From f015714438b84fd33b8172ce6f8abb0e178de43c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 28 2012 11:53:09 +0000 Subject: * Wed Mar 28 2012 Miroslav Grepl 3.10.0-107 - Add numad policy and numad man page - Add fixes for interface bugs discovered by SEWatch - Add /tmp support for squid - Add fix for #799102 * change default labeling for /var/run/slapd.* sockets - Make thumb_t as userdom_home_reader - label /var/lib/sss/mc same as pubconf, so getpw domains can read it - Allow smbspool running as cups_t to stream connect to nmbd - accounts needs to be able to execute passwd on behalf of users - Allow systemd_tmpfiles_t to delete boot flags - Allow dnssec_trigger to connect to apache ports - Allow gnome keyring to create sock_files in ~/.cache - google_authenticator is using .google_authenticator - sandbox running from within firefox is exposing more leaks - Dontaudit thumb to read/write /dev/card0 - Dontaudit getattr on init_exec_t for gnomeclock_t - Allow certmonger to do a transition to certmonger_unconfined_t - Allow dhcpc setsched which is caused by nmcli - Add rpm_exec_t for /usr/sbin/bcfg2 - system cronjobs are sending dbus messages to systemd_logind - Thumnailers read /dev/urand
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 76e373d..900d323 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2508,3 +2508,10 @@ sge = module
 # policy for jockey-backend
 #
 jockey = module
+
+# Layer: services
+# Module: numad
+#
+# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
+#
+numad = module
diff --git a/policy-F16.patch b/policy-F16.patch
index 5f9ad72..b48f2e1 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -31873,6 +31873,113 @@ index 0000000..515419d + +.SH "SEE ALSO" +selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8 +new file mode 100644 +index 0000000..7a63255 +--- /dev/null ++++ b/man/man8/numad_selinux.8 +@@ -0,0 +1,101 @@ ++.TH "numad_selinux" "8" "numad" "dwalsh@redhat.com" "numad SELinux Policy documentation" ++.SH "NAME" ++numad_selinux \- Security Enhanced Linux Policy for the numad processes ++.SH "DESCRIPTION" ++ ++ ++SELinux Linux secures ++.B numad ++(policy for numad) ++processes via flexible mandatory access ++control. ++ ++ ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible. ++.PP ++The following file types are defined for numad: ++ ++ ++.EX ++.PP ++.B numad_exec_t ++.EE ++ ++- Set files with the numad_exec_t type, if you want to transition an executable to the numad_t domain. ++ ++ ++.EX ++.PP ++.B numad_unit_file_t ++.EE ++ ++- Set files with the numad_unit_file_t type, if you want to treat the files as numad unit content. ++ ++ ++.EX ++.PP ++.B numad_var_log_t ++.EE ++ ++- Set files with the numad_var_log_t type, if you want to treat the data as numad var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B numad_var_run_t ++.EE ++ ++- Set files with the numad_var_run_t type, if you want to store the numad files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible. ++.PP ++The following process types are defined for numad: ++ ++.EX ++.B numad_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), numad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nut_selinux.8 b/man/man8/nut_selinux.8 new file mode 100644 index 0000000..fe354e5 @@ -60651,7 +60758,7 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc -index b206bf6..2ba67e7 100644 +index b206bf6..0bc863c 100644 --- a/policy/modules/admin/rpm.fc +++ b/policy/modules/admin/rpm.fc @@ -6,7 +6,9 @@ 
@@ -60664,10 +60771,11 @@ index b206bf6..2ba67e7 100644 /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -19,14 +21,20 @@ +@@ -19,14 +21,21 @@ /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` ++/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -60685,7 +60793,7 @@ index b206bf6..2ba67e7 100644 /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -@@ -36,6 +44,8 @@ ifdef(`distro_redhat', ` +@@ -36,6 +45,8 @@ ifdef(`distro_redhat', ` /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) @@ -63537,10 +63645,10 @@ index 00a19e3..3681873 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..0932ebe 100644 +index f5afe78..3850fd9 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,880 @@ +@@ -1,44 +1,899 @@ ## GNU network object model environment (GNOME) -############################################################ 
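Review bot: The new `/usr/sbin/bcfg2` entry in rpm.fc gives a configuration-management client the `rpm_exec_t` entry point with no comment saying why, and it is the only non-package-manager binary visible in this `ifdef(distro_redhat)` list. A process started from an `rpm_exec_t` file presumably ends up in the package manager's domain, which is broad, so the choice should be recorded next to the line, e.g. `# bcfg2 installs packages and rewrites system config, so it runs in the rpm domain`. If only part of bcfg2 needs that access, a dedicated domain that transitions to rpm for package work would keep the rest confined; the rest of the list lies outside this hunk, so I cannot tell whether other tools already follow that pattern.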
@@ -63970,6 +64078,25 @@ index f5afe78..0932ebe 100644 + +######################################## +## ++## Manage a sock_file in the generic cache home files (.cache) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_generic_cache_sockets',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_sock_files_pattern($1, cache_home_t, cache_home_t) ++') ++ ++######################################## ++## +## Dontaudit read/write to generic cache home files (.cache) +## +## @@ -64439,7 +64566,7 @@ index f5afe78..0932ebe 100644 ## ## ## -@@ -46,37 +882,92 @@ interface(`gnome_role',` +@@ -46,37 +901,92 @@ interface(`gnome_role',` ## ## # @@ -64543,7 +64670,7 @@ index f5afe78..0932ebe 100644 ## ## ## -@@ -84,37 +975,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +994,53 @@ template(`gnome_read_gconf_config',` ## ## # @@ -64608,7 +64735,7 @@ index f5afe78..0932ebe 100644 ## ## ## -@@ -122,17 +1029,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1048,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -64630,7 +64757,7 @@ index f5afe78..0932ebe 100644 ## ## ## -@@ -140,51 +1047,301 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1066,301 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -64949,7 +65076,7 @@ index f5afe78..0932ebe 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..70bc435 100644 +index 2505654..0bc94b0 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0) @@ -65020,7 +65147,7 @@ index 2505654..70bc435 100644 ############################## # # Local Policy -@@ -75,3 +116,152 @@ optional_policy(` +@@ -75,3 +116,153 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') 
@@ -65164,6 +65291,7 @@ index 2505654..70bc435 100644 + gnome_read_home_config(gkeyringd_domain) + gnome_read_generic_cache_files(gkeyringd_domain) + gnome_write_generic_cache_files(gkeyringd_domain) ++ gnome_manage_generic_cache_sockets(gkeyringd_domain) +') + +optional_policy(` @@ -68897,10 +69025,10 @@ index 0000000..809784d +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..4e9f4a1 +index 0000000..3203ede --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,503 @@ +@@ -0,0 +1,509 @@ +policy_module(sandbox,1.0.0) + +dbus_stub() @@ -69012,6 +69140,7 @@ index 0000000..4e9f4a1 + +userdom_use_inherited_user_terminals(sandbox_xserver_t) +userdom_dontaudit_search_user_home_content(sandbox_xserver_t) ++userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t) + +xserver_entry_type(sandbox_xserver_t) + @@ -69210,6 +69339,7 @@ index 0000000..4e9f4a1 +userdom_dontaudit_use_user_terminals(sandbox_x_domain) +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) ++userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain) + +fs_search_auto_mountpoints(sandbox_x_domain) + @@ -69256,6 +69386,10 @@ index 0000000..4e9f4a1 +auth_use_nsswitch(sandbox_x_client_t) + +optional_policy(` ++ colord_dbus_chat(sandbox_x_client_t) ++') ++ ++optional_policy(` + hal_dbus_chat(sandbox_x_client_t) +') + @@ -69747,10 +69881,10 @@ index 1dc7a85..a01511f 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..f40af5b 100644 +index 7590165..59539e8 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,63 @@ policy_module(seunshare, 1.1.0) # Declarations # 
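Review bot: The added `userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)` hides a denial without recording which inherited descriptor it covers; the same call is added for `sandbox_x_domain` further down this file and for `seunshare_domain` in seunshare.te. The access stays denied, but the AVC record was the only trace that an open user-tmp pipe was handed into the sandbox, so each call should carry a line such as `# leaked fifo inherited from the launching application; denial is hidden, semodule -DB re-enables the audit record`. The changelog attributes these to a sandbox started from within firefox, which suggests the descriptor leak itself should also be reported against the caller.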
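Review bot: `colord_dbus_chat(sandbox_x_client_t)` is the one rule in the sandbox.te changes that grants access rather than hiding a denial, and the changelog does not mention it. It lets sandboxed X clients exchange D-Bus messages with colord, a service outside the sandbox, so the new `optional_policy` block needs a comment naming what requires it, e.g. `# needed by <application>, see BZ <number>`. Going by the type names, the grant is on `sandbox_x_client_t` only and not on the wider `sandbox_x_domain`, which is the narrower choice and worth keeping that way.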
@@ -69784,6 +69918,7 @@ index 7590165..f40af5b 100644 -files_read_etc_files(seunshare_t) -files_mounton_all_poly_members(seunshare_t) +dev_read_urand(seunshare_domain) ++dev_dontaudit_rw_dri(seunshare_domain) -auth_use_nsswitch(seunshare_t) +files_search_all(seunshare_domain) @@ -69804,6 +69939,7 @@ index 7590165..f40af5b 100644 -userdom_use_user_terminals(seunshare_t) +miscfiles_read_localization(seunshare_domain) ++userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain) +userdom_use_inherited_user_terminals(seunshare_domain) +userdom_list_user_home_content(seunshare_domain) ifdef(`hide_broken_symptoms', ` @@ -70402,10 +70538,10 @@ index 0000000..79515db +') diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..4d84806 +index 0000000..95befd6 --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,96 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -70461,6 +70597,8 @@ index 0000000..4d84806 +corecmd_exec_shell(thumb_t) + +dev_read_sysfs(thumb_t) ++dev_read_urand(thumb_t) ++dev_dontaudit_rw_dri(thumb_t) + +domain_use_interactive_fds(thumb_t) + @@ -70480,6 +70618,7 @@ index 0000000..4d84806 +userdom_read_user_home_content_files(thumb_t) +userdom_write_user_tmp_files(thumb_t) +userdom_read_home_audio_files(thumb_t) ++userdom_home_reader(thumb_t) + +userdom_use_inherited_user_ptys(thumb_t) + @@ -89550,7 +89689,7 @@ index 7a6e5ba..e238dfd 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te -index c3e3f79..bbed82f 100644 +index c3e3f79..7d6e85e 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t) 
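Review bot: `userdom_home_reader(thumb_t)` is added directly below `userdom_read_user_home_content_files(thumb_t)` and `userdom_read_home_audio_files(thumb_t)`, with nothing saying what the existing read access was missing. A thumbnailer parses files it did not create, so whatever `thumb_t` can read is what a malformed image or video can reach; the extra scope should be named in a comment, e.g. `# home_reader also covers home directories on NFS/CIFS (controlled by booleans)`, if that is indeed the reason. The interface body is not visible here, so please confirm what it grants before relying on that wording.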
@@ -89606,7 +89745,7 @@ index c3e3f79..bbed82f 100644 logging_send_syslog_msg(certmonger_t) miscfiles_read_localization(certmonger_t) -@@ -58,15 +72,54 @@ miscfiles_manage_generic_cert_files(certmonger_t) +@@ -58,15 +72,57 @@ miscfiles_manage_generic_cert_files(certmonger_t) sysnet_dns_name_resolve(certmonger_t) @@ -89655,9 +89794,12 @@ index c3e3f79..bbed82f 100644 + domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t) + role system_r types certmonger_unconfined_t; + ++ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t) ++ + unconfined_domain(certmonger_unconfined_t) + + allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms; ++ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms; + + unconfined_domain(certmonger_unconfined_t) +') @@ -93564,7 +93706,7 @@ index 35241ed..2f6f038 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..8946846 100644 +index f7583ab..86c5a58 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -94004,10 +94146,14 @@ index f7583ab..8946846 100644 ') optional_policy(` -@@ -502,7 +611,13 @@ optional_policy(` +@@ -502,7 +611,17 @@ optional_policy(` ') optional_policy(` ++ systemd_dbus_chat_logind(system_cronjob_t) ++') ++ ++optional_policy(` + unconfined_domain(crond_t) unconfined_domain(system_cronjob_t) +') @@ -94018,7 +94164,7 @@ index f7583ab..8946846 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +710,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +714,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) 
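Review bot: In the certmonger.te hunk the added `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the `dir` class, directly after a line that already grants `search_dir_perms` on the same type. If the intent is to list the directory it should read `allow certmonger_t certmonger_unconfined_exec_t:dir list_dir_perms;`, and if it is to read the scripts the class should be `file`. The block also ends up with `unconfined_domain(certmonger_unconfined_t)` twice, once after the new `domtrans_pattern` line and once at the end, so one copy can go. Because the new `domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)` lets a confined daemon start unconfined code, the block should say which paths carry `certmonger_unconfined_exec_t` and who may write them; the enclosing block starts outside this hunk, so I cannot see whether it is gated by a boolean.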
@@ -94650,7 +94796,7 @@ index 305ddf4..4d70951 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..f9eb73f 100644 +index 0f28095..c50598f 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -94783,7 +94929,16 @@ index 0f28095..f9eb73f 100644 mta_send_mail(cupsd_t) ') -@@ -371,8 +390,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -322,6 +341,8 @@ optional_policy(` + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) ++ # needed by smbspool ++ samba_stream_connect_nmbd(cupsd_t) + ') + + optional_policy(` +@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -94794,7 +94949,7 @@ index 0f28095..f9eb73f 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +413,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +415,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -94805,7 +94960,7 @@ index 0f28095..f9eb73f 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +451,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -94819,7 +94974,7 @@ index 0f28095..f9eb73f 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +477,10 @@ optional_policy(` +@@ -453,6 +479,10 @@ optional_policy(` ') optional_policy(` 
@@ -94830,7 +94985,7 @@ index 0f28095..f9eb73f 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +495,10 @@ optional_policy(` +@@ -467,6 +497,10 @@ optional_policy(` ') optional_policy(` @@ -94841,7 +94996,7 @@ index 0f28095..f9eb73f 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,6 +571,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -94849,7 +95004,7 @@ index 0f28095..f9eb73f 100644 dev_read_urand(cupsd_lpd_t) dev_read_rand(cupsd_lpd_t) -@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,23 +622,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -94882,7 +95037,7 @@ index 0f28095..f9eb73f 100644 ') ######################################## -@@ -639,7 +671,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -94891,7 +95046,7 @@ index 0f28095..f9eb73f 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +719,9 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) 
@@ -94901,7 +95056,7 @@ index 0f28095..f9eb73f 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -97072,10 +97227,10 @@ index 0000000..c2ac646 + diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc new file mode 100644 -index 0000000..3aae725 +index 0000000..6fc4865 --- /dev/null +++ b/policy/modules/services/dirsrv.fc -@@ -0,0 +1,20 @@ +@@ -0,0 +1,23 @@ +/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) + +/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) @@ -97089,6 +97244,9 @@ index 0000000..3aae725 +/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) +/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) + ++# BZ: ++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++ +/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) + +/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) @@ -97931,10 +98089,10 @@ index 0000000..a9dbcf2 +') diff --git a/policy/modules/services/dnssec.te b/policy/modules/services/dnssec.te new file mode 100755 -index 0000000..8aa75f3 +index 0000000..98ba6e1 --- /dev/null +++ b/policy/modules/services/dnssec.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,61 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -97972,6 +98130,7 @@ index 0000000..8aa75f3 +corenet_tcp_bind_generic_node(dnssec_trigger_t) +corenet_tcp_bind_dnssec_port(dnssec_trigger_t) +corenet_tcp_connect_rndc_port(dnssec_trigger_t) ++corenet_tcp_connect_http_port(dnssec_trigger_t) + +dev_read_urand(dnssec_trigger_t) + @@ -98409,10 +98568,10 @@ index 0000000..60c19b9 + 
diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if new file mode 100644 -index 0000000..f92ef50 +index 0000000..659d051 --- /dev/null +++ b/policy/modules/services/drbd.if -@@ -0,0 +1,133 @@ +@@ -0,0 +1,127 @@ + +## policy for drbd + @@ -98522,12 +98681,6 @@ index 0000000..f92ef50 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`drbd_admin',` + gen_require(` @@ -99608,10 +99761,10 @@ index 0000000..83279fb +/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0) diff --git a/policy/modules/services/fcoemon.if b/policy/modules/services/fcoemon.if new file mode 100644 -index 0000000..f25a1cb +index 0000000..33508c1 --- /dev/null +++ b/policy/modules/services/fcoemon.if -@@ -0,0 +1,94 @@ +@@ -0,0 +1,88 @@ + +## policy for fcoemon + @@ -99682,12 +99835,6 @@ index 0000000..f25a1cb +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`fcoemon_admin',` + gen_require(` @@ -101744,7 +101891,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..a250b06 100644 +index 4fde46b..a6022e7 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te @@ -14,19 +14,28 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) @@ -101780,7 +101927,7 @@ index 4fde46b..a250b06 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +44,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` 
@@ -101807,6 +101954,7 @@ index 4fde46b..a250b06 100644 + ntp_domtrans_ntpdate(gnomeclock_t) + ntp_initrc_domtrans(gnomeclock_t) + init_dontaudit_getattr_all_script_files(gnomeclock_t) ++ init_dontaudit_getattr_exec(gnomeclock_t) + ntp_systemctl(gnomeclock_t) +') + @@ -104602,7 +104750,7 @@ index 0000000..deb55ee + ppp_signal(l2tpd_t) +') diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc -index c62f23e..63e3be1 100644 +index c62f23e..276a021 100644 --- a/policy/modules/services/ldap.fc +++ b/policy/modules/services/ldap.fc @@ -1,6 +1,12 @@ @@ -104623,7 +104771,7 @@ index c62f23e..63e3be1 100644 /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if index 3aa8fa7..27cb806 100644 --- a/policy/modules/services/ldap.if 
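Review bot: The ldap.fc hunk comments out `/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)` rather than deleting it, while the dirsrv.fc hunk earlier in this patch adds the identical spec under a `# BZ:` comment that has no bug number. The changelog cites #799102, so the dirsrv.fc comment should read `# BZ: 799102` and the dead line in ldap.fc should be removed or replaced with `# /var/run/slapd.* sockets are labeled in dirsrv.fc`. The moved spec still names `slapd_var_run_t`, which appears to be declared by the ldap module, so dirsrv.fc now depends on that module being installed; please confirm the build handles dirsrv without ldap. The pattern `slapd.*` also leaves the dot unescaped, unlike `slapd\.args` and `slapd\.pid` above it, so it matches any socket whose name merely starts with `slapd`.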
@@ -111407,6 +111555,152 @@ index c61adc8..09bb140 100644 auth_use_nsswitch(ntpd_t) +diff --git a/policy/modules/services/numad.fc b/policy/modules/services/numad.fc +new file mode 100644 +index 0000000..d4aeefc +--- /dev/null ++++ b/policy/modules/services/numad.fc +@@ -0,0 +1,7 @@ ++/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) ++ ++/usr/lib/systemd/system/numad\.service -- gen_context(system_u:object_r:numad_unit_file_t,s0) ++ ++/var/log/numad\.log -- gen_context(system_u:object_r:numad_var_log_t,s0) ++ ++/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) +diff --git a/policy/modules/services/numad.if b/policy/modules/services/numad.if +new file mode 100644 +index 0000000..2f2fb49 +--- /dev/null ++++ b/policy/modules/services/numad.if +@@ -0,0 +1,78 @@ ++ ++## policy for numad ++ ++######################################## ++## ++## Transition to numad. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`numad_domtrans',` ++ gen_require(` ++ type numad_t, numad_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, numad_exec_t, numad_t) ++') ++######################################## ++## ++## Execute numad server in the numad domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`numad_systemctl',` ++ gen_require(` ++ type numad_t; ++ type numad_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 numad_unit_file_t:file read_file_perms; ++ allow $1 numad_unit_file_t:service all_service_perms; ++ ++ ps_process_pattern($1, numad_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an numad environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`numad_admin',` ++ gen_require(` ++ type numad_t; ++ type numad_unit_file_t; ++ ') ++ ++ allow $1 numad_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, numad_t) ++ ++ numad_systemctl($1) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te +new file mode 100644 +index 0000000..e3ac955 +--- /dev/null ++++ b/policy/modules/services/numad.te +@@ -0,0 +1,43 @@ ++policy_module(numad, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type numad_t; ++type numad_exec_t; ++init_daemon_domain(numad_t, numad_exec_t) ++ ++type numad_unit_file_t; ++systemd_unit_file(numad_unit_file_t) ++ ++type numad_var_log_t; ++logging_log_file(numad_var_log_t) ++ ++type numad_var_run_t; ++files_pid_file(numad_var_run_t) ++ ++######################################## ++# ++# numad local policy ++# ++ ++allow numad_t self:process { fork }; ++allow numad_t self:fifo_file rw_fifo_file_perms; ++allow numad_t self:msgq create_msgq_perms; ++allow numad_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t) ++logging_log_filetrans(numad_t, numad_var_log_t, { file }) ++ ++manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) ++files_pid_filetrans(numad_t, numad_var_run_t, { file }) ++ ++kernel_read_system_state(numad_t) ++ ++domain_use_interactive_fds(numad_t) ++ ++files_read_etc_files(numad_t) ++ ++miscfiles_read_localization(numad_t) diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc index 0a929ef..371119d 100644 --- a/policy/modules/services/nut.fc @@ -122099,10 +122393,36 @@ index 69a6074..a314e70 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') 
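Review bot: In the new numad.if, `numad_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `numad_admin` calls `systemd_read_fifo_file_passwd_run($1)`; the two spellings cannot both be the intended interface, and the wrong one will only surface when a caller expands it. `numad_admin` also documents a role parameter that the body never uses (no `$2`), which is the same defect this commit removes from `drbd_admin`, `fcoemon_admin`, `sblim_admin` and `vdagent_admin`, and it requires `numad_unit_file_t` without referencing it. The `numad_systemctl` summary, "Execute numad server in the numad domain", is copied from a domtrans interface and should describe controlling the numad unit through systemctl. `numad_admin` grants `ptrace` on `numad_t` but no access to `numad_var_log_t` or `numad_var_run_t`, so an administrator role gets process control without the logs; adding `admin_pattern($1, numad_var_log_t)` and `admin_pattern($1, numad_var_run_t)` would match the samba_admin interface visible elsewhere in this patch. The numad hunk ends partway through this line; the text after it belongs to the next hunk.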
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if -index 82cb169..219a8d8 100644 +index 82cb169..0ed7e14 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if -@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',` +@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',` + + ######################################## + ## ++## Connect to nmbd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_stream_connect_nmbd',` ++ gen_require(` ++ type nmbd_t, nmbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++') ++ ++######################################## ++## + ## Execute samba server in the samba domain. + ## + ## +@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',` ######################################## ## @@ -122132,7 +122452,7 @@ index 82cb169..219a8d8 100644 ## Execute samba net in the samba_net domain. ## ## -@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',` +@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',` ######################################## ## @@ -122158,7 +122478,7 @@ index 82cb169..219a8d8 100644 ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -103,6 +145,51 @@ interface(`samba_run_net',` +@@ -103,6 +164,51 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') @@ -122210,7 +122530,7 @@ index 82cb169..219a8d8 100644 ######################################## ## ## Execute smbmount in the smbmount domain. -@@ -327,7 +414,6 @@ interface(`samba_search_var',` +@@ -327,7 +433,6 @@ interface(`samba_search_var',` type samba_var_t; ') @@ -122218,7 +122538,7 @@ index 82cb169..219a8d8 100644 files_search_var_lib($1) allow $1 samba_var_t:dir search_dir_perms; ') -@@ -348,7 +434,6 @@ interface(`samba_read_var_files',` +@@ -348,7 +453,6 @@ interface(`samba_read_var_files',` type samba_var_t; ') 
@@ -122226,7 +122546,7 @@ index 82cb169..219a8d8 100644 files_search_var_lib($1) read_files_pattern($1, samba_var_t, samba_var_t) ') -@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',` +@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',` type samba_var_t; ') @@ -122234,7 +122554,7 @@ index 82cb169..219a8d8 100644 files_search_var_lib($1) rw_files_pattern($1, samba_var_t, samba_var_t) ') -@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',` +@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',` type samba_var_t; ') @@ -122245,7 +122565,7 @@ index 82cb169..219a8d8 100644 ') ######################################## -@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',` +@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',` ## Execute a domain transition to run smbcontrol. ## ## @@ -122264,7 +122584,7 @@ index 82cb169..219a8d8 100644 ') domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',` +@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) @@ -122272,7 +122592,7 @@ index 82cb169..219a8d8 100644 ') ######################################## -@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',` +@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -122310,7 +122630,7 @@ index 82cb169..219a8d8 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -661,33 +776,33 @@ interface(`samba_stream_connect_winbind',` +@@ -661,33 +795,33 @@ interface(`samba_stream_connect_winbind',` # interface(`samba_admin',` gen_require(` @@ -122365,7 +122685,7 @@ index 82cb169..219a8d8 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -709,9 +824,6 @@ interface(`samba_admin',` +@@ -709,9 +843,6 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) 
@@ -122375,7 +122695,7 @@ index 82cb169..219a8d8 100644 admin_pattern($1, smbd_var_run_t) files_list_pids($1) -@@ -727,4 +839,9 @@ interface(`samba_admin',` +@@ -727,4 +858,9 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -123229,10 +123549,10 @@ index 0000000..d5c3c3f +/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if new file mode 100644 -index 0000000..fe23f5a +index 0000000..182057f --- /dev/null +++ b/policy/modules/services/sblim.if -@@ -0,0 +1,82 @@ +@@ -0,0 +1,76 @@ + +## policy for SBLIM Gatherer + @@ -123286,12 +123606,6 @@ index 0000000..fe23f5a +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`sblim_admin',` + gen_require(` @@ -125284,7 +125598,7 @@ index d2496bd..c7614d7 100644 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te -index 4b2230e..7b3d2db 100644 +index 4b2230e..51dc8d8 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) 
@@ -125321,7 +125635,26 @@ index 4b2230e..7b3d2db 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file) +@@ -40,6 +40,9 @@ logging_log_file(squid_log_t) + type squid_tmpfs_t; + files_tmpfs_file(squid_tmpfs_t) + ++type squid_tmp_t; ++files_tmp_file(squid_tmp_t) ++ + type squid_var_run_t; + files_pid_file(squid_var_run_t) + +@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) + manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) + fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) + ++manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) ++manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) ++files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) ++ + manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) + files_pid_filetrans(squid_t, squid_var_run_t, file) kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) @@ -125329,7 +125662,7 @@ index 4b2230e..7b3d2db 100644 files_dontaudit_getattr_boot_dirs(squid_t) -@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) @@ -125339,7 +125672,7 @@ index 4b2230e..7b3d2db 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -185,6 +187,7 @@ optional_policy(` +@@ -185,6 +194,7 @@ optional_policy(` corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) @@ -125347,7 +125680,7 @@ index 4b2230e..7b3d2db 100644 sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -206,3 +209,7 @@ optional_policy(` +@@ -206,3 +216,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -127784,10 +128117,10 @@ index 0000000..2ba852c + 
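Review bot: The new squid_tmp_t rules in squid.te grant directory management as well as file management (`manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)` and `{ file dir }` in `files_tmp_filetrans`), and nothing in the hunk says what squid creates under /tmp. If only regular files are needed, dropping the `manage_dirs_pattern` line and using `files_tmp_filetrans(squid_t, squid_tmp_t, file)` would be the narrower grant. If directories are required, a short comment above the three added rules naming the component that creates them would record the reason for a later audit.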
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if new file mode 100644 -index 0000000..c6be180 +index 0000000..8c74340 --- /dev/null +++ b/policy/modules/services/vdagent.if -@@ -0,0 +1,128 @@ +@@ -0,0 +1,122 @@ + +## policy for vdagent + @@ -127895,12 +128228,6 @@ index 0000000..c6be180 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`vdagent_admin',` + gen_require(` @@ -133653,16 +133980,18 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..29f3011 100644 +index 28ad538..bb13287 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -1,3 +1,5 @@ +@@ -1,3 +1,7 @@ +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) ++HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) ++/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -@@ -5,7 +7,12 @@ +@@ -5,7 +9,12 @@ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) @@ -133675,7 +134004,7 @@ index 28ad538..29f3011 100644 /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) -@@ -16,13 +23,22 @@ ifdef(`distro_suse', ` +@@ -16,13 +25,22 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') 
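Review bot: The two added `.google_authenticator~` entries in authlogin.fc have no file-type field, so they match any object of that name rather than only a regular file. The name-based transitions this commit adds in authlogin.if are restricted to the `file` class, so adding `--` would make the labeling spec agree with them and keep a relabel from giving auth_home_t to a directory or symlink of that name: `HOME_DIR/\.google_authenticator~ -- gen_context(system_u:object_r:auth_home_t,s0)`, and the same for the `/root/` entry. The existing entries without the `~` have the same shape and could be tightened in the same change.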
@@ -133700,7 +134029,7 @@ index 28ad538..29f3011 100644 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,6 +46,8 @@ ifdef(`distro_gentoo', ` +@@ -30,6 +48,8 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -133709,7 +134038,7 @@ index 28ad538..29f3011 100644 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -39,11 +57,13 @@ ifdef(`distro_gentoo', ` +@@ -39,11 +59,13 @@ ifdef(`distro_gentoo', ` /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) @@ -133725,7 +134054,7 @@ index 28ad538..29f3011 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..02e667b 100644 +index 73554ec..dec450c 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -134172,7 +134501,7 @@ index 73554ec..02e667b 100644 ##

## ## -@@ -1575,87 +1808,200 @@ interface(`auth_relabel_login_records',` +@@ -1575,87 +1808,202 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ## ## @@ -134384,6 +134713,7 @@ index 73554ec..02e667b 100644 ') + + userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") ++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ') ######################################## @@ -134422,6 +134752,7 @@ index 73554ec..02e667b 100644 - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") ++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index b7a5f00..a22fe6d 100644 @@ -135117,7 +135448,7 @@ index 354ce93..4738083 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..6248940 100644 +index 94fd8dd..6acffdb 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` @@ -135329,7 +135660,15 @@ index 94fd8dd..6248940 100644 ######################################## ## ## Execute init (/sbin/init) with a domain transition. -@@ -451,6 +501,10 @@ interface(`init_exec',` +@@ -442,7 +492,6 @@ interface(`init_domtrans',` + ## Domain allowed access. + ## + ## +-## + # + interface(`init_exec',` + gen_require(` +@@ -451,6 +500,29 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) 
@@ -135337,10 +135676,29 @@ index 94fd8dd..6248940 100644 + tunable_policy(`init_systemd',` + systemd_exec_systemctl($1) + ') ++') ++ ++####################################### ++## ++## Dontaudit getattr on the init program. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`init_dontaudit_getattr_exec',` ++ gen_require(` ++ type init_exec_t; ++ ') ++ ++ dontaudit $1 init_exec_t:file getattr; ') ######################################## -@@ -509,6 +563,24 @@ interface(`init_sigchld',` +@@ -509,6 +581,24 @@ interface(`init_sigchld',` ######################################## ## @@ -135365,7 +135723,7 @@ index 94fd8dd..6248940 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +591,66 @@ interface(`init_sigchld',` +@@ -519,10 +609,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -135434,7 +135792,7 @@ index 94fd8dd..6248940 100644 ') ######################################## -@@ -688,19 +816,25 @@ interface(`init_telinit',` +@@ -688,19 +834,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -135461,7 +135819,7 @@ index 94fd8dd..6248940 100644 ') ') -@@ -730,7 +864,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +882,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -135470,7 +135828,7 @@ index 94fd8dd..6248940 100644 ## ## # -@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -135494,7 +135852,7 @@ index 94fd8dd..6248940 100644 ') ') -@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +953,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` 
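Review bot: The parameter description of the new `init_dontaudit_getattr_exec` interface reads "Domain allowed access.", but the interface only emits `dontaudit $1 init_exec_t:file getattr;`, so it should read `## Domain to not audit.`. The doc block also has three `##` lines between the description and the `#` line, which is the shape `init_exec` had before this same commit removed one of them in the `@@ -442,7 +492,6 @@` hunk. The markup is not visible in this rendering, so this is presumably the same stray line and is worth checking before it is flagged again.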
@@ -135517,11 +135875,11 @@ index 94fd8dd..6248940 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -135534,13 +135892,17 @@ index 94fd8dd..6248940 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',` ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -135555,7 +135917,7 @@ index 94fd8dd..6248940 100644 files_search_etc($1) ') -@@ -961,7 +1123,9 @@ interface(`init_ptrace',` +@@ -961,7 +1141,9 @@ interface(`init_ptrace',` type init_t; ') @@ -135566,7 +135928,7 @@ index 94fd8dd..6248940 100644 ') ######################################## -@@ -1079,6 +1243,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1261,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -135591,7 +135953,7 @@ index 94fd8dd..6248940 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1312,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1330,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -135605,7 +135967,7 @@ index 94fd8dd..6248940 100644 ') ######################################## -@@ -1375,6 +1552,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1570,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from 
@@ -135633,7 +135995,7 @@ index 94fd8dd..6248940 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1659,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1677,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -135659,7 +136021,7 @@ index 94fd8dd..6248940 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1736,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1754,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -135684,7 +136046,7 @@ index 94fd8dd..6248940 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1586,6 +1821,24 @@ interface(`init_read_utmp',` +@@ -1586,6 +1839,24 @@ interface(`init_read_utmp',` ######################################## ## @@ -135709,7 +136071,7 @@ index 94fd8dd..6248940 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1674,7 +1927,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1945,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -135718,7 +136080,7 @@ index 94fd8dd..6248940 100644 ') ######################################## -@@ -1715,6 +1968,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1986,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -135847,7 +136209,7 @@ index 94fd8dd..6248940 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2124,266 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2142,266 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -142372,7 +142734,7 @@ index ff80d0a..22c9f0d 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..9291d3a 100644 +index 34d0ec5..40d2d20 100644 
--- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -142399,7 +142761,7 @@ index 34d0ec5..9291d3a 100644 type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -34,18 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) +@@ -34,17 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; @@ -142416,12 +142778,11 @@ index 34d0ec5..9291d3a 100644 # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; -- -+allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms }; ++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms }; + allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; - allow dhcpc_t self:udp_socket create_socket_perms; -@@ -57,8 +66,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -142433,7 +142794,7 @@ index 34d0ec5..9291d3a 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -66,6 +78,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) +@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. 
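Review bot: The `allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };` line in sysnetwork.te gains `setsched` with no comment in the policy saying why; only the changelog entry about nmcli records the reason. A comment above the rule, for example `# setsched: caused by nmcli`, would let a later audit of dhcpc_t's process permissions tell this grant apart from an accidental one. The line above it already documents its dontaudit in the same way.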
@@ -142442,7 +142803,7 @@ index 34d0ec5..9291d3a 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -91,25 +105,28 @@ corecmd_exec_shell(dhcpc_t) +@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t) corenet_all_recvfrom_unlabeled(dhcpc_t) corenet_all_recvfrom_netlabel(dhcpc_t) @@ -142479,7 +142840,7 @@ index 34d0ec5..9291d3a 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -129,14 +146,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -129,14 +147,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -142499,7 +142860,7 @@ index 34d0ec5..9291d3a 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -151,7 +171,18 @@ ifdef(`distro_ubuntu',` +@@ -151,7 +172,18 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -142519,7 +142880,7 @@ index 34d0ec5..9291d3a 100644 ') optional_policy(` -@@ -171,6 +202,8 @@ optional_policy(` +@@ -171,6 +203,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -142528,7 +142889,7 @@ index 34d0ec5..9291d3a 100644 ') optional_policy(` -@@ -192,17 +225,31 @@ optional_policy(` +@@ -192,17 +226,31 @@ optional_policy(` ') optional_policy(` @@ -142560,7 +142921,7 @@ index 34d0ec5..9291d3a 100644 ') optional_policy(` -@@ -213,6 +260,11 @@ optional_policy(` +@@ -213,6 +261,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -142572,7 +142933,7 @@ index 34d0ec5..9291d3a 100644 ') optional_policy(` -@@ -255,6 +307,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +308,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -142580,7 +142941,7 @@ index 34d0ec5..9291d3a 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +329,12 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +330,12 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -142593,7 +142954,7 @@ index 34d0ec5..9291d3a 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -290,7 +347,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -290,7 +348,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -142602,7 +142963,7 @@ index 34d0ec5..9291d3a 100644 init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) -@@ -301,11 +358,11 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +359,11 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -142617,7 +142978,7 @@ index 34d0ec5..9291d3a 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +371,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +372,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -142636,7 +142997,7 @@ index 34d0ec5..9291d3a 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +393,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +394,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -142651,7 +143012,7 @@ index 34d0ec5..9291d3a 100644 ') optional_policy(` -@@ -335,7 +409,15 @@ optional_policy(` +@@ -335,7 +410,15 @@ optional_policy(` ') optional_policy(` @@ -142668,7 +143029,7 @@ index 34d0ec5..9291d3a 100644 ') optional_policy(` -@@ -356,3 +438,9 @@ optional_policy(` +@@ -356,3 +439,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7499c0a..d1f9902 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 106%{?dist} +Release: 107%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -484,6 +484,29 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 28 2012 Miroslav Grepl 3.10.0-107 +- Add numad policy and numad man page +- Add fixes for interface bugs discovered by SEWatch +- Add /tmp support for squid +- Add fix for #799102 + * change default labeling for /var/run/slapd.* sockets +- Make thumb_t as userdom_home_reader +- label /var/lib/sss/mc same as pubconf, so getpw domains can read it +- Allow smbspool running as cups_t to stream connect to nmbd +- accounts needs to be able to execute passwd on behalf of users +- Allow systemd_tmpfiles_t to delete boot flags +- Allow dnssec_trigger to connect to apache ports +- Allow gnome keyring to create sock_files in ~/.cache +- google_authenticator is using .google_authenticator +- sandbox running from within firefox is exposing more leaks +- Dontaudit thumb to read/write /dev/card0 +- Dontaudit getattr on init_exec_t for gnomeclock_t +- Allow certmonger to do a transition to certmonger_unconfined_t +- Allow dhcpc setsched which is caused by nmcli +- Add rpm_exec_t for /usr/sbin/bcfg2 +- system cronjobs are sending dbus messages to systemd_logind +- Thumnailers read /dev/urand + * Thu Mar 22 2012 Miroslav Grepl 3.10.0-106 - Allow auditctl getcap - Allow vdagent to use libsystemd-login