From a59f536b012b7e080a45c7ccfe337a6768b204c7 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 25 2014 12:11:22 +0000 Subject: * Fri Apr 25 2014 Lukas Vrabec 3.12.1-158 - Fix bug in policy, needs back port to RHEL7/RHEL6 - optional can not be used in boolean. But we want to call ldap_read_certs() in sysnet_use_ldap - Add support for ~/.esmtp_queue directory - Allow net_raw for neutron - ALlow dac_override to neutron_t - Allow neutron to r/w net sysctls - Allow neutron to getattr on all filesystems - Allow swift to getattr on all filesystems - Clean up sysnet_use_ldap() --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 764520e..cc34165 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -28899,7 +28899,7 @@ index 3efd5b6..42803b7 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..cc09db4 100644 +index 104037e..837948b 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) 
@@ -29170,17 +29170,37 @@ index 104037e..cc09db4 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) --tunable_policy(`authlogin_nsswitch_use_ldap',` -- files_list_var_lib(nsswitch_domain) +systemd_hostnamed_read_config(nsswitch_domain) ++ ++ + tunable_policy(`authlogin_nsswitch_use_ldap',` +- files_list_var_lib(nsswitch_domain) ++ allow nsswitch_domain self:tcp_socket create_socket_perms; ++') ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ corenet_tcp_sendrecv_generic_if(nsswitch_domain) ++ corenet_tcp_sendrecv_generic_node(nsswitch_domain) ++ corenet_tcp_sendrecv_ldap_port(nsswitch_domain) ++ corenet_tcp_connect_ldap_port(nsswitch_domain) ++ corenet_sendrecv_ldap_client_packets(nsswitch_domain) ++') ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ # Support for LDAPS ++ dev_read_rand(nsswitch_domain) ++ # LDAP Configuration using encrypted requires ++ dev_read_urand(nsswitch_domain) ++ sysnet_read_config(nsswitch_domain) ++') +tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) - sysnet_use_ldap(nsswitch_domain) +- sysnet_use_ldap(nsswitch_domain) ') optional_policy(` @@ -29191,10 +29211,11 @@ index 104037e..cc09db4 100644 + +optional_policy(` + tunable_policy(`authlogin_nsswitch_use_ldap',` ++ ldap_read_certs(nsswitch_domain) ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +480,7 @@ optional_policy(` +@@ -438,6 +501,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -29202,7 +29223,7 @@ index 104037e..cc09db4 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +499,145 @@ optional_policy(` +@@ -456,10 +520,145 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) 
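Review bot: The four separate ``tunable_policy(`authlogin_nsswitch_use_ldap',` `` blocks that replace `sysnet_use_ldap(nsswitch_domain)` carry no comment saying why the interface is no longer called, so a later cleanup is likely to fold them back into the single call and hit the build error the commit message describes. A comment above the first block, `# inlined from sysnet_use_ldap(): that interface now contains optional_policy(), which cannot be nested inside tunable_policy()`, keeps the reason next to the rules. The blocks are all gated on the same boolean and could be one tunable_policy() block, which also makes this hand-maintained copy easier to compare against sysnet_use_ldap() in sysnetwork.if whenever that interface changes.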
@@ -39275,7 +39296,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..07fa942 100644 +index 6944526..50b1c3c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39571,15 +39592,18 @@ index 6944526..07fa942 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +904,11 @@ interface(`sysnet_use_ldap',` +@@ -730,9 +901,14 @@ interface(`sysnet_use_ldap',` + + # Support for LDAPS + dev_read_rand($1) ++ # LDAP Configuration using encrypted requires dev_read_urand($1) sysnet_read_config($1) + -+ # LDAP Configuration using encrypted requires -+ dev_read_urand($1) -+ -+ ldap_read_certs($1) ++ optional_policy(` ++ ldap_read_certs($1) ++ ') ') ######################################## diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 66de755..3873d91 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -21943,7 +21943,7 @@ index c697edb..31d45bf 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index c93c3db..cdb4d60 100644 +index c93c3db..5d61f10 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) 
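Review bot: Wrapping `ldap_read_certs($1)` in `optional_policy(` inside sysnet_use_ldap() means the interface can no longer be expanded from within a tunable_policy() block — the reason this commit inlines its body in authlogin.te and dhcp.te — and any other caller still using it under a boolean will now fail to build. The interface's doc header starts outside the hunk and should record that restriction, for example `## <p>Contains an optional_policy() block: do not call from inside tunable_policy().</p>`. The moved comment `# LDAP Configuration using encrypted requires` is also an unfinished sentence; `# encrypted LDAP (LDAPS/TLS) connections need urandom` states what dev_read_urand() is for.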
@@ -21972,23 +21972,39 @@ index c93c3db..cdb4d60 100644 files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) -@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t) +@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t) logging_send_syslog_msg(dhcpd_t) -miscfiles_read_localization(dhcpd_t) - ++sysnet_read_config(dhcpd_t) sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) - ') + userdom_dontaudit_search_user_home_dirs(dhcpd_t) -+ifdef(`distro_gentoo',` -+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; + tunable_policy(`dhcpd_use_ldap',` +- sysnet_use_ldap(dhcpd_t) ++ allow dhcpd_t self:tcp_socket create_socket_perms; ++') ++ ++tunable_policy(`dhcpd_use_ldap',` ++ corenet_tcp_sendrecv_generic_if(dhcpd_t) ++ corenet_tcp_sendrecv_generic_node(dhcpd_t) ++ corenet_tcp_sendrecv_ldap_port(dhcpd_t) ++ corenet_tcp_connect_ldap_port(dhcpd_t) ++ corenet_sendrecv_ldap_client_packets(dhcpd_t) ++') ++ ++tunable_policy(`dhcpd_use_ldap',` ++ ldap_read_certs(dhcpd_t) +') + ++ifdef(`distro_gentoo',` ++ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; + ') + optional_policy(` + # used for dynamic DNS bind_read_dnssec_keys(dhcpd_t) @@ -46493,15 +46509,17 @@ index c97c177..9411154 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..cb2791a 100644 +index f42896c..36b363c 100644 --- a/mta.fc 
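Review bot: The new ``tunable_policy(`dhcpd_use_ldap',` `` block calls `ldap_read_certs(dhcpd_t)` directly, while the authlogin.te hunk in this same commit wraps the equivalent block in `optional_policy(`; without the wrapper the dhcp module's build depends on the ldap interfaces being present, and the two call sites disagree on style. Wrapping it the same way — `optional_policy(` around ``tunable_policy(`dhcpd_use_ldap',` `` and `ldap_read_certs(dhcpd_t)` with the matching closers — keeps dhcp buildable when ldap is absent. The inlined rules also drop the `dev_read_rand()`/`dev_read_urand()` that sysnet_use_ldap() granted under the boolean (visible in the sysnetwork.if hunk), so LDAPS for dhcpd may now be denied unless those are granted elsewhere in dhcp.te, which this hunk does not show.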
+++ b/mta.fc -@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +@@ -1,34 +1,44 @@ +-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) @@ -46523,10 +46541,10 @@ index f42896c..cb2791a 100644 +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) +') + -+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -46554,7 +46572,7 @@ index f42896c..cb2791a 100644 -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..e968c28 100644 +index ed81cac..8f217ea 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ 
@@ -47494,7 +47512,7 @@ index ed81cac..e968c28 100644 ## ## ## -@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -47621,6 +47639,7 @@ index ed81cac..e968c28 100644 + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue") +') + +######################################## @@ -47645,6 +47664,7 @@ index ed81cac..e968c28 100644 + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue") +') + +######################################## @@ -73581,10 +73601,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..8c49752 100644 +index 769d1fd..495cac4 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,134 @@ +@@ -1,96 +1,137 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -73634,7 +73654,7 @@ index 769d1fd..8c49752 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin }; ++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit signal_perms }; +allow neutron_t self:fifo_file rw_fifo_file_perms; 
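Review bot: The capability set on neutron_t now includes `dac_override` next to `sys_admin`, `sys_ptrace` and the new `net_raw`, and neither the hunk nor the changelog says which denied operation needed dac_override; because it bypasses every DAC permission check for the domain, a reader cannot tell whether it covers a genuine need, a misowned file that should be fixed instead, or a case where the narrower `dac_read_search` would do. A comment on the allow line naming the operation that was denied would make the grant reviewable later. If `net_raw` is intended for raw or packet sockets, the matching `self:rawip_socket` / `self:packet_socket` rules are not in this hunk; the capability alone does not permit those classes, so confirm they exist elsewhere in quantum.te.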
@@ -73648,39 +73668,38 @@ index 769d1fd..8c49752 100644 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) ++ ++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, file) -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -logging_log_filetrans(quantum_t, quantum_log_t, dir) -+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+files_tmp_filetrans(neutron_t, neutron_tmp_t, file) - --manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) --files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) ++can_exec(neutron_t, neutron_tmp_t) + -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) -+can_exec(neutron_t, neutron_tmp_t) - --can_exec(quantum_t, quantum_tmp_t) -+kernel_rw_kernel_sysctl(neutron_t) +kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) ++kernel_rw_kernel_sysctl(neutron_t) ++kernel_rw_net_sysctls(neutron_t) --kernel_read_kernel_sysctls(quantum_t) --kernel_read_system_state(quantum_t) +-can_exec(quantum_t, quantum_tmp_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) 
+-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) @@ -73688,33 +73707,37 @@ index 769d1fd..8c49752 100644 +corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) --corenet_all_recvfrom_unlabeled(quantum_t) --corenet_all_recvfrom_netlabel(quantum_t) --corenet_tcp_sendrecv_generic_if(quantum_t) --corenet_tcp_sendrecv_generic_node(quantum_t) --corenet_tcp_sendrecv_all_ports(quantum_t) --corenet_tcp_bind_generic_node(quantum_t) +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +corenet_tcp_bind_neutron_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) +corenet_tcp_connect_osapi_compute_port(neutron_t) --dev_list_sysfs(quantum_t) --dev_read_urand(quantum_t) +-corenet_all_recvfrom_unlabeled(quantum_t) +-corenet_all_recvfrom_netlabel(quantum_t) +-corenet_tcp_sendrecv_generic_if(quantum_t) +-corenet_tcp_sendrecv_generic_node(quantum_t) +-corenet_tcp_sendrecv_all_ports(quantum_t) +-corenet_tcp_bind_generic_node(quantum_t) +domain_read_all_domains_state(neutron_t) +domain_named_filetrans(neutron_t) --files_read_usr_files(quantum_t) +-dev_list_sysfs(quantum_t) +-dev_read_urand(quantum_t) +dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) +dev_mounton_sysfs(neutron_t) +dev_mount_sysfs_fs(neutron_t) +dev_unmount_sysfs_fs(neutron_t) --auth_use_nsswitch(quantum_t) +-files_read_usr_files(quantum_t) +files_mounton_non_security(neutron_t) +-auth_use_nsswitch(quantum_t) ++fs_getattr_all_fs(neutron_t) + -libs_exec_ldconfig(quantum_t) +auth_use_nsswitch(neutron_t) 
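Review bot: `kernel_rw_net_sysctls(neutron_t)` is the only new grant in this hunk and it opens write access to the entire net sysctl tree with no note of which keys the agents set; a comment such as `# NOTE: presumably for per-namespace network setup — confirm which sysctls are actually written` would let a later reviewer judge whether the full-tree write is still required. The rest of the hunk only moves already-present quantum→neutron lines (`manage_files_pattern(neutron_t, neutron_tmp_t, ...)`, `kernel_rw_kernel_sysctl`), which buries the real addition; keeping the surrounding order stable in the vendored patch would make such grants easier to spot.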
@@ -73730,46 +73753,46 @@ index 769d1fd..8c49752 100644 +sysnet_exec_ifconfig(neutron_t) +sysnet_manage_ifconfig_run(neutron_t) +sysnet_filetrans_named_content_ifconfig(neutron_t) ++ ++optional_policy(` ++ brctl_domtrans(neutron_t) ++') optional_policy(` - brctl_domtrans(quantum_t) -+ brctl_domtrans(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_kill(neutron_t) ++ dnsmasq_read_state(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ dnsmasq_domtrans(neutron_t) -+ dnsmasq_signal(neutron_t) -+ dnsmasq_kill(neutron_t) -+ dnsmasq_read_state(neutron_t) ++ iptables_domtrans(neutron_t) +') - mysql_tcp_connect(quantum_t) +optional_policy(` -+ iptables_domtrans(neutron_t) - ') - - optional_policy(` -- postgresql_stream_connect(quantum_t) -- postgresql_unpriv_client(quantum_t) + mysql_stream_connect(neutron_t) + mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) + mysql_tcp_connect(neutron_t) -+') + ') -- postgresql_tcp_connect(quantum_t) -+optional_policy(` + optional_policy(` +- postgresql_stream_connect(quantum_t) +- postgresql_unpriv_client(quantum_t) + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) - ') -+ ++') + +- postgresql_tcp_connect(quantum_t) +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) -+') + ') + +optional_policy(` + sudo_exec(neutron_t) @@ -94435,10 +94458,10 @@ index 0000000..df82c36 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..3faae22 +index 0000000..159ae72 --- /dev/null +++ b/swift.te -@@ -0,0 +1,87 @@ +@@ -0,0 +1,89 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -94515,6 +94538,8 @@ index 0000000..3faae22 + +files_dontaudit_search_home(swift_t) + ++fs_getattr_all_fs(swift_t) ++ +auth_use_nsswitch(swift_t) + +libs_exec_ldconfig(swift_t) 
@@ -101566,7 +101591,7 @@ index 9dec06c..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..57af4d0 100644 +index 1f22fba..b1ba89c 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,209 @@ @@ -102420,7 +102445,7 @@ index 1f22fba..57af4d0 100644 tunable_policy(`virt_use_samba',` - fs_manage_cifs_files(virtd_t) -+ fs_manage_nfs_files(virtd_t) ++ fs_manage_cifs_dirs(virtd_t) fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') @@ -102763,9 +102788,9 @@ index 1f22fba..57af4d0 100644 +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; - -+ps_process_pattern(virsh_t, svirt_sandbox_domain) + ++ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) virt_domtrans(virsh_t) virt_manage_images(virsh_t) @@ -102845,10 +102870,10 @@ index 1f22fba..57af4d0 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -103045,12 +103070,12 @@ index 1f22fba..57af4d0 100644 +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -103416,10 +103441,10 @@ index 1f22fba..57af4d0 100644 +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(svirt_sandbox_file_t) ++ ++auth_use_nsswitch(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; -+auth_use_nsswitch(svirt_qemu_net_t) -+ +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 97c4076..b32d916 100644 
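Review bot: Replacing `fs_manage_nfs_files(virtd_t)` with `fs_manage_cifs_dirs(virtd_t)` under ``tunable_policy(`virt_use_samba',` `` is a behavioural correction — the samba boolean was granting NFS file management — but it is absent from the changelog, so an administrator who unknowingly relied on virt_use_samba for NFS-backed storage will get new denials after this update with nothing to point at. A changelog line such as `- virt_use_samba no longer grants NFS file access (copy/paste error); use virt_use_nfs for NFS` would make it visible. The tunable block's closing `')` is in the hunk but the surrounding virtd_t rules start outside it.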
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 157%{?dist} +Release: 158%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 25 2014 Lukas Vrabec 3.12.1-158 +- Fix bug in policy, needs back port to RHEL7/RHEL6 +- optional can not be used in boolean. But we want to call ldap_read_certs() in sysnet_use_ldap +- Add support for ~/.esmtp_queue directory +- Allow net_raw for neutron +- ALlow dac_override to neutron_t +- Allow neutron to r/w net sysctls +- Allow neutron to getattr on all filesystems +- Allow swift to getattr on all filesystems +- Clean up sysnet_use_ldap() + * Fri Apr 25 2014 Lukas Vrabec 3.12.1-157 - Added fprintd dontaudit tmp dirs rule - Add interface to allow tools to check the processes state of bind/named