From c1c5a5613810cb493a7b2be3e397a06111336b93 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jan 16 2012 13:11:10 +0000 Subject: - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen - Allow xguest execmod on execmem_exec_t - Dontaudit X domains trying to access dri device in a sandbox --- diff --git a/policy-F16.patch b/policy-F16.patch index 2475a02..ad6b068 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4771,10 +4771,10 @@ index 0000000..5901e21 +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..1553356 +index 0000000..a03aec4 --- /dev/null +++ b/policy/modules/apps/chrome.if -@@ -0,0 +1,133 @@ +@@ -0,0 +1,137 @@ + +## policy for chrome + @@ -4889,6 +4889,10 @@ index 0000000..1553356 +interface(`chrome_role',` + chrome_role_notrans($1, $2) + chrome_domtrans_sandbox($2) ++ ++ optional_policy(` ++ execmem_execmod($2) ++ ') +') + +######################################## @@ -10658,10 +10662,10 @@ index 0000000..809784d +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..5e75113 +index 0000000..a53f663 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,488 @@ +@@ -0,0 +1,489 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -10871,6 +10875,7 @@ index 0000000..5e75113 +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) +dev_read_sysfs(sandbox_x_domain) ++dev_dontaudit_rw_dri(sandbox_x_domain) + +files_search_home(sandbox_x_domain) +files_dontaudit_list_all_mountpoints(sandbox_x_domain) @@ -14751,7 +14756,7 @@ index 6cf8784..fa24001 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) 
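Review bot: The new `execmem_execmod($2)` call sits inside `chrome_role`, so every domain passed as `$2` receives it, while the changelog entry describes the grant as being for xguest only. If only xguest needs execmod on `execmem_exec_t`, the call would be narrower placed in the xguest policy. If every chrome user needs it, a comment above the `optional_policy` block such as `# chrome needs execmod on execmem_exec_t; granted to every caller of chrome_role` would record that the wider scope is intended. The callers of `chrome_role` are outside this hunk, so the set of affected domains could not be checked here.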
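Review bot: `dev_dontaudit_rw_dri(sandbox_x_domain)` is added to sandbox.te without a comment, and a dontaudit rule removes the AVC record that would otherwise show a sandboxed X client touching the dri device. Access stays denied, but the denial is no longer logged for any type carrying the `sandbox_x_domain` attribute, which also hides it from anyone reviewing audit logs for unexpected sandbox behaviour. A line above the call such as `# dri access by sandboxed X apps stays denied; only the audit noise is suppressed` would tell a later reader that the silence is deliberate.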
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..d29862e 100644 +index f820f3b..a0e6bde 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -15257,7 +15262,15 @@ index f820f3b..d29862e 100644 ## Search the sysfs directories. ## ## -@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',` + type sysfs_t; + ') + ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) + list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + +@@ -3902,25 +4177,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -15283,7 +15296,7 @@ index f820f3b..d29862e 100644 ## Read hardware state information. ## ## -@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',` +@@ -3972,6 +4228,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -15326,7 +15339,7 @@ index f820f3b..d29862e 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4361,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -15352,7 +15365,7 @@ index f820f3b..d29862e 100644 ## Getattr generic the USB devices. ## ## -@@ -4103,6 +4413,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4103,6 +4414,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') @@ -15377,7 +15390,7 @@ index f820f3b..d29862e 100644 ######################################## ## ## Read generic the USB devices. -@@ -4495,6 +4823,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4824,24 @@ interface(`dev_rw_vhost',` ######################################## ## 
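Review bot: `dev_list_sysfs` now also grants `read_lnk_files_pattern($1, sysfs_t, sysfs_t)`, so every existing caller of a list-only interface gains symlink read on sysfs. The interface's `##` summary block is not touched by this hunk, so it presumably still describes listing only. The summary should name the extra permission, for example `## List the contents of the sysfs directories and read symbolic links in them.`, so that callers picking this interface for least privilege know what it grants. The interface header starts above the hunk.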
@@ -15402,7 +15415,7 @@ index f820f3b..d29862e 100644 ## Read and write VMWare devices. ## ## -@@ -4695,6 +5041,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4695,6 +5042,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -15429,7 +15442,7 @@ index f820f3b..d29862e 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5150,822 @@ interface(`dev_unconfined',` +@@ -4784,3 +5151,822 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -24612,10 +24625,18 @@ index 0370dba..af5d229 100644 # interface(`aisexec_domtrans',` diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te -index 64953f7..99a750b 100644 +index 64953f7..244259f 100644 --- a/policy/modules/services/aisexec.te +++ b/policy/modules/services/aisexec.te -@@ -89,6 +89,10 @@ optional_policy(` +@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) + kernel_read_system_state(aisexec_t) + + corecmd_exec_bin(aisexec_t) ++corecmd_exec_shell(aisexec_t) + + corenet_udp_bind_netsupport_port(aisexec_t) + corenet_tcp_bind_reserved_port(aisexec_t) +@@ -89,6 +90,10 @@ optional_policy(` ') optional_policy(` @@ -30046,10 +30067,10 @@ index 0000000..6451167 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..e1974d3 +index 0000000..f772371 --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,223 @@ +@@ -0,0 +1,225 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -30122,6 +30143,8 @@ index 0000000..e1974d3 +# deltacloudd local policy +# + ++allow deltacloudd_t self:capability { dac_override setuid setgid }; ++ +allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms; +allow deltacloudd_t self:udp_socket create_socket_perms; + @@ -35042,7 +35065,7 @@ index 5e2cea8..7a18800 100644 + dhcpd_systemctl($1) ') 
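Review bot: `corecmd_exec_shell(aisexec_t)` in aisexec.te lets aisexec run a shell with no domain transition, so the shell and anything it starts keep the full `aisexec_t` permission set, including the reserved-port bind visible in this hunk's context. The line carries no comment saying which aisexec code path needs a shell. I would add one above it, e.g. `# aisexec runs helper scripts through the shell; they stay in aisexec_t`. If a single known script is involved, giving that script its own type with a transition would be narrower than allowing the shell in this domain.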
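Review bot: `dac_override` in `allow deltacloudd_t self:capability { dac_override setuid setgid };` lets the daemon bypass file mode and ownership checks, and the same capability is added to `dhcpd_t` in the dhcp.te hunk further down. A `dac_override` denial is often caused by a root daemon opening a file or directory whose mode bits do not include root. In that case correcting the ownership or mode, or granting only `dac_read_search` when the access is a read or search, removes the need for the capability. If it is required, a comment naming the path from the AVC, e.g. `# needs dac_override for <path from the AVC>`, would make both grants reviewable later.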
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te -index d4424ad..f90959a 100644 +index d4424ad..5d01064 100644 --- a/policy/modules/services/dhcp.te +++ b/policy/modules/services/dhcp.te @@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -35060,7 +35083,7 @@ index d4424ad..f90959a 100644 # -allow dhcpd_t self:capability { net_raw sys_resource }; -+allow dhcpd_t self:capability { sys_chroot net_raw setgid setuid sys_resource }; ++allow dhcpd_t self:capability { dac_override sys_chroot net_raw setgid setuid sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; -allow dhcpd_t self:process signal_perms; +allow dhcpd_t self:process { getcap setcap signal_perms }; @@ -43284,10 +43307,10 @@ index 0000000..0d771fd +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..215407c +index 0000000..ea433bd --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,97 @@ +policy_module(matahari,1.0.0) + +######################################## @@ -43318,8 +43341,6 @@ index 0000000..215407c + +allow matahari_hostd_t self:capability sys_ptrace; + -+kernel_read_network_state(matahari_hostd_t) -+ +dev_read_sysfs(matahari_hostd_t) +dev_rw_mtrr(matahari_hostd_t) + @@ -43345,16 +43366,13 @@ index 0000000..215407c +# +# matahari_serviced local policy +# -+allow matahari_serviced_t self:process setpgid; + -+kernel_read_network_state(matahari_serviced_t) ++allow matahari_serviced_t self:process setpgid; + +dev_read_sysfs(matahari_serviced_t) + +domain_use_interactive_fds(matahari_serviced_t) + -+files_read_etc_runtime_files(matahari_serviced_t) -+ +init_domtrans_script(matahari_serviced_t) + +systemd_config_all_services(matahari_serviced_t) 
@@ -43376,12 +43394,14 @@ index 0000000..215407c +allow matahari_domain self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(matahari_domain) ++kernel_read_network_state(matahari_domain) + +corenet_tcp_connect_matahari_port(matahari_domain) + +dev_read_urand(matahari_domain) + +files_read_etc_files(matahari_domain) ++files_read_etc_runtime_files(matahari_domain) + +logging_send_syslog_msg(matahari_domain) + @@ -60012,7 +60032,7 @@ index 22adaca..9001bca 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..02e70c9 100644 +index 2dad3c8..e411df0 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) @@ -60350,10 +60370,6 @@ index 2dad3c8..02e70c9 100644 - - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, userdomain) -- ') --',` -- optional_policy(` -- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to @@ -60374,6 +60390,10 @@ index 2dad3c8..02e70c9 100644 + # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; ') +-',` +- optional_policy(` +- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) +- ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. 
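Review bot: Moving `kernel_read_network_state` and `files_read_etc_runtime_files` onto `matahari_domain` widens both grants rather than only tidying them. Per the removed lines in the two preceding matahari.te hunks, `matahari_hostd_t` did not have `files_read_etc_runtime_files` before, and any other type carrying the `matahari_domain` attribute now receives both. The 3.10.0-72 changelog entry does not mention matahari. Either keep the rules on the two daemons that had them, or add a changelog line such as `- Allow all matahari domains to read network state and etc_runtime files` so the broadened access is recorded.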
@@ -60411,22 +60431,25 @@ index 2dad3c8..02e70c9 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,15 +422,91 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,9 +422,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_user_terminals(ssh_keygen_t) - optional_policy(` +-optional_policy(` - nscd_socket_use(ssh_keygen_t) -+ seutil_sigchld_newrole(ssh_keygen_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files(ssh_keygen_t) ++ fs_manage_nfs_dirs(ssh_keygen_t) ') optional_policy(` -- seutil_sigchld_newrole(ssh_keygen_t) -+ udev_read_db(ssh_keygen_t) +@@ -363,3 +436,82 @@ optional_policy(` + optional_policy(` + udev_read_db(ssh_keygen_t) ') - ++ +#################################### +# +# ssh_dyntransition domain local policy @@ -60436,8 +60459,7 @@ index 2dad3c8..02e70c9 100644 + +allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; + - optional_policy(` -- udev_read_db(ssh_keygen_t) ++optional_policy(` + ssh_rw_stream_sockets(ssh_dyntransition_domain) + ssh_rw_tcp_sockets(ssh_dyntransition_domain) +') @@ -60505,7 +60527,7 @@ index 2dad3c8..02e70c9 100644 + +optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) - ') ++') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if index 941380a..ce8c972 100644 --- a/policy/modules/services/sssd.if diff --git a/selinux-policy.spec b/selinux-policy.spec index 5eff3e4..c49e147 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 71%{?dist} +Release: 72%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
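Review bot: The new use_nfs_home_dirs tunable block gives `ssh_keygen_t` manage access to NFS files and directories, but there is no matching block for home directories on CIFS. ssh-keygen would presumably still be denied there when `use_samba_home_dirs` is enabled. If the rest of the policy pairs the two tunables for home-directory access, add the parallel block with `fs_manage_cifs_files(ssh_keygen_t)` and `fs_manage_cifs_dirs(ssh_keygen_t)`. A comment is also worth adding: NFS content shares one label, so with the boolean on the domain can manage anything on an NFS mount that DAC permits, not only the user's `.ssh` directory.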
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 16 2012 Miroslav Grepl 3.10.0-72 +- Allow deltacloudd dac_override, setuid, setgid caps +- Allow aisexec to execute shell +- Add use_nfs_home_dirs boolean for ssh-keygen +- Allow xguest execmod on execmem_exec_t +- Dontaudit X domains trying to access dri device in a sandbox + * Wed Jan 4 2012 Miroslav Grepl 3.10.0-71 - New fix for seunshare, requires seunshare_domains to be able to mounton /