From 007424272c0c5f3c6a3399426b8bde83a292286c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 10 2012 20:03:31 +0000 Subject: * Tue Apr 10 2012 Miroslav Grepl 3.10.0-113 - Allow svirt_t to create content in the users homedir under ~/.libvirt - Fix label on /var/lib/heartbeat - Allow systemd_logind_t to send kill signals to all processes started by a - Fuse now supports Xattr Support --- diff --git a/policy-F16.patch b/policy-F16.patch index aa998e5..56b89a2 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -78788,7 +78788,7 @@ index 97fcdac..cddd329 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index f125dc2..f5e522e 100644 +index f125dc2..990455d 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); 
@@ -78844,7 +78844,36 @@ index f125dc2..f5e522e 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -230,14 +229,24 @@ genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) + genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) + + type fusefs_t; +-fs_noxattr_type(fusefs_t) ++fs_type(fusefs_t) ++files_type(fusefs_t) + files_mountpoint(fusefs_t) ++files_poly_parent(fusefs_t) ++dev_associate(fusefs_t) ++ + allow fusefs_t self:filesystem associate; + allow fusefs_t fs_t:filesystem associate; +-genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) +-genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) +-genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0) + ++# Use a transition SID based on the allocating task SID and the ++# filesystem SID to label inodes in the following filesystem types, ++# and label the filesystem itself with the specified context. ++# This is appropriate for pseudo filesystems like devpts and tmpfs ++# where we want to label objects with a derived type. ++fs_use_trans fuse gen_context(system_u:object_r:fusefs_t,s0); ++fs_use_trans fuseblk gen_context(system_u:object_r:fusefs_t,s0); ++fs_use_trans fusectl gen_context(system_u:object_r:fusefs_t,s0); ++allow fusefs_t noxattrfs:filesystem associate; + # + # iso9660_t is the type for CD filesystems + # and their files. +@@ -254,6 +263,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
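Review bot: The comment added above the three `fs_use_trans` lines is the devpts/tmpfs rationale copied as-is, so it does not say why fuse, fuseblk and fusectl move from `genfscon` to transition-SID labeling. The changelog calls this xattr support, which `fs_use_trans` is not. A fuse-specific comment would be clearer, for example `# fuse: label inodes by transition from the creating task's SID and the filesystem SID, not by genfscon`. Replacing `fs_noxattr_type(fusefs_t)` with `fs_type(fusefs_t)` presumably also takes `fusefs_t` out of the `noxattrfs` attribute, so rules keyed on that attribute, such as `fs_rw_inherited_noxattr_fs_files(virt_domain)` later in this patch, may stop covering fuse mounts; please confirm that is intended. It is also worth confirming that switching the `fusectl` control filesystem together with the two data filesystems is deliberate.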
@@ -78853,7 +78882,7 @@ index f125dc2..f5e522e 100644 files_mountpoint(removable_t) # -@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -273,6 +284,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -93528,10 +93557,10 @@ index e67a003..cc813f3 100644 unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc -index 3a6d7eb..945b4fa 100644 +index 3a6d7eb..91569e7 100644 --- a/policy/modules/services/corosync.fc +++ b/policy/modules/services/corosync.fc -@@ -1,8 +1,16 @@ +@@ -1,12 +1,22 @@ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) +/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) + @@ -93543,12 +93572,12 @@ index 3a6d7eb..945b4fa 100644 /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) + -+/usr/lib(64)?/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) +/usr/lib(64)?/heartbeat/heartbeat -- gen_context(system_u:object_r:corosync_exec_t,s0) /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) ++/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) -@@ -10,3 +18,5 @@ + /var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) @@ -130515,7 +130544,7 @@ index 7c5d8d8..c542fe7 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..9386b72 100644 +index 3eca020..56e57cd 100644 
--- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0) @@ -130626,13 +130655,16 @@ index 3eca020..9386b72 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -62,23 +93,31 @@ files_config_file(virt_etc_t) +@@ -62,23 +93,34 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) +type virt_home_t; +userdom_user_home_content(virt_home_t) + ++type svirt_home_t; ++userdom_user_home_content(svirt_home_t) ++ # virt Image files type virt_image_t; # customizable virt_image(virt_image_t) @@ -130659,7 +130691,7 @@ index 3eca020..9386b72 100644 type virtd_t; type virtd_exec_t; -@@ -89,6 +128,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -89,6 +131,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -130671,7 +130703,7 @@ index 3eca020..9386b72 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -97,6 +141,34 @@ ifdef(`enable_mls',` +@@ -97,6 +144,34 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -130706,7 +130738,7 @@ index 3eca020..9386b72 100644 ######################################## # # svirt local policy -@@ -104,15 +176,12 @@ ifdef(`enable_mls',` +@@ -104,15 +179,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -130723,7 +130755,7 @@ index 3eca020..9386b72 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -130,9 +199,15 @@ corenet_tcp_connect_all_ports(svirt_t) +@@ -130,9 +202,17 @@ corenet_tcp_connect_all_ports(svirt_t) dev_list_sysfs(svirt_t) 
@@ -130733,13 +130765,15 @@ index 3eca020..9386b72 100644 userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) +append_files_pattern(svirt_t, virt_home_t, virt_home_t) -+# needed for creating of monitors -+create_sock_files_pattern(svirt_t, virt_home_t, virt_home_t) -+stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t) ++manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) ++manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) ++manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) ++filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, { dir sock_file file }) ++stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +222,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +227,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -130755,7 +130789,7 @@ index 3eca020..9386b72 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +239,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +244,28 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -130784,7 +130818,7 @@ index 3eca020..9386b72 100644 xen_rw_image_files(svirt_t) ') -@@ -173,22 +269,41 @@ optional_policy(` +@@ -173,22 +274,41 @@ optional_policy(` # virtd local policy # @@ -130833,7 +130867,7 @@ index 3eca020..9386b72 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -199,9 +314,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -199,9 +319,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) 
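Review bot: The new svirt_t rules grant full `manage_*` access on `svirt_home_t` dirs, files and sock_files, which is wider than the "create content" the changelog describes and wider than the `create_sock_files_pattern` line being replaced. As I read the refpolicy pattern macros, `filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, { dir sock_file file })` also gives svirt_t read/write on `virt_home_t` directories. The removed `# needed for creating of monitors` comment was the only statement of intent, so an equivalent should stay above the block, e.g. `# monitor sockets and per-guest files created under ~/.libvirt are labeled svirt_home_t`. Because `svirt_home_t` is one type shared by every guest (declared with `userdom_user_home_content()` in the earlier virt.te hunk), guest-to-guest separation for these files presumably rests only on the MCS categories of the creating process; please confirm. The svirt local policy block starts and ends outside this hunk.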
@@ -130854,7 +130888,7 @@ index 3eca020..9386b72 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +341,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +346,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -130870,7 +130904,7 @@ index 3eca020..9386b72 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +369,33 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +374,33 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -130905,7 +130939,7 @@ index 3eca020..9386b72 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +403,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -130924,7 +130958,7 @@ index 3eca020..9386b72 100644 mcs_process_set_categories(virtd_t) -@@ -276,6 +429,8 @@ term_use_ptmx(virtd_t) +@@ -276,6 +434,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -130933,14 +130967,14 @@ index 3eca020..9386b72 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -285,16 +440,31 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +445,31 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) 
@@ -130965,7 +130999,7 @@ index 3eca020..9386b72 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +483,10 @@ optional_policy(` +@@ -313,6 +488,10 @@ optional_policy(` ') optional_policy(` @@ -130976,7 +131010,7 @@ index 3eca020..9386b72 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -326,6 +500,14 @@ optional_policy(` +@@ -326,6 +505,14 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -130991,7 +131025,7 @@ index 3eca020..9386b72 100644 ') optional_policy(` -@@ -334,11 +516,14 @@ optional_policy(` +@@ -334,11 +521,14 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_read_pid_files(virtd_t) dnsmasq_signull(virtd_t) @@ -131006,7 +131040,7 @@ index 3eca020..9386b72 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -360,11 +545,11 @@ optional_policy(` +@@ -360,11 +550,11 @@ optional_policy(` ') optional_policy(` @@ -131023,7 +131057,7 @@ index 3eca020..9386b72 100644 ') optional_policy(` -@@ -394,20 +579,36 @@ optional_policy(` +@@ -394,20 +584,36 @@ optional_policy(` # virtual domains common policy # @@ -131063,7 +131097,7 @@ index 3eca020..9386b72 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +619,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +624,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -131077,7 +131111,7 @@ index 3eca020..9386b72 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +632,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +637,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -131090,7 +131124,7 @@ index 3eca020..9386b72 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +645,396 @@ files_search_all(virt_domain) +@@ -440,25 +650,396 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -131098,12 +131132,12 @@ index 3eca020..9386b72 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -135317,10 +135351,35 @@ index f9a06d2..3d407c6 100644 files_read_etc_files(zos_remote_t) diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index 1b6619e..c480ddd 100644 +index 1b6619e..3aed6ad 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if -@@ -205,3 +205,21 @@ interface(`application_dontaudit_sigkill',` +@@ -189,6 +189,24 @@ interface(`application_dontaudit_signal',` + + ######################################## + ## ++## Send kill signals to all application domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`application_sigkill',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ allow $1 application_domain_type:process sigkill; ++') ++ ++######################################## ++## + ## Do not audit attempts to send kill signals + ## to all application domains. + ## +@@ -205,3 +223,21 @@ interface(`application_dontaudit_sigkill',` dontaudit $1 application_domain_type:process sigkill; ') @@ -145206,10 +145265,10 @@ index 0000000..a7e3666 + 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..68bf0f6 +index 0000000..4014dae --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,403 @@ +@@ -0,0 +1,409 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -145270,7 +145329,7 @@ index 0000000..68bf0f6 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config }; ++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config }; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; @@ -145340,6 +145399,12 @@ index 0000000..68bf0f6 +userdom_manage_user_tmp_files(systemd_logind_t) +userdom_manage_user_tmp_symlinks(systemd_logind_t) +userdom_manage_user_tmp_sockets(systemd_logind_t) ++userdom_signal_all_users(systemd_logind_t) ++userdom_signull_all_users(systemd_logind_t) ++userdom_kill_all_users(systemd_logind_t) ++application_signal(systemd_logind_t) ++application_signull(systemd_logind_t) ++application_sigkill(systemd_logind_t) + +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) @@ -146896,7 +146961,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..2358d96 100644 +index 4b2878a..a93af01 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
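Review bot: `systemd_logind_t` gains `kill` in its `self:capability` set plus signal, signull and sigkill over both `userdomain` and `application_domain_type`, and neither systemd.te hunk says why each grant is needed. The changelog scopes this to processes started by a user, but `application_domain_type` is an attribute and may include domains that are not part of a user session. The three `application_*` calls, and the new `application_sigkill` interface in application.if, should therefore be checked against what logind actually has to terminate. The existing comment on the capability line covers only `dac_override`; extend it, e.g. `# kill is for terminating leftover session processes on logout`, and add a matching one-line comment above the six new signal calls.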
@@ -149276,10 +149341,30 @@ index 4b2878a..2358d96 100644 kernel_search_proc($1) ') -@@ -3142,6 +3836,24 @@ interface(`userdom_signal_all_users',` +@@ -3140,6 +3834,42 @@ interface(`userdom_signal_all_users',` + allow $1 userdomain:process signal; + ') - ######################################## - ## ++####################################### ++## ++## Send signull to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_signull_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process signull; ++') ++ ++######################################## ++## +## Send kill signals to all user domains. +## +## @@ -149296,12 +149381,10 @@ index 4b2878a..2358d96 100644 + allow $1 userdomain:process sigkill; +') + -+######################################## -+## + ######################################## + ## ## Send a SIGCHLD signal to all user domains. - ## - ## -@@ -3160,6 +3872,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3890,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -149326,7 +149409,7 @@ index 4b2878a..2358d96 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3924,1273 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3942,1273 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8f80045..ec14fcb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 112%{?dist} +Release: 113%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -489,6 +489,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Apr 10 2012 Miroslav Grepl 3.10.0-113 +- Allow svirt_t to create content in the users homedir under ~/.libvirt +- Fix label on /var/lib/heartbeat +- Allow systemd_logind_t to send kill signals to all processes started by a user +- Fuse now supports Xattr Support + * Tue Apr 10 2012 Miroslav Grepl 3.10.0-112 - upowered needs to setsched on the kernel - Allow mpd_t to manage log files