From 9d0057f462a67b83ecce65a0003a38492c887e47 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 06 2014 16:39:47 +0000 Subject: - selinux_unconfined_type should not be able to set booleans if the securemode is set - Update sandbox_transition() to call sandbox_dyntrasition(). #885288. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f7786c2..04c0ead 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -16831,7 +16831,7 @@ index 6d0811d..f67bd8f 100644 + mls_trusted_object($1) ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te -index e0a973b..0fcd621 100644 +index e0a973b..7d3e431 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false) @@ -16855,6 +16855,15 @@ index e0a973b..0fcd621 100644 ######################################## # +@@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms; + allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; + + # Access the security API. +-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce }; ++allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; + + ifdef(`distro_rhel4',` + # needed for systems without audit support @@ -60,11 +61,28 @@ ifdef(`distro_rhel4',` ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8be0c99..dff30d4 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -7477,7 +7477,7 @@ index f3c0aba..2b3352b 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..c85265d 100644 +index 080bc4d..0b6be35 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) @@ -7524,11 +7524,13 @@ index 080bc4d..c85265d 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +82,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) -files_read_etc_files(apcupsd_t) ++domain_signull_all_domains(apcupsd_t) ++ files_manage_etc_runtime_files(apcupsd_t) files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") @@ -7552,7 +7554,7 @@ index 080bc4d..c85265d 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +113,11 @@ optional_policy(` +@@ -101,6 +115,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7564,7 +7566,7 @@ index 080bc4d..c85265d 100644 ######################################## # # CGI local policy -@@ -108,20 +125,20 @@ optional_policy(` +@@ -108,20 +127,20 @@ optional_policy(` optional_policy(` apache_content_template(apcupsd_cgi) @@ -38387,7 +38389,7 @@ index e88fb16..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 9929647..ff98be8 100644 +index 9929647..0907a30 100644 --- a/keystone.te +++ b/keystone.te @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) @@ -38405,13 +38407,12 @@ index 9929647..ff98be8 100644 allow keystone_t self:fifo_file rw_fifo_file_perms; allow keystone_t self:unix_stream_socket { accept listen }; -@@ -57,20 +61,30 @@ corenet_all_recvfrom_netlabel(keystone_t) +@@ -57,20 +61,33 @@ corenet_all_recvfrom_netlabel(keystone_t) corenet_tcp_sendrecv_generic_if(keystone_t) corenet_tcp_sendrecv_generic_node(keystone_t) corenet_tcp_bind_generic_node(keystone_t) +corenet_tcp_connect_mysqld_port(keystone_t) -+ -+corenet_tcp_connect_mysqld_port(keystone_t) ++corenet_tcp_connect_ldap_port(keystone_t) corenet_sendrecv_commplex_main_server_packets(keystone_t) corenet_tcp_bind_commplex_main_port(keystone_t) @@ -38425,11 +38426,14 @@ index 9929647..ff98be8 100644 libs_exec_ldconfig(keystone_t) -miscfiles_read_localization(keystone_t) -- ++optional_policy(` ++ ldap_stream_connect(keystone_t) ++') + optional_policy(` mysql_stream_connect(keystone_t) mysql_tcp_connect(keystone_t) -+ mysql_read_db_lnk_files(keystone_t) ++ mysql_read_db_lnk_files(keystone_t) +') + +optional_policy(` @@ -73461,10 +73465,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..96f804c 100644 +index 8644d8b..d76fab5 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,131 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,132 @@ policy_module(quantum, 1.1.0) # Declarations # @@ -73509,15 +73513,16 @@ index 8644d8b..96f804c 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; -+ ++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit signal_perms }; ++ +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; +allow neutron_t self:unix_stream_socket { accept listen }; +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; ++allow neutron_t self:rawip_socket create_socket_perms; + +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) @@ -85604,10 +85609,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..89bc443 +index 0000000..a2cb772 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,57 @@ +@@ -0,0 +1,85 @@ + +## policy for sandbox + @@ -85632,14 +85637,42 @@ index 0000000..89bc443 + attribute sandbox_domain; + ') + -+ allow $1 sandbox_domain:process transition; -+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; -+ role $2 types sandbox_domain; -+ allow sandbox_domain $1:process { sigchld signull }; -+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit sandbox_domain $1:process signal; -+ dontaudit sandbox_domain $1:key { link read search view }; -+ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ++ sandbox_dyntransition($1) #885288 ++ allow $1 sandbox_domain:process transition; ++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; ++ ++ role $2 types sandbox_domain; ++ ++ allow sandbox_domain $1:process { sigchld signull }; ++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; ++ ++ dontaudit sandbox_domain $1:process signal; ++ dontaudit sandbox_domain $1:key { link read search view }; ++ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++## ++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++# ++interface(`sandbox_dyntransition',` ++ gen_require(` ++ attribute sandbox_domain; ++ ') ++ ++ allow $1 sandbox_domain:process dyntransition; +') + +######################################## diff --git a/selinux-policy.spec b/selinux-policy.spec index 69704c9..089604a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 49%{?dist} +Release: 50%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -588,6 +588,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue May 6 2014 Miroslav Grepl 3.13.1-50 +- selinux_unconfined_type should not be able to set booleans if the securemode is set +- Update sandbox_transition() to call sandbox_dyntrasition(). #885288. + * Mon May 5 2014 Miroslav Grepl 3.13.1-49 - Fix labeling for /root/\.yubico - userdom_search_admin_dir() calling needs to be optional in kernel.te