From fb7e97f251620f6f73096b947017ee99977c326c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 4 Apr 2011 17:35:35 +0000 Subject: [PATCH] - Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state --- policy-F16.patch | 321 +++++++++++++++++++++++++++++--------------- selinux-policy.spec | 6 +- 2 files changed, 219 insertions(+), 108 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index 59703ba0..2e87799f 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -32212,7 +32212,7 @@ index 8581040..2367841 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..f1eff62 100644 +index bf64a4c..8a9789c 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) @@ -32284,7 +32284,15 @@ index bf64a4c..f1eff62 100644 dev_read_sysfs(nrpe_t) dev_read_urand(nrpe_t) -@@ -270,12 +273,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -211,6 +214,7 @@ domain_read_all_domains_state(nrpe_t) + + files_read_etc_runtime_files(nrpe_t) + files_read_etc_files(nrpe_t) ++files_read_usr_files(nrpe_t) + + fs_getattr_all_fs(nrpe_t) + fs_search_auto_mountpoints(nrpe_t) +@@ -270,12 +274,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -32297,7 +32305,7 @@ index bf64a4c..f1eff62 100644 kernel_read_kernel_sysctls(nagios_mail_plugin_t) corecmd_read_bin_files(nagios_mail_plugin_t) -@@ -299,7 +300,7 @@ optional_policy(` +@@ -299,7 +301,7 @@ optional_policy(` optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) @@ -32306,7 +32314,7 @@ index bf64a4c..f1eff62 100644 ') ###################################### -@@ -310,6 +311,9 @@ optional_policy(` +@@ -310,6 +312,9 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; @@ -32316,7 +32324,7 @@ index bf64a4c..f1eff62 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; @@ -32324,7 +32332,7 @@ index bf64a4c..f1eff62 100644 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; -@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -32333,7 +32341,7 @@ index bf64a4c..f1eff62 100644 ') optional_policy(` -@@ -363,7 +368,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -363,7 +369,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -40048,7 +40056,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..2c24007 100644 +index e30bb63..941f823 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -40082,7 +40090,7 @@ index e30bb63..2c24007 100644 # smbd Local policy # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -41756,7 +41764,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..80b2f2e 100644 +index 22adaca..68ad7a7 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -41958,7 +41966,7 @@ index 22adaca..80b2f2e 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -393,14 +408,11 @@ template(`ssh_role_template',` +@@ -393,14 +408,13 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. @@ -41971,10 +41979,12 @@ index 22adaca..80b2f2e 100644 - allow $3 $1_ssh_agent_t:fd use; - allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; - allow $3 $1_ssh_agent_t:process sigchld; ++ ++ ssh_run_keygen($3,$2) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +489,9 @@ interface(`ssh_read_pipes',` +@@ -477,8 +491,9 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -41985,7 +41995,7 @@ index 22adaca..80b2f2e 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +507,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +509,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -41994,7 +42004,7 @@ index 22adaca..80b2f2e 100644 ') ######################################## -@@ -586,6 +599,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +601,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -42019,7 +42029,7 @@ index 22adaca..80b2f2e 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +649,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +651,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -42028,7 +42038,7 @@ index 22adaca..80b2f2e 100644 files_search_pids($1) ') -@@ -680,6 +711,32 @@ interface(`ssh_domtrans_keygen',` +@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -42061,7 +42071,7 @@ index 22adaca..80b2f2e 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +752,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -42070,7 +42080,7 @@ index 22adaca..80b2f2e 100644 ') ###################################### -@@ -735,3 +792,21 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -42093,7 +42103,7 @@ index 22adaca..80b2f2e 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..7f14c83 100644 +index 2dad3c8..594aa01 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -42422,7 +42432,7 @@ index 2dad3c8..7f14c83 100644 ') dnl endif TODO ######################################## -@@ -322,14 +369,18 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,14 +369,19 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -42438,11 +42448,12 @@ index 2dad3c8..7f14c83 100644 +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) ++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -353,7 +404,7 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,7 +405,7 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -49359,7 +49370,7 @@ index cc83689..3388f34 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..55561ae 100644 +index ea29513..819a8d5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -50078,7 +50089,15 @@ index ea29513..55561ae 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -810,11 +1103,19 @@ optional_policy(` +@@ -800,7 +1093,6 @@ optional_policy(` + ') + + optional_policy(` +- udev_rw_db(initrc_t) + udev_manage_pid_files(initrc_t) + udev_manage_rules_files(initrc_t) + ') +@@ -810,11 +1102,19 @@ optional_policy(` ') optional_policy(` @@ -50099,7 +50118,7 @@ index ea29513..55561ae 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1125,25 @@ optional_policy(` +@@ -824,6 +1124,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -50125,7 +50144,7 @@ index ea29513..55561ae 100644 ') optional_policy(` -@@ -849,3 +1169,42 @@ optional_policy(` +@@ -849,3 +1168,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -53434,7 +53453,7 @@ index 170e2c7..0aa893a 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..1d43b4b 100644 +index 7ed9819..5ae4038 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -53617,7 +53636,7 @@ index 7ed9819..1d43b4b 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -353,7 +382,7 @@ optional_policy(` +@@ -353,16 +382,19 @@ optional_policy(` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -53626,7 +53645,11 @@ index 7ed9819..1d43b4b 100644 # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search }; + # the failed access to the current directory + dontaudit run_init_t self:capability { dac_override dac_read_search }; + ++kernel_dontaudit_getattr_core_if(run_init_t) ++ corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) @@ -53634,7 +53657,7 @@ index 7ed9819..1d43b4b 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t) +@@ -380,6 +412,8 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -53643,7 +53666,15 @@ index 7ed9819..1d43b4b 100644 auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_domtrans_upd_passwd(run_init_t) -@@ -396,7 +428,7 @@ miscfiles_read_localization(run_init_t) +@@ -388,6 +422,7 @@ auth_dontaudit_read_shadow(run_init_t) + init_spec_domtrans_script(run_init_t) + # for utmp + init_rw_utmp(run_init_t) ++init_dontaudit_getattr_initctl(run_init_t) + + logging_send_syslog_msg(run_init_t) + +@@ -396,7 +431,7 @@ miscfiles_read_localization(run_init_t) seutil_libselinux_linked(run_init_t) seutil_read_default_contexts(run_init_t) @@ -53652,7 +53683,7 @@ index 7ed9819..1d43b4b 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',` +@@ -405,6 +440,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -53662,13 +53693,17 @@ index 7ed9819..1d43b4b 100644 +') + +optional_policy(` ++ gpm_dontaudit_getattr_gpmctl(run_init_t) ++') ++ ++optional_policy(` + rpm_domtrans(run_init_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +461,22 @@ optional_policy(` +@@ -420,61 +468,22 @@ optional_policy(` # semodule local policy # @@ -53678,22 +53713,22 @@ index 7ed9819..1d43b4b 100644 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; - -allow semanage_t policy_config_t:file rw_file_perms; -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; - +- -dev_read_urand(semanage_t) -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - +- -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -53715,13 +53750,13 @@ index 7ed9819..1d43b4b 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - +- -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) -- ++# Admins are creating pp files in random locations ++auth_read_all_files_except_shadow(semanage_t) + -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) @@ -53738,7 +53773,7 @@ index 7ed9819..1d43b4b 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +489,69 @@ ifdef(`distro_debian',` +@@ -487,118 +496,69 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') @@ -53787,19 +53822,13 @@ index 7ed9819..1d43b4b 100644 - -domain_use_interactive_fds(setfiles_t) -domain_dontaudit_search_all_domains_state(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - +- -files_read_etc_runtime_files(setfiles_t) -files_read_etc_files(setfiles_t) -files_list_all(setfiles_t) -files_relabel_all_files(setfiles_t) -files_read_usr_symlinks(setfiles_t) -+# Bug in semanage -+seutil_domtrans_setfiles(setsebool_t) -+seutil_manage_file_contexts(setsebool_t) -+seutil_manage_default_contexts(setsebool_t) -+seutil_manage_config(setsebool_t) - +- -fs_getattr_xattr_fs(setfiles_t) -fs_list_all(setfiles_t) -fs_search_auto_mountpoints(setfiles_t) @@ -53827,9 +53856,15 @@ index 7ed9819..1d43b4b 100644 -init_use_script_fds(setfiles_t) -init_use_script_ptys(setfiles_t) -init_exec_script_files(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -logging_send_syslog_msg(setfiles_t) -- ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_config(setsebool_t) + -miscfiles_read_localization(setfiles_t) +######################################## +# @@ -54753,26 +54788,29 @@ index 0000000..1e5b954 + readahead_manage_pid_files(systemd_notify_t) +') diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 0291685..ff75c28 100644 +index 0291685..7e94f4b 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc -@@ -11,6 +11,9 @@ +@@ -1,6 +1,6 @@ +-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) +-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0) +-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0) ++/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0) ++/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0) ++/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0) - /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) + /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + +@@ -21,4 +21,6 @@ -+/run/udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) -+/run/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) -+ - /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) -@@ -22,3 +25,4 @@ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) - /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ++/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 025348a..8b50d5f 100644 +index 025348a..4e2ca03 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` @@ -54793,26 +54831,29 @@ index 025348a..8b50d5f 100644 ') ######################################## -@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',` - interface(`udev_read_db',` +@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',` + # + interface(`udev_dontaudit_search_db',` gen_require(` - type udev_tbl_t; -+ type device_t; +- type udev_tbl_t; ++ type udev_var_run_t; ') - dev_list_all_dev_nodes($1) - allow $1 udev_tbl_t:dir list_dir_perms; - read_files_pattern($1, udev_tbl_t, udev_tbl_t) - read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) -+ allow $1 device_t:file read_file_perms; +- dontaudit $1 udev_tbl_t:dir search_dir_perms; ++ dontaudit $1 udev_var_run_t:dir search_dir_perms; ') ######################################## -@@ -214,6 +216,24 @@ interface(`udev_rw_db',` - - ######################################## - ## -+## Allow process to modify relabelto udev database +@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',` + ## + # + interface(`udev_read_db',` ++ udev_read_pid_files($1) ++') ++ ++######################################## ++## ++## Allow process to modify list of devices. +## +## +## @@ -54820,21 +54861,73 @@ index 025348a..8b50d5f 100644 +## +## +# ++interface(`udev_rw_db',` + gen_require(` +- type udev_tbl_t; ++ type udev_var_run_t; + ') + ++ files_search_pids($1) + dev_list_all_dev_nodes($1) +- allow $1 udev_tbl_t:dir list_dir_perms; +- read_files_pattern($1, udev_tbl_t, udev_tbl_t) +- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) ++ rw_files_pattern($1, udev_var_run_t, udev_var_run_t) + ') + + ######################################## + ## +-## Allow process to modify list of devices. ++## Allow process to modify relabelto udev database + ## + ## + ## +@@ -203,13 +216,36 @@ interface(`udev_read_db',` + ## + ## + # +-interface(`udev_rw_db',` +interface(`udev_relabelto_db',` + gen_require(` -+ type udev_tbl_t; ++ type udev_var_run_t; + ') + -+ allow $1 udev_tbl_t:file relabelto_file_perms; ++ files_search_pids($1) ++ allow $1 udev_var_run_t:file relabelto_file_perms; +') + +######################################## +## - ## Create, read, write, and delete - ## udev pid files. - ## -@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',` - files_search_var_lib($1) ++## Create, read, write, and delete ++## udev pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udev_read_pid_files',` + gen_require(` +- type udev_tbl_t; ++ type udev_var_run_t; + ') + + dev_list_all_dev_nodes($1) +- allow $1 udev_tbl_t:file rw_file_perms; ++ files_search_pids($1) ++ allow $1 udev_var_run_t:dir list_dir_perms; ++ read_files_pattern($1, udev_var_run_t, udev_var_run_t) ++ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t) + ') + + ######################################## +@@ -228,6 +264,65 @@ interface(`udev_manage_pid_files',` + type udev_var_run_t; + ') + +- files_search_var_lib($1) ++ files_search_pids($1) manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ') + @@ -54897,10 +54990,10 @@ index 025348a..8b50d5f 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..1cadaa2 100644 +index d88f7c3..b18dc17 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te -@@ -14,6 +14,8 @@ domain_entry_file(udev_t, udev_helper_exec_t) +@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) domain_interactive_fd(udev_t) init_daemon_domain(udev_t, udev_exec_t) @@ -54909,7 +55002,19 @@ index d88f7c3..1cadaa2 100644 type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) -@@ -38,6 +40,12 @@ ifdef(`enable_mcs',` +-type udev_tbl_t alias udev_tdb_t; +-files_type(udev_tbl_t) +- + type udev_rules_t; + files_type(udev_rules_t) + + type udev_var_run_t; + files_pid_file(udev_var_run_t) ++typealias udev_var_run_t alias udev_tbl_t; + + ifdef(`enable_mcs',` + kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) +@@ -38,6 +38,12 @@ ifdef(`enable_mcs',` allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; dontaudit udev_t self:capability sys_tty_config; @@ -54922,7 +55027,7 @@ index d88f7c3..1cadaa2 100644 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; -@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -54930,27 +55035,29 @@ index d88f7c3..1cadaa2 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -64,7 +73,8 @@ allow udev_t udev_etc_t:file read_file_perms; +@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t) + # read udev config + allow udev_t udev_etc_t:file read_file_perms; - # create udev database in /dev/.udevdb - allow udev_t udev_tbl_t:file manage_file_perms; +-# create udev database in /dev/.udevdb +-allow udev_t udev_tbl_t:file manage_file_perms; -dev_filetrans(udev_t, udev_tbl_t, file) -+allow udev_t udev_tbl_t:lnk_file manage_file_perms; -+dev_filetrans(udev_t, udev_tbl_t, { file lnk_file } ) - +- list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) read_files_pattern(udev_t, udev_rules_t, udev_rules_t) -@@ -72,7 +82,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t) + manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) -files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) +allow udev_t udev_var_run_t:file mounton; ++dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } ) ++ kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -87,6 +98,7 @@ kernel_rw_unix_dgram_sockets(udev_t) +@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) kernel_search_debugfs(udev_t) @@ -54958,7 +55065,7 @@ index d88f7c3..1cadaa2 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -111,15 +123,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) @@ -54980,7 +55087,7 @@ index d88f7c3..1cadaa2 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +160,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -54988,7 +55095,7 @@ index d88f7c3..1cadaa2 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +204,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +199,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -55008,7 +55115,7 @@ index d88f7c3..1cadaa2 100644 ') optional_policy(` -@@ -216,11 +235,16 @@ optional_policy(` +@@ -216,11 +230,16 @@ optional_policy(` ') optional_policy(` @@ -55025,7 +55132,7 @@ index d88f7c3..1cadaa2 100644 ') optional_policy(` -@@ -233,6 +257,10 @@ optional_policy(` +@@ -233,6 +252,10 @@ optional_policy(` ') optional_policy(` @@ -55036,7 +55143,7 @@ index d88f7c3..1cadaa2 100644 lvm_domtrans(udev_t) ') -@@ -259,6 +287,10 @@ optional_policy(` +@@ -259,6 +282,10 @@ optional_policy(` ') optional_policy(` @@ -55047,7 +55154,7 @@ index d88f7c3..1cadaa2 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +305,11 @@ optional_policy(` +@@ -273,6 +300,11 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 6d3fe779..3ceed1a9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,10 @@ exit 0 %endif %changelog +* Mon Apr 4 2011 Miroslav Grepl 3.9.16-11 +- Fix label for /var/run/udev to udev_var_run_t +- Mock needs to be able to read network state + * Fri Apr 1 2011 Miroslav Grepl 3.9.16-10 - Add file_contexts.subs to handle /run and /run/lock - Add other fixes relating to /run changes from F15 policy