diff --git a/policy-f21-base.patch b/policy-f21-base.patch index 13f8ce3..5c49f28 100644 --- a/policy-f21-base.patch +++ b/policy-f21-base.patch @@ -9015,7 +9015,7 @@ index 6a1e4d1..7ac2831 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..c84dc1a 100644 +index cf04cb5..b1ed42b 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -9082,7 +9082,7 @@ index cf04cb5..c84dc1a 100644 # create child processes in the domain -allow domain self:process { fork sigchld }; -+allow domain self:process { getcap fork getsched signal_perms }; ++allow domain self:process { getcap fork getsched signal_perms setrlimit getattr getcap getsched getsession }; # Use trusted objects in /dev +dev_read_cpu_online(domain) @@ -25620,7 +25620,7 @@ index 6bf0ecc..b036584 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..5a2c173 100644 +index 8b40377..3495bef 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -26261,7 +26261,7 @@ index 8b40377..5a2c173 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +688,155 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +688,159 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -26309,6 +26309,10 @@ index 8b40377..5a2c173 100644 +userdom_filetrans_generic_home_content(xdm_t) + +optional_policy(` ++ colord_read_lib_files(xdm_t) ++') ++ ++optional_policy(` + gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates") +') + 
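Review bot: The new `allow domain self:process { ... }` line in the `-9082,7 +9082,7` hunk lists `getcap` and `getsched` twice, which obscures what the rule actually grants; it should read `allow domain self:process { fork getattr getcap getsched getsession setrlimit signal_perms };`. The same line adds `setrlimit`, `getattr` and `getsession` for every domain through the `domain` attribute, on top of a Fedora line that already widened upstream's `{ fork sigchld }`, and the only rationale on record is the changelog's "Allow all domains some process flags". A comment naming the denial or consumer that needs `setrlimit` for all domains, e.g. `# setrlimit for all domains: <reason — fill in>`, would let later reviewers tell a deliberate blanket grant from an accidental one. The enclosing inner hunk `@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)` of domain.te continues outside this view.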
@@ -26423,7 +26427,7 @@ index 8b40377..5a2c173 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +849,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +853,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -26455,7 +26459,7 @@ index 8b40377..5a2c173 100644 ') optional_policy(` -@@ -517,9 +883,34 @@ optional_policy(` +@@ -517,9 +887,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -26463,17 +26467,17 @@ index 8b40377..5a2c173 100644 + optional_policy(` + accountsd_dbus_chat(xdm_t) + ') -+ -+ optional_policy(` + + optional_policy(` +- accountsd_dbus_chat(xdm_t) + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + cpufreqselector_dbus_chat(xdm_t) + ') - - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ ++ optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -26491,7 +26495,7 @@ index 8b40377..5a2c173 100644 ') ') -@@ -530,6 +921,20 @@ optional_policy(` +@@ -530,6 +925,20 @@ optional_policy(` ') optional_policy(` @@ -26512,7 +26516,7 @@ index 8b40377..5a2c173 100644 hostname_exec(xdm_t) ') -@@ -547,28 +952,78 @@ optional_policy(` +@@ -547,28 +956,78 @@ optional_policy(` ') optional_policy(` @@ -26600,7 +26604,7 @@ index 8b40377..5a2c173 100644 ') optional_policy(` -@@ -580,6 +1035,14 @@ optional_policy(` +@@ -580,6 +1039,14 @@ optional_policy(` ') optional_policy(` @@ -26615,7 +26619,7 @@ index 8b40377..5a2c173 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1057,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1061,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
@@ -26624,7 +26628,7 @@ index 8b40377..5a2c173 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1067,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1071,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -26637,7 +26641,7 @@ index 8b40377..5a2c173 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1084,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1088,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -26653,7 +26657,7 @@ index 8b40377..5a2c173 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1100,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1104,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -26664,7 +26668,7 @@ index 8b40377..5a2c173 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1115,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1119,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -26701,7 +26705,7 @@ index 8b40377..5a2c173 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1161,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1165,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -26733,7 +26737,7 @@ index 8b40377..5a2c173 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1194,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1198,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -26748,7 +26752,7 @@ index 8b40377..5a2c173 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1215,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1219,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -26772,7 +26776,7 @@ index 8b40377..5a2c173 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1234,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1238,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -26781,7 +26785,7 @@ index 8b40377..5a2c173 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1278,50 @@ optional_policy(` +@@ -785,17 +1282,50 @@ optional_policy(` ') optional_policy(` @@ -26834,7 +26838,7 @@ index 8b40377..5a2c173 100644 ') optional_policy(` -@@ -803,6 +1329,10 @@ optional_policy(` +@@ -803,6 +1333,10 @@ optional_policy(` ') optional_policy(` @@ -26845,7 +26849,7 @@ index 8b40377..5a2c173 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1348,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1352,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -26870,7 +26874,7 @@ index 8b40377..5a2c173 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1371,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1375,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -26905,7 +26909,7 @@ index 8b40377..5a2c173 100644 ') optional_policy(` -@@ -912,7 +1436,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1440,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -26914,7 +26918,7 @@ index 8b40377..5a2c173 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1490,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1494,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -26946,7 +26950,7 @@ index 8b40377..5a2c173 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1536,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1540,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch index dfa87b9..86b9b80 100644 --- a/policy-f21-contrib.patch +++ b/policy-f21-contrib.patch @@ -7798,7 +7798,7 @@ index 1a7a97e..2c7252a 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..5ce1846 100644 +index 7fd431b..e9c4c5a 100644 --- a/apm.te +++ b/apm.te @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) 
@@ -7827,11 +7827,13 @@ index 7fd431b..5ce1846 100644 domain_use_interactive_fds(apm_t) -@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t) +@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t) + # Server local policy # - allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; ++allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource }; +dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; @@ -40801,10 +40803,10 @@ index 0000000..b9347fa +') diff --git a/kmscon.te b/kmscon.te new file mode 100644 -index 0000000..be3d5d6 +index 0000000..32a9e13 --- /dev/null +++ b/kmscon.te -@@ -0,0 +1,86 @@ +@@ -0,0 +1,88 @@ +# KMSCon SELinux policy module +# Contributed by Lubomir Rintel + @@ -40848,6 +40850,8 @@ index 0000000..be3d5d6 +list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t) +read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t) + ++kernel_read_system_state(kmscon_t) ++ +auth_read_passwd(kmscon_t) + +dev_rw_dri(kmscon_t) @@ -67455,7 +67459,7 @@ index 30e751f..61feb3a 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..18872dc 100644 +index 3078ce9..c57d1cf 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -67495,7 +67499,7 @@ index 3078ce9..18872dc 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t) +@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t) fs_getattr_all_fs(plymouthd_t) 
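Review bot: In the `-7827,11 +7827,13` hunk apmd_t gains `sys_resource` in its `self:capability` set with no comment in the policy explaining why; the changelog's "apmd needs sys_resource when shutting down the machine" is the only rationale on record. `sys_resource` is a broad capability (it overrides resource-limit and quota checks well beyond a shutdown path), so the rule deserves a line above it such as `# sys_resource: needed when apmd shuts the machine down (see 3.13.1-105.10 changelog)`. If the specific denial from the shutdown path is known, naming it in that comment is preferable to the generic wording.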
@@ -67505,15 +67509,16 @@ index 3078ce9..18872dc 100644 term_getattr_pty_fs(plymouthd_t) term_use_all_terms(plymouthd_t) term_use_ptmx(plymouthd_t) - --miscfiles_read_localization(plymouthd_t) ++term_use_usb_ttys(plymouthd_t) ++ +init_signal(plymouthd_t) + +logging_link_generic_logs(plymouthd_t) +logging_delete_generic_logs(plymouthd_t) + +auth_use_nsswitch(plymouthd_t) -+ + +-miscfiles_read_localization(plymouthd_t) miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) @@ -67527,7 +67532,7 @@ index 3078ce9..18872dc 100644 ') optional_policy(` -@@ -90,35 +96,37 @@ optional_policy(` +@@ -90,35 +97,37 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 4b80494..447f88e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 105.9%{?dist} +Release: 105.10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 30 2015 Lukas Vrabec 3.13.1-105.10 +- Allow kmscon to read system state. BZ (1206871) +- Allow plymouthd to open usbttys. BZ(1202429) +- apmd needs sys_resource when shutting down the machine +- Allow xdm_t to read colord_var_lib_t files. BZ(1201985) +- Allow all domains some process flags + * Mon Mar 23 2015 Lukas Vrabec 3.13.1-105.9 - Allow mysqld_t to use pam. BZ(1196104) - Allow fetchmail to read mail_spool_t. BZ(1200552)