- Allow fprintd to access sys_ptrace
- Add sandbox policy
This commit is contained in:
Daniel J Walsh
parent
9d1a7ed54e
commit
eead2a6f25
@ -1187,6 +1187,13 @@ rwho = module
|
|||||||
#
|
#
|
||||||
samba = module
|
samba = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: sandbox
|
||||||
|
#
|
||||||
|
# Experimental policy for running apps within a sandbox
|
||||||
|
#
|
||||||
|
sandbox = module
|
||||||
|
|
||||||
# Layer: apps
|
# Layer: apps
|
||||||
# Module: sambagui
|
# Module: sambagui
|
||||||
#
|
#
|
||||||
|
|||||||
@ -4578,6 +4578,134 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+permissive sambagui_t;
|
+permissive sambagui_t;
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.12/policy/modules/apps/sandbox.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.fc 2009-05-20 13:18:54.000000000 -0400
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+# No types are sandbox_exec_t
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if
|
||||||
|
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if 2009-05-20 13:19:04.000000000 -0400
|
||||||
|
@@ -0,0 +1,75 @@
|
||||||
|
+
|
||||||
|
+## <summary>policy for sandbox</summary>
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute a domain transition to run sandbox.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sandbox_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type sandbox_t;
|
||||||
|
+ type sandbox_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ domtrans_pattern($1,sandbox_exec_t,sandbox_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute sandbox in the sandbox domain, and
|
||||||
|
+## allow the specified role the sandbox domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## The role to be allowed the sandbox domain.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sandbox_run',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type sandbox_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ sandbox_domtrans($1)
|
||||||
|
+ role $2 types sandbox_t;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Role access for sandbox
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## Role allowed access
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## User domain for the role
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sandbox_role',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type sandbox_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ role $2 types sandbox_t;
|
||||||
|
+
|
||||||
|
+ sandbox_domtrans($1)
|
||||||
|
+
|
||||||
|
+ ps_process_pattern($2, sandbox_t)
|
||||||
|
+ allow $2 sandbox_t:process signal;
|
||||||
|
+')
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
|
||||||
|
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-20 13:27:01.000000000 -0400
|
||||||
|
@@ -0,0 +1,40 @@
|
||||||
|
+policy_module(sandbox,1.0.0)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Declarations
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+type sandbox_t;
|
||||||
|
+type sandbox_exec_t;
|
||||||
|
+application_domain(sandbox_t, sandbox_exec_t)
|
||||||
|
+init_daemon_domain(sandbox_t, sandbox_exec_t)
|
||||||
|
+role system_r types sandbox_t;
|
||||||
|
+
|
||||||
|
+type sandbox_file_t;
|
||||||
|
+files_type(sandbox_file_t)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# sandbox local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+## internal communication is often done using fifo and unix sockets.
|
||||||
|
+allow sandbox_t self:fifo_file rw_file_perms;
|
||||||
|
+allow sandbox_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
|
||||||
|
+manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
|
||||||
|
+manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
|
||||||
|
+manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
|
||||||
|
+manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
|
||||||
|
+
|
||||||
|
+files_rw_all_inherited_files(sandbox_t)
|
||||||
|
+files_entrypoint_all_files(sandbox_t)
|
||||||
|
+
|
||||||
|
+libs_use_ld_so(sandbox_t)
|
||||||
|
+libs_use_shared_libs(sandbox_t)
|
||||||
|
+
|
||||||
|
+miscfiles_read_localization(sandbox_t)
|
||||||
|
+
|
||||||
|
+userdom_use_user_ptys(sandbox_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-12 15:30:13.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-12 15:30:13.000000000 -0400
|
||||||
@ -5575,7 +5703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-14 08:50:17.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-20 13:26:43.000000000 -0400
|
||||||
@@ -110,6 +110,11 @@
|
@@ -110,6 +110,11 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -5857,7 +5985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -4921,3 +5078,132 @@
|
@@ -4921,3 +5078,172 @@
|
||||||
|
|
||||||
typeattribute $1 files_unconfined_type;
|
typeattribute $1 files_unconfined_type;
|
||||||
')
|
')
|
||||||
@ -5990,6 +6118,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ dontaudit $1 security_file_type:file read_file_perms;
|
+ dontaudit $1 security_file_type:file read_file_perms;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## rw any files inherited from another process
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`files_rw_all_inherited_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute file_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 file_type:file { getattr read write append lock };
|
||||||
|
+ allow $1 file_type:fifo_file { getattr read write append ioctl lock };
|
||||||
|
+ allow $1 file_type:sock_file { getattr read write append ioctl lock };
|
||||||
|
+ allow $1 file_type:chr_file { getattr read write append ioctl lock };
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow any file point to be the entrypoint of this domain
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`files_entrypoint_all_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute file_type;
|
||||||
|
+ ')
|
||||||
|
+ allow $1 file_type:file entrypoint;
|
||||||
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500
|
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/kernel/files.te 2009-05-12 15:30:13.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/kernel/files.te 2009-05-12 15:30:13.000000000 -0400
|
||||||
@ -7727,8 +7895,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
|
||||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-12 15:30:13.000000000 -0400
|
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-20 13:21:29.000000000 -0400
|
||||||
@@ -0,0 +1,397 @@
|
@@ -0,0 +1,401 @@
|
||||||
+policy_module(unconfineduser, 1.0.0)
|
+policy_module(unconfineduser, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -8008,6 +8176,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ sandbox_run(unconfined_t, unconfined_r)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ sendmail_run_unconfined(unconfined_t, unconfined_r)
|
+ sendmail_run_unconfined(unconfined_t, unconfined_r)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
|||||||
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.12
|
Version: 3.6.12
|
||||||
Release: 38%{?dist}
|
Release: 39%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -473,6 +473,10 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-39
|
||||||
|
- Allow fprintd to access sys_ptrace
|
||||||
|
- Add sandbox policy
|
||||||
|
|
||||||
* Mon May 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-38
|
* Mon May 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-38
|
||||||
- Add varnishd policy
|
- Add varnishd policy
|
||||||
|
|
||||||
@ -484,7 +488,6 @@ exit 0
|
|||||||
|
|
||||||
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-35
|
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-35
|
||||||
- Add /usr/share/selinux/packages
|
- Add /usr/share/selinux/packages
|
||||||
- Turn on nsplugin boolean
|
|
||||||
|
|
||||||
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-34
|
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-34
|
||||||
- Allow rpcd_t to send signals to kernel threads
|
- Allow rpcd_t to send signals to kernel threads
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user