From f0a56ee31d93d7ed004288cbbdb2ad9c8ac6ad72 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 12 Oct 2010 16:10:57 -0400 Subject: [PATCH] -Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles --- policy-F14.patch | 451 +++++++++++++++++++++++++++----------------- selinux-policy.spec | 11 +- 2 files changed, 288 insertions(+), 174 deletions(-) diff --git a/policy-F14.patch b/policy-F14.patch index 384f6258..c9db2fc8 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -8291,7 +8291,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..2bf2d69 100644 +index 5302dac..c0b844e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` 
@@ -8375,7 +8375,32 @@ index 5302dac..2bf2d69 100644 ## Execute generic files in /etc. ## ## -@@ -3086,6 +3138,7 @@ interface(`files_getattr_home_dir',` +@@ -2605,6 +2657,24 @@ interface(`files_read_etc_runtime_files',` + + ######################################## + ## ++## Do not audit attempts to set the attributes of the etc_runtime files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_setattr_etc_runtime_files',` ++ gen_require(` ++ type etc_runtime_t; ++ ') ++ ++ dontaudit $1 etc_runtime_t:file setattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to read files + ## in /etc that are dynamically + ## created on boot, such as mtab. +@@ -3086,6 +3156,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -8383,7 +8408,7 @@ index 5302dac..2bf2d69 100644 ') ######################################## -@@ -3106,6 +3159,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3106,6 +3177,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -8391,7 +8416,7 @@ index 5302dac..2bf2d69 100644 ') ######################################## -@@ -3347,6 +3401,24 @@ interface(`files_list_mnt',` +@@ -3347,6 +3419,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -8416,7 +8441,7 @@ index 5302dac..2bf2d69 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3420,6 +3492,24 @@ interface(`files_read_mnt_files',` +@@ -3420,6 +3510,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -8441,7 +8466,7 @@ index 5302dac..2bf2d69 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3711,6 +3801,100 @@ interface(`files_read_world_readable_sockets',` +@@ -3711,6 +3819,100 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
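Review bot: The summary of the new `files_dontaudit_setattr_etc_runtime_files` interface does not say that the access stays denied, nor that it covers every etc_runtime_t file rather than only /etc/mtab, which is the case the commit description gives. Since a silently refused setattr on mtab can make mount fail with no AVC record to explain it, the doc should state that explicitly, e.g. `## Do not audit attempts to set the attributes of etc_runtime files (e.g. /etc/mtab); the access is still denied, only the audit message is suppressed.` The caller of this interface is not in this chunk, so whether it is applied only to the confined-user mount case cannot be checked here.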
@@ -8542,7 +8567,7 @@ index 5302dac..2bf2d69 100644 ######################################## ## ## Allow the specified type to associate -@@ -3896,6 +4080,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3896,6 +4098,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -8575,7 +8600,7 @@ index 5302dac..2bf2d69 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4109,6 +4319,13 @@ interface(`files_purge_tmp',` +@@ -4109,6 +4337,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -8589,7 +8614,7 @@ index 5302dac..2bf2d69 100644 ') ######################################## -@@ -4718,6 +4935,24 @@ interface(`files_read_var_files',` +@@ -4718,6 +4953,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -8614,7 +8639,7 @@ index 5302dac..2bf2d69 100644 ## Read and write files in the /var directory. ## ## -@@ -5053,6 +5288,24 @@ interface(`files_manage_mounttab',` +@@ -5053,6 +5306,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -8639,7 +8664,7 @@ index 5302dac..2bf2d69 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5138,12 +5391,12 @@ interface(`files_getattr_generic_locks',` +@@ -5138,12 +5409,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -8656,7 +8681,7 @@ index 5302dac..2bf2d69 100644 ') ######################################## -@@ -5317,6 +5570,43 @@ interface(`files_search_pids',` +@@ -5317,6 +5588,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') 
@@ -8700,7 +8725,7 @@ index 5302dac..2bf2d69 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5814,26 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5524,6 +5832,26 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -8727,7 +8752,7 @@ index 5302dac..2bf2d69 100644 ## Read all process ID files. ## ## -@@ -5541,6 +5851,7 @@ interface(`files_read_all_pids',` +@@ -5541,6 +5869,7 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -8735,7 +8760,7 @@ index 5302dac..2bf2d69 100644 ') ######################################## -@@ -5826,3 +6137,247 @@ interface(`files_unconfined',` +@@ -5826,3 +6155,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -18797,10 +18822,10 @@ index 9bd812b..c808b31 100644 ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..a50a8a7 100644 +index fdaeeba..1f6f6f3 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te -@@ -96,6 +96,10 @@ optional_policy(` +@@ -96,10 +96,18 @@ optional_policy(` ') optional_policy(` @@ -18811,6 +18836,14 @@ index fdaeeba..a50a8a7 100644 dbus_system_bus_client(dnsmasq_t) ') + optional_policy(` ++ ppp_read_pid_files(dnsmasq_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(dnsmasq_t) + ') + diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc index bfc880b..9a1dcba 100644 --- a/policy/modules/services/dovecot.fc @@ -18893,7 +18926,7 @@ index e1d7dc5..ee51a19 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..396f956 100644 +index cbe14e4..dd7fe41 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
@@ -18959,6 +18992,15 @@ index cbe14e4..396f956 100644 postgresql_stream_connect(dovecot_t) ') +@@ -179,7 +189,7 @@ optional_policy(` + # dovecot auth local policy + # + +-allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; ++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid }; + allow dovecot_auth_t self:process { signal_perms getcap setcap }; + allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; + allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; @@ -242,6 +252,7 @@ optional_policy(` ') @@ -20348,6 +20390,18 @@ index 7d97298..d6b2959 100644 - allow $1 gpmctl_t:sock_file setattr; + allow $1 gpmctl_t:sock_file setattr_sock_file_perms; ') +diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te +index a627b34..c899c61 100644 +--- a/policy/modules/services/gpm.te ++++ b/policy/modules/services/gpm.te +@@ -69,6 +69,7 @@ miscfiles_read_localization(gpm_t) + + userdom_dontaudit_use_unpriv_user_fds(gpm_t) + userdom_dontaudit_search_user_home_dirs(gpm_t) ++userdom_use_user_terminals(gpm_t) + + optional_policy(` + seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te index 03742d8..7b9c543 100644 --- a/policy/modules/services/gpsd.te @@ -23240,7 +23294,7 @@ index 343cee3..2f948ad 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..36e64e9 100644 +index 64268e4..a765618 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) 
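Review bot: `ipc_lock` is added to the `dovecot_auth_t self:capability` set with no comment saying what needs it; the commit description only restates that it is needed. A why-comment above the line keeps the grant reviewable, e.g. `# ipc_lock: presumably for mlock()ing buffers that hold credentials — confirm against the denial`. The same applies to `userdom_use_user_terminals(gpm_t)` in the gpm.te hunk on this line: that interface grants read/write on user ttys and ptys to the daemon, so if the denials only come from descriptors gpm inherits rather than from its own cut-and-paste writes, `userdom_dontaudit_use_user_terminals(gpm_t)` is the narrower choice, and either way a one-line comment naming the reason is missing.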
@@ -23254,13 +23308,14 @@ index 64268e4..36e64e9 100644 type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t) +@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t) # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; -allow system_mail_t self:fifo_file rw_fifo_file_perms; -- + -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) ++append_files_pattern(system_mail_t, mail_home_t, mail_home_t) read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) @@ -23277,7 +23332,7 @@ index 64268e4..36e64e9 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t) +@@ -82,6 +71,9 @@ init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) @@ -23287,7 +23342,7 @@ index 64268e4..36e64e9 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +82,28 @@ optional_policy(` +@@ -92,17 +84,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -23317,7 +23372,7 @@ index 64268e4..36e64e9 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +112,8 @@ optional_policy(` +@@ -111,6 +114,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -23326,7 +23381,7 @@ index 64268e4..36e64e9 100644 ') optional_policy(` -@@ -124,12 +127,8 @@ optional_policy(` +@@ -124,12 +129,8 @@ optional_policy(` ') optional_policy(` @@ -23340,7 +23395,7 @@ index 64268e4..36e64e9 100644 ') optional_policy(` -@@ -146,6 +145,10 @@ optional_policy(` +@@ -146,6 +147,10 @@ optional_policy(` ') optional_policy(` 
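Review bot: `append_files_pattern(system_mail_t, mail_home_t, mail_home_t)` grants append on mail_home_t files and search on mail_home_t directories only; reaching ~/dead.letter additionally needs search on the user's home directory, and the context lines of this same hunk show `userdom_dontaudit_search_user_home_dirs(system_mail_t)`, i.e. that search is currently silenced rather than allowed. Unless one of the three lines added at `@@ -82,6 +71,9 @@` (not shown in this chunk) grants it, the append will still be denied. The rule also relies on ~/dead.letter being labeled mail_home_t by mta.fc, which this chunk does not show. A short comment naming the target, `# ~/dead.letter`, would tell the next reader why system_mail_t writes into user home content at all.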
@@ -23351,7 +23406,7 @@ index 64268e4..36e64e9 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +161,6 @@ optional_policy(` +@@ -158,18 +163,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -23370,7 +23425,7 @@ index 64268e4..36e64e9 100644 ') optional_policy(` -@@ -189,6 +180,10 @@ optional_policy(` +@@ -189,6 +182,10 @@ optional_policy(` ') optional_policy(` @@ -23381,7 +23436,7 @@ index 64268e4..36e64e9 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +194,7 @@ optional_policy(` +@@ -199,7 +196,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -23390,7 +23445,7 @@ index 64268e4..36e64e9 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +217,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -23400,7 +23455,7 @@ index 64268e4..36e64e9 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -249,11 +245,16 @@ optional_policy(` +@@ -249,11 +247,16 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -23417,7 +23472,7 @@ index 64268e4..36e64e9 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +293,42 @@ optional_policy(` +@@ -292,3 +295,42 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -24012,11 +24067,14 @@ index da5b33d..3b620e3 100644 optional_policy(` diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc -index 386543b..d15cc4b 100644 +index 386543b..e0aab89 100644 
--- a/policy/modules/services/networkmanager.fc +++ b/policy/modules/services/networkmanager.fc -@@ -2,6 +2,10 @@ +@@ -1,7 +1,13 @@ + /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/etc/NetworkManager(/.*) gen_context(system_u:object_r:NetworkManager_etc_t,s0) ++/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) /etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) @@ -24124,10 +24182,23 @@ index 2324d9e..8069487 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..02ae4e0 100644 +index 0619395..a074153 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te -@@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) + type NetworkManager_initrc_exec_t; + init_script_file(NetworkManager_initrc_exec_t) + ++type NetworkManager_etc_t; ++files_config_file(NetworkManager_etc_t) ++ ++type NetworkManager_etc_rw_t; ++files_config_file(NetworkManager_etc_rw_t) ++ + type NetworkManager_log_t; + logging_log_file(NetworkManager_log_t) + +@@ -35,7 +41,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) 
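Review bot: `/etc/NetworkManager(/.*)` matches only entries below /etc/NetworkManager, never the directory itself, so the directory keeps its etc_t label; the `filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, file)` added in the networkmanager.te hunk on the next line transitions only from NetworkManager_etc_t directories and would therefore never fire for files created in /etc/NetworkManager. Changing the entry to `/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)` labels the directory as well. The existing `dispatcher\.d(/.*)` line is presumably without `?` on purpose, since labeling that directory as an init-script executable type is not wanted. The `NetworkManager\.conf` entry could also carry the `--` file-type field so it cannot match a directory or symlink of that name.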
@@ -24136,7 +24207,7 @@ index 0619395..02ae4e0 100644 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -@@ -44,7 +44,7 @@ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; +@@ -44,7 +50,7 @@ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; @@ -24145,7 +24216,19 @@ index 0619395..02ae4e0 100644 allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -55,6 +55,7 @@ can_exec(NetworkManager_t, NetworkManager_exec_t) +@@ -52,9 +58,19 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; + + can_exec(NetworkManager_t, NetworkManager_exec_t) + ++list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) ++read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) ++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) ++ ++manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) ++filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, file) ++ ++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) ++ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) 
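Review bot: `logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)` is added two lines above a context line that already contains the identical call, so on the new side the rule appears twice; drop the added copy. Keeping the list_dirs/read_files/read_lnk_files rules on NetworkManager_etc_t separate from `manage_files_pattern` on NetworkManager_etc_rw_t is the right split, but a one-line comment above the block saying which file is expected to be rewritten (the commit description names NetworkManager.conf) would explain why two types exist.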
@@ -24153,7 +24236,7 @@ index 0619395..02ae4e0 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -141,22 +142,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t) +@@ -141,22 +157,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) @@ -24186,7 +24269,7 @@ index 0619395..02ae4e0 100644 ') optional_policy(` -@@ -172,12 +183,14 @@ optional_policy(` +@@ -172,12 +198,14 @@ optional_policy(` ') optional_policy(` @@ -24202,7 +24285,7 @@ index 0619395..02ae4e0 100644 optional_policy(` consolekit_dbus_chat(NetworkManager_t) ') -@@ -202,6 +215,13 @@ optional_policy(` +@@ -202,6 +230,13 @@ optional_policy(` ') optional_policy(` @@ -24216,7 +24299,7 @@ index 0619395..02ae4e0 100644 iptables_domtrans(NetworkManager_t) ') -@@ -263,6 +283,7 @@ optional_policy(` +@@ -263,6 +298,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -27346,7 +27429,7 @@ index ad15fde..6f55445 100644 allow $1 postgrey_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if -index b524673..09699d1 100644 +index b524673..29e0761 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -66,7 +66,6 @@ interface(`ppp_sigchld',` 
@@ -27367,14 +27450,16 @@ index b524673..09699d1 100644 optional_policy(` ddclient_run(pppd_t, $2) -@@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',` +@@ -281,7 +279,8 @@ interface(`ppp_read_pid_files',` type pppd_var_run_t; ') +- allow $1 pppd_var_run_t:file read_file_perms; + files_search_pids($1) - allow $1 pppd_var_run_t:file read_file_perms; ++ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t) ') + ######################################## @@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',` type pppd_var_run_t; ') @@ -34884,16 +34969,18 @@ index 3eca020..62e349a 100644 +') diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc new file mode 100644 -index 0000000..7667c31 +index 0000000..4d81b99 --- /dev/null +++ b/policy/modules/services/vnstatd.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ + +/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) + +/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) + +/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) ++ ++/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if new file mode 100644 index 0000000..b9104b7 @@ -35046,10 +35133,10 @@ index 0000000..b9104b7 +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 -index 0000000..8ec07ff +index 0000000..d861cf6 --- /dev/null +++ b/policy/modules/services/vnstatd.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,72 @@ +policy_module(vnstatd, 1.0.0) + +######################################## @@ -35066,6 +35153,9 @@ index 0000000..8ec07ff +type vnstatd_var_lib_t; +files_type(vnstatd_var_lib_t) + ++type vnstatd_var_run_t; ++files_pid_file(vnstatd_var_run_t) ++ +type vnstat_t; +type vnstat_exec_t; +application_domain(vnstat_t, vnstat_exec_t) 
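Review bot: `/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)` omits the `--` file-type field that every other entry in this file carries, so the pattern would also match a directory or symlink of that name; make it `/var/run/vnstat\.pid -- gen_context(system_u:object_r:vnstatd_var_run_t,s0)`. The vnstatd.te hunk on the next line additionally lets vnstatd_t create directories in /var/run as vnstatd_var_run_t via `files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })` and `manage_dirs_pattern`, yet no fc entry labels such a directory, so a relabel would reset it to var_run_t; either add an entry for it or drop `dir` from the filetrans if only the pid file is created.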
@@ -35079,6 +35169,10 @@ index 0000000..8ec07ff +allow vnstatd_t self:fifo_file rw_fifo_file_perms; +allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) ++manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) ++files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) ++ +manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) @@ -37730,7 +37824,7 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..c411b5e 100644 +index bea0ade..ce67a96 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -37794,7 +37888,7 @@ index bea0ade..c411b5e 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -151,8 +165,38 @@ interface(`auth_login_pgm_domain',` +@@ -151,8 +165,39 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -37804,6 +37898,7 @@ index bea0ade..c411b5e 100644 + userdom_read_user_home_content_symlinks($1) + userdom_delete_user_tmp_files($1) + userdom_search_admin_dir($1) ++ userdom_stream_connect($1) + + optional_policy(` + afs_rw_udp_sockets($1) @@ -37835,7 +37930,7 @@ index bea0ade..c411b5e 100644 ') ') -@@ -365,13 +409,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -365,13 +410,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -37852,7 +37947,7 @@ index bea0ade..c411b5e 100644 ') ######################################## -@@ -418,6 +464,7 @@ interface(`auth_run_chk_passwd',` +@@ -418,6 +465,7 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; 
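Review bot: `userdom_stream_connect($1)` is added to `auth_login_pgm_domain` with no comment, so every domain built on this interface gains the new access, not only the program whose denial motivated it; the interface body continues outside the hunk on both sides. If this is the userdom.if interface of that name it lets the caller connect to user-domain unix stream sockets, which is a broader grant than the other userdom_* calls next to it suggest. A why-comment such as `# TODO(review): name the login program and the socket it connects to — confirm against the denial` would make the addition reviewable.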
@@ -37860,7 +37955,7 @@ index bea0ade..c411b5e 100644 ') ######################################## -@@ -694,7 +741,7 @@ interface(`auth_relabel_shadow',` +@@ -694,7 +742,7 @@ interface(`auth_relabel_shadow',` ') files_search_etc($1) @@ -37869,7 +37964,7 @@ index bea0ade..c411b5e 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -736,6 +783,25 @@ interface(`auth_rw_faillog',` +@@ -736,6 +784,25 @@ interface(`auth_rw_faillog',` allow $1 faillog_t:file rw_file_perms; ') @@ -37895,7 +37990,7 @@ index bea0ade..c411b5e 100644 ####################################### ## ## Read the last logins log. -@@ -874,6 +940,26 @@ interface(`auth_exec_pam',` +@@ -874,6 +941,26 @@ interface(`auth_exec_pam',` ######################################## ## @@ -37922,7 +38017,7 @@ index bea0ade..c411b5e 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -1500,6 +1586,8 @@ interface(`auth_manage_login_records',` +@@ -1500,6 +1587,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -37931,7 +38026,7 @@ index bea0ade..c411b5e 100644 files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1619,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1620,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -38713,7 +38808,7 @@ index 8419a01..5865dba 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 698c11e..d92e0c3 100644 +index 698c11e..63030ba 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -38842,7 +38937,7 @@ index 698c11e..d92e0c3 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +220,79 @@ tunable_policy(`init_upstart',` +@@ -186,12 +220,81 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') 
@@ -38861,10 +38956,12 @@ index 698c11e..d92e0c3 100644 + kernel_list_unlabeled(init_t) + kernel_read_network_state(init_t) + kernel_rw_kernel_sysctl(init_t) ++ kernel_rw_net_sysctls(init_t) + kernel_read_all_sysctls(init_t) + kernel_unmount_debugfs(init_t) + + dev_write_kmsg(init_t) ++ dev_write_urand(init_t) + dev_rw_autofs(init_t) + dev_manage_generic_dirs(init_t) + dev_manage_generic_files(init_t) @@ -38922,7 +39019,7 @@ index 698c11e..d92e0c3 100644 ') optional_policy(` -@@ -199,10 +300,19 @@ optional_policy(` +@@ -199,10 +302,19 @@ optional_policy(` ') optional_policy(` @@ -38942,7 +39039,7 @@ index 698c11e..d92e0c3 100644 unconfined_domain(init_t) ') -@@ -212,7 +322,7 @@ optional_policy(` +@@ -212,7 +324,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38951,7 +39048,7 @@ index 698c11e..d92e0c3 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,6 +351,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,6 +353,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38959,7 +39056,7 @@ index 698c11e..d92e0c3 100644 can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -258,11 +369,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +371,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38983,7 +39080,7 @@ index 698c11e..d92e0c3 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +414,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +416,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) 
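Review bot: `kernel_rw_net_sysctls(init_t)` and `dev_write_urand(init_t)` are appended to an indented rule list whose enclosing block opens and closes outside the hunk, and neither line says what init does that needs write access to the network sysctls or to /dev/urandom. A short why-comment on each, e.g. `# TODO(review): name the operation that writes net sysctls — confirm against the denial`, keeps the grant to init_t reviewable, and if only a specific sysctl is written a narrower interface may exist.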
@@ -38991,7 +39088,7 @@ index 698c11e..d92e0c3 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +422,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +424,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -39007,7 +39104,7 @@ index 698c11e..d92e0c3 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +447,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +449,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -39019,7 +39116,7 @@ index 698c11e..d92e0c3 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +466,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +468,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -39033,7 +39130,7 @@ index 698c11e..d92e0c3 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +481,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +483,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -39042,7 +39139,7 @@ index 698c11e..d92e0c3 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +495,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +497,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -39050,7 +39147,7 @@ index 698c11e..d92e0c3 100644 selinux_get_enforce_mode(initrc_t) -@@ -380,6 +513,7 @@ auth_read_pam_pid(initrc_t) +@@ -380,6 +515,7 @@ auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) auth_use_nsswitch(initrc_t) @@ -39058,7 +39155,7 @@ index 698c11e..d92e0c3 100644 libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) -@@ -394,13 +528,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +530,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -39074,7 +39171,7 @@ index 698c11e..d92e0c3 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +608,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +610,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -39083,7 +39180,7 @@ index 698c11e..d92e0c3 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +654,19 @@ ifdef(`distro_redhat',` +@@ -519,6 +656,19 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -39103,7 +39200,7 @@ index 698c11e..d92e0c3 100644 ') optional_policy(` -@@ -526,10 +674,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +676,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -39121,7 +39218,7 @@ index 698c11e..d92e0c3 100644 ') optional_policy(` -@@ -544,6 +699,35 @@ ifdef(`distro_suse',` +@@ -544,6 +701,35 @@ ifdef(`distro_suse',` ') ') 
@@ -39157,7 +39254,7 @@ index 698c11e..d92e0c3 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +740,8 @@ optional_policy(` +@@ -556,6 +742,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -39166,7 +39263,7 @@ index 698c11e..d92e0c3 100644 ') optional_policy(` -@@ -572,6 +758,7 @@ optional_policy(` +@@ -572,6 +760,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -39174,7 +39271,7 @@ index 698c11e..d92e0c3 100644 ') optional_policy(` -@@ -584,6 +771,11 @@ optional_policy(` +@@ -584,6 +773,11 @@ optional_policy(` ') optional_policy(` @@ -39186,7 +39283,7 @@ index 698c11e..d92e0c3 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,6 +792,9 @@ optional_policy(` +@@ -600,6 +794,9 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -39196,7 +39293,7 @@ index 698c11e..d92e0c3 100644 optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -701,7 +896,13 @@ optional_policy(` +@@ -701,7 +898,13 @@ optional_policy(` ') optional_policy(` @@ -39210,7 +39307,7 @@ index 698c11e..d92e0c3 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +925,10 @@ optional_policy(` +@@ -724,6 +927,10 @@ optional_policy(` ') optional_policy(` @@ -39221,7 +39318,7 @@ index 698c11e..d92e0c3 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -745,6 +950,10 @@ optional_policy(` +@@ -745,6 +952,10 @@ optional_policy(` ') optional_policy(` @@ -39232,7 +39329,7 @@ index 698c11e..d92e0c3 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +975,6 @@ optional_policy(` +@@ -766,8 +977,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -39241,7 +39338,7 @@ index 698c11e..d92e0c3 100644 ') optional_policy(` -@@ -776,14 +983,21 @@ optional_policy(` +@@ -776,14 +985,21 @@ optional_policy(` ') optional_policy(` @@ -39263,7 +39360,7 @@ index 698c11e..d92e0c3 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1019,19 @@ optional_policy(` +@@ -805,11 +1021,19 @@ optional_policy(` ') optional_policy(` @@ -39284,7 +39381,7 @@ index 698c11e..d92e0c3 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1041,25 @@ optional_policy(` +@@ -819,6 +1043,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -39310,7 +39407,7 @@ index 698c11e..d92e0c3 100644 ') optional_policy(` -@@ -844,3 +1085,55 @@ optional_policy(` +@@ -844,3 +1087,55 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -39870,7 +39967,7 @@ index 57c645b..7682697 100644 dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..1d2236b 100644 +index 9df8c4d..0199a7d 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -129,15 +129,13 @@ ifdef(`distro_redhat',` @@ -39932,7 +40029,7 @@ index 9df8c4d..1d2236b 100644 ') dnl end distro_redhat # -@@ -319,14 +315,149 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -40084,6 +40181,7 @@ index 9df8c4d..1d2236b 100644 +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index d97d16d..8b174c8 100644 --- a/policy/modules/system/libraries.if @@ -40293,7 +40391,7 @@ index 3fb1915..26e9f79 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 362614c..ca6409c 100644 +index 362614c..c5757eb 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,10 @@ @@ -40311,7 +40409,7 @@ index 362614c..ca6409c 100644 /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -+/var/lib/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) ++/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) ifdef(`distro_suse', ` @@ -41112,7 +41210,7 @@ index 8b5c196..3490497 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index fca6947..8848e14 100644 +index fca6947..cfb8758 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -41339,7 +41437,7 @@ index fca6947..8848e14 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -180,13 +272,36 @@ optional_policy(` +@@ -180,13 +272,40 @@ optional_policy(` ') ') 
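Review bot: The new file-context entry `/opt/google/talkplugin/.*\.so.*` matches any file under that tree whose name merely contains `.so` (a `foo.sock` or `libx.sound` would qualify), and it assigns textrel_shlib_t, the label that exempts a library from the text-relocation (execmod) restriction, so the broad pattern widens that exemption beyond shared objects. Elsewhere on this page libraries.fc spells versioned shared objects as `\.so(\.[^/]*)*` (the `ld[^/]*\.so(\.[^/]*)*` entry), and the picasa entries above it anchor on an exact suffix; the same shape here, `/opt/google/talkplugin/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, keeps the relaxed label on `.so` and `.so.N` files only. The hunk's other additions are unchanged context from the inner patch.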
@@ -41351,6 +41449,10 @@ index fca6947..8848e14 100644 +optional_policy(` + lvm_domtrans(mount_t) +') ++ ++optional_policy(` ++ rhcs_stream_connect_gfs_controld(mount_t) ++') + # for kernel package installation optional_policy(` @@ -41376,7 +41478,7 @@ index fca6947..8848e14 100644 ') ######################################## -@@ -195,6 +310,42 @@ optional_policy(` +@@ -195,6 +314,42 @@ optional_policy(` # optional_policy(` @@ -41925,7 +42027,7 @@ index 170e2c7..bbaa8cf 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ff5d72d..edee963 100644 +index ff5d72d..51a1496 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -42089,15 +42191,15 @@ index ff5d72d..edee963 100644 - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) -- --corecmd_exec_bin(semanage_t) +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; --dev_read_urand(semanage_t) +-corecmd_exec_bin(semanage_t) +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +-dev_read_urand(semanage_t) +- -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -42119,15 +42221,15 @@ index ff5d72d..edee963 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - +- -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) -- ++# Admins are creating pp files in random locations ++auth_read_all_files_except_shadow(semanage_t) + -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) 
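Review bot: The new `optional_policy` block for `rhcs_stream_connect_gfs_controld(mount_t)` carries no comment, while the neighbouring block is introduced by `# for kernel package installation`; a one-liner above it, `# mount needs to communicate with gfs_controld`, records the reason given in the commit message so the next reader does not have to dig through history to see why mount_t may connect to that daemon's socket. The `optional_policy` wrapper looks right, since the rule then only exists when the module providing the `rhcs_` interface is loaded (inferred from the prefix convention). The surrounding mount_t policy continues outside this hunk.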
@@ -42166,7 +42268,7 @@ index ff5d72d..edee963 100644 # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -498,112 +492,50 @@ ifdef(`enable_mls',` +@@ -498,112 +492,54 @@ ifdef(`enable_mls',` userdom_read_user_tmp_files(semanage_t) ') 
@@ -42241,54 +42343,56 @@ index ff5d72d..edee963 100644 -init_exec_script_files(setfiles_t) - -logging_send_syslog_msg(setfiles_t) -- --miscfiles_read_localization(setfiles_t) +init_dontaudit_use_fds(setsebool_t) --seutil_libselinux_linked(setfiles_t) +-miscfiles_read_localization(setfiles_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) --userdom_use_all_users_fds(setfiles_t) --# for config files in a home directory --userdom_read_user_home_content_files(setfiles_t) +-seutil_libselinux_linked(setfiles_t) +######################################## +# +# Setfiles local policy +# +-userdom_use_all_users_fds(setfiles_t) +-# for config files in a home directory +-userdom_read_user_home_content_files(setfiles_t) ++seutil_setfiles(setfiles_t) ++# During boot in Rawhide ++term_use_generic_ptys(setfiles_t) + -ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) -') -+seutil_setfiles(setfiles_t) -+# During boot in Rawhide -+term_use_generic_ptys(setfiles_t) ++seutil_setfiles(setfiles_mac_t) ++allow setfiles_mac_t self:capability2 mac_admin; ++kernel_relabelto_unlabeled(setfiles_mac_t) -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) - fs_rw_tmpfs_blk_files(setfiles_t) - fs_relabel_tmpfs_blk_file(setfiles_t) - fs_relabel_tmpfs_chr_file(setfiles_t) --') -+seutil_setfiles(setfiles_mac_t) -+allow setfiles_mac_t self:capability2 mac_admin; -+kernel_relabelto_unlabeled(setfiles_mac_t) ++optional_policy(` ++ files_dontaudit_write_isid_chr_files(setfiles_mac_t) ++ livecd_dontaudit_leaks(setfiles_mac_t) ++ livecd_rw_tmp_files(setfiles_mac_t) ++ dev_dontaudit_write_all_chr_files(setfiles_mac_t) + ') -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(setfiles_t) - ') +optional_policy(` -+ 
files_dontaudit_write_isid_chr_files(setfiles_mac_t) -+ livecd_dontaudit_leaks(setfiles_mac_t) -+ livecd_rw_tmp_files(setfiles_mac_t) -+ dev_dontaudit_write_all_chr_files(setfiles_mac_t) ++ hal_dontaudit_leaks(setfiles_t) ') ifdef(`hide_broken_symptoms',` @@ -43965,7 +44069,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 35f1476..8d157ff 100644 +index 35f1476..ad3b474 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -43979,7 +44083,7 @@ index 35f1476..8d157ff 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,98 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,99 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -44098,6 +44202,7 @@ index 35f1476..8d157ff 100644 + files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype) ++ files_dontaudit_setattr_etc_runtime_files($1_usertype) + + files_exec_usr_files($1_t) + @@ -44127,7 +44232,7 @@ index 35f1476..8d157ff 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +146,16 @@ template(`userdom_base_user_template',` +@@ -116,6 +147,16 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -44144,7 +44249,7 @@ index 35f1476..8d157ff 100644 ') ####################################### -@@ -149,6 +189,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +190,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') 
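Review bot: The added `hal_dontaudit_leaks(setfiles_t)` sits in an otherwise bare `optional_policy` block with no comment, whereas the dontaudit a few lines above it carries `# During boot in Rawhide`; I would add `# hal leaks into setfiles: silence the denial, do not grant the access` so the intent (noise suppression, not an allow) is visible without the commit message. The rest of the hunk only moves the setfiles_mac_t block, but it is worth confirming that keeping `files_dontaudit_write_isid_chr_files(setfiles_mac_t)` and `dev_dontaudit_write_all_chr_files(setfiles_mac_t)` inside the `optional_policy` block alongside the `livecd_` calls is intended, since they then only take effect when that optional module is present. The setfiles section that these lines belong to starts before this hunk.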
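Review bot: `files_dontaudit_setattr_etc_runtime_files($1_usertype)` silences setattr denials on every etc_runtime_t file for every user type built from this template, while the commit message names only `/etc/mtab` touched by mount; a dontaudit does not grant the access, so the operation still fails, and any other attempted attribute change on runtime files by a user domain now disappears from the audit log as well. A comment next to the call would keep that trade-off visible, for example `# mount run by a confined user tries to setattr /etc/mtab; hide the denial, do not allow it`. If mount is expected to run in its own domain, the denial being charged to the user domain suggests it ran without a domain transition in the reported case, which may be worth confirming before settling for the dontaudit. The enclosing `userdom_base_user_template` starts and ends outside this hunk.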
@@ -44153,7 +44258,7 @@ index 35f1476..8d157ff 100644 ############################## # # Domain access to home dir -@@ -166,27 +208,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +209,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -44181,7 +44286,7 @@ index 35f1476..8d157ff 100644 ') ####################################### -@@ -218,8 +239,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +240,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -44193,7 +44298,7 @@ index 35f1476..8d157ff 100644 ############################## # # Domain access to home dir -@@ -228,17 +252,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +253,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -44225,7 +44330,7 @@ index 35f1476..8d157ff 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +274,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +275,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -44255,7 +44360,7 @@ index 35f1476..8d157ff 100644 ') ') -@@ -289,6 +315,8 @@ interface(`userdom_manage_tmp_role',` +@@ -289,6 +316,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -44264,7 +44369,7 @@ index 35f1476..8d157ff 100644 files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +325,45 @@ interface(`userdom_manage_tmp_role',` +@@ -297,6 +326,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) 
@@ -44310,7 +44415,7 @@ index 35f1476..8d157ff 100644 ') ####################################### -@@ -316,6 +383,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +384,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -44318,7 +44423,7 @@ index 35f1476..8d157ff 100644 files_search_tmp($1) ') -@@ -350,6 +418,8 @@ interface(`userdom_manage_tmpfs_role',` +@@ -350,6 +419,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -44327,7 +44432,7 @@ index 35f1476..8d157ff 100644 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +430,41 @@ interface(`userdom_manage_tmpfs_role',` +@@ -360,46 +431,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## @@ -44396,7 +44501,7 @@ index 35f1476..8d157ff 100644 ') ####################################### -@@ -430,6 +495,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +496,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -44404,7 +44509,7 @@ index 35f1476..8d157ff 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +556,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +557,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') 
@@ -44413,7 +44518,7 @@ index 35f1476..8d157ff 100644 ############################## # -@@ -500,73 +566,78 @@ template(`userdom_common_user_template',` +@@ -500,73 +567,78 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -44531,7 +44636,7 @@ index 35f1476..8d157ff 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +645,110 @@ template(`userdom_common_user_template',` +@@ -574,67 +646,110 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -44660,7 +44765,7 @@ index 35f1476..8d157ff 100644 ') optional_policy(` -@@ -650,41 +764,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +765,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -44722,7 +44827,7 @@ index 35f1476..8d157ff 100644 ') ####################################### -@@ -712,13 +835,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +836,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -44754,7 +44859,7 @@ index 35f1476..8d157ff 100644 userdom_change_password_template($1) -@@ -736,72 +872,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +873,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -44863,7 +44968,7 @@ index 35f1476..8d157ff 100644 ') ') -@@ -833,6 +968,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +969,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -44873,7 +44978,7 @@ index 35f1476..8d157ff 100644 ############################## # # Local policy -@@ -874,45 +1012,105 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1013,105 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -44990,7 +45095,7 @@ index 35f1476..8d157ff 100644 ') ') -@@ -947,7 +1145,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1146,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -44999,7 +45104,7 @@ index 35f1476..8d157ff 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1154,77 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1155,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -45107,7 +45212,7 @@ index 35f1476..8d157ff 100644 ') ') -@@ -1039,7 +1260,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1261,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -45116,7 +45221,7 @@ index 35f1476..8d157ff 100644 ') ############################## -@@ -1074,6 +1295,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1296,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -45126,7 +45231,7 @@ index 35f1476..8d157ff 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1312,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1313,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -45134,7 +45239,7 @@ index 35f1476..8d157ff 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1119,10 +1344,13 @@ template(`userdom_admin_user_template',` +@@ -1119,10 +1345,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -45148,7 +45253,7 @@ index 35f1476..8d157ff 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1142,6 +1370,7 @@ template(`userdom_admin_user_template',` +@@ -1142,6 +1371,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -45156,7 +45261,7 @@ index 35f1476..8d157ff 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1439,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1440,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -45165,7 +45270,7 @@ index 35f1476..8d157ff 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1237,6 +1468,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1469,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -45173,7 +45278,7 @@ index 35f1476..8d157ff 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1275,12 +1507,15 @@ template(`userdom_security_admin_template',` +@@ -1275,12 +1508,15 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -45190,7 +45295,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -1391,6 +1626,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1391,6 +1627,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -45198,7 +45303,7 @@ index 35f1476..8d157ff 100644 files_search_home($1) ') -@@ -1437,6 +1673,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1437,6 +1674,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -45213,7 +45318,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -1452,9 +1696,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1452,9 +1697,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -45225,7 +45330,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -1511,6 +1757,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1511,6 +1758,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45268,7 +45373,7 @@ index 35f1476..8d157ff 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1585,6 +1867,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1585,6 +1868,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -45277,7 +45382,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -1599,10 +1883,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1599,10 +1884,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45292,7 +45397,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -1645,34 +1931,53 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1645,34 +1932,53 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## 
@@ -45354,7 +45459,7 @@ index 35f1476..8d157ff 100644 gen_require(` type user_home_dir_t, user_home_t; ') -@@ -1696,12 +2001,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1696,12 +2002,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -45387,7 +45492,7 @@ index 35f1476..8d157ff 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1712,11 +2037,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1712,11 +2038,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -45405,7 +45510,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -1806,8 +2134,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1806,8 +2135,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45415,7 +45520,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -1823,20 +2150,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1823,20 +2151,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45440,7 +45545,7 @@ index 35f1476..8d157ff 100644 ######################################## ## -@@ -2178,7 +2499,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2178,7 +2500,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45449,7 +45554,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -2431,13 +2752,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2431,13 +2753,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -45465,7 +45570,7 @@ index 35f1476..8d157ff 100644 ## ## ## -@@ -2458,26 +2780,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2458,26 +2781,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -45492,7 +45597,7 @@ index 35f1476..8d157ff 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2811,7 +3113,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2811,7 +3114,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -45501,7 +45606,7 @@ index 35f1476..8d157ff 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2827,11 +3129,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2827,11 +3130,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -45517,7 +45622,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -2913,7 +3217,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2913,7 +3218,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -45526,7 +45631,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -2968,7 +3272,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2968,7 +3273,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -45573,7 +45678,7 @@ index 35f1476..8d157ff 100644 ') ######################################## -@@ -3005,6 +3347,7 @@ interface(`userdom_read_all_users_state',` +@@ -3005,6 +3348,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -45581,7 +45686,7 @@ index 35f1476..8d157ff 100644 kernel_search_proc($1) ') -@@ -3135,3 +3478,854 @@ interface(`userdom_dbus_send_all_users',` +@@ -3135,3 +3479,854 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
diff --git a/selinux-policy.spec b/selinux-policy.spec index e0cb57e1..47f2acbd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.6 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,15 @@ exit 0 %endif %changelog +* Tue Oct 12 2010 Dan Walsh 3.9.6-3 +-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access +- dovecot-auth_t needs ipc_lock +- gpm needs to use the user terminal +- Allow system_mail_t to append ~/dead.letter +- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf +- Add pid file to vnstatd +- Allow mount to communicate with gfs_controld +- Dontaudit hal leaks in setfiles * Fri Oct 8 2010 Dan Walsh 3.9.6-2 - Lots of fixes for systemd