From f125066d3cea127878da28756076e8bd9f5a9a19 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 30 Jan 2013 12:41:36 +0100 Subject: [PATCH] * Wed Jan 30 2013 Miroslav Grepl 3.12.1-9 - boinc_cliean wants also execmem as boinc projecs have - Allow sa-update to search admin home for /root/.spamassassin - Allow sa-update to search admin home for /root/.spamassassin - Allow antivirus domain to read net sysctl - Dontaudit attempts from thumb_t to connect to ssd - Dontaudit attempts by readahead to read sock_files - Dontaudit attempts by readahead to read sock_files - Create tmpfs file while running as wine as user_tmpfs_t - Dontaudit attempts by readahead to read sock_files - libmpg ships badly created librarie --- policy-rawhide-base.patch | 341 +++++++++++++++++++---------------- policy-rawhide-contrib.patch | 129 ++++++++++--- selinux-policy.spec | 14 +- 3 files changed, 296 insertions(+), 188 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 3ca93a0f..a8ed5053 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -210991,7 +210991,7 @@ index c2c6e05..d0e6d1c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..6e07122 100644 +index 64ff4d7..cb04ef9 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -211184,7 +211184,33 @@ index 64ff4d7..6e07122 100644 ## Get the attributes of all named sockets. ## ## -@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',` +@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',` + + ######################################## + ## ++## Do not audit attempts to read ++## of all named sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_read_all_sockets',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ dontaudit $1 file_type:sock_file read; ++') ++ ++######################################## ++## + ## Do not audit attempts to get the attributes + ## of non security named sockets. + ## +@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -211197,7 +211223,7 @@ index 64ff4d7..6e07122 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1327,6 @@ interface(`files_list_all',` +@@ -1182,24 +1346,6 @@ interface(`files_list_all',` ######################################## ## @@ -211222,7 +211248,7 @@ index 64ff4d7..6e07122 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1570,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1589,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) @@ -211232,7 +211258,7 @@ index 64ff4d7..6e07122 100644 ') ############################################# -@@ -1673,6 +1797,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,6 +1816,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -211257,7 +211283,7 @@ index 64ff4d7..6e07122 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +1833,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +1852,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -211282,7 +211308,7 @@ index 64ff4d7..6e07122 100644 ## List the contents of the root directory. ## ## -@@ -1874,25 +2034,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2053,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -211314,7 +211340,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -1905,7 +2065,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2084,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -211323,7 +211349,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -1928,6 +2088,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2107,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -211348,7 +211374,7 @@ index 64ff4d7..6e07122 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2805,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +2824,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -211373,7 +211399,7 @@ index 64ff4d7..6e07122 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +2894,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +2913,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -211381,7 +211407,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -2706,7 +2903,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +2922,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -211390,7 +211416,7 @@ index 64ff4d7..6e07122 100644 ## ## # -@@ -2762,6 +2959,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +2978,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -211416,7 +211442,7 @@ index 64ff4d7..6e07122 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +2996,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3015,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -211441,7 +211467,7 @@ index 64ff4d7..6e07122 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3179,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,26 +3198,8 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -211463,10 +211489,14 @@ index 64ff4d7..6e07122 100644 - -######################################## -## - ## Read files in /etc that are dynamically - ## created on boot, such as mtab. +-## Read files in /etc that are dynamically +-## created on boot, such as mtab. ++## Read files in /etc that are dynamically ++## created on boot, such as mtab. ## -@@ -3003,9 +3219,7 @@ interface(`files_read_etc_runtime_files',` + ## + ##

+@@ -3003,9 +3238,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -211477,7 +211507,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -3013,18 +3227,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3246,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -211499,11 +211529,10 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -3042,7 +3255,27 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3274,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## --## Read and write files in /etc that are dynamically +## Do not audit attempts to read files +## in /etc that are dynamically +## created on boot, such as mtab. @@ -211524,11 +211553,10 @@ index 64ff4d7..6e07122 100644 + +######################################## +## -+## Read and write files in /etc that are dynamically + ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## - ## -@@ -3059,6 +3292,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3311,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -211536,7 +211564,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -3080,6 +3314,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3333,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -211544,7 +211572,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -3132,6 +3367,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3386,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -211570,7 +211598,7 @@ index 64ff4d7..6e07122 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3462,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3481,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -211596,7 +211624,7 @@ index 64ff4d7..6e07122 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3728,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3747,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -211622,7 +211650,7 @@ index 64ff4d7..6e07122 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4088,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4107,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -211666,7 +211694,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -4199,6 +4509,133 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4528,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -211800,7 +211828,7 @@ index 64ff4d7..6e07122 100644 ######################################## ## ## Allow the specified type to associate -@@ -4221,6 +4658,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +4677,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -211827,7 +211855,7 @@ index 64ff4d7..6e07122 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +4691,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +4710,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -211866,7 +211894,7 @@ index 64ff4d7..6e07122 100644 ## ## # -@@ -4271,6 +4748,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +4767,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -211874,7 +211902,7 @@ index 64ff4d7..6e07122 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +4785,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +4804,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -211882,7 +211910,7 @@ index 64ff4d7..6e07122 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +4795,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +4814,7 @@ interface(`files_list_tmp',` ## ## ## @@ -211891,7 +211919,7 @@ index 64ff4d7..6e07122 100644 ## ## # -@@ -4328,6 +4807,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +4826,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -211917,7 +211945,7 @@ index 64ff4d7..6e07122 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +4841,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +4860,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -211925,7 +211953,7 @@ index 64ff4d7..6e07122 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +4883,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +4902,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -211958,7 +211986,7 @@ index 64ff4d7..6e07122 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4438,7 +4963,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,7 +4982,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -211967,7 +211995,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -4446,17 +4971,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,17 +4990,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -211989,7 +212017,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -4464,59 +4989,53 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4464,59 +5008,53 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -212060,7 +212088,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -4524,54 +5043,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,18 +5062,96 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -212079,50 +212107,39 @@ index 64ff4d7..6e07122 100644 -## Relabel to and from all temporary -## file types. +## List all tmp directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_list_all_tmp',` - gen_require(` - attribute tmpfile; -- type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) ++ gen_require(` ++ attribute tmpfile; ++ ') ++ + allow $1 tmpfile:dir list_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of all tmp sock_file. ++') ++ ++######################################## ++## +## Relabel to and from all temporary +## directory types. - ## - ## - ## --## Domain not to audit. ++## ++## ++## +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`files_dontaudit_getattr_all_tmp_sockets',` ++# +interface(`files_relabel_all_tmp_dirs',` - gen_require(` - attribute tmpfile; ++ gen_require(` ++ attribute tmpfile; + type var_t; - ') - -- dontaudit $1 tmpfile:sock_file getattr; --') ++ ') ++ + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) +') @@ -212169,46 +212186,19 @@ index 64ff4d7..6e07122 100644 +## +## Relabel to and from all temporary +## file types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. -+## -+## -+## + ## + ## + ## +@@ -4561,7 +5177,7 @@ interface(`files_relabel_all_tmp_files',` + ## + ## + ## +-## Domain not to audit. +## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_all_tmp_sockets',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:sock_file getattr; -+') - - ######################################## - ## -@@ -4646,6 +5243,16 @@ interface(`files_purge_tmp',` + ## + ## + # +@@ -4646,6 +5262,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -212225,7 +212215,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -5223,6 +5830,24 @@ interface(`files_list_var',` +@@ -5223,6 +5849,24 @@ interface(`files_list_var',` ######################################## ## @@ -212250,7 +212240,7 @@ index 64ff4d7..6e07122 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5578,6 +6203,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6222,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -212276,7 +212266,7 @@ index 64ff4d7..6e07122 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6267,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6286,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -212285,7 +212275,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -5631,12 +6275,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6294,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -212301,7 +212291,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -5654,6 +6299,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6318,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -212309,7 +212299,7 @@ index 64ff4d7..6e07122 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6326,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6345,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -212337,7 +212327,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -5688,13 +6353,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6372,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -212354,7 +212344,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -5713,7 +6377,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6396,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -212363,7 +212353,7 @@ index 64ff4d7..6e07122 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6410,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6429,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -212371,7 +212361,7 @@ index 64ff4d7..6e07122 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5774,8 +6437,7 @@ interface(`files_getattr_generic_locks',` +@@ -5774,8 +6456,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -212381,7 +212371,7 @@ index 64ff4d7..6e07122 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6453,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6472,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -212399,7 +212389,7 @@ index 64ff4d7..6e07122 100644 ') ######################################## -@@ -5816,9 +6477,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6496,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -212410,7 +212400,7 @@ index 64ff4d7..6e07122 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6519,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6538,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -212420,7 +212410,7 @@ index 64ff4d7..6e07122 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6541,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6560,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -212430,7 +212420,7 @@ index 64ff4d7..6e07122 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6578,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6597,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -212440,7 +212430,7 @@ index 64ff4d7..6e07122 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5985,6 +6641,43 @@ interface(`files_search_pids',` +@@ -5985,6 +6660,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -212484,7 +212474,7 @@ index 64ff4d7..6e07122 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6700,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6719,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -212510,7 +212500,7 @@ index 64ff4d7..6e07122 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6122,7 +6834,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +6853,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -212518,7 +212508,7 @@ index 64ff4d7..6e07122 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6231,55 +6942,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +6961,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -212581,7 +212571,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -6287,42 +6986,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +7005,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -212631,7 +212621,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -6330,18 +7022,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7041,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -212655,7 +212645,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -6349,37 +7041,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7060,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -212707,7 +212697,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -6387,18 +7082,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7101,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -212730,7 +212720,7 @@ index 64ff4d7..6e07122 100644 ## ## ## -@@ -6406,18 +7100,284 @@ interface(`files_list_spool',` +@@ -6406,18 +7119,18 @@ interface(`files_list_spool',` ## ## # @@ -212751,13 +212741,14 @@ index 64ff4d7..6e07122 100644 -## Read generic spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6425,7 +7138,273 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_manage_all_pids',` + gen_require(` + attribute pidfile; @@ -213017,10 +213008,18 @@ index 64ff4d7..6e07122 100644 +######################################## +## +## Read generic spool files. - ## - ## - ## -@@ -6562,3 +7522,459 @@ interface(`files_unconfined',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_spool',` + gen_require(` + type var_t, var_spool_t; + ') +@@ -6562,3 +7541,459 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -220309,7 +220308,7 @@ index 76d9f66..c61ed66 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..2b21421 100644 +index fe0c682..da12170 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -220938,7 +220937,7 @@ index fe0c682..2b21421 100644 + type sshd_devpts_t; + ') + -+ allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl }; ++ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 5fc0391..f0a738c 100644 @@ -224328,10 +224327,10 @@ index 1b6619e..be02b96 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..fc63d59 100644 +index c6fdab7..cd80b96 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te -@@ -6,7 +6,27 @@ attribute application_domain_type; +@@ -6,12 +6,33 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; @@ -224346,6 +224345,8 @@ index c6fdab7..fc63d59 100644 + +files_dontaudit_search_non_security_dirs(application_domain_type) + ++auth_login_pgm_sigchld(application_domain_type) ++ +optional_policy(` + afs_rw_udp_sockets(application_domain_type) +') @@ -224359,6 +224360,11 @@ index c6fdab7..fc63d59 100644 cron_sigchld(application_domain_type) ') + optional_policy(` +- ssh_sigchld(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) + ') + diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 28ad538..ebe81bf 100644 --- a/policy/modules/system/authlogin.fc @@ -224451,7 +224457,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..de75e59 100644 +index 3efd5b6..792df83 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -224969,7 +224975,7 @@ index 3efd5b6..de75e59 100644 ') ######################################## -@@ -1805,3 +1975,200 @@ interface(`auth_unconfined',` +@@ -1805,3 +1975,219 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -225170,6 +225176,25 @@ index 3efd5b6..de75e59 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") +') ++ ++######################################## ++## ++## Send a SIGCHLD signal to login programs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_login_pgm_sigchld',` ++ gen_require(` ++ attribute login_pgm; ++ ') ++ ++ allow $1 login_pgm:process sigchld; ++') ++ diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 104037e..d10bb17 100644 --- a/policy/modules/system/authlogin.te diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 972f2b9e..fe2816cc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2432,10 +2432,10 @@ index 0000000..3929b7e +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..fa4edf1 +index 0000000..bd752cd --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,243 @@ +@@ -0,0 +1,244 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2531,6 +2531,7 @@ index 0000000..fa4edf1 + +can_exec(antivirus_domain, antivirus_exec_t) + ++kernel_read_net_sysctls(antivirus_t) +kernel_read_kernel_sysctls(antivirus_domain) +kernel_read_sysctl(antivirus_domain) +kernel_read_system_state(antivirus_t) @@ -8600,7 +8601,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..69f0a40 100644 +index 7c92aa1..1dc00c7 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,13 @@ @@ -8619,7 +8620,7 @@ index 7c92aa1..69f0a40 100644 type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -21,31 +23,64 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -21,31 +23,65 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -8650,6 +8651,7 @@ index 7c92aa1..69f0a40 100644 + +allow boinc_domain self:fifo_file rw_fifo_file_perms; +allow boinc_domain self:sem create_sem_perms; ++allow boinc_domain self:process execmem; + +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) @@ -8693,7 +8695,7 @@ index 7c92aa1..69f0a40 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +89,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -54,74 +90,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -8787,7 +8789,7 @@ index 7c92aa1..69f0a40 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +136,61 @@ init_read_utmp(boinc_t) +@@ -130,55 +137,61 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -8816,7 +8818,7 @@ index 7c92aa1..69f0a40 100644 +allow boinc_t boinc_project_t:process noatsecure; + +allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop }; -+allow boinc_project_t self:process { execmem execstack }; ++allow boinc_project_t self:process { execstack }; manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) @@ -27273,7 +27275,7 @@ index 1a5ed62..9762e4a 100644 optional_policy(` unconfined_domain(inetd_child_t) diff --git a/inn.if b/inn.if -index eb87f23..8e11e4b 100644 +index eb87f23..d3d32c3 100644 --- a/inn.if +++ b/inn.if @@ -124,6 +124,7 @@ interface(`inn_read_config',` @@ -27284,7 +27286,7 @@ index eb87f23..8e11e4b 100644 allow $1 innd_etc_t:dir list_dir_perms; allow $1 innd_etc_t:file read_file_perms; allow $1 innd_etc_t:lnk_file read_lnk_file_perms; -@@ -144,6 +145,7 @@ interface(`inn_read_news_lib',` +@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',` type innd_var_lib_t; ') @@ -27292,7 +27294,31 @@ index eb87f23..8e11e4b 100644 allow $1 innd_var_lib_t:dir list_dir_perms; allow $1 innd_var_lib_t:file read_file_perms; ') -@@ -163,6 +165,7 @@ interface(`inn_read_news_spool',` + + ######################################## + ## ++## Write innd inherited news library content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`inn_write_inherited_news_lib',` ++ gen_require(` ++ type innd_var_lib_t; ++ ') ++ ++ allow $1 innd_var_lib_t:file write_inherited_file_perms; ++') ++ ++######################################## ++## + ## Read innd news spool content. + ## + ## +@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',` type news_spool_t; ') @@ -27300,7 +27326,7 @@ index eb87f23..8e11e4b 100644 allow $1 news_spool_t:dir list_dir_perms; allow $1 news_spool_t:file read_file_perms; allow $1 news_spool_t:lnk_file read_lnk_file_perms; -@@ -226,8 +229,15 @@ interface(`inn_domtrans',` +@@ -226,8 +247,15 @@ interface(`inn_domtrans',` interface(`inn_admin',` gen_require(` type innd_t, innd_etc_t, innd_log_t; @@ -61608,7 +61634,7 @@ index 661bb88..06f69c4 100644 +') + diff --git a/readahead.te b/readahead.te -index f1512d6..ba3b9b2 100644 +index f1512d6..93f1ee6 100644 --- a/readahead.te +++ b/readahead.te @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -61638,7 +61664,7 @@ index f1512d6..ba3b9b2 100644 dev_getattr_generic_chr_files(readahead_t) dev_getattr_generic_blk_files(readahead_t) dev_getattr_all_chr_files(readahead_t) -@@ -51,12 +56,21 @@ domain_use_interactive_fds(readahead_t) +@@ -51,12 +56,22 @@ domain_use_interactive_fds(readahead_t) domain_read_all_domains_state(readahead_t) files_create_boot_flag(readahead_t) @@ -61651,6 +61677,7 @@ index f1512d6..ba3b9b2 100644 files_dontaudit_getattr_non_security_blk_files(readahead_t) +files_dontaudit_all_access_check(readahead_t) +files_dontaudit_read_security_files(readahead_t) ++files_dontaudit_read_all_sockets(readahead_t) + +ifdef(`hide_broken_symptoms', ` + files_dontaudit_write_all_files(readahead_t) @@ -61660,7 +61687,7 @@ index f1512d6..ba3b9b2 100644 fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -66,13 +80,12 @@ fs_read_cgroup_files(readahead_t) +@@ -66,13 +81,12 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -61675,7 +61702,7 @@ index f1512d6..ba3b9b2 100644 mls_file_read_all_levels(readahead_t) storage_raw_read_fixed_disk(readahead_t) -@@ -84,13 +97,13 @@ auth_dontaudit_read_shadow(readahead_t) +@@ -84,13 +98,13 @@ auth_dontaudit_read_shadow(readahead_t) init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) @@ -71923,7 +71950,7 @@ index 88e753f..ca74cd9 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 5f35d78..7bffa0b 100644 +index 5f35d78..d4003d0 100644 --- a/sendmail.te +++ b/sendmail.te @@ -1,18 +1,10 @@ @@ -72090,7 +72117,18 @@ index 5f35d78..7bffa0b 100644 ') optional_policy(` -@@ -166,6 +159,11 @@ optional_policy(` +@@ -158,6 +151,10 @@ optional_policy(` + ') + + optional_policy(` ++ inn_write_inherited_news_lib(sendmail_t) ++') ++ ++optional_policy(` + milter_stream_connect_all(sendmail_t) + ') + +@@ -166,6 +163,11 @@ optional_policy(` ') optional_policy(` @@ -72102,7 +72140,7 @@ index 5f35d78..7bffa0b 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -187,21 +185,13 @@ optional_policy(` +@@ -187,21 +189,13 @@ optional_policy(` ') optional_policy(` @@ -74691,7 +74729,7 @@ index 1499b0b..82fc7f6 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index 4faa7e0..258b449 100644 +index 4faa7e0..9e4d192 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -1,4 +1,4 @@ @@ -75394,7 +75432,7 @@ index 4faa7e0..258b449 100644 ') optional_policy(` -@@ -474,32 +552,29 @@ optional_policy(` +@@ -474,32 +552,30 @@ optional_policy(` ######################################## # @@ -75418,6 +75456,7 @@ index 4faa7e0..258b449 100644 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) -kernel_read_system_state(spamd_update_t) ++allow spamd_update_t spamc_home_t:dir search_dir_perms; +allow spamd_update_t spamd_tmp_t:file read_file_perms; -corenet_all_recvfrom_unlabeled(spamd_update_t) @@ -75434,7 +75473,7 @@ index 4faa7e0..258b449 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +583,20 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -75447,6 +75486,7 @@ index 4faa7e0..258b449 100644 +mta_read_config(spamd_update_t) -userdom_use_user_terminals(spamd_update_t) ++userdom_search_admin_dir(spamd_update_t) +userdom_use_inherited_user_ptys(spamd_update_t) optional_policy(` @@ -75723,7 +75763,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..54c45f6 100644 +index a240455..6c2da43 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -75978,18 +76018,36 @@ index a240455..54c45f6 100644 ## ## ## -@@ -317,8 +352,8 @@ interface(`sssd_stream_connect',` +@@ -317,8 +352,26 @@ interface(`sssd_stream_connect',` ######################################## ## -## All of the rules required to -## administrate an sssd environment. ++## Dontaudit attempts to connect to sssd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_dontaudit_stream_connect',` ++ gen_require(` ++ type sssd_t; ++ ') ++ ++ dontaudit $1 sssd_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an sssd environment ## ## ## -@@ -327,7 +362,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +380,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -75998,7 +76056,7 @@ index a240455..54c45f6 100644 ## ## ## -@@ -335,27 +370,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +388,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -78828,10 +78886,10 @@ index 0000000..72c42ad +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..4f8e329 +index 0000000..aaf768a --- /dev/null +++ b/thumb.te -@@ -0,0 +1,132 @@ +@@ -0,0 +1,137 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -78949,6 +79007,7 @@ index 0000000..4f8e329 + gnome_dontaudit_search_config(thumb_t) + gnome_append_generic_cache_files(thumb_t) + gnome_read_generic_data_home_files(thumb_t) ++ gnome_dontaudit_rw_generic_cache_files(thumb_t) + gnome_manage_gstreamer_home_files(thumb_t) + gnome_manage_gstreamer_home_dirs(thumb_t) + gnome_exec_gstreamer_home_files(thumb_t) @@ -78957,6 +79016,10 @@ index 0000000..4f8e329 +') + +optional_policy(` ++ sssd_dontaudit_stream_connect(thumb_t) ++') ++ ++optional_policy(` + nscd_dontaudit_write_sock_file(thumb_t) +') + @@ -85603,10 +85666,18 @@ index fd2b6cc..4b83bb0 100644 ######################################## diff --git a/wine.te b/wine.te -index b51923c..22e9047 100644 +index b51923c..bdbac3a 100644 --- a/wine.te +++ b/wine.te -@@ -48,7 +48,7 @@ domain_mmap_low(wine_t) +@@ -39,6 +39,7 @@ allow wine_t self:fifo_file manage_fifo_file_perms; + can_exec(wine_t, wine_exec_t) + + userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") ++userdom_tmpfs_filetrans(wine_t, file) + + manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) + manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) +@@ -48,7 +49,7 @@ domain_mmap_low(wine_t) files_execmod_all_files(wine_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d24a3c2c..00cba9aa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 30 2013 Miroslav Grepl 3.12.1-9 +- boinc_cliean wants also execmem as boinc projecs have +- Allow sa-update to search admin home for /root/.spamassassin +- Allow sa-update to search admin home for /root/.spamassassin +- Allow antivirus domain to read net sysctl +- Dontaudit attempts from thumb_t to connect to ssd +- Dontaudit attempts by readahead to read sock_files +- Dontaudit attempts by readahead to read sock_files +- Create tmpfs file while running as wine as user_tmpfs_t +- Dontaudit attempts by readahead to read sock_files +- libmpg ships badly created librarie + * Mon Jan 28 2013 Miroslav Grepl 3.12.1-8 - Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read systemd_logind seat information