From 0e68611763c1a40ace89daae3d73e74208a7fee5 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 07 2013 20:49:53 +0000 Subject: - Fix allow rules for postfix_var_run - Allow cobblerd to read /etc/passwd - Allow keystonte_t to execute rpm - Allow tcpd to execute leafnode - Allow glance-api to connect to http port to make glance image-create workin - Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid - Allow virsh to read xen lock file - Allow qemu-ga to create files in /run with proper labeling - Allow glusterd to connect to own socket in /tmp - Allow unbound net_admin capability because of setsockopt syscall - Allow mout to stream connect to rpcbind --- diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index 5c2edfb..b04d97d 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -6195,7 +6195,7 @@ index 44a1e3d..bc50fd6 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 0968cb4..b68812a 100644 +index 0968cb4..895ac30 100644 --- a/bind.te +++ b/bind.te @@ -6,6 +6,13 @@ policy_module(bind, 1.11.0) @@ -6239,9 +6239,12 @@ index 0968cb4..b68812a 100644 type named_log_t; logging_log_file(named_log_t) -@@ -62,6 +73,7 @@ role system_r types ndc_t; +@@ -60,8 +71,9 @@ role system_r types ndc_t; + # Named local policy + # - allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; +-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; +allow named_t self:capability2 block_suspend; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; @@ -24120,7 +24123,7 @@ index 7ff9d6d..b1c97f2 100644 allow $1 glance_api_t:process signal_perms; ps_process_pattern($1, glance_api_t) 
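Review bot: The `net_admin` capability is added to named_t in bind.te, but the commit message attributes this grant to unbound ("Allow unbound net_admin capability because of setsockopt syscall"); either the message or the target domain looks wrong and the two should be reconciled before this ships. net_admin is a broad capability (it covers interface, routing and firewall configuration, not just socket options), so the rule deserves a comment naming the trigger, e.g. `# net_admin: required by a setsockopt() call named makes at startup — TODO name the option`. If named tolerates that setsockopt failing, `dontaudit named_t self:capability net_admin;` would silence the denial without widening the domain; please confirm against the audit log. The inner bind.te hunk's trailing context lines fall outside this outer hunk.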
diff --git a/glance.te b/glance.te -index 4afb81f..dfddf79 100644 +index 4afb81f..aae5156 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.0) @@ -24205,13 +24208,16 @@ index 4afb81f..dfddf79 100644 ######################################## # -@@ -94,11 +119,11 @@ can_exec(glance_api_t, glance_tmp_t) +@@ -94,11 +119,14 @@ can_exec(glance_api_t, glance_tmp_t) corecmd_exec_shell(glance_api_t) corenet_tcp_bind_generic_node(glance_api_t) +corenet_tcp_bind_glance_port(glance_api_t) corenet_tcp_bind_hplip_port(glance_api_t) corenet_tcp_connect_glance_registry_port(glance_api_t) ++corenet_tcp_connect_mysqld_port(glance_api_t) ++corenet_tcp_connect_http_port(glance_api_t) ++ +corenet_tcp_connect_all_ephemeral_ports(glance_api_t) dev_read_urand(glance_api_t) @@ -24396,10 +24402,10 @@ index 0000000..e15bbb0 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..63aa5b0 +index 0000000..5200157 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,142 @@ +@@ -0,0 +1,141 @@ +policy_module(glusterd, 1.0.0) + +## @@ -24461,13 +24467,12 @@ index 0000000..63aa5b0 +allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner }; +allow glusterd_t self:capability2 block_suspend; +allow glusterd_t self:process { setrlimit signal }; -+allow glusterd_t self:capability sys_resource; + +allow glusterd_t self:fifo_file rw_fifo_file_perms; +allow glusterd_t self:netlink_route_socket r_netlink_socket_perms; +allow glusterd_t self:tcp_socket create_stream_socket_perms; +allow glusterd_t self:udp_socket create_socket_perms; -+allow glusterd_t self:unix_stream_socket create_stream_socket_perms; ++allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow glusterd_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) @@ -31249,10 +31254,10 @@ index 0000000..f20248c +') 
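Review bot: `corenet_tcp_connect_mysqld_port(glance_api_t)` is added next to the http port grant, yet the commit message only names the http port for image-create; the database grant should be listed in the changelog or explained on the rule, e.g. `# glance-api connects to its SQL backend directly`, so the widening stays traceable. The existing `corenet_tcp_connect_all_ephemeral_ports` does not cover either port, so both explicit grants are still meaningful. The glance_api_t local policy block continues outside the hunk.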
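Review bot: Besides adding `connectto` to the self unix_stream_socket rule, this hunk deletes `allow glusterd_t self:capability sys_resource;` outright — sys_resource does not reappear in the `self:capability` set above it — while the commit message only mentions the socket change. glusterd_t keeps `self:process { setrlimit signal }`, and raising a hard resource limit may now be denied on the missing capability, so if the removal is deliberate it should be stated in the changelog; otherwise fold `sys_resource` into the capability set a few lines up. The glusterd_t local policy block continues outside the hunk.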
diff --git a/keystone.te b/keystone.te new file mode 100644 -index 0000000..28af309 +index 0000000..7b7cc8d --- /dev/null +++ b/keystone.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,87 @@ +policy_module(keystone, 1.0.0) + +######################################## @@ -31336,6 +31341,10 @@ index 0000000..28af309 +optional_policy(` + postgresql_stream_connect(keystone_t) +') ++ ++optional_policy(` ++ rpm_exec(keystone_t) ++') diff --git a/kismet.if b/kismet.if index c18c920..582f7f3 100644 --- a/kismet.if @@ -43270,7 +43279,7 @@ index 0a929ef..371119d 100644 /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) diff --git a/nut.te b/nut.te -index ff962dd..7c6ea74 100644 +index ff962dd..f7f4b87 100644 --- a/nut.te +++ b/nut.te @@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t) @@ -43297,7 +43306,7 @@ index ff962dd..7c6ea74 100644 mta_send_mail(nut_upsmon_t) -@@ -133,6 +132,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t) +@@ -133,10 +132,12 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t) # /sbin/upsdrvctl executes other drivers corecmd_exec_bin(nut_upsdrvctl_t) @@ -43305,7 +43314,12 @@ index ff962dd..7c6ea74 100644 dev_read_urand(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) -@@ -144,7 +144,6 @@ init_sigchld(nut_upsdrvctl_t) + term_use_unallocated_ttys(nut_upsdrvctl_t) ++term_use_usb_ttys(nut_upsdrvctl_t) + + auth_use_nsswitch(nut_upsdrvctl_t) + +@@ -144,7 +145,6 @@ init_sigchld(nut_upsdrvctl_t) logging_send_syslog_msg(nut_upsdrvctl_t) @@ -43313,7 +43327,7 @@ index ff962dd..7c6ea74 100644 ####################################### # -@@ -157,7 +156,6 @@ optional_policy(` +@@ -157,7 +157,6 @@ optional_policy(` read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) @@ -50861,7 +50875,7 @@ index 46bee12..20a3ccd 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index a1e0f60..63051d9 100644 +index a1e0f60..7308619 100644 --- a/postfix.te +++ b/postfix.te 
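Review bot: `rpm_exec(keystone_t)` runs the rpm binary inside keystone_t without a domain transition, which is the least-privilege choice if only package queries are intended, but it grants execute only; if keystone runs a query such as `rpm -q`, reading the RPM database still needs `rpm_read_db(keystone_t)` or the query will be denied — please verify with the audit log that produced this request. The new block should say why keystone invokes rpm at all, e.g. `# keystone queries installed package versions via rpm — TODO confirm the command`. The commit message also misspells the domain as `keystonte_t`.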
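Review bot: `term_use_usb_ttys(nut_upsdrvctl_t)` is the only functional grant in this hunk (the rest is context renumbering), yet it appears in neither the commit subject list nor as its own changelog line — in the spec changelog it is fused onto the end of the glance entry. A comment on the rule would keep the reason reviewable, e.g. `# UPS drivers attached through USB-serial adapters — TODO confirm the driver`. The nut_upsdrvctl_t local policy block continues outside the hunk.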
@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) @@ -51293,7 +51307,15 @@ index a1e0f60..63051d9 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +624,9 @@ postfix_list_spool(postfix_showq_t) +@@ -532,6 +617,7 @@ allow postfix_showq_t self:capability { setuid setgid }; + allow postfix_showq_t self:tcp_socket create_socket_perms; + + allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; ++rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t) + + allow postfix_showq_t postfix_spool_t:file read_file_perms; + +@@ -539,7 +625,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -51304,7 +51326,7 @@ index a1e0f60..63051d9 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +645,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +646,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -51317,7 +51339,7 @@ index a1e0f60..63051d9 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +658,14 @@ optional_policy(` +@@ -565,6 +659,14 @@ optional_policy(` ') optional_policy(` @@ -51332,7 +51354,7 @@ index a1e0f60..63051d9 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +682,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +683,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -51359,7 +51381,7 @@ index a1e0f60..63051d9 100644 ') optional_policy(` -@@ -599,6 +708,11 @@ optional_policy(` +@@ -599,6 +709,11 @@ optional_policy(` ') optional_policy(` 
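Review bot: `rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)` grants read/write on every file labelled postfix_var_run_t, not only the `unix.showq` lock file the changelog names, so showq can also modify the pid files of the other postfix daemons. If that breadth is accepted because the type is shared across the daemons, record it next to the rule, e.g. `# showq updates its lock file unix.showq in /var/spool/postfix/pid; postfix_var_run_t is shared with the other daemons`. Should a narrower type ever be split out for the pid directory, this rule should move with it. The postfix_showq_t local policy block continues outside the hunk.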
@@ -51371,7 +51393,7 @@ index a1e0f60..63051d9 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +725,6 @@ optional_policy(` +@@ -611,7 +726,6 @@ optional_policy(` # Postfix virtual local policy # @@ -51379,7 +51401,7 @@ index a1e0f60..63051d9 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +735,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +736,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) @@ -51387,7 +51409,7 @@ index a1e0f60..63051d9 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +742,80 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +743,80 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -72987,7 +73009,7 @@ index 32a3c13..0cbca75 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index 2124b6a..014e40c 100644 +index 2124b6a..d60e3e4 100644 --- a/virt.fc +++ b/virt.fc @@ -1,6 +1,14 @@ @@ -73007,7 +73029,7 @@ index 2124b6a..014e40c 100644 /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +20,61 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +20,62 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) 
@@ -73071,6 +73093,7 @@ index 2124b6a..014e40c 100644 + +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) ++/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if index 6f0736b..bb1421c 100644 @@ -74001,7 +74024,7 @@ index 6f0736b..bb1421c 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 947bbc6..8ec8313 100644 +index 947bbc6..7763a39 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,97 @@ policy_module(virt, 1.5.0) @@ -74249,7 +74272,8 @@ index 947bbc6..8ec8313 100644 -userdom_search_user_home_content(svirt_t) -userdom_read_user_home_content_symlinks(svirt_t) -userdom_read_all_users_state(svirt_t) -- ++miscfiles_read_generic_certs(svirt_t) + -tunable_policy(`virt_use_comm',` - term_use_unallocated_ttys(svirt_t) - dev_rw_printer(svirt_t) 
@@ -74258,37 +74282,36 @@ index 947bbc6..8ec8313 100644 -tunable_policy(`virt_use_fusefs',` - fs_read_fusefs_files(svirt_t) - fs_read_fusefs_symlinks(svirt_t) --') -- ++optional_policy(` ++ nscd_use(svirt_t) + ') + -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(svirt_t) - fs_manage_nfs_files(svirt_t) -') -+miscfiles_read_generic_certs(svirt_t) ++####################################### ++# ++# svirt_prot_exec local policy ++# -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(svirt_t) - fs_manage_cifs_files(svirt_t) -+optional_policy(` -+ nscd_use(svirt_t) - ') +-') ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(svirt_t) -') -+####################################### -+# -+# svirt_prot_exec local policy -+# - +- -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(svirt_t) - fs_manage_dos_dirs(svirt_t) - fs_manage_dos_files(svirt_t) -') -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -optional_policy(` - xen_rw_image_files(svirt_t) -') @@ -74694,7 +74717,7 @@ index 947bbc6..8ec8313 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +662,648 @@ dev_write_sound(virt_domain) +@@ -438,34 +662,654 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -74754,7 +74777,7 @@ index 947bbc6..8ec8313 100644 virt_read_content(virt_domain) virt_stream_connect(virt_domain) + virt_domtrans_bridgehelper(virt_domain) -+') + ') + +optional_policy(` + xserver_rw_shm(virt_domain) @@ -74927,6 +74950,7 @@ index 947bbc6..8ec8313 100644 + +optional_policy(` + xen_manage_image_dirs(virsh_t) ++ xen_read_image_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) + xen_read_pid_files_xenstored(virsh_t) 
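Review bot: The changelog says virsh should read the xen lock file, but the hunk adds `xen_read_image_files(virsh_t)`, which grants read on every file of the xen image type; this only works if the lock file carries that label, and it also exposes all image content to virsh_t. Please confirm the lock file's label from the denial (presumably it lives in the image directory, which would explain the existing `xen_manage_image_dirs`), and annotate the rule: `# virsh reads the xen lock file kept alongside the image files`. The optional_policy block is not closed within the hunk.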
@@ -74940,7 +74964,7 @@ index 947bbc6..8ec8313 100644 + optional_policy(` + hal_dbus_chat(virsh_t) + ') - ') ++') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) @@ -75293,7 +75317,7 @@ index 947bbc6..8ec8313 100644 + +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) -+filetrans_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t,{ dir file } ) ++files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } ) + +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file ) @@ -75344,6 +75368,11 @@ index 947bbc6..8ec8313 100644 + shutdown_domtrans(virt_qemu_ga_t) +') + ++####################################### ++# ++# tye for svirt sockets ++# ++ +type svirt_socket_t; +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; diff --git a/selinux-policy.spec b/selinux-policy.spec index 2df75a0..74fd685 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 93%{?dist} +Release: 94%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
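Review bot: The comment header added at the end of this hunk reads `# tye for svirt sockets`; it should read `# type for svirt sockets`. Since the `svirt_socket_t` rules that follow grant virtd_t `connectto` on that socket type, a second line saying which service listens on it would make the block self-explanatory, e.g. `# unix sockets created for svirt guests; virtd_t connects to them`. The svirt_socket_t rules continue outside the hunk.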
@@ -521,6 +521,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %Changelog
+* Tue May 7 2013 Miroslav Grepl 3.11.1-94
+- Fix allow rules for postfix_var_run
+- Allow cobblerd to read /etc/passwd
+- Allow keystonte_t to execute rpm
+- Allow tcpd to execute leafnode
+- Allow glance-api to connect to http port to make glance image-create working- Allow NUT to use serial ports
+- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid
+- Allow virsh to read xen lock file
+- Allow qemu-ga to create files in /run with proper labeling
+- Allow glusterd to connect to own socket in /tmp
+- Allow unbound net_admin capability because of setsockopt syscall
+- Allow mout to stream connect to rpcbind
+
 * Thu May 2 2013 Miroslav Grepl 3.11.1-93
 - Allow pki apache domain to create own tmp files and execute httpd_suexec
 - Allow NM and openvpn to acces files on encrypt /home