From c4631256709fb9ba0cfdba622fb613396abfdbd2 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 24 2013 20:59:50 +0000 Subject: - Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example - Allow cobbler to execute apache with domain transition --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 26a665e..5de1404 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -20635,7 +20635,7 @@ index 5fc0391..994eec2 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..156a29f 100644 +index d1f64a0..8f50bb9 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -20725,7 +20725,7 @@ index d1f64a0..156a29f 100644 + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -+/usr/bin/razor-lightdm-* -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -30922,7 +30922,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') 
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..5c935e3 100644 +index e8c59a5..d2df072 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -30984,17 +30984,17 @@ index e8c59a5..5c935e3 100644 corenet_all_recvfrom_netlabel(clvmd_t) corenet_tcp_sendrecv_generic_if(clvmd_t) corenet_udp_sendrecv_generic_if(clvmd_t) -@@ -120,9 +129,7 @@ init_dontaudit_getattr_initctl(clvmd_t) +@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t) logging_send_syslog_msg(clvmd_t) -miscfiles_read_localization(clvmd_t) - +- -seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) seutil_read_config(clvmd_t) seutil_read_file_contexts(clvmd_t) -@@ -141,6 +148,11 @@ ifdef(`distro_redhat',` +@@ -141,6 +147,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -31006,7 +31006,7 @@ index e8c59a5..5c935e3 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; 
@@ -31014,17 +31014,19 @@ index e8c59a5..5c935e3 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -179,6 +192,9 @@ allow lvm_t self:sem create_sem_perms; +@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms; allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; +allow lvm_t lvm_unit_file_t:file manage_file_perms; +systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file) ++systemd_create_unit_file_dirs(lvm_t) ++systemd_create_unit_file_lnk(lvm_t) + manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) -@@ -191,10 +207,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -31037,7 +31039,7 @@ index e8c59a5..5c935e3 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +220,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -31049,7 +31051,7 @@ index e8c59a5..5c935e3 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +240,7 @@ kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) 
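Review bot: The new `systemd_create_unit_file_dirs(lvm_t)` and `systemd_create_unit_file_lnk(lvm_t)` lines grant lvm_t create access on the generic systemd_unit_file_t type, whereas the `systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)` line just above them keeps the files lvm_t creates under its own lvm_unit_file_t. Directories and symlinks that lvm_t creates in /usr/lib/systemd/system therefore carry the generic unit type, and since systemd treats symlinks there as unit aliases, this is wider than "create default targets" needs and the objects are no longer attributable to lvm. A narrower form, reusing the filetrans interface whose class argument is visible in the systemd.if hunk, would be `systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, { dir lnk_file })`, `manage_dirs_pattern(lvm_t, lvm_unit_file_t, lvm_unit_file_t)` and `manage_lnk_files_pattern(lvm_t, lvm_unit_file_t, lvm_unit_file_t)`. The same concern applies to the two new interfaces in the systemd.if hunk (@@ -35782), which hard-code systemd_unit_file_t as the created type instead of taking a per-domain type. The lvm_t section of lvm.te continues outside this hunk.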
@@ -31057,7 +31059,7 @@ index e8c59a5..5c935e3 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +251,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -31072,7 +31074,7 @@ index e8c59a5..5c935e3 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +269,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -31080,7 +31082,7 @@ index e8c59a5..5c935e3 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +279,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -31103,7 +31105,7 @@ index e8c59a5..5c935e3 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +313,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -31112,7 +31114,7 @@ index e8c59a5..5c935e3 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +321,22 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -31136,7 +31138,7 @@ index e8c59a5..5c935e3 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +348,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +349,11 @@ ifdef(`distro_redhat',` ') optional_policy(` 
@@ -31148,7 +31150,7 @@ index e8c59a5..5c935e3 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +373,26 @@ optional_policy(` +@@ -333,14 +374,26 @@ optional_policy(` ') optional_policy(` @@ -31590,7 +31592,7 @@ index 7449974..6375786 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a49e28..1d374a0 100644 +index 7a49e28..de1dcdd 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) @@ -31730,10 +31732,12 @@ index 7a49e28..1d374a0 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -151,30 +162,37 @@ files_read_etc_runtime_files(insmod_t) +@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) files_exec_etc_files(insmod_t) ++# users installing vbox put kernel modules in /var/lib ++files_read_var_lib_files(insmod_t) +files_read_kernel_symbol_table(insmod_t) # for nscd: files_dontaudit_search_pids(insmod_t) @@ -31762,7 +31766,7 @@ index 7a49e28..1d374a0 100644 logging_search_logs(insmod_t) -miscfiles_read_localization(insmod_t) - +- seutil_read_file_contexts(insmod_t) -userdom_use_user_terminals(insmod_t) @@ -31771,7 +31775,7 @@ index 7a49e28..1d374a0 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +202,33 @@ optional_policy(` +@@ -184,28 +203,33 @@ optional_policy(` ') optional_policy(` 
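Review bot: `files_read_var_lib_files(insmod_t)` grants insmod_t read on every file of the generic var_lib_t type, not just one module directory, while the comment above it says the motivation is users dropping kernel modules into /var/lib. Since insmod_t is the domain that loads code into the kernel, the property worth keeping narrow is which file types it can load from, and this rule widens that set to all generic /var/lib content in one step. A tighter option is a dedicated file context for the vbox module directory with its own read interface, or wrapping the rule in a `tunable_policy` boolean that is off by default; at minimum the comment should name the directory it is meant for, e.g. `# users installing vbox put kernel modules in /var/lib/<vbox module dir — TODO confirm path>`. The insmod_t section continues outside this hunk.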
@@ -31795,24 +31799,24 @@ index 7a49e28..1d374a0 100644 optional_policy(` - mount_domtrans(insmod_t) + hal_write_log(insmod_t) -+') -+ -+optional_policy(` -+ hotplug_search_config(insmod_t) ') optional_policy(` - nis_use_ypbind(insmod_t) -+ kdump_manage_kdumpctl_tmp_files(insmod_t) ++ hotplug_search_config(insmod_t) ') optional_policy(` - nscd_use(insmod_t) ++ kdump_manage_kdumpctl_tmp_files(insmod_t) ++') ++ ++optional_policy(` + mount_domtrans(insmod_t) ') optional_policy(` -@@ -225,6 +248,7 @@ optional_policy(` +@@ -225,6 +249,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -31820,7 +31824,7 @@ index 7a49e28..1d374a0 100644 ') optional_policy(` -@@ -233,6 +257,10 @@ optional_policy(` +@@ -233,6 +258,10 @@ optional_policy(` ') optional_policy(` @@ -31831,7 +31835,7 @@ index 7a49e28..1d374a0 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -34897,10 +34901,10 @@ index 0000000..4e12420 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..2e5b822 +index 0000000..6862d53 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1195 @@ +@@ -0,0 +1,1231 @@ +## SELinux policy for systemd components + +###################################### 
@@ -35782,6 +35786,42 @@ index 0000000..2e5b822 + filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4) +') + ++####################################### ++## ++## Create a directory in the /usr/lib/systemd/system directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_create_unit_file_dirs',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t) ++') ++ ++####################################### ++## ++## Create a link in the /usr/lib/systemd/system directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_create_unit_file_lnk',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t) ++') ++ +######################################## +## +## Transition to systemd named content diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 7033d16..25a1ae2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -11978,7 +11978,7 @@ index c223f81..3bcdf6a 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..4218733 100644 +index 2a71346..9f877a1 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -11998,7 +11998,13 @@ index 2a71346..4218733 100644 corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) -@@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t) +@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) + corenet_tcp_connect_http_port(cobblerd_t) + corenet_sendrecv_http_client_packets(cobblerd_t) + ++dev_read_sysfs(cobblerd_t) + dev_read_urand(cobblerd_t) + files_list_boot(cobblerd_t) files_list_tmp(cobblerd_t) files_read_boot_files(cobblerd_t) 
@@ -12008,7 +12014,7 @@ index 2a71346..4218733 100644 fs_getattr_all_fs(cobblerd_t) fs_read_iso9660_files(cobblerd_t) -@@ -128,6 +127,8 @@ selinux_get_enforce_mode(cobblerd_t) +@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t) term_use_console(cobblerd_t) @@ -12017,7 +12023,15 @@ index 2a71346..4218733 100644 logging_send_syslog_msg(cobblerd_t) miscfiles_read_localization(cobblerd_t) -@@ -188,17 +189,20 @@ optional_policy(` +@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',` + ') + + optional_policy(` ++ apache_domtrans(cobblerd_t) + apache_search_sys_content(cobblerd_t) + ') + +@@ -188,17 +191,20 @@ optional_policy(` ') optional_policy(` @@ -16397,10 +16411,18 @@ index b25b01d..4f7d237 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..1d0337a 100644 +index 6ce66e7..f2a7a61 100644 --- a/ctdb.te +++ b/ctdb.te -@@ -85,12 +85,10 @@ dev_read_urand(ctdbd_t) +@@ -75,6 +75,7 @@ corenet_tcp_bind_generic_node(ctdbd_t) + + corenet_sendrecv_ctdb_server_packets(ctdbd_t) + corenet_tcp_bind_ctdb_port(ctdbd_t) ++corenet_udp_bind_ctdb_port(ctdbd_t) + corenet_tcp_sendrecv_ctdb_port(ctdbd_t) + + corecmd_exec_bin(ctdbd_t) +@@ -85,12 +86,10 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -16413,7 +16435,7 @@ index 6ce66e7..1d0337a 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +107,7 @@ optional_policy(` +@@ -109,6 +108,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -29834,10 +29856,18 @@ index 57304e4..46e5e3d 100644 optional_policy(` tgtd_manage_semaphores(iscsid_t) diff --git a/isns.te b/isns.te -index bc11034..e393434 100644 +index bc11034..107ed2f 100644 --- a/isns.te 
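Review bot: `corenet_udp_bind_ctdb_port(ctdbd_t)` is added beside the TCP rules, but nothing in this diff shows udp/4379 being declared for ctdb_port_t in corenetwork; that interface only exists once the port has a udp declaration, so if the corenetwork change lives elsewhere the build will fail on an undefined interface (hedged: the base patch hunks in this diff do not touch corenetwork). If this policy version still enforces per-port sendrecv rules, as the existing `corenet_tcp_sendrecv_ctdb_port(ctdbd_t)` line suggests, the UDP side should get the matching `corenet_udp_sendrecv_ctdb_port(ctdbd_t)` after the new line, otherwise the daemon binds the port and is then denied on traffic. The ctdbd_t section continues outside this hunk.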
+++ b/isns.te -@@ -46,8 +46,6 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) + allow isnsd_t self:capability kill; + allow isnsd_t self:process signal; + allow isnsd_t self:fifo_file rw_fifo_file_perms; ++allow isnsd_t self:tcp_socket { listen }; + allow isnsd_t self:udp_socket { accept listen }; + allow isnsd_t self:unix_stream_socket { accept listen }; + +@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) @@ -37659,10 +37689,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..bb33a48 100644 +index 6ffaba2..99d4eeb 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,65 @@ +@@ -1,38 +1,66 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -37702,6 +37732,7 @@ index 6ffaba2..bb33a48 100644 +HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + @@ -37763,7 +37794,7 @@ index 6ffaba2..bb33a48 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..af1201e 100644 +index 6194b80..5fe7031 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ 
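Review bot: The new `allow isnsd_t self:tcp_socket { listen };` grants listen but not accept, so a listening iSNS TCP server will hit the next denial on accept() as soon as a client connects; unless accept is already granted outside this hunk, the line should be `allow isnsd_t self:tcp_socket { accept listen };` (the braces are also unnecessary for a single permission). The pre-existing `allow isnsd_t self:udp_socket { accept listen };` line right above it grants permissions that only make sense for stream sockets, which suggests the original rule was written against the wrong socket class and is what this change is really working around; it may be worth correcting that line in the same commit rather than leaving both. The isnsd_t section continues outside this hunk.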
@@ -38402,7 +38433,7 @@ index 6194b80..af1201e 100644 ## ## ## -@@ -530,45 +448,52 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -38471,6 +38502,7 @@ index 6194b80..af1201e 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") @@ -44432,7 +44464,7 @@ index 0e8508c..0b68b86 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..eac844a 100644 +index 0b48a30..c71f8e5 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -44581,7 +44613,7 @@ index 0b48a30..eac844a 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -44594,11 +44626,12 @@ index 0b48a30..eac844a 100644 +files_read_etc_runtime_files(NetworkManager_t) +files_read_system_conf_files(NetworkManager_t) +files_read_usr_src_files(NetworkManager_t) ++files_read_isid_type_files(NetworkManager_t) + storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) 
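Review bot: `files_read_isid_type_files(NetworkManager_t)` lets NetworkManager read every file_t object, and file_t is the type of any unlabeled file — including files on local filesystems whose labels were lost — not only the removable media the commit message describes. Since the stated use case is importing keys from an unlabeled USB stick, consider putting the rule under a `tunable_policy` boolean that is off by default, or at least recording the rationale inline, e.g. `# read unlabeled (file_t) media so keys can be imported from an unlabeled USB stick`. As written, the next reader sees only a broad read rule on unlabeled content with no hint of why. The NetworkManager_t section continues outside this hunk.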
@@ -44611,7 +44644,7 @@ index 0b48a30..eac844a 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -44648,7 +44681,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -196,10 +222,6 @@ optional_policy(` +@@ -196,10 +223,6 @@ optional_policy(` ') optional_policy(` @@ -44659,7 +44692,7 @@ index 0b48a30..eac844a 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +232,11 @@ optional_policy(` +@@ -210,16 +233,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -44678,7 +44711,7 @@ index 0b48a30..eac844a 100644 ') ') -@@ -231,18 +248,19 @@ optional_policy(` +@@ -231,18 +249,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -44701,7 +44734,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -250,6 +268,10 @@ optional_policy(` +@@ -250,6 +269,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -44712,7 +44745,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -257,11 +279,10 @@ optional_policy(` +@@ -257,11 +280,10 @@ optional_policy(` ') optional_policy(` @@ -44728,7 +44761,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -274,10 +295,17 @@ optional_policy(` +@@ -274,10 +296,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -44746,7 +44779,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -289,6 +317,7 @@ optional_policy(` +@@ -289,6 +318,7 @@ optional_policy(` ') optional_policy(` 
@@ -44754,7 +44787,7 @@ index 0b48a30..eac844a 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +325,7 @@ optional_policy(` +@@ -296,7 +326,7 @@ optional_policy(` ') optional_policy(` @@ -44763,7 +44796,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -307,6 +336,7 @@ optional_policy(` +@@ -307,6 +337,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -44771,7 +44804,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -320,13 +350,19 @@ optional_policy(` +@@ -320,13 +351,19 @@ optional_policy(` ') optional_policy(` @@ -44795,7 +44828,7 @@ index 0b48a30..eac844a 100644 ') optional_policy(` -@@ -356,6 +392,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -51947,10 +51980,10 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..9515043 100644 +index dfd46e4..173813f 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,12 @@ +@@ -1,15 +1,15 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - @@ -51972,6 +52005,9 @@ index dfd46e4..9515043 100644 +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++ ++#openlmi agents ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -52073,7 +52109,7 @@ index d2fc677..ded726f 100644 ') + 
diff --git a/pegasus.te b/pegasus.te -index 7bcf327..ebc50dc 100644 +index 7bcf327..fa856e9 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -52161,7 +52197,8 @@ index 7bcf327..ebc50dc 100644 allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; dontaudit pegasus_t self:capability sys_tty_config; - allow pegasus_t self:process signal; +-allow pegasus_t self:process signal; ++allow pegasus_t self:process { setsched signal }; allow pegasus_t self:fifo_file rw_fifo_file_perms; -allow pegasus_t self:unix_stream_socket { connectto accept listen }; -allow pegasus_t self:tcp_socket { accept listen }; 
@@ -52316,6 +52353,176 @@ index 7bcf327..ebc50dc 100644 ') optional_policy(` +diff --git a/pesign.fc b/pesign.fc +new file mode 100644 +index 0000000..7b54c39 +--- /dev/null ++++ b/pesign.fc +@@ -0,0 +1,6 @@ ++/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0) ++ ++/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0) ++ ++/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0) ++/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) +diff --git a/pesign.if b/pesign.if +new file mode 100644 +index 0000000..c20674c +--- /dev/null ++++ b/pesign.if +@@ -0,0 +1,103 @@ ++ ++## pesign utility for signing UEFI binaries as well as other associated tools ++ ++######################################## ++## ++## Execute TEMPLATE in the pesign domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pesign_domtrans',` ++ gen_require(` ++ type pesign_t, pesign_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, pesign_exec_t, pesign_t) ++') ++######################################## ++## ++## Read pesign PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pesign_read_pid_files',` ++ gen_require(` ++ type pesign_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t) ++') ++ ++######################################## ++## ++## Execute pesign server in the pesign domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`pesign_systemctl',` ++ gen_require(` ++ type pesign_t; ++ type pesign_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 pesign_unit_file_t:file read_file_perms; ++ allow $1 pesign_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, pesign_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pesign environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`pesign_admin',` ++ gen_require(` ++ type pesign_t; ++ type pesign_var_run_t; ++ type pesign_unit_file_t; ++ ') ++ ++ allow $1 pesign_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pesign_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, pesign_var_run_t) ++ ++ pesign_systemctl($1) ++ admin_pattern($1, pesign_unit_file_t) ++ allow $1 pesign_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/pesign.te b/pesign.te +new file mode 100644 +index 0000000..513887d +--- /dev/null ++++ b/pesign.te +@@ -0,0 +1,43 @@ ++policy_module(pesign, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type pesign_t; ++type pesign_exec_t; ++init_daemon_domain(pesign_t, pesign_exec_t) ++ ++type pesign_var_run_t; ++files_pid_file(pesign_var_run_t) ++ ++type pesign_unit_file_t; ++systemd_unit_file(pesign_unit_file_t) ++ ++######################################## ++# ++# pesign local policy ++# ++ ++allow pesign_t self:capability { setgid setuid }; ++allow pesign_t self:process setsched; ++allow pesign_t self:fifo_file rw_fifo_file_perms; ++allow pesign_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t) ++manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t) 
++manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t) ++manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t) ++files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir }) ++ ++dev_read_urand(pesign_t) ++ ++files_dontaudit_list_tmp(pesign_t) ++ ++auth_use_nsswitch(pesign_t) ++ ++logging_send_syslog_msg(pesign_t) ++ ++miscfiles_read_certs(pesign_t) ++miscfiles_read_localization(pesign_t) diff --git a/pingd.if b/pingd.if index 21a6ecb..b99e4cb 100644 --- a/pingd.if @@ -75845,7 +76052,7 @@ index 98c9e0a..df51942 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..bc26091 100644 +index 4a23d84..49c7362 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3) @@ -75875,7 +76082,7 @@ index 4a23d84..bc26091 100644 corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain) -@@ -44,12 +37,6 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) +@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) dev_read_sysfs(sblim_domain) @@ -75888,6 +76095,15 @@ index 4a23d84..bc26091 100644 ######################################## # # Gatherd local policy + # + +-allow sblim_gatherd_t self:capability dac_override; +-allow sblim_gatherd_t self:process signal; ++allow sblim_gatherd_t self:capability { dac_override sys_nice }; ++allow sblim_gatherd_t self:process { setsched signal }; + allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; + allow sblim_gatherd_t self:unix_stream_socket { accept listen }; + @@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 18c4861..4571417 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
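Review bot: pesign.if calls two differently spelled interfaces for the same thing — `systemd_read_fifo_file_password_run($1)` in `pesign_systemctl` and `systemd_read_fifo_file_passwd_run($1)` in `pesign_admin`; only one of them can be declared in systemd.if, and an undefined interface name is left unexpanded by m4 and breaks the build (the `optional_policy` wrapper around the second call does not protect against a misspelled name). Check systemd.if for the declared spelling and make both calls use it. Separately, the interface docs carry template leftovers: `pesign_domtrans` is described as "Execute TEMPLATE in the pesign domin", `pesign_systemctl` as "Execute pesign server in the pesign domain" although it only reads the unit file and manages the service, and `pesign_admin` says "an pesign environment"; suggested text is `Execute pesign in the pesign domain.`, `Read the pesign unit file and manage the pesign service via systemctl.` and `a pesign environment`.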
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 55%{?dist} +Release: 56%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -535,6 +535,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jun 24 2013 Miroslav Grepl 3.12.1-56 +- Allow lvm_t to create default targets for filesystem handling +- Fix labeling for razor-lightdm binaries +- Allow insmod_t to read any file labeled var_lib_t +- Add policy for pesign +- Activate policy for cmpiLMI_Account-cimprovagt +- Allow isnsd syscall=listen +- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler +- Allow ctdbd to use udp/4379 +- gatherd wants sys_nice and setsched +- Add support for texlive2012 +- Allow NM to read file_t (usb stick with no labels used to transfer keys for example) +- Allow cobbler to execute apache with domain transition + * Fri Jun 21 2013 Miroslav Grepl 3.12.1-55 - condor_collector uses tcp/9000 - Label /usr/sbin/virtlockd as virtd_exec_t for now