diff --git a/policy-f18-base.patch b/policy-f18-base.patch index 1f60169..d0eb01f 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -113007,7 +113007,7 @@ index f9b25c1..9af1f7a 100644 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 07126bd..affff65 100644 +index 07126bd..97e23d2 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` @@ -114023,7 +114023,7 @@ index 07126bd..affff65 100644 ## Do not audit attempts to connect TCP sockets ## all rpc ports. ## -@@ -1993,6 +2584,41 @@ interface(`corenet_rw_tun_tap_dev',` +@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## @@ -114042,8 +114042,18 @@ index 07126bd..affff65 100644 + + allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; +') ++ +######################################## +## + ## Do not audit attempts to read or write the TUN/TAP + ## virtual network device. + ## +@@ -2010,6 +2619,24 @@ interface(`corenet_dontaudit_rw_tun_tap_dev',` + dontaudit $1 tun_tap_device_t:chr_file { read write }; + ') + ++###################################### ++## +## Relabel to and from the TUN/TAP virtual network device. +## +## @@ -114059,13 +114069,11 @@ index 07126bd..affff65 100644 + + relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) +') -+ -+######################################## -+## - ## Do not audit attempts to read or write the TUN/TAP - ## virtual network device. - ## -@@ -2049,6 +2675,25 @@ interface(`corenet_rw_ppp_dev',` ++ + ######################################## + ## + ## Getattr the point-to-point device. +@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',` ######################################## ## 
@@ -114091,7 +114099,7 @@ index 07126bd..affff65 100644 ## Bind TCP sockets to all RPC ports. ## ## -@@ -2068,6 +2713,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` +@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## ## @@ -114116,7 +114124,7 @@ index 07126bd..affff65 100644 ## Do not audit attempts to bind TCP sockets to all RPC ports. ## ## -@@ -2194,6 +2857,25 @@ interface(`corenet_tcp_recv_netlabel',` +@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',` ######################################## ## @@ -114142,7 +114150,7 @@ index 07126bd..affff65 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2213,7 +2895,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## @@ -114151,7 +114159,7 @@ index 07126bd..affff65 100644 ## ## ## -@@ -2221,10 +2903,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## ## # @@ -114169,7 +114177,7 @@ index 07126bd..affff65 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2249,6 +2936,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## @@ -114196,7 +114204,7 @@ index 07126bd..affff65 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2269,6 +2976,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## 
@@ -114224,7 +114232,7 @@ index 07126bd..affff65 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2533,15 +3261,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` @@ -114244,7 +114252,7 @@ index 07126bd..affff65 100644 ') ######################################## -@@ -2567,11 +3290,34 @@ interface(`corenet_all_recvfrom_unlabeled',` +@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',` # interface(`corenet_all_recvfrom_netlabel',` gen_require(` @@ -114282,7 +114290,7 @@ index 07126bd..affff65 100644 ') ######################################## -@@ -2585,6 +3331,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` @@ -114290,7 +114298,7 @@ index 07126bd..affff65 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3360,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -114327,7 +114335,7 @@ index 07126bd..affff65 100644 ') ######################################## -@@ -2727,6 +3502,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` @@ -114335,7 +114343,7 @@ index 07126bd..affff65 100644 corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3910,53 @@ interface(`corenet_unconfined',` +@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') 
@@ -114943,7 +114951,7 @@ index 02b7ac1..1fc53d1 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index d820975..02a2acf 100644 +index d820975..a07675d 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -115881,28 +115889,27 @@ index d820975..02a2acf 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3927,23 +4304,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3927,8 +4304,31 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## -## Create, read, write, and delete sysfs -## directories. +## Read cpu online hardware state information. - ## ++## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`dev_manage_sysfs_dirs',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_read_cpu_online',` - gen_require(` ++ gen_require(` + type cpu_online_t; + ') + @@ -115913,15 +115920,16 @@ index d820975..02a2acf 100644 +######################################## +## +## Relabel cpu online hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ##
+ ## + ## +@@ -3936,14 +4336,17 @@ interface(`dev_dontaudit_write_sysfs_dirs',` + ## + ## + # +-interface(`dev_manage_sysfs_dirs',` +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; type sysfs_t; ') @@ -116049,12 +116057,10 @@ index d820975..02a2acf 100644 ######################################## ## ## Read generic the USB devices. -@@ -4407,6 +4903,23 @@ interface(`dev_rw_userio_dev',` +@@ -4410,6 +4906,25 @@ interface(`dev_rw_userio_dev',` - rw_chr_files_pattern($1, device_t, userio_device_t) - ') -+######################################## -+## + ######################################## + ## +## Read and write the VFIO devices. +## +## @@ -116068,12 +116074,16 @@ index d820975..02a2acf 100644 + type device_t, vfio_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, vfio_device_t) ++ rw_chr_files_pattern($1, device_t, vfio_device_t) +') - - ######################################## - ## -@@ -4520,6 +5033,24 @@ interface(`dev_rw_vhost',` ++ ++ ++######################################## ++## + ## Do not audit attempts to get the attributes + ## of video4linux device nodes. + ## +@@ -4520,6 +5035,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -116098,7 +116108,7 @@ index d820975..02a2acf 100644 ## Read and write VMWare devices. ## ## -@@ -4725,6 +5256,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4725,6 +5258,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -116125,7 +116135,7 @@ index d820975..02a2acf 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4814,3 +5365,917 @@ interface(`dev_unconfined',` +@@ -4814,3 +5367,917 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -136316,19 +136326,33 @@ index 4a88fa1..9c0b2c0 100644 + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') 
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index ec85acb..3451447 100644 +index ec85acb..ef9370d 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -1,7 +1,7 @@ +@@ -1,14 +1,19 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -+/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) - /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) +-/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) ++ ++/etc/(strongswan)?/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/(strongswan)?/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -@@ -26,11 +26,7 @@ + /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + +-/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++ ++/etc/(strongswan)?/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + + /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) + +@@ -26,17 +31,15 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) 
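Review bot: The new entries `/etc/(strongswan)?/ipsec\.secrets.*`, `/etc/(strongswan)?/ipsec\.conf` and `/etc/(strongswan)?/ipsec\.d(/.*)?` in the ipsec.fc hunk put the `/` outside the optional group, so with the group absent they match only `/etc//ipsec.secrets` and never the stock `/etc/ipsec.secrets`; since the hunk also removes the old `/etc/ipsec\.secrets` and `/etc/ipsec\.conf` lines, those files lose `ipsec_key_file_t`/`ipsec_conf_file_t` and inherit the generic /etc label, which widens what can read the IKE secrets. Move the slash inside the group: `/etc/(strongswan/)?ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)`, and likewise for the conf and ipsec.d lines. Separately, `/etc/strongswan(/.*)?` has a longer literal stem than the `(strongswan/)?` entries, so libselinux's most-specific-match ordering may label `/etc/strongswan/ipsec.secrets` and `/etc/strongswan/ipsec.d/` as `ipsec_conf_file_t` rather than as key files; check with matchpathcon and give the strongswan key paths explicit entries if so.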
@@ -136341,14 +136365,22 @@ index ec85acb..3451447 100644 /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) -@@ -44,3 +40,5 @@ + /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) ++/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + + /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) ++/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) + + /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) + +@@ -44,3 +47,5 @@ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..0c32fb4 100644 +index 0d4c8d3..a89c4a2 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',` @@ -136507,11 +136539,54 @@ index 0d4c8d3..0c32fb4 100644 ') ######################################## +@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',` + ipsec_domtrans_setkey($1) + role $2 types setkey_t; + ') ++ ++####################################### ++## ++## Execute strongswan in the ipsec_mgmt domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipsec_mgmt_systemctl',` ++ gen_require(` ++ type ipsec_mgmt_unit_file_t; ++ type ipsec_mgmt_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ipsec_mgmt_unit_file_t:file read_file_perms; ++ allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ipsec_mgmt_t) ++') 
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index a30840c..5980b7e 100644 +index a30840c..18ef725 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te -@@ -72,14 +72,18 @@ role system_r types setkey_t; +@@ -1,4 +1,4 @@ +-policy_module(ipsec, 1.13.0) ++policy_module(ipsec, 1.13.3) + + ######################################## + # +@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) + corecmd_shell_entry_type(ipsec_mgmt_t) + role system_r types ipsec_mgmt_t; + ++type ipsec_mgmt_unit_file_t; ++systemd_unit_file(ipsec_mgmt_unit_file_t) ++ + type ipsec_mgmt_lock_t; + files_lock_file(ipsec_mgmt_lock_t) + +@@ -72,14 +75,18 @@ role system_r types setkey_t; # ipsec Local policy # @@ -136532,7 +136607,7 @@ index a30840c..5980b7e 100644 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -113,6 +117,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; +@@ -113,6 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; kernel_read_kernel_sysctls(ipsec_t) @@ -136540,7 +136615,7 @@ index a30840c..5980b7e 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -127,20 +132,22 @@ corecmd_exec_shell(ipsec_t) +@@ -127,20 +135,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -136570,7 +136645,7 @@ index a30840c..5980b7e 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -156,6 +163,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -156,6 +166,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) 
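Review bot: The doc header of the new `ipsec_mgmt_systemctl` interface in ipsec.if says `Execute strongswan in the ipsec_mgmt domain` with the parameter `Domain allowed to transition`, but the body contains no domain transition: it grants `systemd_exec_systemctl($1)`, `read_file_perms` and `manage_service_perms` on `ipsec_mgmt_unit_file_t`, and `ps_process_pattern($1, ipsec_mgmt_t)`. That is the ability to start, stop and inspect the unit, which the summary should state so callers understand what they hand out, e.g. `Execute systemctl to manage the strongswan/ipsec_mgmt service unit.` and `Domain allowed access.`. The header separator is also 39 `#` where the surrounding headers use 40.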
@@ -136579,7 +136654,7 @@ index a30840c..5980b7e 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -164,11 +173,13 @@ auth_use_nsswitch(ipsec_t) +@@ -164,16 +176,22 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -136594,7 +136669,16 @@ index a30840c..5980b7e 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,10 +197,10 @@ optional_policy(` + + optional_policy(` ++ iptables_domtrans(ipsec_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ipsec_t) + ') + +@@ -186,10 +204,10 @@ optional_policy(` # ipsec_mgmt Local policy # 
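Review bot: The new `optional_policy` block granting `iptables_domtrans(ipsec_t)` has no comment explaining why the IKE daemon domain needs to execute iptables in `iptables_t`, although nearby rules in this file are annotated (`# Pluto needs network access`) and this one lets the daemon alter firewall rules. Add a why-comment above it, e.g. `# updown hooks run iptables when a tunnel comes up or goes down`; presumably that is the consumer, but confirm before settling the wording.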
@@ -136609,15 +136693,26 @@ index a30840c..5980b7e 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -209,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; - files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) +@@ -205,14 +223,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) + manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) + logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + +-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +-files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) ++manage_files_pattern(ipsec_mgmt_t, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file }) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) +manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -@@ -245,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) + + # _realsetup needs to be able to cat /var/run/pluto.pid, + # run ps on that pid, and delete the file +@@ -245,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -136634,7 +136729,7 @@ index a30840c..5980b7e 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -254,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -254,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) 
@@ -136643,7 +136738,7 @@ index a30840c..5980b7e 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -277,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -136655,7 +136750,7 @@ index a30840c..5980b7e 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -289,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -289,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -136679,7 +136774,7 @@ index a30840c..5980b7e 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -321,6 +349,10 @@ optional_policy(` +@@ -321,11 +356,15 @@ optional_policy(` ') optional_policy(` @@ -136690,7 +136785,13 @@ index a30840c..5980b7e 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -334,7 +366,7 @@ optional_policy(` + optional_policy(` +- nscd_socket_use(ipsec_mgmt_t) ++ nscd_use(ipsec_mgmt_t) + ') + + ######################################## +@@ -334,7 +373,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -136699,7 +136800,7 @@ index a30840c..5980b7e 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -369,13 +401,12 @@ kernel_request_load_module(racoon_t) +@@ -369,13 +408,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -136719,7 +136820,7 @@ index a30840c..5980b7e 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -400,10 +431,11 @@ locallogin_use_fds(racoon_t) +@@ -400,10 +438,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) 
@@ -136732,7 +136833,7 @@ index a30840c..5980b7e 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -437,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -437,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -141990,14 +142091,15 @@ index bea4629..06e2834 100644 /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) +/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if -index efa9c27..591f581 100644 +index efa9c27..75bdcd0 100644 --- a/policy/modules/system/setrans.if +++ b/policy/modules/system/setrans.if -@@ -40,3 +40,21 @@ interface(`setrans_translate_context',` +@@ -40,3 +40,23 @@ interface(`setrans_translate_context',` stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) files_list_pids($1) ') -+####################################### ++ ++###################################### +## +## Allow a domain to manage pid files +## @@ -142015,6 +142117,7 @@ index efa9c27..591f581 100644 + files_search_pids($1) + manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t) +') ++ diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 1447687..d5e6fb9 100644 --- a/policy/modules/system/setrans.te @@ -145942,7 +146045,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..9c9a616 100644 +index e720dcd..9a6a3b0 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -148102,11 +148205,13 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -2298,6 +2975,44 @@ interface(`userdom_dontaudit_append_user_tmp_files',` +@@ -2296,6 +2973,45 @@ interface(`userdom_dontaudit_append_user_tmp_files',` + dontaudit $1 user_tmp_t:file append_file_perms; + ') - ######################################## - ## -+## Relabel user tmp files. ++####################################### ++## ++## Set the attributes of user tmp files. +## +## +## @@ -148115,17 +148220,17 @@ index e720dcd..9c9a616 100644 +## +## +# -+interface(`userdom_relabel_user_tmp_files',` ++interface(`userdom_setattr_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ allow $1 user_tmp_t:file relabel_file_perms; -+') -+ ++ allow $1 user_tmp_t:file setattr; ++') ++ +######################################## +## -+## Set the attributes of user tmp files. ++## Relabel user tmp files. +## +## +## @@ -148134,20 +148239,19 @@ index e720dcd..9c9a616 100644 +## +## +# -+interface(`userdom_setattr_user_tmp_files',` ++interface(`userdom_relabel_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ allow $1 user_tmp_t:file setattr; ++ allow $1 user_tmp_t:file relabel_file_perms; +') + -+######################################## -+## ++ + ######################################## + ## ## Read and write user temporary files. - ## - ## -@@ -2521,6 +3236,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2521,6 +3237,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -148173,7 +148277,7 @@ index e720dcd..9c9a616 100644 ######################################## ## ## Read user tmpfs files. -@@ -2537,13 +3271,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2537,13 +3272,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -148189,7 +148293,7 @@ index e720dcd..9c9a616 100644 ## ## ## -@@ -2564,7 +3299,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2564,7 +3300,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -148198,7 +148302,7 @@ index e720dcd..9c9a616 100644 ## ## ## -@@ -2572,14 +3307,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2572,14 +3308,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -148233,7 +148337,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -2674,6 +3425,24 @@ interface(`userdom_use_user_ttys',` +@@ -2674,6 +3426,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -148258,7 +148362,7 @@ index e720dcd..9c9a616 100644 ## Read and write a user domain pty. ## ## -@@ -2692,22 +3461,34 @@ interface(`userdom_use_user_ptys',` +@@ -2692,22 +3462,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -148301,7 +148405,7 @@ index e720dcd..9c9a616 100644 ## ## ## -@@ -2716,14 +3497,33 @@ interface(`userdom_use_user_ptys',` +@@ -2716,14 +3498,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -148339,7 +148443,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -2742,8 +3542,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2742,8 +3543,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -148369,7 +148473,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -2815,69 +3634,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2815,69 +3635,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -148470,7 +148574,7 @@ index e720dcd..9c9a616 100644 ## ## ## -@@ -2885,12 +3703,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2885,12 +3704,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -148485,7 +148589,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -2954,7 +3772,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2954,7 +3773,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -148494,7 +148598,7 @@ index e720dcd..9c9a616 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2970,16 +3788,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2970,16 +3789,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -148516,7 +148620,7 @@ index e720dcd..9c9a616 100644 ## ## ## -@@ -2987,30 +3807,12 @@ interface(`userdom_search_user_home_content',` +@@ -2987,30 +3808,12 @@ interface(`userdom_search_user_home_content',` ## ## # @@ -148549,7 +148653,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -3074,7 +3876,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3074,7 +3877,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -148558,7 +148662,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -3129,7 +3931,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3129,7 +3932,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -148624,7 +148728,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -3147,7 +4006,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3147,7 +4007,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -148633,7 +148737,7 @@ index e720dcd..9c9a616 100644 ') ######################################## -@@ -3166,6 +4025,7 @@ interface(`userdom_read_all_users_state',` +@@ -3166,6 +4026,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
@@ -148641,7 +148745,7 @@ index e720dcd..9c9a616 100644 kernel_search_proc($1) ') -@@ -3242,6 +4102,42 @@ interface(`userdom_signal_all_users',` +@@ -3242,6 +4103,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -148684,7 +148788,7 @@ index e720dcd..9c9a616 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4158,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4159,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -148709,7 +148813,7 @@ index e720dcd..9c9a616 100644 ## Create keys for all user domains. ## ## -@@ -3295,4 +4209,1400 @@ interface(`userdom_dbus_send_all_users',` +@@ -3295,4 +4210,1401 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -149325,6 +149429,24 @@ index e720dcd..9c9a616 100644 + allow $1 user_tmp_t:file { getattr append }; +') + ++######################################## ++## ++## Dontaudit append files inherited from the admin home dir. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_append_inherited_admin_home_file',` ++ gen_require(` ++ attribute admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file append_inherited_file_perms; ++') ++ +###################################### +## +## Read audio files in the users homedir. @@ -149584,7 +149706,7 @@ index e720dcd..9c9a616 100644 +## +## +# -+interface(`userdom_dontaudit_read_admin_home_file',` ++interface(`userdom_dontaudit_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') 
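Review bot: In this hunk `userdom_dontaudit_append_inherited_admin_home_file` requires `attribute admin_home_t;`, while the renamed `userdom_dontaudit_read_admin_home_files` in the next hunk requires `type admin_home_t;`; `admin_home_t` can only be one of these, and a require of the wrong flavour is expected to fail at module link time with a type/attribute mismatch for the contrib modules (abrt, virt) that call these interfaces. The same `attribute admin_home_t;` require is in `userdom_dontaudit_read_inherited_admin_home_files` in the following hunk (`@@ -149602`); if admin_home_t is a type as its sibling says, both should read `type admin_home_t;`. The rename also pluralises only the two read interfaces and leaves `userdom_dontaudit_append_inherited_admin_home_file` singular while its virt.te caller is being touched, so renaming it to `..._files` in the same change would keep the family consistent.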
@@ -149602,31 +149724,14 @@ index e720dcd..9c9a616 100644 +## +## +# -+interface(`userdom_dontaudit_read_inherited_admin_home_file',` ++interface(`userdom_dontaudit_read_inherited_admin_home_files',` + gen_require(` + attribute admin_home_t; + ') + + dontaudit $1 admin_home_t:file read_inherited_file_perms; +') -+ -+######################################## -+## -+## Dontaudit append files inherited from the admin home dir. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_append_inherited_admin_home_file',` -+ gen_require(` -+ attribute admin_home_t; -+ ') + -+ dontaudit $1 admin_home_t:file append_inherited_file_perms; -+') + +######################################## +## diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index 891a691..b755ee5 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -370,7 +370,7 @@ index 0b827c5..cce58bb 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index 30861ec..9906206 100644 +index 30861ec..9551f2f 100644 --- a/abrt.te +++ b/abrt.te @@ -5,13 +5,41 @@ policy_module(abrt, 1.2.0) @@ -591,7 +591,7 @@ index 30861ec..9906206 100644 +miscfiles_read_public_files(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) -+userdom_dontaudit_read_admin_home_file(abrt_t) ++userdom_dontaudit_read_admin_home_files(abrt_t) + +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) @@ -24633,10 +24633,10 @@ index 0000000..e15bbb0 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..5200157 +index 0000000..bd14f46 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,141 @@ +@@ -0,0 +1,142 @@ +policy_module(glusterd, 1.0.0) + +## 
@@ -24718,7 +24718,8 @@ index 0000000..5200157 + +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) ++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file }) + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) @@ -60895,7 +60896,7 @@ index b2a0b6a..ea27ee5 100644 /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff --git a/rpm.if b/rpm.if -index 951d8f6..fb48b05 100644 +index 951d8f6..c9f8056 100644 --- a/rpm.if +++ b/rpm.if @@ -13,10 +13,13 @@ @@ -60987,32 +60988,7 @@ index 951d8f6..fb48b05 100644 ') ######################################## -@@ -296,6 +342,24 @@ interface(`rpm_manage_log',` - logging_rw_generic_log_dirs($1) - allow $1 rpm_log_t:file manage_file_perms; - ') -+######################################## -+## -+## Create, read, write, and delete the RPM log. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_read_log',` -+ gen_require(` -+ type rpm_log_t; -+ ') -+ -+ read_files_pattern($1, rpm_log_t, rpm_log_t) -+') -+ - - ######################################## - ## -@@ -332,7 +396,9 @@ interface(`rpm_manage_script_tmp_files',` +@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -61022,7 +60998,7 @@ index 951d8f6..fb48b05 100644 ') ##################################### -@@ -351,8 +417,7 @@ interface(`rpm_append_tmp_files',` +@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') 
@@ -61032,7 +61008,7 @@ index 951d8f6..fb48b05 100644 ') ######################################## -@@ -372,7 +437,9 @@ interface(`rpm_manage_tmp_files',` +@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -61042,7 +61018,7 @@ index 951d8f6..fb48b05 100644 ') ######################################## -@@ -456,6 +523,7 @@ interface(`rpm_read_db',` +@@ -456,6 +505,7 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -61050,7 +61026,7 @@ index 951d8f6..fb48b05 100644 ') ######################################## -@@ -499,6 +567,26 @@ interface(`rpm_manage_db',` +@@ -499,6 +549,26 @@ interface(`rpm_manage_db',` ######################################## ## @@ -61077,7 +61053,7 @@ index 951d8f6..fb48b05 100644 ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -513,7 +601,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -513,11 +583,29 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -61086,6 +61062,28 @@ index 951d8f6..fb48b05 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') + ++######################################## ++## ++## Create, read, write, and delete the RPM log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_read_log',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ ++ read_files_pattern($1, rpm_log_t, rpm_log_t) ++') ++ + ##################################### + ## + ## Read rpm pid files. @@ -573,3 +661,66 @@ interface(`rpm_pid_filetrans',` files_pid_filetrans($1, rpm_var_run_t, file) @@ -72830,7 +72828,7 @@ index e70b0e8..cd83b89 100644 /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) 
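Review bot: The re-added `rpm_read_log` interface in the `@@ -61086,6 +61062,28 @@` hunk keeps the summary `Create, read, write, and delete the RPM log.` copied from `rpm_manage_log`, yet its only rule is `read_files_pattern($1, rpm_log_t, rpm_log_t)`; the summary line should be `## Read the RPM log.`. The interface also gives callers no path to the log directory: `read_files_pattern` grants search only on rpm_log_t directories, whereas `rpm_manage_log` (see the `logging_rw_generic_log_dirs($1)` line in the removed copy) reaches /var/log itself, so adding `logging_search_logs($1)` after the gen_require block would match the usual refpolicy shape for a read interface. The same doc defect was present in the copy removed by the `@@ -60987,32 +60988,7 @@` hunk in the previous line, so relocating it did not fix it.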
diff --git a/userhelper.if b/userhelper.if -index 65baaac..16d4548 100644 +index 65baaac..4262175 100644 --- a/userhelper.if +++ b/userhelper.if @@ -25,6 +25,7 @@ template(`userhelper_role_template',` @@ -72878,10 +72876,12 @@ index 65baaac..16d4548 100644 tunable_policy(`! secure_mode',` #if we are not in secure mode then we can transition to sysadm_t sysadm_bin_spec_domtrans($1_userhelper_t) -@@ -204,6 +195,25 @@ interface(`userhelper_dontaudit_search_config',` +@@ -202,6 +193,25 @@ interface(`userhelper_dontaudit_search_config',` + dontaudit $1 userhelper_conf_t:dir search_dir_perms; + ') - ######################################## - ## ++####################################### ++## +## Do not audit attempts to write +## the userhelper configuration files. +## @@ -72896,14 +72896,12 @@ index 65baaac..16d4548 100644 + type userhelper_conf_t; + ') + -+ dontaudit $1 userhelper_conf_t:file write; ++ dontaudit $1 userhelper_conf_t:file write; +') -+ -+######################################## -+## ++ + ######################################## + ## ## Allow domain to use userhelper file descriptor. - ## - ## @@ -255,3 +265,91 @@ interface(`userhelper_exec',` can_exec($1, userhelper_exec_t) @@ -74790,7 +74788,7 @@ index 6f0736b..b6aaf56 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 947bbc6..1ff7327 100644 +index 947bbc6..3ae3c76 100644 --- a/virt.te +++ b/virt.te @@ -4,57 +4,97 @@ policy_module(virt, 1.5.0) @@ -75989,7 +75987,7 @@ index 947bbc6..1ff7327 100644 + +userdom_use_inherited_user_terminals(svirt_lxc_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain) -+userdom_dontaudit_read_inherited_admin_home_file(svirt_lxc_domain) ++userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain) + +optional_policy(` + apache_exec_modules(svirt_lxc_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index a50438e..70d3b90 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
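Review bot: The new banner above `userhelper_dontaudit_write_config` in the `@@ -72878,10 +72876,12 @@` hunk is `#######################################` (39 characters) while the neighbouring interfaces use the 40-character `########################################`; the doc tooling does not care, but the odd width stands out in the .if file and should be aligned. The rest of the hunk moves the same interface to its correct position and, as far as can be told from the collapsed text, only changes whitespace on the `dontaudit $1 userhelper_conf_t:file write;` line, which is fine.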
@@ -8,10 +8,10 @@ %define BUILD_TARGETED 1 %endif %if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} -%define BUILD_MINIMUM 1 +%define BUILD_MINIMUM 0 %endif %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} -%define BUILD_MLS 1 +%define BUILD_MLS 0 %endif %define POLICYVER 27 %define POLICYCOREUTILSVER 2.1.13-34 @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 101%{?dist} +Release: 102%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,14 @@ SELinux Reference policy mls base module. %endif %Changelog +* Tue Sep 03 2013 Lukas Vrabec 3.10.1-102 +- Fix syntax error in mock policy +- Allow glusterd to create sock_file in /run +- Add rpm_read_log interface +- Add interface userhelper_dontaudit_write_config +- Add support to strongswam in ipsec policy +- Add interface corenet_relabel_tun_tap_dev + * Thu Aug 29 2013 Lukas Vrabec 3.11.1-101 - Allow ssh_t to use /dev/ptmx - Allow syslogd to search psad lib files @@ -587,7 +595,7 @@ SELinux Reference policy mls base module. - Allow to create .mplayer with the correct labeling for unconfined - Allow iscsiadmin to create lock file with the correct labeling -* Tue Jun 27 2013 Miroslav Grepl 3.11.1-97 +* Thu Jun 27 2013 Miroslav Grepl 3.11.1-97 - Make DSPAM to act as a LDA working - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - condor_collector uses tcp/9000
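Review bot: The `@@ -8,10 +8,10 @@` hunk flips the defaults `%define BUILD_MINIMUM 0` and `%define BUILD_MLS 0`, which, given the `%if`/`%endif` guards visible elsewhere in the spec, presumably stops the minimum and MLS policy variants from being built unless the macros are overridden, but nothing in the new changelog entry in the `@@ -521,6 +521,14 @@` hunk mentions it; add a bullet such as `- Turn off BUILD_MINIMUM and BUILD_MLS by default` or revert the two lines if they are a local-build leftover. In that same entry the header `* Tue Sep 03 2013 Lukas Vrabec 3.10.1-102` does not match `Version: 3.11.1` with `Release: 102%{?dist}` (the previous entry reads 3.11.1-101) and should be `3.11.1-102`, and `strongswam` looks like a typo for strongswan. The `Tue Jun 27 2013` to `Thu Jun 27 2013` correction in the last hunk is right, 27 June 2013 was a Thursday.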