sendrecv_generic_server_packets(kernel_t)
|
||||||
|
|
||||||
|
fs_getattr_xattr_fs(kernel_t)
|
||||||
|
|
||||||
auth_dontaudit_getattr_shadow(kernel_t)
|
auth_dontaudit_getattr_shadow(kernel_t)
|
||||||
|
|
||||||
sysnet_read_config(kernel_t)
|
sysnet_read_config(kernel_t)
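Review bot: The added `fs_getattr_xattr_fs(kernel_t)` has no comment explaining why the kernel NFS server needs filesystem getattr; the reason (statfs so that df works on clients) exists only in the commit message, and `# statfs on exported filesystems so df works on NFS clients` above the line would keep it with the rule. The same applies to the `fs_getattr_noxattr_fs(kernel_t)` lines added in the following hunk inside the nfs_export_all_ro and nfs_export_all_rw blocks. Note that the xattr variant is granted unconditionally within the rpc optional_policy block while the noxattr variants are gated by the export tunables; if that asymmetry is intentional, a comment would make it clear. The enclosing optional_policy block begins outside the hunk.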
|
||||||
|
@ -296,19 +298,21 @@ optional_policy(`
|
||||||
rpc_udp_rw_nfs_sockets(kernel_t)
|
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||||
|
|
||||||
tunable_policy(`nfs_export_all_ro',`
|
tunable_policy(`nfs_export_all_ro',`
|
||||||
fs_list_noxattr_fs(kernel_t)
|
fs_getattr_noxattr_fs(kernel_t)
|
||||||
fs_read_noxattr_fs_files(kernel_t)
|
fs_list_noxattr_fs(kernel_t)
|
||||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
fs_read_noxattr_fs_files(kernel_t)
|
||||||
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||||
|
|
||||||
auth_read_all_dirs_except_shadow(kernel_t)
|
auth_read_all_dirs_except_shadow(kernel_t)
|
||||||
auth_read_all_files_except_shadow(kernel_t)
|
auth_read_all_files_except_shadow(kernel_t)
|
||||||
auth_read_all_symlinks_except_shadow(kernel_t)
|
auth_read_all_symlinks_except_shadow(kernel_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`nfs_export_all_rw',`
|
tunable_policy(`nfs_export_all_rw',`
|
||||||
fs_list_noxattr_fs(kernel_t)
|
fs_getattr_noxattr_fs(kernel_t)
|
||||||
fs_read_noxattr_fs_files(kernel_t)
|
fs_list_noxattr_fs(kernel_t)
|
||||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
fs_read_noxattr_fs_files(kernel_t)
|
||||||
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||||
|
|
||||||
auth_manage_all_files_except_shadow(kernel_t)
|
auth_manage_all_files_except_shadow(kernel_t)
|
||||||
')
|
')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(dnsmasq,1.1.0)
|
policy_module(dnsmasq,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -21,9 +21,11 @@ files_pid_file(dnsmasq_var_run_t)
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
|
allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
|
||||||
dontaudit dnsmasq_t self:capability sys_tty_config;
|
dontaudit dnsmasq_t self:capability sys_tty_config;
|
||||||
allow dnsmasq_t self:process signal_perms;
|
allow dnsmasq_t self:process { setcap signal_perms };
|
||||||
|
allow dnsmasq_t self:fifo_file { read write };
|
||||||
|
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
|
||||||
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
|
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow dnsmasq_t self:udp_socket create_socket_perms;
|
allow dnsmasq_t self:udp_socket create_socket_perms;
|
||||||
allow dnsmasq_t self:packet_socket create_socket_perms;
|
allow dnsmasq_t self:packet_socket create_socket_perms;
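Review bot: The changed capability line now grants `net_admin` to dnsmasq_t with no comment on which operation required it; CAP_NET_ADMIN permits interface, routing and firewall reconfiguration, far beyond what a DNS/DHCP forwarder needs in most setups, so it is the kind of grant a later policy audit will question. The related additions (`setcap` in the process rule, the `netlink_route_socket` rule with nlmsg_read) suggest the daemon adjusts its own capability set and reads routing information, but the hunk does not show what triggered net_admin. Record the denial that motivated it, e.g. `# net_admin: <AVC seen in testing>`, and confirm from the audit log whether the capability is actually exercised or merely probed, in which case a dontaudit would be the tighter choice.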
|
||||||
|
|
|
@ -160,3 +160,21 @@ interface(`hotplug_read_config',`
|
||||||
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search the hotplug PIDs.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`hotplug_search_pids',`
|
||||||
|
gen_require(`
|
||||||
|
type hotplug_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 hotplug_var_run_t:dir search_dir_perms;
|
||||||
|
files_search_pids($1)
|
||||||
|
')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(hotplug,1.3.0)
|
policy_module(hotplug,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1072,6 +1072,26 @@ interface(`init_read_script_files',`
|
||||||
allow $1 initrc_exec_t:file r_file_perms;
|
allow $1 initrc_exec_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of init script
|
||||||
|
## status files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`init_getattr_script_status_files',`
|
||||||
|
gen_require(`
|
||||||
|
type initrc_state_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 initrc_state_t:dir search_dir_perms;
|
||||||
|
allow $1 initrc_state_t:file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to read init script
|
## Do not audit attempts to read init script
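Review bot: The new `init_getattr_script_status_files` grants search on initrc_state_t directories and getattr on its files but does not call an interface for searching the parent directory, unlike the sibling `hotplug_search_pids` added in this commit, which pairs its dir rule with `files_search_pids($1)`. The udev comment in this commit places the status file at /dev/.rcsysinit, so callers presumably also need search on the /dev directory type; if initrc_state_t is labelled there, adding the corresponding dev search interface (or stating in the interface doc that callers must supply it) would make the interface self-contained. The file contexts are not visible from here, so verify the location before adding it.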
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(init,1.4.2)
|
policy_module(init,1.4.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(selinuxutil,1.3.3)
|
policy_module(selinuxutil,1.3.4)
|
||||||
|
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -617,10 +617,13 @@ seutil_manage_default_contexts(semanage_t)
|
||||||
|
|
||||||
userdom_search_sysadm_home_dirs(semanage_t)
|
userdom_search_sysadm_home_dirs(semanage_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
# cjp: need a more general way to handle this:
|
||||||
|
ifdef(`enable_mls',`
|
||||||
|
# read secadm tmp files
|
||||||
|
',`
|
||||||
# Handle pp files created in homedir and /tmp
|
# Handle pp files created in homedir and /tmp
|
||||||
files_read_generic_tmp_files(semanage_t)
|
userdom_read_sysadm_home_content_files(semanage_t)
|
||||||
userdom_read_generic_user_home_content_files(semanage_t)
|
userdom_read_sysadm_tmp_files(semanage_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
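Review bot: The new `ifdef(`enable_mls',` branch in the changed block contains only the comment `# read secadm tmp files` and no rule, so on MLS builds semanage_t is granted nothing here while the comment reads as if access were in place. Either add the intended interface call or mark the gap explicitly, e.g. `# TODO: read secadm tmp files (interface not yet available)`, so the next reader does not assume it is implemented. The non-MLS branch now reads sysadm home content and sysadm tmp files, and the `# Handle pp files created in homedir and /tmp` comment describes that side adequately.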
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(udev,1.4.0)
|
policy_module(udev,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -136,6 +136,8 @@ logging_send_syslog_msg(udev_t)
|
||||||
miscfiles_read_localization(udev_t)
|
miscfiles_read_localization(udev_t)
|
||||||
|
|
||||||
modutils_domtrans_insmod(udev_t)
|
modutils_domtrans_insmod(udev_t)
|
||||||
|
# read modules.inputmap:
|
||||||
|
modutils_read_module_deps(udev_t)
|
||||||
|
|
||||||
seutil_read_config(udev_t)
|
seutil_read_config(udev_t)
|
||||||
seutil_read_default_contexts(udev_t)
|
seutil_read_default_contexts(udev_t)
|
||||||
|
@ -148,6 +150,12 @@ sysnet_domtrans_dhcpc(udev_t)
|
||||||
userdom_use_sysadm_ttys(udev_t)
|
userdom_use_sysadm_ttys(udev_t)
|
||||||
userdom_dontaudit_search_all_users_home_content(udev_t)
|
userdom_dontaudit_search_all_users_home_content(udev_t)
|
||||||
|
|
||||||
|
ifdef(`distro_gentoo',`
|
||||||
|
# during boot, init scripts use /dev/.rcsysinit
|
||||||
|
# existance to determine if we are in early booting
|
||||||
|
init_getattr_script_status_files(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
fs_manage_tmpfs_dirs(udev_t)
|
fs_manage_tmpfs_dirs(udev_t)
|
||||||
fs_manage_tmpfs_files(udev_t)
|
fs_manage_tmpfs_files(udev_t)
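Review bot: The comment in the new `ifdef(`distro_gentoo',` block misspells `existance`; it should read `# existence to determine if we are in early booting`. The rule itself, `init_getattr_script_status_files(udev_t)`, matches the stated intent of checking /dev/.rcsysinit.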
|
||||||
|
@ -183,6 +191,8 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
hotplug_read_config(udev_t)
|
hotplug_read_config(udev_t)
|
||||||
|
# usb.agent searches /var/run/usb
|
||||||
|
hotplug_search_pids(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
|
|
@ -4486,13 +4486,41 @@ interface(`userdom_search_sysadm_home_content_dirs',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`userdom_read_sysadm_home_content_files',`
|
interface(`userdom_read_sysadm_home_content_files',`
|
||||||
gen_require(`
|
ifdef(`strict_policy',`
|
||||||
type sysadm_home_dir_t, sysadm_home_t;
|
gen_require(`
|
||||||
')
|
type sysadm_home_dir_t, sysadm_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
|
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
|
||||||
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
|
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
|
||||||
|
',`
|
||||||
|
userdom_read_generic_user_home_content_files($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read files in the sysadm users home directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_read_sysadm_tmp_files',`
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 sysadm_tmp_t:dir list_dir_perms;
|
||||||
|
allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
|
||||||
|
',`
|
||||||
|
files_read_generic_tmp_files($1)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
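Review bot: The summary of the new `userdom_read_sysadm_tmp_files` interface reads `## Read files in the sysadm users home directory.`, which is copied from the home-content interface above it and does not describe this interface; it should read `## Read sysadm user temporary files.`. Both interfaces otherwise follow the same shape (gen_require inside the strict_policy branch, a generic fallback in the else branch), which is consistent.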
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(userdomain,2.0.1)
|
policy_module(userdomain,2.0.2)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|
|