From 4ed03033dd3ccb24e94dff78d923461aeb25ac7d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 13 2012 11:11:04 +0000 Subject: - Add own type for rdate port - Allow sssd setrlimit - Allow jaberrd-router to read kernel network state - Started to backport userdom_home_reader and userdom_home_manager concept from f17 - Allow system_mail to send log msgs --- diff --git a/policy-F16.patch b/policy-F16.patch index da8f6b8..c63b62d 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -14411,7 +14411,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..009f8b7 100644 +index 99b71cb..a96b835 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; 
@@ -14545,7 +14545,8 @@ index 99b71cb..009f8b7 100644 +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) - network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) +-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) ++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) +network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) network_port(ipmi, udp,623,s0, udp,664,s0) @@ -14614,10 +14615,11 @@ index 99b71cb..009f8b7 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,34 +238,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +238,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) ++network_port(rdate, tcp,37,s0, udp,37,s0) +network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) 
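Review bot: Relabelling tcp/udp 37 from `inetd_child_port_t` to the new `rdate_port_t` (the `--`/`++` rewrite of `network_port(inetd_child, …)` in the @@ -14545 hunk plus `++network_port(rdate, tcp,37,s0, udp,37,s0)` in the @@ -14614 hunk) changes the port's label for every domain, not only inetd. Anything that reached port 37 through the inetd_child port interfaces now needs the generated rdate ones (`corenet_tcp_connect_rdate_port`, `corenet_udp_bind_rdate_port`, …); the inetd.te hunk at @@ -40815 covers inetd_t's bind, but other users of `inetd_child_port` are not visible in this diff, so a grep of the F16 tree before merging would confirm nothing else regresses. A comment on the new line, `# time/rdate service on port 37; split out of inetd_child`, would record why 37 left the inetd_child list.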
@@ -14660,7 +14662,7 @@ index 99b71cb..009f8b7 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +280,12 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +281,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14674,7 +14676,7 @@ index 99b71cb..009f8b7 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +297,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14682,7 +14684,7 @@ index 99b71cb..009f8b7 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +307,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14695,7 +14697,7 @@ index 99b71cb..009f8b7 100644 ######################################## # -@@ -282,9 +357,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -36624,7 +36626,7 @@ index e1d7dc5..bd08e31 100644 admin_pattern($1, dovecot_var_run_t) 
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..aa446e9 100644 +index acf6d4f..e993e2d 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -36700,7 +36702,16 @@ index acf6d4f..aa446e9 100644 corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -160,6 +168,15 @@ optional_policy(` +@@ -153,6 +161,8 @@ userdom_manage_user_home_content_pipes(dovecot_t) + userdom_manage_user_home_content_sockets(dovecot_t) + userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) + ++userdom_home_manager(dovecot_t) ++ + mta_manage_spool(dovecot_t) + + optional_policy(` +@@ -160,6 +170,15 @@ optional_policy(` ') optional_policy(` @@ -36716,7 +36727,7 @@ index acf6d4f..aa446e9 100644 postgresql_stream_connect(dovecot_t) ') -@@ -180,8 +197,8 @@ optional_policy(` +@@ -180,8 +199,8 @@ optional_policy(` # dovecot auth local policy # @@ -36727,7 +36738,7 @@ index acf6d4f..aa446e9 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +207,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +209,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) 
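Review bot: `++userdom_home_manager(dovecot_t)` in the @@ -36700 hunk moves NFS/CIFS/FUSE home access onto the new `userdom_home_manager_type` attribute, yet the per-domain `tunable_policy(`use_nfs_home_dirs', …)` / `use_samba_home_dirs` blocks that grant the same `fs_manage_*` rules stay in dovecot.te (visible for dovecot_deliver_t at @@ -36822, and presumably present for dovecot_t as well). Duplicate allow rules are harmless to the compiled policy, but keeping both means the backport is not yet a replacement and the two paths can drift apart. Either drop the per-domain tunable blocks in the same change or tag them `# TODO: superseded by userdom_home_manager()` so the second half of the migration is not lost; the same applies to `++userdom_home_manager(dovecot_deliver_t)` at @@ -36822.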
@@ -36737,7 +36748,7 @@ index acf6d4f..aa446e9 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,9 +221,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,9 +223,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -36750,7 +36761,7 @@ index acf6d4f..aa446e9 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -218,6 +241,8 @@ files_read_var_lib_files(dovecot_auth_t) +@@ -218,6 +243,8 @@ files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) @@ -36759,7 +36770,7 @@ index acf6d4f..aa446e9 100644 init_rw_utmp(dovecot_auth_t) miscfiles_read_localization(dovecot_auth_t) -@@ -236,6 +261,8 @@ optional_policy(` +@@ -236,6 +263,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -36768,7 +36779,7 @@ index acf6d4f..aa446e9 100644 ') optional_policy(` -@@ -243,6 +270,8 @@ optional_policy(` +@@ -243,6 +272,8 @@ optional_policy(` ') optional_policy(` @@ -36777,7 +36788,7 @@ index acf6d4f..aa446e9 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +279,42 @@ optional_policy(` +@@ -250,23 +281,42 @@ optional_policy(` # # dovecot deliver local policy # 
@@ -36822,7 +36833,16 @@ index acf6d4f..aa446e9 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,5 +350,19 @@ tunable_policy(`use_samba_home_dirs',` +@@ -283,6 +333,8 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) + userdom_manage_user_home_content_sockets(dovecot_deliver_t) + userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) + ++userdom_home_manager(dovecot_deliver_t) ++ + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(dovecot_deliver_t) + fs_manage_nfs_files(dovecot_deliver_t) +@@ -302,5 +354,19 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -40815,10 +40835,19 @@ index df48e5e..878d9df 100644 type inetd_t; ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te -index c51a7b2..5f71f35 100644 +index c51a7b2..5547c35 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te -@@ -149,7 +149,10 @@ miscfiles_read_localization(inetd_t) +@@ -89,6 +89,8 @@ corenet_tcp_bind_ftp_port(inetd_t) + corenet_udp_bind_ftp_port(inetd_t) + corenet_tcp_bind_inetd_child_port(inetd_t) + corenet_udp_bind_inetd_child_port(inetd_t) +++corenet_tcp_bind_rdate_port(inetd_t) +++corenet_udp_bind_rdate_port(inetd_t) + corenet_tcp_bind_ircd_port(inetd_t) + corenet_udp_bind_ktalkd_port(inetd_t) + corenet_tcp_bind_printer_port(inetd_t) +@@ -149,7 +151,10 @@ miscfiles_read_localization(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) @@ -41217,10 +41246,10 @@ index 9878499..81fcd0f 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..24e20b0 100644 +index da2127e..91bdd44 100644 --- a/policy/modules/services/jabber.te 
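Review bot: The two `+++corenet_*_bind_rdate_port(inetd_t)` lines in the @@ -40815 hunk sit between the inetd_child and ircd entries, breaking the alphabetical order the surrounding bind list keeps (ftp, inetd_child, ircd, ktalkd, printer); place them after `corenet_tcp_bind_printer_port(inetd_t)`. A short `# port 37 (time/rdate) is rdate_port_t now, not inetd_child_port_t` next to them explains why inetd needs a second bind pair. The enclosing inetd_t block starts and ends outside the hunk.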
+++ b/policy/modules/services/jabber.te -@@ -5,90 +5,148 @@ policy_module(jabber, 1.8.0) +@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0) # Declarations # @@ -41298,40 +41327,42 @@ index da2127e..24e20b0 100644 -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) - --dev_read_sysfs(jabberd_t) --# For SSL --dev_read_rand(jabberd_t) ++ ++kernel_read_network_state(jabberd_router_t) ++ +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) --domain_use_interactive_fds(jabberd_t) +-dev_read_sysfs(jabberd_t) +-# For SSL +-dev_read_rand(jabberd_t) +fs_getattr_all_fs(jabberd_router_t) --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) +-domain_use_interactive_fds(jabberd_t) +miscfiles_read_generic_certs(jabberd_router_t) --fs_getattr_all_fs(jabberd_t) --fs_search_auto_mountpoints(jabberd_t) +-files_read_etc_files(jabberd_t) +-files_read_etc_runtime_files(jabberd_t) +optional_policy(` + kerberos_use(jabberd_router_t) +') --logging_send_syslog_msg(jabberd_t) +-fs_getattr_all_fs(jabberd_t) +-fs_search_auto_mountpoints(jabberd_t) +optional_policy(` + nis_use_ypbind(jabberd_router_t) +') --miscfiles_read_localization(jabberd_t) +-logging_send_syslog_msg(jabberd_t) +##################################### +# +# Local policy for other jabberd components +# -+ + +-miscfiles_read_localization(jabberd_t) +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) 
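Review bot: `++kernel_read_network_state(jabberd_router_t)` in the @@ -41298 hunk arrives without a why-comment, although the nearby rules in this file annotate comparable grants (`# For SSL` above `dev_read_rand`). Reading kernel network state lets the router domain read host-wide network information such as the proc net tables, which is broader than the router/client port rules around it, so the trigger should be recorded: `# router reads kernel network state (proc net tables) — see the AVC denial that motivated this`. The jabberd_router_t block continues outside the hunk.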
@@ -41350,8 +41381,8 @@ index da2127e..24e20b0 100644 optional_policy(` - seutil_sigchld_newrole(jabberd_t) + udev_read_db(jabberd_t) -+') -+ + ') + +###################################### +# +# Local policy for pyicq-t @@ -41382,12 +41413,12 @@ index da2127e..24e20b0 100644 +libs_use_shared_libs(pyicqt_t) + +# needed for pyicq-t-mysql -+optional_policy(` -+ corenet_tcp_connect_mysqld_port(pyicqt_t) - ') - optional_policy(` - udev_read_db(jabberd_t) ++ corenet_tcp_connect_mysqld_port(pyicqt_t) ++') ++ ++optional_policy(` + sysnet_use_ldap(pyicqt_t) ') + @@ -61344,7 +61375,7 @@ index 941380a..ce8c972 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..d0c7e39 100644 +index 8ffa257..2d420f6 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t) @@ -61360,10 +61391,11 @@ index 8ffa257..d0c7e39 100644 # sssd local policy # -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; +-allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; +-allow sssd_t self:fifo_file rw_file_perms; + +allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; - allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; --allow sssd_t self:fifo_file rw_file_perms; ++allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; +allow sssd_t self:fifo_file rw_fifo_file_perms; +allow sssd_t self:key manage_key_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -77731,7 +77763,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) 
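Review bot: `++allow sssd_t self:process { … setrlimit };` in the @@ -61360 hunk is added without a comment, and sssd_t already holds `sys_resource` in the `+allow sssd_t self:capability` context line directly above, so the pair allows the daemon to raise its own hard limits rather than only trim soft ones. That is likely intended for a descriptor limit, but the rule does not say; suggest `# sssd adjusts its own rlimits at startup (presumably RLIMIT_NOFILE) — confirm against the denial`. The sssd_t block continues outside the hunk.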
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..88476fe 100644 +index 4b2878a..c4d63ba 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -80146,7 +80178,7 @@ index 4b2878a..88476fe 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3934,1165 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3934,1201 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -81312,8 +81344,44 @@ index 4b2878a..88476fe 100644 + # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin") + #') +') ++ ++######################################## ++## ++## Make the specified type able to read content in user home dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_home_reader',` ++ gen_require(` ++ attribute userdom_home_reader_type; ++ ') ++ ++ typeattribute $1 userdom_home_reader_type; ++') ++ ++######################################## ++## ++## Make the specified type able to manage content in user home dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_home_manager',` ++ gen_require(` ++ attribute userdom_home_manager_type; ++ ') ++ ++ typeattribute $1 userdom_home_manager_type; ++') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..107f262 100644 +index 9b4a930..8525f8a 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) 
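Review bot: The summary on the new `userdom_home_reader` interface in the @@ -81312 hunk, `Make the specified type able to read content in user home dirs`, promises more than this backport grants: in userdomain.te (@@ -81453) `userdom_home_reader_type` only receives `fs_read_nfs_files`, `fs_read_cifs_files` and `fs_read_fusefs_files` under the `use_*_home_dirs` booleans, nothing for local `user_home_t` content. A caller who trusts the description will expect local home access and get a denial. Suggest `Allow the specified domain to read user home content on NFS, CIFS and FUSE home directories (gated by the use_*_home_dirs booleans); local home content is not covered`, and the matching wording for `userdom_home_manager`.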
@@ -81353,10 +81421,13 @@ index 9b4a930..107f262 100644 # all user domains attribute userdomain; -@@ -59,6 +74,19 @@ attribute unpriv_userdomain; +@@ -59,6 +74,22 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; ++attribute userdom_home_reader_type; ++attribute userdom_home_manager_type; ++ +# unprivileged user domains +attribute user_home_type; +attribute user_tmp_type; @@ -81373,7 +81444,7 @@ index 9b4a930..107f262 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +99,77 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +102,108 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -81453,6 +81524,37 @@ index 9b4a930..107f262 100644 +optional_policy(` + xserver_filetrans_home_content(userdomain) +') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_read_fusefs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(userdom_home_manager_type) ++ fs_manage_nfs_dirs(userdom_home_manager_type) ++ fs_manage_nfs_files(userdom_home_manager_type) ++ fs_manage_nfs_symlinks(userdom_home_manager_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(userdom_home_manager_type) ++ fs_manage_cifs_files(userdom_home_manager_type) ++ fs_manage_cifs_symlinks(userdom_home_manager_type) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_manage_fusefs_dirs(userdom_home_manager_type) ++ fs_manage_fusefs_files(userdom_home_manager_type) ++ fs_manage_fusefs_symlinks(userdom_home_manager_type) ++') diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc index a865da7..a5ed06e 100644 --- a/policy/modules/system/xen.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index e49622f..a27d796 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 79%{?dist} +Release: 80%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
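Review bot: The reader blocks in the @@ -81453 hunk grant `userdom_home_reader_type` only `fs_read_*_files`, while the manager blocks cover dirs, symlinks and `fs_list_auto_mountpoints`; a reader that hits a symlink inside an NFS/CIFS/FUSE home (dotfiles often are) is denied on the link even though it could read the target. If the F16 tree provides the read-symlink counterparts (`fs_read_nfs_symlinks`, `fs_read_cifs_symlinks`, and a fusefs one), add them beside the file grants. Also, `use_nfs_home_dirs`, `use_samba_home_dirs` and `use_fusefs_home_dirs` each appear twice here; one block per boolean holding both attributes' rules would be easier to audit.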
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 13 2012 Miroslav Grepl 3.10.0-80 +- Add own type for rdate port +- Allow sssd setrlimit +- Allow jaberrd-router to read kernel network state +- Started to backport userdom_home_reader and userdom_home_manager concept from f17 +- Allow system_mail to send log msgs + * Wed Mar 7 2012 Miroslav Grepl 3.10.0-79 - Allow system_mail to send log msgs - Add login_userdomain attribute