From 496752533e3933e1a95c7416582ee46cb544f677 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Feb 27 2009 21:22:47 +0000
Subject: - Further confinement of qemu images via svirt
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index bf68961..d8f2052 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1413,6 +1413,13 @@ xen = module
 #
 virt = module
 
+# Layer: system
+# Module: virtual
+#
+# Virtualization libraries
+#
+virtual = base
+
 # Layer: apps
 # Module: qemu
 #
diff --git a/modules-mls.conf b/modules-mls.conf
index 4054839..debd8ff 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1399,6 +1399,13 @@ xen = module
 #
 virt = module
 
+# Layer: system
+# Module: virtual
+#
+# Virtualization libraries
+#
+virtual = base
+
 # Layer: apps
 # Module: qemu
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index bf68961..d8f2052 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1413,6 +1413,13 @@ xen = module
 #
 virt = module
 
+# Layer: system
+# Module: virtual
+#
+# Virtualization libraries
+#
+virtual = base
+
 # Layer: apps
 # Module: qemu
 #
diff --git a/policy-20090105.patch b/policy-20090105.patch
index e458816..87ed535 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -420,17 +420,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.6/policy/mcs --- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.6/policy/mcs 2009-02-16 13:18:06.000000000 -0500 -@@ -67,7 +67,7 @@ ++++ serefpolicy-3.6.6/policy/mcs 2009-02-27 15:49:53.000000000 -0500 +@@ -67,7 +67,8 @@ # Note that getattr on files is always permitted. # mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } - ( h1 dom h2 ); -+ (( h1 dom h2 ) or ( t1 == mlsfilewrite )); ++ ((( h1 dom h2 ) or ( t1 == mlsfilewrite )) ++ and ((t1 != virtualdomain) or (t2 != virtual_image_type) or (h1 == h2))); mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); -@@ -75,7 +75,7 @@ +@@ -75,19 +76,20 @@ # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } @@ -439,7 +440,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # At this time we do not restrict "ps" type operations via MCS. This # will probably change in future. -@@ -84,10 +84,10 @@ + mlsconstrain file { read } +- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); ++ ((( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )) ++ and ((t1 != virtualdomain) or (t2 != virtual_image_type) or (h1 == h2))); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } 
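Review bot: The new `and ((t1 != virtualdomain) or (t2 != virtual_image_type) or (h1 == h2))` clause in policy/mcs is attached only to the two `file` class constraints (`{ write setattr ... relabelfrom }` here and `{ read }` in the next hunk), so a guest whose category set differs from the image's is still governed by plain `h1 dom h2` for every other object class. That matters because the `virt_image` interface this same patch removes from virt.if calls `dev_node($1)` since images can be block devices, and the qemu template manages `$1_image_t` directories and symlinks as well; on the `blk_file`, `dir` and `lnk_file` constraints a guest whose level dominates an image without categories would still pass. Either add the same clause to those constraints or record the scope in a comment above the constraint, e.g. `# sVirt: a virtualdomain may touch a virtual_image_type file only at its own MCS level (file class only)`.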
@@ -3637,7 +3641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-20 11:37:20.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-26 17:53:22.000000000 -0500 @@ -40,6 +40,93 @@ qemu_domtrans($1) @@ -3824,7 +3828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -127,84 +290,84 @@ +@@ -127,84 +290,81 @@ # template(`qemu_domain_template',` @@ -3832,13 +3836,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # - # Local Policy - # -+ gen_require(` -+ attribute qemutype; -+ ') - -- type $1_t; +- + type $1_t; - domain_type($1_t) -+ type $1_t, qemutype; ++ virtual_domain($1_t) type $1_tmp_t; files_tmp_file($1_tmp_t) @@ -3851,10 +3852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_tmpfs_file($1_tmpfs_t) + + type $1_image_t; -+ virt_image($1_image_t) -+ -+ allow $1_t self:capability kill; -+ allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; ++ virtual_image($1_image_t) - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; 
@@ -3862,6 +3860,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; ++ allow $1_t self:capability kill; ++ allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; ++ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) @@ -3891,21 +3892,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) +- +- fs_list_inotifyfs($1_t) +- fs_rw_anon_inodefs_files($1_t) +- fs_rw_tmpfs_files($1_t) + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + fs_getattr_tmpfs($1_t) -- fs_list_inotifyfs($1_t) -- fs_rw_anon_inodefs_files($1_t) -- fs_rw_tmpfs_files($1_t) +- storage_raw_write_removable_device($1_t) +- storage_raw_read_removable_device($1_t) + userdom_read_user_tmpfs_files($1_t) + userdom_signull_unpriv_users($1_t) -- storage_raw_write_removable_device($1_t) -- storage_raw_read_removable_device($1_t) -- - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) @@ -3972,17 +3973,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-23 16:13:38.000000000 -0500 -@@ -6,6 +6,8 @@ - # Declarations - # - -+attribute qemutype; -+ - ## - ##

- ## Allow qemu to connect fully to the network -@@ -13,28 +15,162 @@ ++++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-26 17:38:52.000000000 -0500 +@@ -13,28 +13,101 @@ ## gen_tunable(qemu_full_network, false) @@ -4018,18 +4010,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type qemu_var_run_t; +files_pid_file(qemu_var_run_t) + -+######################################## -+# -+# qemu common policy -+# -+allow qemutype self:capability { dac_read_search dac_override }; -+allow qemutype self:process { execstack execmem signal getsched signull }; -+ -+allow qemutype self:fifo_file rw_file_perms; -+allow qemutype self:shm create_shm_perms; -+allow qemutype self:unix_stream_socket create_stream_socket_perms; -+allow qemutype self:tcp_socket create_stream_socket_perms; -+ + ######################################## + # + # qemu local policy + # + +manage_dirs_pattern(qemu_t, qemu_cache_t, qemu_cache_t) +manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t) +files_var_filetrans(qemu_t, qemu_cache_t, { file dir }) 
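Review bot: The `qemutype` common rules removed here and in the following hunk — `allow qemutype self:process { execstack execmem signal getsched signull }`, `dev_rw_kvm`, `dev_rw_qemu`, `corenet_tcp_bind_vnc_port`, the `virt_read_*` and `xserver_*` optional blocks — have no replacement anywhere in this diff. They are presumably re-homed on the `virtualdomain` attribute in the new system/virtual.te, which lies outside this chunk; `qemu_t` and every `qemu_domain_template` instance now receive them only through `virtual_domain()`, so that file should be checked line by line against the removed set, in particular the self `process` permissions and the kvm device access. A one-line comment at the top of qemu.te, e.g. `# common qemu rules live on the virtualdomain attribute in system/virtual.te`, would make the split obvious to the next reader.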
@@ -4039,60 +4024,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_lnk_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(qemu_t, qemu_var_run_t, { dir file }) + -+kernel_read_system_state(qemutype) -+ -+corenet_all_recvfrom_unlabeled(qemutype) -+corenet_all_recvfrom_netlabel(qemutype) -+corenet_tcp_sendrecv_generic_if(qemutype) -+corenet_tcp_sendrecv_generic_node(qemutype) -+corenet_tcp_sendrecv_all_ports(qemutype) -+corenet_tcp_bind_generic_node(qemutype) -+corenet_tcp_bind_vnc_port(qemutype) -+corenet_rw_tun_tap_dev(qemutype) -+ -+dev_read_sound(qemutype) -+dev_write_sound(qemutype) -+dev_rw_kvm(qemutype) -+dev_rw_qemu(qemutype) -+ -+domain_use_interactive_fds(qemutype) -+ -+files_read_etc_files(qemutype) -+files_read_usr_files(qemutype) -+files_read_var_files(qemutype) -+files_search_all(qemutype) -+ -+fs_list_inotifyfs(qemutype) -+fs_rw_anon_inodefs_files(qemutype) -+fs_rw_tmpfs_files(qemutype) -+ -+term_use_all_terms(qemutype) -+term_getattr_pty_fs(qemutype) -+term_use_generic_ptys(qemutype) -+term_use_ptmx(qemutype) -+ -+auth_use_nsswitch(qemutype) -+ -+miscfiles_read_localization(qemutype) -+ -+optional_policy(` -+ virt_read_config(qemutype) -+ virt_read_lib_files(qemutype) -+ virt_read_content(qemutype) -+') -+ -+optional_policy(` -+ xserver_stream_connect(qemutype) -+ xserver_read_xdm_tmp_files(qemutype) -+ xserver_read_xdm_pid(qemutype) -+ xserver_rw_shm(qemutype) -+') -+ - ######################################## - # - # qemu local policy - # - +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) + 
@@ -5482,7 +5413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type power_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.6/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/kernel/domain.if 2009-02-16 17:42:39.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/kernel/domain.if 2009-02-26 17:54:41.000000000 -0500 @@ -629,6 +629,7 @@ dontaudit $1 unconfined_domain_type:dir search_dir_perms; @@ -12169,7 +12100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.6/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/dbus.if 2009-02-17 16:08:31.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/dbus.if 2009-02-26 10:05:58.000000000 -0500 @@ -44,6 +44,7 @@ attribute session_bus_type; @@ -12195,7 +12126,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files($1_dbusd_t) files_list_home($1_dbusd_t) -@@ -160,6 +162,10 @@ +@@ -145,6 +147,8 @@ + seutil_read_config($1_dbusd_t) + seutil_read_default_contexts($1_dbusd_t) + ++ term_use_all_terms($1_dbusd_t) ++ + userdom_read_user_home_content_files($1_dbusd_t) + + ifdef(`hide_broken_symptoms', ` +@@ -160,6 +164,10 @@ ') optional_policy(` 
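Review bot: `term_use_all_terms($1_dbusd_t)` in the dbus.if hunk grants the per-user session bus read/write on every terminal type (consoles, ptys, serial devices), which is wider than a daemon started from a user login needs. If the goal is to stop a denial on the tty or pty the session bus inherits from the user at startup, `userdom_use_user_terminals($1_dbusd_t)` should be sufficient; if the access is only noise in the audit log, a dontaudit is the better fix than an allow. A comment naming the trigger would also help, e.g. `# inherits the login terminal from the user session`.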
@@ -12206,7 +12146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat($1_dbusd_t) ') -@@ -185,10 +191,12 @@ +@@ -185,10 +193,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -12220,7 +12160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -197,6 +205,10 @@ +@@ -197,6 +207,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) @@ -12231,7 +12171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -244,6 +256,35 @@ +@@ -244,6 +258,35 @@ ######################################## ##

@@ -12267,7 +12207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read dbus configuration. ## ## -@@ -318,3 +359,77 @@ +@@ -318,3 +361,77 @@ allow $1 system_dbusd_t:dbus *; ') @@ -12347,7 +12287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.6/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/dbus.te 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/dbus.te 2009-02-26 10:07:02.000000000 -0500 @@ -9,14 +9,15 @@ # # Delcarations @@ -22735,7 +22675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.6/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/ssh.if 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/ssh.if 2009-02-26 11:26:28.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -22860,9 +22800,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) - corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) ++ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) 
@@ -22896,7 +22836,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -611,3 +611,42 @@ +@@ -454,6 +454,24 @@ + + ######################################## + ## ++## Send a generic signal to the ssh server. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_signal',` ++ gen_require(` ++ type sshd_t; ++ ') ++ ++ allow $1 sshd_t:process signal; ++') ++ ++######################################## ++## + ## Read a ssh server unnamed pipe. + ## + ## +@@ -611,3 +629,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -23402,8 +23367,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.6/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/virt.if 2009-02-16 13:18:06.000000000 -0500 -@@ -117,12 +117,12 @@ ++++ serefpolicy-3.6.6/policy/modules/services/virt.if 2009-02-26 17:54:39.000000000 -0500 +@@ -2,28 +2,6 @@ + + ######################################## + ## +-## Make the specified type usable as a virt image +-## +-## +-## +-## Type to be used as a virtual image +-## +-## +-# +-interface(`virt_image',` +- gen_require(` +- attribute virt_image_type; +- ') +- +- typeattribute $1 virt_image_type; +- files_type($1) +- +- # virt images can be assigned to blk devices +- dev_node($1) +-') +- +-######################################## +-## + ## Execute a domain transition to run virt. + ## + ## +@@ -117,12 +95,12 @@ ') files_search_pids($1) @@ -23418,7 +23412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
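Review bot: The new `ssh_signal` interface is granted to every unprivileged user domain by the userdomain.if hunk later in this patch (`ssh_signal($1_t)` inside the `optional_policy` block), and nothing in the commit records the denial it addresses. `signal` covers every generic signal (TERM, HUP, USR1 ...) to `sshd_t`; in practice DAC should limit this to sshd processes running under the user's own uid, presumably the privilege-separated session child, but that reasoning belongs in the policy rather than in the reviewer's head. Suggest a comment at the call site, e.g. `# users may signal their own sshd session process`, or `signull` instead of `signal` if only a liveness check is needed.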
## ## -@@ -135,6 +135,7 @@ +@@ -135,6 +113,7 @@ type virt_var_run_t; ') @@ -23426,7 +23420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ') -@@ -293,6 +294,41 @@ +@@ -293,6 +272,41 @@ ######################################## ## @@ -23470,19 +23464,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.6/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/virt.te 2009-02-17 15:29:03.000000000 -0500 -@@ -32,6 +32,10 @@ - type virt_image_t, virt_image_type; # customizable - virt_image(virt_image_t) ++++ serefpolicy-3.6.6/policy/modules/services/virt.te 2009-02-27 15:56:41.000000000 -0500 +@@ -20,8 +20,6 @@ + ## + gen_tunable(virt_use_samba, false) + +-attribute virt_image_type; +- + type virt_etc_t; + files_config_file(virt_etc_t) + +@@ -29,8 +27,12 @@ + files_type(virt_etc_rw_t) + # virt Image files +-type virt_image_t, virt_image_type; # customizable +-virt_image(virt_image_t) ++type virt_image_t; # customizable ++virtual_image(virt_image_t) ++ +# virt Image files +type virt_content_t; -+virt_image(virt_content_t) -+ ++virtual_image(virt_content_t) + type virt_log_t; logging_log_file(virt_log_t) - -@@ -48,12 +52,20 @@ +@@ -48,12 +50,20 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) 
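Review bot: `virtual_image(virt_content_t)` in virt.te puts ISO and install media under the same `virtual_image_type` attribute as disk images, and the policy/mcs hunk earlier in this patch denies a `virtualdomain` read of any `virtual_image_type` file unless `h1 == h2`. Content under `HOME_DIR/VirtualMachines/isos` (the virt.fc line in the previous hunk) is typically shared read-only across guests and, if it is labelled without per-guest categories, a guest running with categories would lose read access to it; if that is not intended, `virt_content_t` should stay a plain `files_type` or get an attribute exempt from the equality clause. The comment above `type virt_content_t;` also repeats `# virt Image files` from the line above it; `# virt content (ISOs, install media)` would be accurate.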
@@ -23504,17 +23511,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow virtd_t self:process { getsched sigkill signal execmem }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; -@@ -69,6 +81,9 @@ - - manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +@@ -67,7 +77,10 @@ + manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +-manage_files_pattern(virtd_t, virt_image_type, virt_image_type) ++virtual_manage_image(virtd_t) ++ +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) -+ + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) - logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -@@ -96,7 +111,7 @@ +@@ -96,7 +109,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -23523,7 +23532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -110,11 +125,13 @@ +@@ -110,11 +123,13 @@ files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) @@ -23537,7 +23546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_write_removable_device(virtd_t) storage_raw_read_removable_device(virtd_t) -@@ -129,7 +146,11 @@ +@@ -129,7 +144,11 @@ logging_send_syslog_msg(virtd_t) @@ -23549,7 +23558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -173,16 +194,17 @@ +@@ -173,16 +192,17 @@ iptables_domtrans(virtd_t) ') 
@@ -29516,7 +29525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.6/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/system/userdomain.if 2009-02-17 17:06:13.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/system/userdomain.if 2009-02-26 11:25:59.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -29665,7 +29674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +131,11 @@ +@@ -116,6 +131,12 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -29673,11 +29682,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) ++ ssh_signal($1_t) + ') ') ####################################### -@@ -147,6 +167,7 @@ +@@ -147,6 +168,7 @@ interface(`userdom_ro_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -29685,7 +29695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') role $1 types { user_home_t user_home_dir_t }; -@@ -157,6 +178,7 @@ +@@ -157,6 +179,7 @@ # type_member $2 user_home_dir_t:dir user_home_dir_t; @@ -29693,7 +29703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; -@@ -168,27 +190,6 @@ +@@ -168,27 +191,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) 
@@ -29721,7 +29731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -220,9 +221,10 @@ +@@ -220,9 +222,10 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -29733,7 +29743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -232,17 +234,20 @@ +@@ -232,17 +235,20 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -29764,7 +29774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -250,25 +255,23 @@ +@@ -250,25 +256,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -29794,7 +29804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -303,6 +306,7 @@ +@@ -303,6 +307,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -29802,7 +29812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -368,46 +372,41 @@ +@@ -368,46 +373,41 @@ ####################################### ## @@ -29869,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +419,43 @@ +@@ -420,34 +420,43 @@ ## is the prefix for user_t). ## ## @@ -29931,7 +29941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -497,11 +505,7 @@ +@@ -497,11 +506,7 @@ attribute unpriv_userdomain; ') 
@@ -29944,7 +29954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +516,198 @@ +@@ -512,189 +517,198 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -30224,7 +30234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,15 +735,29 @@ +@@ -722,15 +736,29 @@ userdom_base_user_template($1) @@ -30260,7 +30270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -746,70 +773,72 @@ +@@ -746,70 +774,72 @@ allow $1_t self:context contains; @@ -30366,7 +30376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +875,28 @@ +@@ -846,6 +876,28 @@ # Local policy # @@ -30395,7 +30405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +927,7 @@ +@@ -876,7 +928,7 @@ userdom_restricted_user_template($1) @@ -30404,7 +30414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +935,19 @@ +@@ -884,14 +936,19 @@ # auth_role($1_r, $1_t) @@ -30429,7 +30439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +955,29 @@ +@@ -899,28 +956,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` 
@@ -30467,7 +30477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -931,8 +988,7 @@ +@@ -931,8 +989,7 @@ ## ## ##

@@ -30477,7 +30487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +1010,8 @@ +@@ -954,8 +1011,8 @@ # Declarations # @@ -30487,7 +30497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1020,12 @@ +@@ -964,11 +1021,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -30502,7 +30512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1043,47 @@ +@@ -986,37 +1044,47 @@ ') ') @@ -30564,7 +30574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1117,7 @@ +@@ -1050,7 +1118,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -30573,7 +30583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1126,7 @@ +@@ -1059,8 +1127,7 @@ # # Inherit rules for ordinary users. @@ -30583,7 +30593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1149,8 @@ +@@ -1083,7 +1150,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -30593,7 +30603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1166,7 @@ +@@ -1099,6 +1167,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -30601,7 +30611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1174,6 @@ +@@ -1106,8 +1175,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) 
@@ -30610,7 +30620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1228,6 @@ +@@ -1162,20 +1229,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30631,7 +30641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1273,7 @@ +@@ -1221,6 +1274,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30639,7 +30649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1339,15 @@ +@@ -1286,11 +1340,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -30655,7 +30665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1444,7 @@ +@@ -1387,7 +1445,7 @@ ######################################## ##

@@ -30664,7 +30674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1477,14 @@ +@@ -1420,6 +1478,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -30679,7 +30689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1500,11 @@ +@@ -1435,9 +1501,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -30691,7 +30701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1561,25 @@ +@@ -1494,6 +1562,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -30717,7 +30727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1633,9 @@ +@@ -1547,9 +1634,9 @@ type user_home_dir_t, user_home_t; ') @@ -30729,7 +30739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1654,8 @@ +@@ -1568,6 +1655,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -30738,7 +30748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1731,7 @@ +@@ -1643,6 +1732,7 @@ type user_home_dir_t, user_home_t; ') @@ -30746,7 +30756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1830,62 @@ +@@ -1741,6 +1831,62 @@ ######################################## ## 
@@ -30809,7 +30819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1902,6 @@ +@@ -1757,14 +1903,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -30824,7 +30834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1924,46 @@ +@@ -1787,6 +1925,46 @@ ######################################## ## @@ -30871,7 +30881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1976,7 @@ +@@ -1799,6 +1977,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -30879,7 +30889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -1921,7 +2099,7 @@ +@@ -1921,7 +2100,7 @@ ######################################## ## @@ -30888,7 +30898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## with an automatic type transition to ## a specified private type. ## -@@ -1941,28 +2119,58 @@ +@@ -1941,28 +2120,58 @@ ## ## # @@ -30954,7 +30964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## The class of the object to be created. ## -@@ -2336,6 +2544,27 @@ +@@ -2336,6 +2545,27 @@ ## ## # @@ -30982,7 +30992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol interface(`userdom_rw_user_tmpfs_files',` gen_require(` type user_tmpfs_t; -@@ -2709,6 +2938,24 @@ +@@ -2709,6 +2939,24 @@ ######################################## ## 
@@ -31007,7 +31017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit the file descriptors from unprivileged user domains. ## ## -@@ -2814,7 +3061,43 @@ +@@ -2814,7 +3062,43 @@ type user_tmp_t; ') @@ -31052,7 +31062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2851,6 +3134,7 @@ +@@ -2851,6 +3135,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -31060,7 +31070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3249,24 @@ +@@ -2965,6 +3250,24 @@ ######################################## ## @@ -31085,7 +31095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3283,313 @@ +@@ -2981,3 +3284,313 @@ allow $1 userdomain:dbus send_msg; ') 
@@ -31485,6 +31495,161 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_named_sockets(userhomereader) + fs_read_cifs_named_pipes(userhomereader) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.6/policy/modules/system/virtual.fc +--- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/system/virtual.fc 2009-02-26 17:48:30.000000000 -0500 +@@ -0,0 +1 @@ ++# No application file contexts. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.6/policy/modules/system/virtual.if +--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/system/virtual.if 2009-02-26 17:56:43.000000000 -0500 +@@ -0,0 +1,70 @@ ++## Virtual machine emulator and virtualizer ++ ++######################################## ++## ++## Make the specified type a virtual domain ++## ++## ++##

++## Make the specified type a virtual domain ++##

++##

++## Gives the basic access required for a virtual operatins system ++##

++##
++##
++##
++## Type granted access
++##
++##
++#
++interface(`virtual_domain',`
++ gen_require(`
++ attribute virtualdomain;
++ ')
++
++ typeattribute $1 virtualdomain;
++')
++
++########################################
++##
++## Make the specified type usable as a virtual os image
++##
++##
++##
++## Type to be used as a virtual image
++##
++##
++#
++interface(`virtual_image',`
++ gen_require(`
++ attribute virtual_image_type;
++ ')
++
++ typeattribute $1 virtual_image_type;
++ files_type($1)
++
++ # virt images can be assigned to blk devices
++ dev_node($1)
++')
++
++########################################
++##
++## Allow domain to manage virt image files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`virtual_manage_image',`
++ gen_require(`
++ type virtual_image_type;
++ ')
++
++ manage_dirs_pattern($1, virtual_image_type, virtual_image_type)
++ manage_files_pattern($1, virtual_image_type, virtual_image_type)
++ manage_lnk_files_pattern($1, virtual_image_type, virtual_image_type)
++ rw_blk_files_pattern($1, virtual_image_type, virtual_image_type)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.6/policy/modules/system/virtual.te
+--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/system/virtual.te 2009-02-26 17:57:06.000000000 -0500
+@@ -0,0 +1,72 @@
++
++policy_module(virtualization, 1.1.2)
++
++########################################
++#
++# Declarations
++#
++
++attribute virtualdomain;
++attribute virtual_image_type;
++
++########################################
++#
++# qemu common policy
++#
++allow virtualdomain self:capability { dac_read_search dac_override };
++allow virtualdomain self:process { execstack execmem signal getsched signull };
++
++allow virtualdomain self:fifo_file rw_file_perms;
++allow virtualdomain self:shm create_shm_perms;
++allow virtualdomain self:unix_stream_socket create_stream_socket_perms;
++allow virtualdomain self:tcp_socket create_stream_socket_perms;
++
++kernel_read_system_state(virtualdomain)
++
++corenet_all_recvfrom_unlabeled(virtualdomain)
++corenet_all_recvfrom_netlabel(virtualdomain)
++corenet_tcp_sendrecv_generic_if(virtualdomain)
++corenet_tcp_sendrecv_generic_node(virtualdomain)
++corenet_tcp_sendrecv_all_ports(virtualdomain)
++corenet_tcp_bind_generic_node(virtualdomain)
++corenet_tcp_bind_vnc_port(virtualdomain)
++corenet_rw_tun_tap_dev(virtualdomain)
++
++dev_read_sound(virtualdomain)
++dev_write_sound(virtualdomain)
++dev_rw_kvm(virtualdomain)
++dev_rw_qemu(virtualdomain)
++
++domain_use_interactive_fds(virtualdomain)
++
++files_read_etc_files(virtualdomain)
++files_read_usr_files(virtualdomain)
++files_read_var_files(virtualdomain)
++files_search_all(virtualdomain)
++
++fs_list_inotifyfs(virtualdomain)
++fs_rw_anon_inodefs_files(virtualdomain)
++fs_rw_tmpfs_files(virtualdomain)
++
++term_use_all_terms(virtualdomain)
++term_getattr_pty_fs(virtualdomain)
++term_use_generic_ptys(virtualdomain)
++term_use_ptmx(virtualdomain)
++
++auth_use_nsswitch(virtualdomain)
++
++miscfiles_read_localization(virtualdomain)
++
++optional_policy(`
++ virt_read_config(virtualdomain)
++ virt_read_lib_files(virtualdomain)
++ virt_read_content(virtualdomain)
++')
++
++optional_policy(`
++ xserver_stream_connect(virtualdomain)
++ xserver_read_xdm_tmp_files(virtualdomain)
++ xserver_read_xdm_pid(virtualdomain)
++ xserver_rw_shm(virtualdomain)
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.6/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc 2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.6/policy/modules/system/xen.fc 2009-02-16 13:18:06.000000000 -0500
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 49c1949..c11579a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
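Review bot: `virtual_manage_image` in the new virtual.if requires `type virtual_image_type;`, but virtual.te declares `attribute virtual_image_type;` and the sibling `virtual_image` interface requires it as an attribute; that type/attribute mismatch is expected to fail when the policy is built, so the line should read `attribute virtual_image_type;`. The same interface documents its parameter as "Domain to not audit." although it grants manage and rw access, so `## Domain allowed access.` fits, and "virtual operatins system" in the `virtual_domain` summary is misspelled. The header `policy_module(virtualization, 1.1.2)` does not match the file name virtual.te; refpolicy convention is that the module name and file name agree, which is worth confirming before the package build. `virtualdomain` also receives `dac_override`, `term_use_all_terms` and `files_search_all` with no explanation, and a short why-comment on each of those lines (e.g. `# needed for <reason>`) would record the confinement boundary the svirt work intends.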
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.6 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Fri Feb 27 2009 Dan Walsh 3.6.6-8 +- Further confinement of qemu images via svirt + * Wed Feb 25 2009 Fedora Release Engineering - 3.6.6-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild