From c9ca0a09c6e52f65c3e637b263dc1030f702f08b Mon Sep 17 00:00:00 2001 From: rhatdan Date: Oct 11 2012 17:21:49 +0000 Subject: Merge branch 'f18' of ssh://pkgs.fedoraproject.org/selinux-policy into f18 --- diff --git a/policy-rawhide.patch b/policy-rawhide.patch index b3a78dd..9978ecb 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -108181,10 +108181,10 @@ index 0960199..aa51ab2 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..7baf533 100644 +index d9fce57..8ae7673 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,99 @@ attribute sudodomain; +@@ -7,3 +7,100 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -108272,6 +108272,7 @@ index d9fce57..7baf533 100644 +userdom_manage_user_tmp_symlinks(sudodomain) +userdom_use_user_terminals(sudodomain) +userdom_signal_all_users(sudodomain) ++userdom_exec_user_home_content_files(sudodomain) +# for some PAM modules and for cwd +userdom_search_user_home_content(sudodomain) +userdom_search_admin_dir(sudodomain) @@ -134872,7 +134873,7 @@ index 3822072..702e0e0 100644 + logging_send_syslog_msg($1) +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..397f91c 100644 +index ec01d0b..b28ba84 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` @@ -135375,7 +135376,7 @@ index ec01d0b..397f91c 100644 ') ######################################## -@@ -522,108 +599,171 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +599,172 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # 
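Review bot: `userdom_exec_user_home_content_files(sudodomain)` is added to the sudo.te rule block with no comment, while the neighbouring rules carry `# for some PAM modules and for cwd`; it lets every domain carrying the `sudodomain` attribute execute files under users' home directories inside that domain, so the reason should be recorded next to it. Suggest prefixing the line with `# (reason sudo must run user home content — TODO fill in)` and, if only one caller needs it, gating the rule with a tunable rather than granting it to the whole attribute. The sudodomain rule block starts and ends outside this hunk, so whether an existing tunable already covers the case cannot be checked here.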
@@ -135573,9 +135574,9 @@ index ec01d0b..397f91c 100644 - optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) - ') -+allow policy_manager_domain self:capability { dac_override sys_resource }; ++allow policy_manager_domain self:capability { dac_override sys_nice sys_resource }; +dontaudit policy_manager_domain self:capability sys_tty_config; -+allow policy_manager_domain self:process signal; ++allow policy_manager_domain self:process { signal setsched }; +allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; +allow policy_manager_domain self:unix_dgram_socket create_socket_perms; +allow policy_manager_domain self:fifo_file rw_fifo_file_perms; @@ -135618,6 +135619,7 @@ index ec01d0b..397f91c 100644 +fs_getattr_all_fs(policy_manager_domain) + +selinux_validate_context(policy_manager_domain) ++selinux_read_policy(policy_manager_domain) + +term_use_all_inherited_terms(policy_manager_domain) + @@ -139132,7 +139134,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..a55dd07 100644 +index e720dcd..c614a1a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -139541,7 +139543,7 @@ index e720dcd..a55dd07 100644 ') ####################################### -@@ -317,6 +425,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) 
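Review bot: The widened rules `allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };` and `allow policy_manager_domain self:process { signal setsched };` grant scheduling privileges without saying which policy-management tool needs them. A one-line comment above the capability rule, e.g. `# sys_nice/setsched: (tool — TODO) adjusts its own scheduling priority`, would let the next reviewer match the grant to an observed denial instead of guessing. The policy_manager_domain rule block starts and ends outside this hunk, and the later hunk on this line that adds `selinux_read_policy(policy_manager_domain)` has the same missing rationale.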
@@ -139549,7 +139551,31 @@ index e720dcd..a55dd07 100644 files_search_tmp($1) ') -@@ -348,59 +457,60 @@ interface(`userdom_exec_user_tmp_files',` + ####################################### + ## ++## Manage user temporary file system files ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_manage_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file manage_file_perms; ++') ++ ++####################################### ++## + ## Role access for the user tmpfs type + ## that the user has full access. + ## +@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -139640,7 +139666,7 @@ index e720dcd..a55dd07 100644 ') ####################################### -@@ -431,6 +541,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -139648,7 +139674,7 @@ index e720dcd..a55dd07 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +574,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +593,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -139659,7 +139685,7 @@ index e720dcd..a55dd07 100644 ') ') -@@ -491,7 +602,8 @@ template(`userdom_common_user_template',` +@@ -491,7 +621,8 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') 
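Review bot: The new `userdom_manage_tmpfs_files` interface grants `allow $1 user_tmpfs_t:file manage_file_perms;` but, unlike the other tmpfs interfaces in this file (`userdom_getattr_user_tmpfs_files` pairs its rule with `fs_search_tmpfs($1)`), gives the caller no search access to the tmpfs directories the files live in, so a domain relying on this interface alone can still be denied at the directory. Add `fs_search_tmpfs($1)` after the allow rule. The summary "Manage user temporary file system files" also reads like the existing `userdom_manage_user_tmpfs_files`; a sentence in the doc block stating that this one covers only the file class would stop callers picking the wrong interface.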
@@ -139669,7 +139695,7 @@ index e720dcd..a55dd07 100644 ############################## # -@@ -501,41 +613,51 @@ template(`userdom_common_user_template',` +@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -139744,7 +139770,7 @@ index e720dcd..a55dd07 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,100 +668,140 @@ template(`userdom_common_user_template',` +@@ -546,100 +687,140 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -139814,29 +139840,35 @@ index e720dcd..a55dd07 100644 + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; -+ -+ optional_policy(` + + optional_policy(` +- bluetooth_dbus_chat($1_t) + avahi_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- evolution_dbus_chat($1_t) +- evolution_alarm_dbus_chat($1_t) + policykit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- cups_dbus_chat_config($1_t) + bluetooth_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- hal_dbus_chat($1_t) + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- networkmanager_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) -+ ') + ') + + optional_policy(` + evolution_dbus_chat($1_usertype) 
@@ -139846,42 +139878,36 @@ index e720dcd..a55dd07 100644 + optional_policy(` + gnome_dbus_chat_gconfdefault($1_usertype) + ') - - optional_policy(` -- bluetooth_dbus_chat($1_t) ++ ++ optional_policy(` + hal_dbus_chat($1_usertype) - ') - - optional_policy(` -- evolution_dbus_chat($1_t) -- evolution_alarm_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + kde_dbus_chat_backlighthelper($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat_config($1_t) ++ ') ++ ++ optional_policy(` + modemmanager_dbus_chat($1_usertype) - ') - - optional_policy(` -- hal_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) - ') - - optional_policy(` -- networkmanager_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + vpn_dbus_chat($1_usertype) - ') ++ ') ++ ') ++ ++ optional_policy(` ++ git_session_role($1_r, $1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ git_session_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') @@ -139923,7 +139949,7 @@ index e720dcd..a55dd07 100644 mysql_stream_connect($1_t) ') ') -@@ -651,40 +813,52 @@ template(`userdom_common_user_template',` +@@ -651,40 +832,52 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -139988,7 +140014,7 @@ index e720dcd..a55dd07 100644 ') ') -@@ -709,17 +883,33 @@ template(`userdom_common_user_template',` +@@ -709,17 +902,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -140027,7 +140053,7 @@ index e720dcd..a55dd07 100644 userdom_change_password_template($1) -@@ -727,82 +917,96 @@ template(`userdom_login_user_template', ` +@@ -727,82 +936,96 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
@@ -140160,7 +140186,7 @@ index e720dcd..a55dd07 100644 ') ') -@@ -834,6 +1038,12 @@ template(`userdom_restricted_user_template',` +@@ -834,6 +1057,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -140173,7 +140199,7 @@ index e720dcd..a55dd07 100644 ############################## # # Local policy -@@ -874,46 +1084,114 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,46 +1103,114 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -140301,7 +140327,7 @@ index e720dcd..a55dd07 100644 ') ') -@@ -948,27 +1226,33 @@ template(`userdom_unpriv_user_template', ` +@@ -948,27 +1245,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -140339,7 +140365,7 @@ index e720dcd..a55dd07 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -979,23 +1263,56 @@ template(`userdom_unpriv_user_template', ` +@@ -979,23 +1282,56 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -140406,7 +140432,7 @@ index e720dcd..a55dd07 100644 ') # Run pppd in pppd_t by default for user -@@ -1004,7 +1321,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1004,7 +1340,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -140417,7 +140443,7 @@ index e720dcd..a55dd07 100644 ') ') -@@ -1040,7 +1359,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1040,7 +1378,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -140426,7 +140452,7 @@ index e720dcd..a55dd07 100644 ') ############################## -@@ -1067,6 +1386,7 @@ template(`userdom_admin_user_template',` +@@ -1067,6 +1405,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; 
@@ -140434,7 +140460,7 @@ index e720dcd..a55dd07 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1075,6 +1395,9 @@ template(`userdom_admin_user_template',` +@@ -1075,6 +1414,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -140444,7 +140470,7 @@ index e720dcd..a55dd07 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1412,7 @@ template(`userdom_admin_user_template',` +@@ -1089,6 +1431,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -140452,7 +140478,7 @@ index e720dcd..a55dd07 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,10 +1430,14 @@ template(`userdom_admin_user_template',` +@@ -1106,10 +1449,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -140467,7 +140493,7 @@ index e720dcd..a55dd07 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1120,29 +1448,38 @@ template(`userdom_admin_user_template',` +@@ -1120,30 +1467,39 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -140503,14 +140529,16 @@ index e720dcd..a55dd07 100644 logging_send_syslog_msg($1_t) - modutils_domtrans_insmod($1_t) +- + optional_policy(` + modutils_domtrans_insmod($1_t) + modutils_domtrans_depmod($1_t) + ') - ++ # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1152,6 +1489,8 @@ template(`userdom_admin_user_template',` + # cannot directly manipulate policy files with arbitrary programs. +@@ -1152,6 +1508,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -140519,7 +140547,7 @@ index e720dcd..a55dd07 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1159,13 +1498,17 @@ template(`userdom_admin_user_template',` +@@ -1159,13 +1517,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -140538,7 +140566,7 @@ index e720dcd..a55dd07 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1554,8 @@ template(`userdom_security_admin_template',` +@@ -1211,6 +1573,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -140547,7 +140575,7 @@ index e720dcd..a55dd07 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1223,8 +1568,10 @@ template(`userdom_security_admin_template',` +@@ -1223,8 +1587,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -140559,7 +140587,7 @@ index e720dcd..a55dd07 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1235,29 +1582,31 @@ template(`userdom_security_admin_template',` +@@ -1235,29 +1601,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -140602,7 +140630,7 @@ index e720dcd..a55dd07 100644 ') optional_policy(` -@@ -1317,12 +1666,15 @@ interface(`userdom_user_application_domain',` +@@ -1317,12 +1685,15 @@ interface(`userdom_user_application_domain',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -140619,20 +140647,17 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -1363,13 +1715,58 @@ interface(`userdom_user_tmpfs_file',` +@@ -1363,6 +1734,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## --## +## - ## --## Domain allowed access. ++## +## Type to be used as a file in the +## generic temporary directory. - ## - ## - # --interface(`userdom_attach_admin_tun_iface',` ++## ++## ++# +interface(`userdom_user_tmp_content',` + gen_require(` + attribute user_tmp_type; @@ -140671,17 +140696,10 @@ index e720dcd..a55dd07 100644 +## +## Allow domain to attach to TUN devices created by administrative users. +## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_attach_admin_tun_iface',` - gen_require(` - attribute admindomain; - ') -@@ -1467,11 +1864,31 @@ interface(`userdom_search_user_home_dirs',` + ## + ## + ## Domain allowed access. +@@ -1467,11 +1883,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -140713,7 +140731,7 @@ index e720dcd..a55dd07 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1513,6 +1930,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1513,6 +1949,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -140728,7 +140746,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -1528,9 +1953,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1528,9 +1972,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -140740,7 +140758,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -1587,6 +2014,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1587,6 +2033,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -140783,7 +140801,7 @@ index e720dcd..a55dd07 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1666,6 +2129,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1666,6 +2148,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -140792,7 +140810,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -1680,10 +2145,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1680,10 +2164,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -140807,7 +140825,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -1726,6 +2193,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1726,6 +2212,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -140851,7 +140869,7 @@ index e720dcd..a55dd07 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1745,6 +2249,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1745,6 +2268,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -140877,7 +140895,7 @@ index e720dcd..a55dd07 100644 ## Mmap user home files. ## ## -@@ -1775,14 +2298,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1775,14 +2317,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -140915,7 +140933,7 @@ index e720dcd..a55dd07 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1793,11 +2338,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1793,11 +2357,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -140933,7 +140951,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -1856,6 +2404,78 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1856,6 +2423,78 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -141012,7 +141030,7 @@ index e720dcd..a55dd07 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1887,8 +2507,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1887,8 +2526,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -141022,7 +141040,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -1904,20 +2523,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1904,20 +2542,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -141047,7 +141065,7 @@ index e720dcd..a55dd07 100644 ######################################## ## -@@ -2018,6 +2631,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -2018,6 +2650,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## 
@@ -141072,7 +141090,7 @@ index e720dcd..a55dd07 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2250,11 +2881,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2250,11 +2900,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -141087,7 +141105,7 @@ index e720dcd..a55dd07 100644 files_search_tmp($1) ') -@@ -2274,7 +2905,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2274,7 +2924,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -141096,15 +141114,19 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -2521,6 +3152,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2521,13 +3171,32 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') +-######################################## +####################################### -+## + ## +-## Read user tmpfs files. +## Getattr user tmpfs files. -+## -+## + ## + ## +-## +-## Domain allowed access. +## +## Domain allowed access. +## @@ -141119,10 +141141,17 @@ index e720dcd..a55dd07 100644 + fs_search_tmpfs($1) +') + - ######################################## - ## - ## Read user tmpfs files. -@@ -2537,13 +3187,14 @@ interface(`userdom_read_user_tmpfs_files',` ++######################################## ++## ++## Read user tmpfs files. ++## ++## ++## ++## Domain allowed access. + ## + ## + # +@@ -2537,13 +3206,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -141138,7 +141167,7 @@ index e720dcd..a55dd07 100644 ## ## ## -@@ -2564,7 +3215,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2564,7 +3234,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -141147,7 +141176,7 @@ index e720dcd..a55dd07 100644 ## ## ## -@@ -2572,19 +3223,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2572,14 +3242,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -141161,32 +141190,11 @@ index e720dcd..a55dd07 100644 - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmpfs_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Get the attributes of a user domain tty. -+## Execute user tmpfs files. - ## - ## - ## -@@ -2592,9 +3241,27 @@ interface(`userdom_manage_user_tmpfs_files',` - ## - ## - # --interface(`userdom_getattr_user_ttys',` -+interface(`userdom_execute_user_tmpfs_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmpfs_t; -+ ') -+ -+ allow $1 user_tmpfs_t:file execute; +') + +######################################## +## -+## Get the attributes of a user domain tty. ++## Execute user tmpfs files. +## +## +## @@ -141194,13 +141202,16 @@ index e720dcd..a55dd07 100644 +## +## +# -+interface(`userdom_getattr_user_ttys',` ++interface(`userdom_execute_user_tmpfs_files',` + gen_require(` -+ type user_tty_device_t; - ') ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file execute; + ') - allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; -@@ -2674,6 +3341,24 @@ interface(`userdom_use_user_ttys',` + ######################################## +@@ -2674,6 +3360,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -141225,7 +141236,7 @@ index e720dcd..a55dd07 100644 ## Read and write a user domain pty. ## ## -@@ -2692,22 +3377,34 @@ interface(`userdom_use_user_ptys',` +@@ -2692,22 +3396,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -141268,7 +141279,7 @@ index e720dcd..a55dd07 100644 ## ## ## -@@ -2716,14 +3413,33 @@ interface(`userdom_use_user_ptys',` +@@ -2716,14 +3432,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
@@ -141306,7 +141317,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -2742,8 +3458,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2742,8 +3477,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -141336,7 +141347,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -2815,69 +3550,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2815,69 +3569,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -141437,7 +141448,7 @@ index e720dcd..a55dd07 100644 ## ## ## -@@ -2885,12 +3619,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2885,12 +3638,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -141452,7 +141463,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -2954,7 +3688,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2954,7 +3707,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -141461,7 +141472,7 @@ index e720dcd..a55dd07 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2970,29 +3704,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2970,29 +3723,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -141495,7 +141506,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -3074,7 +3792,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3074,7 +3811,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -141504,7 +141515,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -3129,7 +3847,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3129,7 +3866,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -141551,7 +141562,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -3147,7 +3903,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3147,7 +3922,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -141560,7 +141571,7 @@ index e720dcd..a55dd07 100644 ') ######################################## -@@ -3166,6 +3922,7 @@ interface(`userdom_read_all_users_state',` +@@ -3166,6 +3941,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -141568,7 +141579,7 @@ index e720dcd..a55dd07 100644 kernel_search_proc($1) ') -@@ -3242,6 +3999,42 @@ interface(`userdom_signal_all_users',` +@@ -3242,6 +4018,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -141611,7 +141622,7 @@ index e720dcd..a55dd07 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4055,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4074,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -141636,7 +141647,7 @@ index e720dcd..a55dd07 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4107,1300 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4126,1331 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
@@ -142937,6 +142948,37 @@ index e720dcd..a55dd07 100644 + + typeattribute $1 userdom_home_manager_type; +') ++ ++######################################## ++## ++## Create objects in the temporary filesystem directory ++## with an automatic type transition to ++## the user temporary filesystem type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`userdom_tmpfs_filetrans',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3) ++') ++ diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 6a4bd85..662afd7 100644 --- a/policy/modules/system/userdomain.te diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 0efbdda..ad94e53 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -3000,7 +3000,7 @@ index 6480167..604d2bd 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..b075368 100644 +index 0833afb..d53ed27 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3709,7 +3709,7 @@ index 0833afb..b075368 100644 ') optional_policy(` -@@ -594,6 +927,42 @@ optional_policy(` +@@ -594,6 +927,51 @@ optional_policy(` ') optional_policy(` @@ -3741,6 +3741,15 @@ index 0833afb..b075368 100644 +') + +optional_policy(` ++ pki_apache_domain_signal(httpd_t) ++ pki_apache_domain_signal(httpd_t) ++ pki_manage_apache_run(httpd_t) ++ pki_manage_apache_config_files(httpd_t) ++ pki_manage_apache_log_files(httpd_t) ++ pki_manage_apache_lib(httpd_t) ++') ++ ++optional_policy(` + puppet_read_lib(httpd_t) +') + 
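Review bot: `pki_apache_domain_signal(httpd_t)` appears twice in the new pki optional_policy block in apache.te; the second line is a plain duplicate and should be dropped. The same block also gives httpd_t manage access to the pki module's apache run, config, log and lib content via the `pki_manage_apache_*` calls; if that is needed only for a pki-backed deployment it deserves a comment or a tunable, so that ordinary web servers do not get write access to that content unconditionally. The run of optional_policy blocks containing it continues outside the hunk.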
@@ -3752,7 +3761,7 @@ index 0833afb..b075368 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +977,11 @@ optional_policy(` +@@ -608,6 +986,11 @@ optional_policy(` ') optional_policy(` @@ -3764,7 +3773,7 @@ index 0833afb..b075368 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +994,12 @@ optional_policy(` +@@ -620,6 +1003,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3777,7 +3786,7 @@ index 0833afb..b075368 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1013,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1022,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3790,7 +3799,7 @@ index 0833afb..b075368 100644 ######################################## # -@@ -671,28 +1055,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1064,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3834,7 +3843,7 @@ index 0833afb..b075368 100644 ') ######################################## -@@ -702,6 +1088,7 @@ optional_policy(` +@@ -702,6 +1097,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -3842,7 +3851,7 @@ index 0833afb..b075368 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1103,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1112,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -3871,7 +3880,7 @@ index 0833afb..b075368 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1133,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1142,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -3889,7 +3898,7 @@ index 0833afb..b075368 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1151,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1160,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3922,7 +3931,7 @@ index 0833afb..b075368 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1198,25 @@ optional_policy(` +@@ -786,6 +1207,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3948,7 +3957,7 @@ index 0833afb..b075368 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1237,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1246,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -3966,7 +3975,7 @@ index 0833afb..b075368 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1256,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1265,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -4025,7 +4034,7 @@ index 0833afb..b075368 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1307,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1316,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4066,7 +4075,7 @@ index 0833afb..b075368 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -859,10 +1352,20 @@ optional_policy(` +@@ -859,10 +1361,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -4087,7 +4096,7 @@ index 0833afb..b075368 100644 ') ######################################## -@@ -878,11 +1381,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1390,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4099,7 +4108,7 @@ index 0833afb..b075368 100644 ######################################## # -@@ -908,11 +1409,138 @@ optional_policy(` +@@ -908,11 +1418,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -7601,7 +7610,7 @@ index 7a6e5ba..7475aa5 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index c3e3f79..ce333bd 100644 +index c3e3f79..6cfcb87 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,12 +18,17 @@ files_pid_file(certmonger_var_run_t) @@ -7674,7 +7683,7 @@ index c3e3f79..ce333bd 100644 optional_policy(` dbus_system_bus_client(certmonger_t) -@@ -64,9 +91,42 @@ optional_policy(` +@@ -64,9 +91,46 @@ optional_policy(` ') optional_policy(` 
@@ -7693,6 +7702,10 @@ index c3e3f79..ce333bd 100644 pcscd_stream_connect(certmonger_t) ') + ++optional_policy(` ++ pki_rw_tomcat_cert(certmonger_t) ++') ++ +######################################## +# +# certmonger_unconfined_script_t local policy @@ -15369,7 +15382,7 @@ index fb4bf82..126d543 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 625cb32..be84a05 100644 +index 625cb32..530fbfa 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -15485,7 +15498,7 @@ index 625cb32..be84a05 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -150,12 +182,157 @@ optional_policy(` +@@ -150,12 +182,159 @@ optional_policy(` ') optional_policy(` @@ -15613,6 +15626,8 @@ index 625cb32..be84a05 100644 +userdom_manage_user_home_content_dirs(session_bus_type) +userdom_manage_user_home_content_files(session_bus_type) +userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) ++userdom_manage_tmpfs_files(session_bus_type, file) ++userdom_tmpfs_filetrans(session_bus_type, file) + +optional_policy(` + gnome_read_gconf_home_files(session_bus_type) 
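Review bot: `userdom_manage_tmpfs_files(session_bus_type, file)` passes a second argument that a manage-files interface does not usually take; if userdomain.if declares it with only the domain parameter, m4 drops the `file` silently and the call reads as if it were scoped to the file class when it is not. Worth checking the interface signature and, if it takes one argument, writing `userdom_manage_tmpfs_files(session_bus_type)` so the rule says what it grants. Because the grant is on the session_bus_type attribute, every session bus domain gains manage rights on the user tmpfs type, and the changelog only says "transition to user_tmpfs_t"; a one-line comment above the pair naming what the session bus creates there would help the next reader judge whether this scope is intended.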
@@ -43627,6 +43642,574 @@ index 0000000..9ab2c4d +files_read_etc_files(pkcsslotd_t) + +logging_send_syslog_msg(pkcsslotd_t) +diff --git a/pki.fc b/pki.fc +new file mode 100644 +index 0000000..20d2c79 +--- /dev/null ++++ b/pki.fc +@@ -0,0 +1,51 @@ ++/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) ++/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) ++/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) ++/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) ++/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) ++/var/log/pki gen_context(system_u:object_r:pki_log_t,s0) ++/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0) ++/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) ++ ++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) ++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) ++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) ++/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0) ++/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) ++/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0) ++ ++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) ++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) ++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) ++/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0) ++/etc/sysconfig/pki/tps(/.*)? 
gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) ++/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0) ++ ++# default labeling for nCipher ++/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0) ++/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0) ++/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0) ++/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0) ++ ++# old paths (for migration) ++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) ++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) ++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) ++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) ++/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) ++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) ++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) ++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) ++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) ++/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) ++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) ++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) ++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) ++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) ++/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) ++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) ++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) ++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) ++/var/log/pki-tks(/.*)? 
gen_context(system_u:object_r:pki_tomcat_log_t,s0) ++/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) ++ +diff --git a/pki.if b/pki.if +new file mode 100644 +index 0000000..2e2927f +--- /dev/null ++++ b/pki.if +@@ -0,0 +1,228 @@ ++ ++## policy for pki ++######################################## ++## ++## Allow read and write pki cert files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_rw_tomcat_cert',` ++ gen_require(` ++ type pki_tomcat_cert_t; ++ ') ++ ++ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) ++') ++ ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`pki_apache_template',` ++ gen_require(` ++ attribute pki_apache_domain; ++ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run; ++ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log; ++ ') ++ ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ type $1_t, pki_apache_domain; ++ type $1_exec_t, pki_apache_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_script_exec_t, pki_apache_script; ++ init_script_file($1_script_exec_t) ++ ++ type $1_etc_rw_t, pki_apache_config; ++ files_type($1_etc_rw_t) ++ ++ type $1_var_run_t, pki_apache_var_run; ++ files_pid_file($1_var_run_t) ++ ++ type $1_var_lib_t, pki_apache_var_lib; ++ files_type($1_var_lib_t) ++ ++ type $1_log_t, pki_apache_var_log; ++ logging_log_file($1_log_t) ++ ++ type $1_lock_t; ++ files_lock_file($1_lock_t) ++ ++ ######################################## ++ # ++ # $1 local policy ++ # ++ ++ files_read_etc_files($1_t) ++ allow $1_t $1_etc_rw_t:lnk_file read; ++ ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++ ++ 
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t,$1_var_run_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t) ++ manage_files_pattern($1_t, $1_lock_t, $1_lock_t) ++ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t) ++ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file }) ++ ++ #talk to lunasa hsm ++ logging_send_syslog_msg($1_t) ++ ++ kernel_read_kernel_sysctls($1_t) ++ kernel_read_system_state($1_t) ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ ++ # need to resolve addresses? ++ auth_use_nsswitch($1_t) ++ ++ #pki_apache_domain_signal(httpd_t) ++ #pki_apache_domain_signal(httpd_t) ++ #pki_manage_apache_run(httpd_t) ++ #pki_manage_apache_config_files(httpd_t) ++ #pki_manage_apache_log_files(httpd_t) ++ #pki_manage_apache_lib(httpd_t) ++') ++ ++####################################### ++## ++## Send a null signal to pki apache domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_apache_domain_signal',` ++ gen_require(` ++ attribute pki_apache_domain; ++ ') ++ ++ allow $1 pki_apache_domain:process signal; ++') ++ ++####################################### ++## ++## Send a null signal to pki apache domains. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`pki_apache_domain_signull',` ++ gen_require(` ++ attribute pki_apache_domain; ++ ') ++ ++ allow $1 pki_apache_domain:process signull; ++') ++ ++################################### ++## ++## Allow domain to read pki apache subsystem pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_apache_run',` ++ gen_require(` ++ attribute pki_apache_var_run; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run) ++') ++ ++#################################### ++## ++## Allow domain to manage pki apache subsystem lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_apache_lib',` ++ gen_require(` ++ attribute pki_apache_var_lib; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib) ++ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib) ++') ++ ++################################### ++## ++## Allow domain to manage pki apache subsystem log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_apache_log_files',` ++ gen_require(` ++ attribute pki_apache_var_log; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log) ++') ++ ++################################## ++## ++## Allow domain to manage pki apache subsystem config files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`pki_manage_apache_config_files',` ++ gen_require(` ++ attribute pki_apache_config; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, pki_apache_config, pki_apache_config) ++') ++ +diff --git a/pki.te b/pki.te +new file mode 100644 +index 0000000..0f407c1 +--- /dev/null ++++ b/pki.te +@@ -0,0 +1,271 @@ ++policy_module(pki,10.0.11) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute pki_apache_domain; ++attribute pki_apache_config; ++attribute pki_apache_executable; ++attribute pki_apache_var_lib; ++attribute pki_apache_var_log; ++attribute pki_apache_var_run; ++attribute pki_apache_pidfiles; ++attribute pki_apache_script; ++ ++type pki_log_t; ++files_type(pki_log_t) ++ ++type pki_common_t; ++files_type(pki_common_t) ++ ++type pki_common_dev_t; ++files_type(pki_common_dev_t) ++ ++type pki_tomcat_etc_rw_t; ++files_type(pki_tomcat_etc_rw_t) ++ ++type pki_tomcat_cert_t; ++files_type(pki_tomcat_cert_t) ++ ++tomcat_domain_template(pki_tomcat) ++ ++type pki_tomcat_lock_t; ++files_lock_file(pki_tomcat_lock_t) ++ ++# old type aliases for migration ++typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t }; ++typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t }; ++typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t }; ++typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t }; ++typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; ++# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t }; ++ ++ ++# pki policy types ++type pki_tps_tomcat_exec_t; ++files_type(pki_tps_tomcat_exec_t) ++ ++pki_apache_template(pki_tps) ++ ++# ra policy types ++type pki_ra_tomcat_exec_t; ++files_type(pki_ra_tomcat_exec_t) ++ ++pki_apache_template(pki_ra) ++ 
++######################################## ++# ++# pki-tomcat local policy ++# ++ ++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid}; ++allow pki_tomcat_t self:process { signal setsched signull execmem }; ++ ++allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; ++allow pki_tomcat_t self:tcp_socket { accept listen }; ++ ++# allow writing to the kernel keyring ++allow pki_tomcat_t self:key { write read }; ++ ++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) ++manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) ++ ++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) ++manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) ++ ++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) ++manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) ++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) ++files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file }) ++ ++# allow java subsystems to talk to the ncipher hsm ++allow pki_tomcat_t pki_common_dev_t:sock_file write; ++allow pki_tomcat_t pki_common_dev_t:dir search; ++allow pki_tomcat_t pki_common_t:dir create_dir_perms; ++manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t) ++can_exec(pki_tomcat_t, pki_common_t) ++init_stream_connect_script(pki_tomcat_t) ++ ++search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) ++ ++kernel_read_kernel_sysctls(pki_tomcat_t) ++ ++corenet_tcp_connect_http_cache_port(pki_tomcat_t) ++corenet_tcp_connect_ldap_port(pki_tomcat_t) ++corenet_tcp_connect_smtp_port(pki_tomcat_t) ++ ++selinux_get_enforce_mode(pki_tomcat_t) ++ ++logging_send_audit_msgs(pki_tomcat_t) ++ ++miscfiles_read_hwdata(pki_tomcat_t) ++ ++# is this really needed? 
++userdom_manage_user_tmp_dirs(pki_tomcat_t) ++userdom_manage_user_tmp_files(pki_tomcat_t) ++ ++# forward proxy ++# need to define ports to fix this ++#corenet_tcp_connect_pki_tomcat_port(httpd_t) ++ ++# for crl publishing ++allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink }; ++ ++# for ECC ++auth_getattr_shadow(pki_tomcat_t) ++ ++optional_policy(` ++ consoletype_exec(pki_tomcat_t) ++') ++ ++optional_policy(` ++ dirsrv_manage_var_lib(pki_tomcat_t) ++') ++ ++optional_policy(` ++ hostname_exec(pki_tomcat_t) ++') ++ ++# install/ uninstall instance ++# WHY? leak? ++#allow load_policy_t pki_log_t:file write; ++#allow setfiles_t pki_log_t:file write; ++ ++####################################### ++# ++# tps local policy ++# ++ ++# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment ++allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; ++ ++corenet_tcp_bind_pki_tps_port(pki_tps_t) ++# customer may run an ldap server on 389 ++corenet_tcp_connect_ldap_port(pki_tps_t) ++# connect to other subsystems ++corenet_tcp_connect_pki_ca_port(pki_tps_t) ++corenet_tcp_connect_pki_kra_port(pki_tps_t) ++corenet_tcp_connect_pki_tks_port(pki_tps_t) ++ ++files_exec_usr_files(pki_tps_t) ++files_read_usr_files(pki_tps_t) ++ ++# why do I need to add this? ++#allow httpd_t httpd_config_t:file execute; ++ ++###################################### ++# ++# ra local policy ++# ++ ++# RA specific? talking to mysql? 
++allow pki_ra_t self:udp_socket { write read create connect }; ++allow pki_ra_t self:unix_dgram_socket { write create connect }; ++ ++corenet_tcp_bind_pki_ra_port(pki_ra_t) ++# talk to other subsystems ++corenet_tcp_connect_pki_ca_port(pki_ra_t) ++corenet_tcp_connect_smtp_port(pki_ra_t) ++ ++fs_getattr_xattr_fs(pki_ra_t) ++ ++files_search_spool(pki_ra_t) ++files_exec_usr_files(pki_ra_t) ++ ++optional_policy(` ++ mta_send_mail(pki_ra_t) ++ mta_manage_spool(pki_ra_t) ++ mta_manage_queue(pki_ra_t) ++ mta_read_config(pki_ra_t) ++') ++ ++##################################### ++# ++# pki_apache_domain local policy ++# ++ ++ ++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown}; ++allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill}; ++ ++allow pki_apache_domain self:sem all_sem_perms; ++allow pki_apache_domain self:tcp_socket create_stream_socket_perms; ++allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read }; ++ ++# allow writing to the kernel keyring ++allow pki_apache_domain self:key { write read }; ++ ++## internal communication is often done using fifo and unix sockets. 
++allow pki_apache_domain self:fifo_file rw_file_perms; ++allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms; ++ ++# talk to the hsm ++allow pki_apache_domain pki_common_dev_t:sock_file write; ++allow pki_apache_domain pki_common_dev_t:dir search; ++allow pki_apache_domain pki_common_t:dir create_dir_perms; ++manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t) ++can_exec(pki_apache_domain, pki_common_t) ++init_stream_connect_script(pki_apache_domain) ++ ++corenet_sendrecv_unlabeled_packets(pki_apache_domain) ++corenet_tcp_bind_all_nodes(pki_apache_domain) ++corenet_tcp_sendrecv_all_if(pki_apache_domain) ++corenet_tcp_sendrecv_all_nodes(pki_apache_domain) ++corenet_tcp_sendrecv_all_ports(pki_apache_domain) ++#corenet_all_recvfrom_unlabeled(pki_apache_domain) ++corenet_tcp_connect_generic_port(pki_apache_domain) ++ ++# Init script handling ++domain_use_interactive_fds(pki_apache_domain) ++ ++seutil_exec_setfiles(pki_apache_domain) ++ ++init_dontaudit_write_utmp(pki_apache_domain) ++ ++libs_use_ld_so(pki_apache_domain) ++libs_use_shared_libs(pki_apache_domain) ++libs_exec_ld_so(pki_apache_domain) ++libs_exec_lib_files(pki_apache_domain) ++ ++fs_search_cgroup_dirs(pki_apache_domain) ++ ++corecmd_exec_bin(pki_apache_domain) ++corecmd_exec_shell(pki_apache_domain) ++ ++dev_read_urand(pki_apache_domain) ++dev_read_rand(pki_apache_domain) ++ ++# shutdown script uses ps ++domain_dontaudit_read_all_domains_state(pki_apache_domain) ++ps_process_pattern(pki_apache_domain, pki_apache_domain) ++ ++miscfiles_read_localization(pki_apache_domain) ++ ++sysnet_read_config(pki_apache_domain) ++ ++ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys(pki_apache_domain) ++ term_dontaudit_use_generic_ptys(pki_apache_domain) ++') ++ ++optional_policy(` ++ # apache permissions ++ apache_exec_modules(pki_apache_domain) ++ apache_list_modules(pki_apache_domain) ++ apache_read_config(pki_apache_domain) ++ apache_exec(pki_apache_domain) ++ 
apache_entrypoint(pki_apache_domain) ++ ++ # should be started using a script which will execute httpd ++ # start up httpd in pki_apache_domain mode ++ #can_exec(pki_apache_domain, httpd_config_t) ++ #can_exec(pki_apache_domain, httpd_suexec_exec_t) ++') ++ ++# allow rpm -q in init scripts ++optional_policy(` ++ rpm_exec(pki_apache_domain) ++') ++ diff --git a/plymouthd.fc b/plymouthd.fc index 5702ca4..498d856 100644 --- a/plymouthd.fc @@ -54289,7 +54872,7 @@ index b2a0b6a..ee55335 100644 /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff --git a/rpm.if b/rpm.if -index 951d8f6..8ba0f86 100644 +index 951d8f6..bedc8ae 100644 --- a/rpm.if +++ b/rpm.if @@ -13,10 +13,13 @@ @@ -54328,7 +54911,7 @@ index 951d8f6..8ba0f86 100644 ') ######################################## -@@ -178,6 +189,41 @@ interface(`rpm_rw_pipes',` +@@ -178,6 +189,42 @@ interface(`rpm_rw_pipes',` ######################################## ## @@ -54361,6 +54944,7 @@ index 951d8f6..8ba0f86 100644 + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; + dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_var_lib_t:dir getattr; + dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; +') @@ -54370,7 +54954,7 @@ index 951d8f6..8ba0f86 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -274,8 +320,7 @@ interface(`rpm_append_log',` +@@ -274,8 +321,7 @@ interface(`rpm_append_log',` type rpm_log_t; ') @@ -54380,7 +54964,7 @@ index 951d8f6..8ba0f86 100644 ') ######################################## -@@ -332,7 +377,9 @@ interface(`rpm_manage_script_tmp_files',` +@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) 
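Review bot: pki_common_t is both writable and executable by the same domains in the new pki.te — `manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)` and `allow pki_tomcat_t pki_common_t:dir create_dir_perms` sit next to `can_exec(pki_tomcat_t, pki_common_t)`, and the pki_apache_domain block repeats the same three rules — so everything labelled by the `/opt/nfast(/.*)?` rule in pki.fc can be rewritten and then executed by a compromised service with no relabel or domain transition, and the directory above the initrc_exec_t scripts under `/opt/nfast/scripts/init.d/` is itself pki_common_t. If the HSM client tooling only needs to be run, label its binaries with a separate exec type that these domains may execute but not write and keep pki_common_t for the data they manage. Separately, the accessor interfaces in pki.if do not match their names or docs: `pki_manage_apache_run` grants only `read_files_pattern` while being named manage, and `pki_manage_apache_run`, `pki_manage_apache_log_files` and `pki_manage_apache_config_files` all call `files_search_var_lib($1)` although their targets live under /var/run, /var/log and /etc, so `files_search_pids($1)`, `logging_search_logs($1)` and `files_search_etc($1)` are the search rules callers actually need. Minor: `#talk to lunasa hsm` in pki_apache_template now sits above `logging_send_syslog_msg($1_t)`, `#pki_apache_domain_signal(httpd_t)` is listed twice, and `attribute pki_apache_pidfiles` is declared but never used in this hunk.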
@@ -54390,7 +54974,7 @@ index 951d8f6..8ba0f86 100644 ') ##################################### -@@ -351,8 +398,7 @@ interface(`rpm_append_tmp_files',` +@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -54400,7 +54984,7 @@ index 951d8f6..8ba0f86 100644 ') ######################################## -@@ -372,7 +418,9 @@ interface(`rpm_manage_tmp_files',` +@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -54410,7 +54994,7 @@ index 951d8f6..8ba0f86 100644 ') ######################################## -@@ -456,6 +504,7 @@ interface(`rpm_read_db',` +@@ -456,6 +505,7 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -54418,7 +55002,7 @@ index 951d8f6..8ba0f86 100644 ') ######################################## -@@ -513,7 +562,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -513,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -54427,7 +55011,7 @@ index 951d8f6..8ba0f86 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -573,3 +622,66 @@ interface(`rpm_pid_filetrans',` +@@ -573,3 +623,66 @@ interface(`rpm_pid_filetrans',` files_pid_filetrans($1, rpm_var_run_t, file) ') @@ -64607,7 +65191,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te -index db9d2a5..3a15a1c 100644 +index db9d2a5..805473b 100644 --- a/tuned.te +++ b/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) 
@@ -64623,14 +65207,14 @@ index db9d2a5..3a15a1c 100644 type tuned_log_t; logging_log_file(tuned_log_t) -@@ -22,34 +28,51 @@ files_pid_file(tuned_var_run_t) +@@ -22,34 +28,52 @@ files_pid_file(tuned_var_run_t) # # tuned local policy # - +allow tuned_t self:capability { sys_admin sys_nice }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; -+allow tuned_t self:process signal; ++allow tuned_t self:process { setsched signal }; +allow tuned_t self:fifo_file rw_fifo_file_perms; +allow tuned_t self:udp_socket create_socket_perms; + @@ -64672,9 +65256,10 @@ index db9d2a5..3a15a1c 100644 -files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) ++files_list_tmp(tuned_t) -logging_send_syslog_msg(tuned_t) -+fs_getattr_xattr_fs(tuned_t) ++fs_getattr_all_fs(tuned_t) -miscfiles_read_localization(tuned_t) +auth_use_nsswitch(tuned_t) @@ -64683,7 +65268,7 @@ index db9d2a5..3a15a1c 100644 userdom_dontaudit_search_user_home_dirs(tuned_t) -@@ -58,6 +81,14 @@ optional_policy(` +@@ -58,6 +82,14 @@ optional_policy(` fstools_domtrans(tuned_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 44b8398..3922e63 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 34%{?dist} +Release: 36%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -522,6 +522,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 11 2012 Miroslav Grepl 3.11.1-36 +- Allow semanage to verify types +- Allow sudo domain to execute user home files +- Allow session_bus_type to transition to user_tmpfs_t +- Add dontaudit caused by yum updates +- Implement pki policy but not activated + +* Wed Oct 10 2012 Miroslav Grepl 3.11.1-35 +- tuned wants to getattr on all filesystems +- tuned needs also setsched. The build is needed for test day + * Wed Oct 10 2012 Miroslav Grepl 3.11.1-34 - Add policy for qemu-qa - Allow razor to write own config files