From 2ec0a73b77c7c2e75802d69de240751342d2ac44 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 20 2013 12:54:29 +0000 Subject: * Fri Sep 20 2013 Miroslav Grepl 3.12.1-74.6 - Keep initrc_domain if init_t executes bin_t --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 151a236..a7f173d 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -27602,7 +27602,7 @@ index 24e7804..c4155c7 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..3ec4566 100644 +index dd3be8d..ee26201 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27690,7 +27690,16 @@ index dd3be8d..3ec4566 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +130,8 @@ ifdef(`enable_mls',` +@@ -66,6 +98,8 @@ role system_r types initrc_t; + # of the below init_upstart tunable + # but this has a typeattribute in it + corecmd_shell_entry_type(initrc_t) ++corecmd_bin_entry_type(initrc_t) ++corecmd_bin_domtrans(init_t, initrc_t) + + type initrc_devpts_t; + term_pty(initrc_devpts_t) +@@ -98,7 +132,8 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -27700,7 +27709,7 @@ index dd3be8d..3ec4566 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +143,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) 
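Review bot: The two lines added by the inner `@@ -66,6 +98,8 @@` hunk, `corecmd_bin_entry_type(initrc_t)` and `corecmd_bin_domtrans(init_t, initrc_t)`, carry no comment, and the comment directly above them (`# but this has a typeattribute in it`) explains only the existing `corecmd_shell_entry_type(initrc_t)` line. Together they route every bin_t executable that init_t runs into initrc_t, a domain this same patch grants very broad access (e.g. `fs_mount_all_fs(initrc_t)`, `domain_kill_all_domains(initrc_t)`), so a maintainer reading init.te later needs the rationale; the 74.5 changelog bullet deleted in this commit suggests the rule restores a transition that was removed one release earlier. I would add `# keep programs labelled bin_t that init_t executes in initrc_t rather than init_t (see 3.12.1-74.5/74.6 changelog)` above the new lines. The inner hunk sits inside init.te's initrc_t declaration block, which continues outside this hunk.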
@@ -27740,7 +27749,7 @@ index dd3be8d..3ec4566 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +179,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -27759,7 +27768,7 @@ index dd3be8d..3ec4566 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +197,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -27780,7 +27789,7 @@ index dd3be8d..3ec4566 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +220,49 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -27833,7 +27842,7 @@ index dd3be8d..3ec4566 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +271,187 @@ ifdef(`distro_gentoo',` +@@ -186,29 +273,186 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27997,7 +28006,6 @@ index dd3be8d..3ec4566 100644 + +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) -+auth_domtrans_chk_passwd(init_t) + +optional_policy(` + lvm_rw_pipes(init_t) @@ -28029,7 +28037,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -216,6 +459,27 @@ optional_policy(` +@@ -216,6 +460,27 @@ optional_policy(` ') optional_policy(` @@ -28057,7 +28065,7 @@ index dd3be8d..3ec4566 100644 unconfined_domain(init_t) ') -@@ -225,8 +489,9 @@ optional_policy(` +@@ -225,8 +490,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
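Review bot: The line `+auth_domtrans_chk_passwd(init_t)` is dropped in the `@@ -27997,7 +28006,6 @@` hunk, but neither the commit subject nor the new 74.6 changelog entry mentions it; the only record is the deleted 74.5 bullet. If the intent is that init_t no longer transitions to chkpwd_t directly and password checks from init now happen via initrc_t, that deserves a changelog bullet such as `- Revert allowing init_t to transition to chkpwd_t`, or a short comment at the removal site, since the visible effect is that an init_t exec of the password-check helper no longer changes domain (whether it is then allowed or denied depends on init_t rules not in this hunk). The enclosing `optional_policy(` blocks continue outside the hunk.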
@@ -28069,7 +28077,7 @@ index dd3be8d..3ec4566 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +522,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +523,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28086,7 +28094,7 @@ index dd3be8d..3ec4566 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +547,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +548,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28129,7 +28137,7 @@ index dd3be8d..3ec4566 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +584,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +585,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28141,7 +28149,7 @@ index dd3be8d..3ec4566 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +596,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +597,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28152,7 +28160,7 @@ index dd3be8d..3ec4566 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +607,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +608,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -28162,7 +28170,7 @@ index dd3be8d..3ec4566 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +616,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +617,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28170,7 +28178,7 @@ index dd3be8d..3ec4566 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +623,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +624,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28178,7 +28186,7 @@ index dd3be8d..3ec4566 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +631,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +632,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28196,7 +28204,7 @@ index dd3be8d..3ec4566 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +649,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +650,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28210,7 +28218,7 @@ index dd3be8d..3ec4566 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +664,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +665,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -28224,7 +28232,7 @@ index dd3be8d..3ec4566 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +677,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +678,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28232,7 +28240,7 @@ index dd3be8d..3ec4566 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +689,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +690,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28240,7 +28248,7 @@ index dd3be8d..3ec4566 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +708,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +709,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28264,7 +28272,7 @@ index dd3be8d..3ec4566 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +741,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +742,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28272,7 +28280,7 @@ index dd3be8d..3ec4566 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +775,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +776,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28283,7 +28291,7 @@ index dd3be8d..3ec4566 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +799,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +800,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -28292,7 +28300,7 @@ index dd3be8d..3ec4566 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +814,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +815,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28300,7 +28308,7 @@ index dd3be8d..3ec4566 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +835,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +836,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28308,7 +28316,7 @@ index dd3be8d..3ec4566 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +845,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +846,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28353,7 +28361,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -558,14 +890,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +891,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28385,7 +28393,7 @@ index dd3be8d..3ec4566 100644 ') ') -@@ -576,6 +925,39 @@ ifdef(`distro_suse',` +@@ -576,6 +926,39 @@ ifdef(`distro_suse',` ') ') @@ -28425,7 +28433,7 @@ index dd3be8d..3ec4566 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +970,8 @@ optional_policy(` +@@ -588,6 +971,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28434,7 +28442,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -609,6 +993,7 @@ optional_policy(` +@@ -609,6 +994,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28442,7 +28450,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -625,6 +1010,17 @@ optional_policy(` +@@ -625,6 +1011,17 @@ optional_policy(` ') optional_policy(` 
@@ -28460,7 +28468,7 @@ index dd3be8d..3ec4566 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1037,13 @@ optional_policy(` +@@ -641,9 +1038,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28474,7 +28482,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -656,15 +1056,11 @@ optional_policy(` +@@ -656,15 +1057,11 @@ optional_policy(` ') optional_policy(` @@ -28492,7 +28500,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -685,6 +1081,15 @@ optional_policy(` +@@ -685,6 +1082,15 @@ optional_policy(` ') optional_policy(` @@ -28508,7 +28516,7 @@ index dd3be8d..3ec4566 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1130,7 @@ optional_policy(` +@@ -725,6 +1131,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28516,7 +28524,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -742,7 +1148,14 @@ optional_policy(` +@@ -742,7 +1149,14 @@ optional_policy(` ') optional_policy(` @@ -28531,7 +28539,7 @@ index dd3be8d..3ec4566 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1178,10 @@ optional_policy(` +@@ -765,6 +1179,10 @@ optional_policy(` ') optional_policy(` @@ -28542,7 +28550,7 @@ index dd3be8d..3ec4566 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1191,20 @@ optional_policy(` +@@ -774,10 +1192,20 @@ optional_policy(` ') optional_policy(` @@ -28563,7 +28571,7 @@ index dd3be8d..3ec4566 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1213,10 @@ optional_policy(` +@@ -786,6 +1214,10 @@ optional_policy(` ') optional_policy(` @@ -28574,7 +28582,7 @@ index dd3be8d..3ec4566 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1238,6 @@ optional_policy(` +@@ -807,8 +1239,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -28583,7 +28591,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -817,6 +1246,10 @@ optional_policy(` +@@ -817,6 +1247,10 @@ optional_policy(` ') optional_policy(` @@ -28594,7 +28602,7 @@ index dd3be8d..3ec4566 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1259,12 @@ optional_policy(` +@@ -826,10 +1260,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28607,7 +28615,7 @@ index dd3be8d..3ec4566 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1291,27 @@ optional_policy(` +@@ -856,12 +1292,27 @@ optional_policy(` ') optional_policy(` @@ -28636,7 +28644,7 @@ index dd3be8d..3ec4566 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1321,18 @@ optional_policy(` +@@ -871,6 +1322,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -28655,7 +28663,7 @@ index dd3be8d..3ec4566 100644 ') optional_policy(` -@@ -886,6 +1348,10 @@ optional_policy(` +@@ -886,6 +1349,10 @@ optional_policy(` ') optional_policy(` @@ -28666,7 +28674,7 @@ index dd3be8d..3ec4566 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1362,196 @@ optional_policy(` +@@ -896,3 +1363,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 963aa3c..24f563c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.5%{?dist} +Release: 74.6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -539,12 +539,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Sep 20 2013 Miroslav Grepl 3.12.1-74.6 +- Keep initrc_domain if init_t executes bin_t + * Fri Sep 20 2013 Lukas Vrabec 3.12.1-74.5 - Fix label on pam_krb5 helper apps - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Fix label on pam_krb5 helper apps -- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t - Allow init_t to run crash utility - Call neutron interfaces instead of quantum - Allow users to communicate with journald using tmpfs files