From daf4fb3e32f40a2290c04010d0eb7d63fd554b06 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 26 2014 10:17:45 +0000 Subject: - add gnome_append_home_config() - Allow thumb to append GNOME config home files - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Identify pki_tomcat_cert_t as a cert_type - Define speech-dispater_exec_t as an application executable - Add a new file context for /var/named/chroot/run directory - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices - Allow nsswitch_domains to stream connect to nmbd - Allow unprivusers to connect to memcached - label /var/lib/dirsrv/scripts-INSTANCE as bin_t --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index c90d25e..10e99c5 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -3412,7 +3412,7 @@ index 7590165..fb30c11 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..6e7dd83 100644 +index 644d4d7..ad789c2 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3724,7 +3724,7 @@ index 644d4d7..6e7dd83 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +458,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +458,16 @@ ifdef(`distro_suse', ` # # /var # 
@@ -3734,6 +3734,7 @@ index 644d4d7..6e7dd83 100644 /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3741,7 +3742,7 @@ index 644d4d7..6e7dd83 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +477,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -18723,7 +18724,7 @@ index 54f1827..39faa3f 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..63e1b75 100644 +index 1700ef2..13caedd 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -18852,7 +18853,7 @@ index 1700ef2..63e1b75 100644 ######################################## ## ## Allow the caller to directly read -@@ -808,3 +892,411 @@ interface(`storage_unconfined',` +@@ -808,3 +892,452 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
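Review bot: The new spec `/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)` in the corecommands.fc hunk carries the `--` regular-file qualifier, yet on 389-ds installs that path presumably is the per-instance scripts directory, in which case neither the directory nor the scripts inside it match this entry and restorecon leaves them with the parent's label. If it is a directory, `/var/lib/dirsrv/scripts-INSTANCE(/.*)? gen_context(system_u:object_r:bin_t,s0)` (no `--`) covers the whole tree; please confirm the actual layout before merging. The literal `INSTANCE` also reads like a template placeholder, so a one-line comment above the entry saying whether it is meant literally (a packaged template directory) or stands for a real instance name would save the next reader the same question.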
@@ -19197,6 +19198,47 @@ index 1700ef2..63e1b75 100644 + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37") ++ dev_filetrans($1, 
scsi_generic_device_t, chr_file, "sg38") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50") + dev_filetrans($1, removable_device_t, blk_file, "sr0") + dev_filetrans($1, removable_device_t, blk_file, "sr1") + dev_filetrans($1, removable_device_t, blk_file, "sr2") @@ -28802,7 +28844,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..dde9309 100644 +index 104037e..9b993c6 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -29105,7 +29147,7 @@ index 104037e..dde9309 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +499,8 @@ optional_policy(` +@@ -456,10 +499,145 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -29114,7 +29156,8 @@ index 104037e..dde9309 100644 ') optional_policy(` -@@ -463,3 +508,135 @@ optional_policy(` + samba_stream_connect_winbind(nsswitch_domain) ++ samba_stream_connect_nmbd(nsswitch_domain) samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -34980,7 +35023,7 @@ index 4e94884..b144ffe 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') 
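Review bot: The sg10–sg50 additions in the storage.if hunk extend the explicit enumeration, but nothing records why it stops at sg50: named file transitions match exact object names, so an sg node numbered above 50 gets no transition from this interface and is left with whatever the default /dev transition yields (presumably the generic device label). A comment above the list such as `# dev_filetrans needs exact names; sg0..sg50 are listed, higher-numbered sg nodes fall through to the default label` would make the cutoff visible, and it is worth checking whether large multipath or JBOD hosts exceed that count. The enclosing interface begins and ends outside the hunk.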
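Review bot: `samba_stream_connect_nmbd(nsswitch_domain)` in the authlogin.te hunk grants unix-socket access to nmbd to every domain carrying the nsswitch_domain attribute, which is a large share of the policy, and neither the hunk nor the commit message says which consumer needs it. A why-comment next to the rule, e.g. `# the wins nss module talks to nmbd over its socket -- TODO confirm`, would record the trigger; if only a few domains actually need it, granting those domains directly instead of the attribute keeps the exposure of nmbd's socket small. The enclosing optional_policy block is fully visible, but the surrounding file section runs outside the hunk.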
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..d94978c 100644 +index 39ea221..80f47a6 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -35048,16 +35091,18 @@ index 39ea221..d94978c 100644 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; -@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +134,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) -term_use_all_terms(auditctl_t) ++storage_getattr_removable_dev(auditctl_t) ++ +term_use_all_inherited_terms(auditctl_t) init_dontaudit_use_fds(auditctl_t) -@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +173,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -35065,7 +35110,7 @@ index 39ea221..d94978c 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +181,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -35075,7 +35120,7 @@ index 39ea221..d94978c 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +206,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -35097,7 +35142,7 @@ index 39ea221..d94978c 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +261,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
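Review bot: `storage_getattr_removable_dev(auditctl_t)` in the logging.te hunk arrives without a comment on why auditctl needs to stat removable block devices, and the commit message only restates the rule. The getattr-only grant is narrow, but a short why-comment such as `# auditctl stats device nodes referenced by watch rules -- TODO confirm` would record the trigger so the next reviewer does not have to rediscover it. The surrounding auditctl_t policy continues outside the hunk.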
@@ -35128,7 +35173,7 @@ index 39ea221..d94978c 100644 ') ######################################## -@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -268,7 +302,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) @@ -35136,7 +35181,7 @@ index 39ea221..d94978c 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,10 +313,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -35156,7 +35201,7 @@ index 39ea221..d94978c 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +367,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -35164,7 +35209,7 @@ index 39ea221..d94978c 100644 mls_file_read_all_levels(klogd_t) -@@ -354,12 +392,12 @@ optional_policy(` +@@ -354,12 +394,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -35180,7 +35225,7 @@ index 39ea221..d94978c 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms; +@@ -369,6 +409,7 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; 
@@ -35188,7 +35233,7 @@ index 39ea221..d94978c 100644 # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -377,6 +418,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -35196,7 +35241,7 @@ index 39ea221..d94978c 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,28 +428,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -35241,7 +35286,7 @@ index 39ea221..d94978c 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -417,6 +472,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -35250,7 +35295,7 @@ index 39ea221..d94978c 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +484,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) 
@@ -35278,7 +35323,7 @@ index 39ea221..d94978c 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +516,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -35298,7 +35343,7 @@ index 39ea221..d94978c 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +538,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +540,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -35313,7 +35358,7 @@ index 39ea221..d94978c 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -492,6 +569,8 @@ optional_policy(` +@@ -492,6 +571,8 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -35322,7 +35367,7 @@ index 39ea221..d94978c 100644 ') optional_policy(` -@@ -502,15 +581,40 @@ optional_policy(` +@@ -502,15 +583,40 @@ optional_policy(` ') optional_policy(` @@ -35363,7 +35408,7 @@ index 39ea221..d94978c 100644 ') optional_policy(` -@@ -521,3 +625,26 @@ optional_policy(` +@@ -521,3 +627,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -43448,7 +43493,7 @@ index db75976..e4eb903 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..8d7c4a7 100644 +index 3c5dba7..1aa193b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -44126,7 +44171,7 @@ index 3c5dba7..8d7c4a7 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +726,124 @@ template(`userdom_common_user_template',` +@@ -546,93 +726,128 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -44239,6 +44284,10 @@ index 3c5dba7..8d7c4a7 100644 + kde_dbus_chat_backlighthelper($1_usertype) ') ++ optional_policy(` ++ memcached_stream_connect($1_usertype) ++ ') ++ optional_policy(` - cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) @@ -44289,7 +44338,7 @@ index 3c5dba7..8d7c4a7 100644 ') optional_policy(` -@@ -642,23 +853,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +857,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -44318,7 +44367,7 @@ index 3c5dba7..8d7c4a7 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +880,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +884,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -44327,7 +44376,7 @@ index 3c5dba7..8d7c4a7 100644 ') optional_policy(` -@@ -680,9 +889,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +893,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -44340,7 +44389,7 @@ index 3c5dba7..8d7c4a7 100644 ') ') -@@ -693,32 +902,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +906,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -44387,7 +44436,7 @@ index 3c5dba7..8d7c4a7 100644 ') ') -@@ -743,17 +955,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +959,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; 
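Review bot: `memcached_stream_connect($1_usertype)` in the userdomain.if hunk lets every user domain built from userdom_common_user_template open memcached's unix socket, and memcached typically performs no authentication on that socket, so any process running as an ordinary user can read, overwrite or flush whatever applications have cached there. Consider wrapping the rule in a tunable_policy block so administrators can switch it off where users and web applications share a host, and add a why-comment naming the use case the commit message summarises as "unprivusers to connect to memcached". The template begins and ends outside the hunk.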
@@ -44425,7 +44474,7 @@ index 3c5dba7..8d7c4a7 100644 userdom_change_password_template($1) -@@ -761,83 +989,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +993,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
@@ -44514,62 +44563,62 @@ index 3c5dba7..8d7c4a7 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) - -- seutil_read_config($1_t) ++ + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) ++ ++ optional_policy(` ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ++ ') ++ ++ optional_policy(` ++ kerberos_use($1_usertype) ++ init_write_key($1_usertype) ++ ') + +- seutil_read_config($1_t) ++ optional_policy(` ++ mysql_filetrans_named_content($1_usertype) ++ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ kerberos_use($1_usertype) -+ init_write_key($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ mysql_filetrans_named_content($1_usertype) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ oddjob_run_mkhomedir($1_t, $1_r) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ quota_dontaudit_getattr_db($1_usertype) - ') -+ -+ optional_policy(` -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) -+ ') -+ -+ optional_policy(` -+ oddjob_run_mkhomedir($1_t, $1_r) -+ ') -+ -+ optional_policy(` + wine_filetrans_named_content($1_usertype) -+ ') + ') + ') ####################################### -@@ -868,6 +1120,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1124,12 @@ 
template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -44582,7 +44631,7 @@ index 3c5dba7..8d7c4a7 100644 ############################## # # Local policy -@@ -907,42 +1165,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1169,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -44671,31 +44720,31 @@ index 3c5dba7..8d7c4a7 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ') optional_policy(` - gnome_role_template($1, $1_r, $1_t) ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') optional_policy(` -@@ -951,18 +1266,39 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,17 +1270,38 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -44713,7 +44762,6 @@ index 3c5dba7..8d7c4a7 100644 -####################################### -## -## The template for creating a unprivileged user roughly --## equivalent to a regular linux user. + optional_policy(` + rtkit_scheduled($1_usertype) + ') @@ -44738,11 +44786,10 @@ index 3c5dba7..8d7c4a7 100644 +####################################### +## +## The template for creating a unprivileged user roughly -+## equivalent to a regular linux user. + ## equivalent to a regular linux user. ## ## - ##

-@@ -990,27 +1326,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1330,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -44780,7 +44827,7 @@ index 3c5dba7..8d7c4a7 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1363,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1367,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -44832,16 +44879,16 @@ index 3c5dba7..8d7c4a7 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + @@ -44851,7 +44898,7 @@ index 3c5dba7..8d7c4a7 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1425,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1429,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -44862,7 +44909,7 @@ index 3c5dba7..8d7c4a7 100644 ') ') -@@ -1082,7 +1463,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1467,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -44873,7 +44920,7 @@ index 3c5dba7..8d7c4a7 100644 ') ############################## -@@ -1098,6 +1481,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1485,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -44881,7 +44928,7 @@ index 3c5dba7..8d7c4a7 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1108,14 +1492,8 @@ template(`userdom_admin_user_template',` +@@ -1108,14 +1496,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # 
@@ -44898,7 +44945,7 @@ index 3c5dba7..8d7c4a7 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1513,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -44906,7 +44953,7 @@ index 3c5dba7..8d7c4a7 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1531,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -44921,7 +44968,7 @@ index 3c5dba7..8d7c4a7 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1549,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -44964,7 +45011,7 @@ index 3c5dba7..8d7c4a7 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1590,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -44973,7 +45020,7 @@ index 3c5dba7..8d7c4a7 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1599,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -44992,7 +45039,7 @@ index 3c5dba7..8d7c4a7 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1645,7 @@ template(`userdom_admin_user_template',` ##

## # @@ -45001,7 +45048,7 @@ index 3c5dba7..8d7c4a7 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1655,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -45010,7 +45057,7 @@ index 3c5dba7..8d7c4a7 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1669,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -45022,7 +45069,7 @@ index 3c5dba7..8d7c4a7 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1683,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -45065,7 +45112,7 @@ index 3c5dba7..8d7c4a7 100644 ') optional_policy(` -@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1768,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -45084,7 +45131,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1819,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -45136,7 +45183,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1968,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -45168,7 +45215,7 @@ index 3c5dba7..8d7c4a7 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2034,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -45183,7 +45230,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2057,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -45195,7 +45242,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2118,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45238,7 +45285,7 @@ index 3c5dba7..8d7c4a7 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2233,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -45247,7 +45294,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2268,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45262,7 +45309,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2298,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -45289,7 +45336,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2326,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -45372,7 +45419,7 @@ index 3c5dba7..8d7c4a7 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2409,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -45398,7 +45445,7 @@ index 3c5dba7..8d7c4a7 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2458,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -45436,7 +45483,7 @@ index 3c5dba7..8d7c4a7 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2498,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -45454,7 +45501,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2546,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -45463,7 +45510,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1949,19 +2554,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -45487,7 +45534,7 @@ index 3c5dba7..8d7c4a7 100644 ##
## ## -@@ -1969,21 +2568,75 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,21 +2572,75 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -45568,7 +45615,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## # -@@ -2010,8 +2663,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2667,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45578,7 +45625,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -2027,20 +2679,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2683,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45603,7 +45650,7 @@ index 3c5dba7..8d7c4a7 100644 ######################################## ## -@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -45612,7 +45659,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -45636,7 +45683,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -45652,7 +45699,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
@@ -45667,7 +45714,7 @@ index 3c5dba7..8d7c4a7 100644 files_search_tmp($1) ') -@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45676,7 +45723,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3312,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -45702,7 +45749,7 @@ index 3c5dba7..8d7c4a7 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3347,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -45718,7 +45765,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3375,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -45727,7 +45774,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3383,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -45762,7 +45809,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3501,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -45787,7 +45834,7 @@ index 3c5dba7..8d7c4a7 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3537,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## 
@@ -45830,7 +45877,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3573,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -45868,7 +45915,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3618,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -45898,7 +45945,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3710,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -45999,7 +46046,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3779,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46014,7 +46061,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3848,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46023,7 +46070,7 @@ index 3c5dba7..8d7c4a7 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3864,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -46057,7 +46104,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3952,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -46084,7 +46131,7 @@ index 3c5dba7..8d7c4a7 100644 ') ######################################## -@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +4025,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46100,7 +46147,7 @@ index 3c5dba7..8d7c4a7 100644 ## ## ## -@@ -3285,40 +4035,116 @@ interface(`userdom_write_user_tmp_files',` +@@ -3285,44 +4039,120 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -46150,9 +46197,10 @@ index 3c5dba7..8d7c4a7 100644 ## -## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`userdom_getattr_all_users',` +interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; @@ -46225,10 +46273,14 @@ index 3c5dba7..8d7c4a7 100644 +## +## +## Domain allowed access. - ## - ## - # -@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',` ++## ++## ++# ++interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; + ') +@@ -3385,6 +4215,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -46271,7 +46323,7 @@ index 3c5dba7..8d7c4a7 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4271,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46296,7 +46348,7 @@ index 3c5dba7..8d7c4a7 100644 ## Create keys for all user domains. ## ## -@@ -3423,6 +4303,24 @@ interface(`userdom_create_all_users_keys',` +@@ -3423,6 +4307,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## @@ -46321,7 +46373,7 @@ index 3c5dba7..8d7c4a7 100644 ## Send a dbus message to all user domains. ## ## -@@ -3438,4 +4336,1661 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4340,1661 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; 
@@ -48490,7 +48542,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..64e135a 100644 +index 6e91317..018d0a6 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -48600,7 +48652,7 @@ index 6e91317..64e135a 100644 +# +# Service +# -+define(`manage_service_perms', `{ start stop status reload } ') ++define(`manage_service_perms', `{ start stop status reload enable disable } ') diff --git a/policy/users b/policy/users index c4ebc7e..30d6d7a 100644 --- a/policy/users diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 8a515fb..8573e4b 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -8452,7 +8452,7 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index 3beba2f..5c5bd6e 100644 +index 3beba2f..12cd4f6 100644 --- a/bacula.te +++ b/bacula.te @@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t; @@ -8475,7 +8475,15 @@ index 3beba2f..5c5bd6e 100644 corenet_sendrecv_hplip_server_packets(bacula_t) corenet_tcp_bind_hplip_port(bacula_t) corenet_udp_bind_hplip_port(bacula_t) -@@ -148,9 +152,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) +@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t) + fs_getattr_xattr_fs(bacula_t) + fs_list_all(bacula_t) + ++auth_use_nsswitch(bacula_t) + auth_read_shadow(bacula_t) + + logging_send_syslog_msg(bacula_t) +@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) domain_use_interactive_fds(bacula_admin_t) @@ -8591,10 +8599,10 @@ index 536ec3c..271b976 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..ab80059 100644 +index 2b9a3a1..f755e6b 100644 --- a/bind.fc 
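Review bot: Extending `manage_service_perms` to `{ start stop status reload enable disable }` widens every existing user of that macro at once, and the changelog in this commit does not mention it. `enable`/`disable` on the `service` class are persistent (they change what starts at boot), which is a different risk level from the transient `start`/`stop`/`reload` the set held before, so each interface built on this set presumably now hands out that persistence to its callers. Either audit those callers or keep the old set and add a separate wider one, e.g. `define(`manage_service_perms', `{ start stop status reload enable disable } ')` next to an unchanged narrower set for domains that only need runtime control; at minimum a one-line comment above the define should say that enable/disable are deliberately included.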
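Review bot: The new `auth_use_nsswitch(bacula_t)` line also turns bacula_t into an `nsswitch_domain`, and the changelog of this same commit adds stream-connect to nmbd for all nsswitch domains, so bacula_t picks that up implicitly as well. Since the domain already has `auth_read_shadow(bacula_t)` it is fairly privileged; a short comment naming the lookup bacula actually performs (for example `# name resolution for remote storage/director hosts, see <BUG-ID placeholder>`) would make the widening reviewable later. The enclosing bacula_t rule block continues outside the hunk.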
+++ b/bind.fc -@@ -1,54 +1,74 @@ +@@ -1,54 +1,75 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -8695,6 +8703,7 @@ index 2b9a3a1..ab80059 100644 -/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) ++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) +/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) @@ -28299,7 +28308,7 @@ index e39de43..6a6db28 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..394cbf1 100644 +index d03fd43..a41306b 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,157 @@ @@ -29362,7 +29371,7 @@ index d03fd43..394cbf1 100644 ## ## ## -@@ -704,12 +778,931 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +778,948 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # 
@@ -29755,6 +29764,23 @@ index d03fd43..394cbf1 100644 + read_files_pattern($1, config_home_t, config_home_t) + read_lnk_files_pattern($1, config_home_t, config_home_t) +') ++####################################### ++## ++## append gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ append_files_pattern($1, config_home_t, config_home_t) ++') + +####################################### +## @@ -61297,7 +61323,7 @@ index 0000000..a82ca85 +userdom_read_all_users_state(pkcsslotd_t) diff --git a/pki.fc b/pki.fc new file mode 100644 -index 0000000..726d992 +index 0000000..e6592ea --- /dev/null +++ b/pki.fc @@ -0,0 +1,56 @@ @@ -61306,7 +61332,7 @@ index 0000000..726d992 +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) +/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0) ++/var/log/pki(/.*)? gen_context(system_u:object_r:pki_log_t,s0) +/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0) +/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) + @@ -61659,7 +61685,7 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..33d2867 +index 0000000..010ddc9 --- /dev/null +++ b/pki.te @@ -0,0 +1,287 @@ @@ -61692,7 +61718,7 @@ index 0000000..33d2867 +files_type(pki_tomcat_etc_rw_t) + +type pki_tomcat_cert_t; -+files_type(pki_tomcat_cert_t) ++miscfiles_cert_type(pki_tomcat_cert_t) + +tomcat_domain_template(pki_tomcat) + @@ -73917,10 +73943,10 @@ index 0000000..a073efd +') diff --git a/rasdaemon.te b/rasdaemon.te new file mode 100644 -index 0000000..7b1fa9e +index 0000000..6731d5c --- /dev/null 
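Review bot: The new `gnome_append_home_config` block is glued directly to the `+')` of the previous interface, while every other interface in this hunk is separated from its banner by a blank line; add the blank line before `#######################################` for consistency. The interface only calls `append_files_pattern($1, config_home_t, config_home_t)`; if the sibling read interfaces also grant search on the user home directory so callers can reach `~/.config`, this one presumably needs the same call, otherwise callers get append on the files but cannot traverse to them — confirm against the read interface just above, whose start is outside the hunk. The summary and param markup has been stripped by rendering, so I cannot tell whether the doc block matches the file's template.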
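Review bot: Replacing `files_type(pki_tomcat_cert_t)` with `miscfiles_cert_type(pki_tomcat_cert_t)` gives the type the `cert_type` attribute, so every domain that reads all certificates (the generic cert-reader interfaces) can now read everything labelled pki_tomcat_cert_t. The pki.fc hunk on this same page labels `/etc/pki/pki-tomcat/alias(/.*)?` with that type, and if, as the path suggests, that directory is the NSS database holding the CA's private keys, those keys become readable by the same generic readers, which is broader than "identify as a cert_type" in the changelog implies. If the private key database cannot be split into its own type, at least put a comment on the type declaration stating that the alias directory is intentionally exposed to all cert readers, e.g. `# cert_type: readable by all cert readers; alias/ also holds the NSS key DB`.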
+++ b/rasdaemon.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,46 @@ +policy_module(rasdaemon, 1.0.0) + +######################################## @@ -73952,16 +73978,17 @@ index 0000000..7b1fa9e +kernel_read_system_state(rasdaemon_t) +kernel_manage_debugfs(rasdaemon_t) + -+auth_use_nsswitch(rasdaemon_t) -+ +dev_read_raw_memory(rasdaemon_t) +dev_read_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) -+ -+logging_send_syslog_msg(rasdaemon_t) ++dev_rw_cpu_microcode(rasdaemon_t) + +modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 + ++auth_use_nsswitch(rasdaemon_t) ++ ++logging_send_syslog_msg(rasdaemon_t) ++ +optional_policy(` + dmidecode_exec(rasdaemon_t) +') @@ -91660,10 +91687,10 @@ index 0000000..ddfed09 +') diff --git a/speech-dispatcher.te b/speech-dispatcher.te new file mode 100644 -index 0000000..57372d0 +index 0000000..931fa6c --- /dev/null +++ b/speech-dispatcher.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,51 @@ +policy_module(speech-dispatcher, 1.0.0) + +######################################## @@ -91674,6 +91701,7 @@ index 0000000..57372d0 +type speech-dispatcher_t; +type speech-dispatcher_exec_t; +init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t) ++application_executable_file(speech-dispatcher_exec_t) + +type speech-dispatcher_log_t; +logging_log_file(speech-dispatcher_log_t) @@ -95633,10 +95661,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..bb3e477 +index 0000000..0e30ce2 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,156 @@ +@@ -0,0 +1,157 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -95766,6 +95794,7 @@ index 0000000..bb3e477 + # .config + gnome_dontaudit_search_config(thumb_t) + gnome_dontaudit_write_config_files(thumb_t) ++ gnome_append_home_config(thumb_t) + gnome_append_generic_cache_files(thumb_t) + gnome_read_generic_data_home_files(thumb_t) + gnome_dontaudit_rw_generic_cache_files(thumb_t) 
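Review bot: `dev_rw_cpu_microcode(rasdaemon_t)` grants write as well as read on the CPU device type, so if the daemon only needs to read `/dev/cpu/*/msr` (the changelog says "rw", but the need for writes is not explained) a read-only interface on the same type would be the narrower choice. MSR writes change processor configuration, and as far as I recall the kernel's msr driver additionally requires CAP_SYS_RAWIO to open the node for writing, so the write half would also need `sys_rawio` in rasdaemon_t's capability set to actually work — confirm against the kernel in use and the capability line, which is outside the hunk. A comment such as `# rw: rasdaemon writes MSRs to <reason placeholder>` above the call would document whichever answer is correct. The rest of the file's rule block starts outside this hunk.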
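Review bot: `gnome_append_home_config(thumb_t)` grants append on every config_home_t file under the user's `~/.config`, not on a single file, which is broad for a domain that presumably exists to confine thumbnailers while they parse untrusted image data. The line also sits right after `gnome_dontaudit_write_config_files(thumb_t)`, so the two now partly overlap (write denials are hidden, append is allowed); a comment naming the one file the thumbnailer actually appends to, e.g. `# thumb appends to <file placeholder> in ~/.config, see <BUG-ID placeholder>`, would let a later reviewer narrow this to a dedicated type. The enclosing `optional_policy(` block starts outside the hunk.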
diff --git a/selinux-policy.spec b/selinux-policy.spec index 610ad91..c902d39 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 145%{?dist} +Release: 146%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,21 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 26 2014 Miroslav Grepl 3.12.1-146 +- add gnome_append_home_config() +- Allow thumb to append GNOME config home files +- Allow rasdaemon to rw /dev/cpu//msr +- fix /var/log/pki file spec +- make bacula_t as auth_nsswitch domain +- Identify pki_tomcat_cert_t as a cert_type +- Define speech-dispater_exec_t as an application executable +- Add a new file context for /var/named/chroot/run directory +- update storage_filetrans_all_named_dev for sg* devices +- Allow auditctl_t to getattr on all removeable devices +- Allow nsswitch_domains to stream connect to nmbd +- Allow unprivusers to connect to memcached +- label /var/lib/dirsrv/scripts-INSTANCE as bin_t + * Mon Mar 24 2014 Miroslav Grepl 3.12.1-145 - Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo