From 45b429ef46e25ef7bc2d135e3d60ce59a22eb7ff Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 26 2014 15:39:34 +0000 Subject: * Tue Aug 26 2014 Lukas Vrabec 3.13.1-76 - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Add a port definition for shellinaboxd - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories - Allow thumb_t to read/write video devices - fail2ban 0.9 reads the journal by default. - Allow sandbox net domains to bind to rawip socket --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2c29dbf..ab46f09 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5461,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..9ae3918 100644 +index b191055..68b9da6 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5721,7 +5721,7 @@ index b191055..9ae3918 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -213,68 +267,78 @@ network_port(postgrey, tcp,60000,s0) +@@ -213,68 +267,79 @@ network_port(postgrey, tcp,60000,s0) network_port(pptp, tcp,1723,s0, udp,1723,s0) network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) @@ -5758,6 +5758,7 @@ index b191055..9ae3918 100644 +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) +network_port(sge, tcp,6444,s0, tcp,6445,s0) ++network_port(shellinaboxd, tcp,4200,s0) network_port(sieve, tcp,4190,s0) network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) 
@@ -5811,7 +5812,7 @@ index b191055..9ae3918 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +352,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +353,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5838,7 +5839,7 @@ index b191055..9ae3918 100644 ######################################## # -@@ -333,6 +401,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +402,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5847,7 +5848,7 @@ index b191055..9ae3918 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +415,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +416,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -44850,10 +44851,10 @@ index 5fe902d..fcc9efe 100644 + rpm_transition_script(unconfined_service_t, system_r) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..8f5380f 100644 +index db75976..1ee08ec 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,34 @@ +@@ -1,4 +1,36 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) 
@@ -44877,6 +44878,8 @@ index db75976..8f5380f 100644 +HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) ++HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0) ++HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0) + +/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0) +/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) @@ -44890,7 +44893,7 @@ index db75976..8f5380f 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..c198c77 100644 +index 9dc60c6..ce8b28d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -48183,7 +48186,7 @@ index 9dc60c6..c198c77 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4482,1684 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4482,1686 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -48206,7 +48209,7 @@ index 9dc60c6..c198c77 100644 + ') + + allow $1 userdomain:process rlimitinh; - ') ++') + +######################################## +## @@ -49669,6 +49672,7 @@ index 9dc60c6..c198c77 100644 + type home_bin_t; + type audio_home_t; + type home_cert_t; ++ type user_tmp_t; + ') + + userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") 
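Review bot: The two new `-d` entries label only the `HOME_DIR/tmp` and `HOME_DIR/\.tmp` directory inodes as user_tmp_t, so on a relabel everything beneath them still matches the `HOME_DIR/.+` → user_home_t entry, while files created there at runtime inherit user_tmp_t from the parent directory unless a type_transition intervenes (the name transitions added in the later userdomain.if and userdomain.te hunks likewise type only the directory). If the contents are meant to be treated like /tmp, the neighbouring texlive entries show the form to use, `HOME_DIR/\.tmp(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)`; if only the directory is intended, a comment saying so would stop the next restorecon mismatch from being filed as a bug. Either way, every domain's existing user_tmp_t access now also reaches these home subdirectories at runtime, which is presumably the point but is worth stating in the changelog entry.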
@@ -49677,6 +49681,8 @@ index 9dc60c6..c198c77 100644 + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") ++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp") ++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp") +') + +######################################## @@ -49866,10 +49872,9 @@ index 9dc60c6..c198c77 100644 + optional_policy(` + samhain_run($1, $2) + ') -+') -+ + ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..6c2695d 100644 +index f4ac38d..7f49cde 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -49958,7 +49963,7 @@ index f4ac38d..6c2695d 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,392 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,394 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -50131,6 +50136,8 @@ index f4ac38d..6c2695d 100644 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012") +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013") +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp") + +optional_policy(` + gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 257921b..556ffe5 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -26998,7 +26998,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..a743483 100644 +index cf0e567..9ebb247 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -27026,12 +27026,13 @@ index cf0e567..a743483 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t) +@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t) auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) +logging_read_audit_log(fail2ban_t) logging_send_syslog_msg(fail2ban_t) ++logging_read_syslog_pid(fail2ban_t) +logging_dontaudit_search_audit_logs(fail2ban_t) -miscfiles_read_localization(fail2ban_t) @@ -27068,7 +27069,7 @@ index cf0e567..a743483 100644 iptables_domtrans(fail2ban_t) ') -@@ -118,6 +129,10 @@ optional_policy(` +@@ -118,6 +130,10 @@ optional_policy(` ') optional_policy(` 
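Review bot: `logging_read_syslog_pid(fail2ban_t)` is added without a comment, and the interface name does not explain why a ban daemon needs the syslog runtime files; the changelog line "fail2ban 0.9 reads the journal by default" is the only hint, presumably because the runtime journal under /run/log is labeled with the syslogd runtime type. A one-line comment above the rule, `# fail2ban 0.9 reads the journal (/run/log/journal) by default`, keeps that rationale next to the grant. Note that the interface reads all syslogd runtime files rather than just the journal directory, so if this policy has a narrower journal-specific interface it would be the better fit; that cannot be confirmed from this hunk.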
@@ -27079,7 +27080,7 @@ index cf0e567..a743483 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -131,22 +147,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -98911,10 +98912,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..ebb001b +index 0000000..bc96302 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,158 @@ +@@ -0,0 +1,160 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -98990,6 +98991,8 @@ index 0000000..ebb001b +dev_read_urand(thumb_t) +dev_dontaudit_rw_dri(thumb_t) +dev_rw_xserver_misc(thumb_t) ++dev_read_video_dev(thumb_t) ++dev_write_video_dev(thumb_t) + +domain_use_interactive_fds(thumb_t) +domain_dontaudit_read_all_domains_state(thumb_t) @@ -103604,7 +103607,7 @@ index facdee8..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..eef3cb7 100644 +index f03dcf5..329e056 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,227 @@ @@ -105568,7 +105571,7 @@ index f03dcf5..eef3cb7 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1508,218 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1508,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -105774,6 +105777,7 @@ index f03dcf5..eef3cb7 100644 + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) ++corenet_raw_bind_generic_node(sandbox_net_domain) +corenet_tcp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_bind_all_ports(sandbox_net_domain) 
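Review bot: `dev_write_video_dev(thumb_t)` gives the thumbnailer domain write access to video devices with nothing recording what triggers it; thumb_t exists to parse untrusted media files, so write access to camera devices is a real widening of what a compromised thumbnailer could reach. If the access only comes from a media framework probing devices at plugin load rather than from the thumbnailer using them, a dontaudit (in the style of the `dev_dontaudit_rw_dri(thumb_t)` line just above) would be the safer choice. Otherwise a comment such as `# <thumbnailer> opens video devices read-write during thumbnailing; confirm write is required` should accompany the two new lines.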
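Review bot: `corenet_raw_bind_generic_node(sandbox_net_domain)` lets every sandbox net domain bind raw IP sockets on any node, and it is placed on the whole attribute rather than on the one domain that needs it. The rule only has effect if those domains also hold the matching `self:rawip_socket` permissions and the net_raw capability, which are outside this hunk, so whether this is inert or a genuine privilege widening for sandboxed applications cannot be judged here. A short comment naming the application that needs the raw bind, `# <application> needs a raw socket bound in the sandbox`, would let a later reviewer decide whether the attribute or a single domain is the right scope.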
diff --git a/selinux-policy.spec b/selinux-policy.spec index 69569e9..1f04f86 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 75%{?dist} +Release: 76%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Aug 26 2014 Lukas Vrabec 3.13.1-76 +- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t +- Add a port definition for shellinaboxd +- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories +- Allow thumb_t to read/write video devices +- fail2ban 0.9 reads the journal by default. +- Allow sandbox net domains to bind to rawip socket + * Fri Aug 22 2014 Lukas Vrabec 3.13.1-75 - Allow haproxy to read /dev/random and /dev/urandom. - Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.