From 42be69d128d74f43b1387665b8af9d6661537310 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 13 2013 16:22:30 +0000 Subject: - Make sure users and unconfined domains create .hushlogin with the correct label - Allow pegaus to chat with realmd over DBus - Allow cobblerd to read network state - Allow boicn-client to stat on /dev/input/mice - Allow certwatch to read net_config_t when it executes apache - Allow readahead to create /run/systemd and then create its own directory with the correct label --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 459d84d..8b9cda6 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8069,7 +8069,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..3a38af0 100644 +index cf04cb5..8542b3d 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8197,7 +8197,7 @@ index cf04cb5..3a38af0 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,271 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8214,6 +8214,10 @@ index cf04cb5..3a38af0 100644 +dev_config_null_dev_service(unconfined_domain_type) + +optional_policy(` ++ locallogin_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + seutil_filetrans_named_content(unconfined_domain_type) +') + @@ -28769,7 +28773,7 @@ index be6a81b..a5303e9 100644 +/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) +/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) 
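Review bot: The new `optional_policy(` block that calls `locallogin_filetrans_home_content(unconfined_domain_type)` in the domain.te hunk carries no comment, so a reader cannot tell which file the transition is for or why unconfined domains need it. A one-line why-comment above the block, `# .hushlogin created by unconfined domains must get local_login_home_t rather than the default home type`, would tie the rule to the commit's stated intent. The same interface call is added for `userdomain` in the userdomain.te hunk later in this patch, where the same comment applies. That the default label would otherwise be the generic home type is inferred from the commit message, not visible in the hunk.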
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if -index 0e3c2a9..40adf5a 100644 +index 0e3c2a9..ea9bd57 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if @@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',` @@ -28830,8 +28834,8 @@ index 0e3c2a9..40adf5a 100644 + ') + + userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") ++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') -+ diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index c04ac46..e06286c 100644 --- a/policy/modules/system/locallogin.te @@ -41322,7 +41326,7 @@ index 3c5dba7..e27d755 100644 + userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..2582882 100644 +index e2b538b..77626dd 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -41410,7 +41414,7 @@ index e2b538b..2582882 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +82,218 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +82,222 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -41482,6 +41486,10 @@ index e2b538b..2582882 100644 +') + +optional_policy(` ++ locallogin_filetrans_home_content(userdomain) ++') ++ ++optional_policy(` + ssh_filetrans_home_content(userdomain) + ssh_rw_tcp_sockets(userdomain) +') 
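Review bot: The `locallogin_filetrans_home_content` interface now also calls `userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")`, but the interface's `## <summary>`/`## <param>` documentation block sits above the hunk and nothing here shows it being updated; if it still describes only user home directories it should say something like `## Create .hushlogin in user and admin home directories with the local_login_home_t type`. Only the `file` class is named in both transitions, so a `.hushlogin` created as a symlink or directory keeps the parent's label; that is probably intended but is worth stating in the summary. The interface definition starts outside this hunk.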
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e01db22..17919d9 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -8814,7 +8814,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..0a48a05 100644 +index 7c92aa1..1a30d34 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,13 @@ @@ -8909,7 +8909,7 @@ index 7c92aa1..0a48a05 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -54,74 +91,47 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -8945,6 +8945,8 @@ index 7c92aa1..0a48a05 100644 kernel_search_vm_sysctl(boinc_t) -corenet_all_recvfrom_unlabeled(boinc_t) ++dev_getattr_mouse_dev(boinc_t) ++ +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + @@ -9003,7 +9005,7 @@ index 7c92aa1..0a48a05 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +138,65 @@ init_read_utmp(boinc_t) +@@ -130,55 +140,65 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -9919,10 +9921,10 @@ index 2354e21..fb8c9ed 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..48a40cd 100644 +index 403af41..84b41e6 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -20,33 +20,42 @@ role certwatch_roles types certwatch_t; +@@ -20,33 +20,44 @@ role certwatch_roles types certwatch_t; allow certwatch_t self:capability sys_nice; allow certwatch_t self:process { setsched getsched }; @@ -9953,6 +9955,8 @@ index 403af41..48a40cd 100644 -userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_user_home_dirs(certwatch_t) ++sysnet_read_config(certwatch_t) ++ +userdom_use_inherited_user_terminals(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t) 
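Review bot: `sysnet_read_config(certwatch_t)` is added to certwatch.te with no comment, and since this patch series already has certwatch transition to the apache domain (the previous changelog entry in this same commit says so), a reader will ask why certwatch_t itself rather than httpd_t needs net_config_t. If the access is only exercised after the transition, the grant belongs in the httpd policy instead — verify against the AVC that prompted it. If it really is needed in certwatch_t before the exec, a comment such as `# net_config_t is read on the apache exec path` above the line would settle that question for the next reviewer.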
@@ -11679,7 +11683,7 @@ index c223f81..83d5104 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..b3ad8cb 100644 +index 2a71346..c1eef8d 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -11690,6 +11694,15 @@ index 2a71346..b3ad8cb 100644 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) + logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) + + kernel_read_system_state(cobblerd_t) +-kernel_dontaudit_search_network_state(cobblerd_t) ++kernel_read_network_state(cobblerd_t) + + corecmd_exec_bin(cobblerd_t) + corecmd_exec_shell(cobblerd_t) @@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t) files_list_boot(cobblerd_t) files_list_tmp(cobblerd_t) @@ -50835,7 +50848,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..832de74 100644 +index 7bcf327..ebc50dc 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -51041,7 +51054,7 @@ index 7bcf327..832de74 100644 ') optional_policy(` -@@ -151,16 +205,19 @@ optional_policy(` +@@ -151,16 +205,23 @@ optional_policy(` ') optional_policy(` @@ -51051,12 +51064,16 @@ index 7bcf327..832de74 100644 optional_policy(` - samba_manage_config(pegasus_t) -+ rpc_read_exports(pegasus_t) ++ realmd_dbus_chat(pegasus_t) ') optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) ++ rpc_read_exports(pegasus_t) ++') ++ ++optional_policy(` + rpm_exec(pegasus_t) +') + @@ -51065,7 +51082,7 @@ index 7bcf327..832de74 100644 ') optional_policy(` -@@ -168,7 +225,7 @@ optional_policy(` +@@ -168,7 +229,7 @@ optional_policy(` ') optional_policy(` 
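Review bot: `kernel_read_network_state(cobblerd_t)` replaces `kernel_dontaudit_search_network_state(cobblerd_t)` in the cobbler.te hunk, turning an access the earlier policy deliberately silenced into a read of the kernel network state for cobblerd. If the denial that prompted this only involved `search` (which is what the replaced dontaudit covered), the search-only counterpart of that interface, if the policy provides one, would satisfy it with less exposure — check which permission the AVC actually asked for. Whichever interface is kept, a short comment above it, `# cobblerd needs network state for <reason>`, would stop this from being re-raised.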
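Review bot: `realmd_dbus_chat(pegasus_t)` in the pegasus.te hunk gives the CIM server two-way DBus access to realmd, whose role is joining and leaving domains, so this is a capability grant rather than a read-only allowance, and the hunk says nothing about which pegasus provider needs it. A comment above the block naming the consumer, e.g. `# <provider name>: drives realm join/leave through realmd over DBus`, would document the intent. Moving `rpc_read_exports(pegasus_t)` and `rpm_exec(pegasus_t)` into separate `optional_policy(` blocks is correct, since each depends on a different module being present.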
@@ -63896,7 +63913,7 @@ index 661bb88..06f69c4 100644 +') + diff --git a/readahead.te b/readahead.te -index f1512d6..93f1ee6 100644 +index f1512d6..bc627d7 100644 --- a/readahead.te +++ b/readahead.te @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -63964,12 +63981,14 @@ index f1512d6..93f1ee6 100644 mls_file_read_all_levels(readahead_t) storage_raw_read_fixed_disk(readahead_t) -@@ -84,13 +98,13 @@ auth_dontaudit_read_shadow(readahead_t) +@@ -84,13 +98,15 @@ auth_dontaudit_read_shadow(readahead_t) init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) +# needs to write to /run/systemd/notify +init_write_pid_socket(readahead_t) ++init_create_pid_dirs(readahead_t) ++init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead") logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index decbd3a..2be5adc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 43%{?dist} +Release: 44%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
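Review bot: `init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")` labels the directory readahead creates under the init pid directory, but nothing in the readahead.te hunk shows a matching file-context entry for that path; without one a relabel or restorecon will put the directory back to the init pid type and the transition only helps until the next relabel — confirm readahead.fc has it. `init_create_pid_dirs(readahead_t)` is also wider than the commit message's "/run/systemd": it lets readahead_t create init-labelled directories wherever that type applies, which is acceptable only if taken knowingly. The existing `# needs to write to /run/systemd/notify` comment covers just the socket line; a second comment, `# creates /run/systemd if absent and its own /run/systemd/readahead under it`, should sit above the two new lines.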
@@ -530,7 +530,15 @@ SELinux Reference policy mls base module. %endif %changelog -* Mon May 10 2013 Miroslav Grepl 3.12.1-43 +* Mon May 13 2013 Miroslav Grepl 3.12.1-44 +- Make sure users and unconfined domains create .hushlogin with the correct label +- Allow pegaus to chat with realmd over DBus +- Allow cobblerd to read network state +- Allow boicn-client to stat on /dev/input/mice +- Allow certwatch to read net_config_t when it executes apache +- Allow readahead to create /run/systemd and then create its own directory with the correct label + +* Fri May 10 2013 Miroslav Grepl 3.12.1-43 - Transition directories and files when in a user_tmp_t directory - Change certwatch to domtrans to apache instead of just execute - Allow virsh_t to read xen lib files