From 02a8a402a1dbcef4dc31ac60517d73e5c952b696 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Sep 26 2011 10:32:44 +0000 Subject: - Make mta_role() active - Allow asterisk to connect to jabber client port - Allow procmail to read utmp - Add NIS support for systemd_logind_t - Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled a - Fix systemd_manage_unit_dirs() interface - Allow ssh_t to manage directories passed into it - init needs to be able to create and delete unit file directories - Fix typo in apache_exec_sys_script - Add ability for logrotate to transition to awstat domain --- diff --git a/policy-F16.patch b/policy-F16.patch index ce2d8d9..3dbb7e8 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1048,7 +1048,7 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..c4bbe69 100644 +index 7090dae..0db59d1 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi @@ -1098,7 +1098,18 @@ index 7090dae..c4bbe69 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -162,10 +163,20 @@ optional_policy(` +@@ -154,6 +155,10 @@ optional_policy(` + ') + + optional_policy(` ++ awstats_domtrans(logrotate_t) ++') ++ ++optional_policy(` + asterisk_domtrans(logrotate_t) + ') + +@@ -162,10 +167,20 @@ optional_policy(` ') optional_policy(` @@ -1119,7 +1130,7 @@ index 7090dae..c4bbe69 100644 cups_domtrans(logrotate_t) ') -@@ -203,7 +214,6 @@ optional_policy(` +@@ -203,7 +218,6 @@ optional_policy(` psad_domtrans(logrotate_t) ') @@ -1127,7 +1138,7 @@ index 7090dae..c4bbe69 100644 optional_policy(` samba_exec_log(logrotate_t) ') -@@ -228,3 +238,14 @@ optional_policy(` +@@ -228,3 +242,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') 
@@ -3901,6 +3912,36 @@ index 48cf11b..9787bd4 100644 -/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) +/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) +diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if +index 283ff0d..53f9ba1 100644 +--- a/policy/modules/apps/awstats.if ++++ b/policy/modules/apps/awstats.if +@@ -5,6 +5,25 @@ + + ######################################## + ## ++## Execute the awstats program in the awstats domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`awstats_domtrans',` ++ gen_require(` ++ type awstats_t, awstats_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, awstats_exec_t, awstats_t) ++') ++ ++######################################## ++## + ## Read and write awstats unnamed pipes. + ## + ## diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index 46ea44f..f7183ef 100644 --- a/policy/modules/apps/cdrecord.te @@ -4744,7 +4785,7 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..8136040 100644 +index f5afe78..19f3c30 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,731 @@ @@ -5404,11 +5445,10 @@ index f5afe78..8136040 100644 +## Search gkeyringd temporary directories. +## +## - ## --## Role allowed access ++## +## Domain allowed access. - ## - ## ++## ++## +# +interface(`gnome_search_gkeyringd_tmp_dirs',` + gen_require(` 
@@ -5423,22 +5463,18 @@ index f5afe78..8136040 100644 +## +## search gconf homedir (.local) +## - ## ++## ## --## User domain for the role +-## Role allowed access +## Domain allowed access. ## ## - # --interface(`gnome_role',` ++# +interface(`gnome_search_gconf',` - gen_require(` -- type gconfd_t, gconfd_exec_t; -- type gconf_tmp_t; ++ gen_require(` + type gconf_home_t; - ') - -- role $1 types gconfd_t; ++ ') ++ + allow $1 gconf_home_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) +') @@ -5447,17 +5483,23 @@ index f5afe78..8136040 100644 +## +## Set attributes of Gnome config dirs. +## -+## -+## + ## + ## +-## User domain for the role +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`gnome_role',` +interface(`gnome_setattr_config_dirs',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconfd_exec_t; +- type gconf_tmp_t; + type gnome_home_t; -+ ') + ') +- role $1 types gconfd_t; +- - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; @@ -5546,7 +5588,7 @@ index f5afe78..8136040 100644 ## ## ## -@@ -84,37 +770,42 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +770,60 @@ template(`gnome_read_gconf_config',` ## ## # 
@@ -5568,66 +5610,84 @@ index f5afe78..8136040 100644 -## gconf connection template. +## Connect to gnome over an unix stream socket. ## --## +## - ## - ## Domain allowed access. - ## - ## -+## +## ++## Domain allowed access. ++## ++## + ## + ## +## The type of the user domain. +## +## ++# ++interface(`gnome_stream_connect',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ # Connect to pulseaudit server ++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ++') ++ ++######################################## ++## ++## list gnome homedir content (.config) ++## ++## ++## + ## Domain allowed access. + ## + ## # -interface(`gnome_stream_connect_gconf',` -+interface(`gnome_stream_connect',` ++interface(`gnome_list_home_config',` gen_require(` - type gconfd_t, gconf_tmp_t; -+ attribute gnome_home_type; ++ type config_home_t; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -+ # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ++ allow $1 config_home_t:dir list_dir_perms; ') ######################################## ## -## Run gconfd in gconfd domain. -+## list gnome homedir content (.config) ++## Set attributes of gnome homedir content (.config) ## ## ## -@@ -122,17 +813,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +831,18 @@ interface(`gnome_stream_connect_gconf',` ## ## # -interface(`gnome_domtrans_gconfd',` -+interface(`gnome_list_home_config',` ++interface(`gnome_setattr_home_config',` gen_require(` - type gconfd_t, gconfd_exec_t; + type config_home_t; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+ allow $1 config_home_t:dir list_dir_perms; ++ setattr_dirs_pattern($1, config_home_t, config_home_t) ++ userdom_search_user_home_dirs($1) ') ######################################## ## -## Set attributes of Gnome config dirs. 
-+## Set attributes of gnome homedir content (.config) ++## read gnome homedir content (.config) ## ## ## -@@ -140,51 +831,356 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +850,355 @@ interface(`gnome_domtrans_gconfd',` ## ## # -interface(`gnome_setattr_config_dirs',` -+interface(`gnome_setattr_home_config',` ++interface(`gnome_read_home_config',` gen_require(` - type gnome_home_t; + type config_home_t; @@ -5635,14 +5695,15 @@ index f5afe78..8136040 100644 - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -+ setattr_dirs_pattern($1, config_home_t, config_home_t) -+ userdom_search_user_home_dirs($1) ++ list_dirs_pattern($1, config_home_t, config_home_t) ++ read_files_pattern($1, config_home_t, config_home_t) ++ read_lnk_files_pattern($1, config_home_t, config_home_t) ') ######################################## ## -## Read gnome homedir content (.config) -+## read gnome homedir content (.config) ++## manage gnome homedir content (.config) ## -## +## @@ -5652,7 +5713,7 @@ index f5afe78..8136040 100644 ## # -template(`gnome_read_config',` -+interface(`gnome_read_home_config',` ++interface(`gnome_manage_home_config',` gen_require(` - type gnome_home_t; + type config_home_t; @@ -5661,9 +5722,7 @@ index f5afe78..8136040 100644 - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) -+ list_dirs_pattern($1, config_home_t, config_home_t) -+ read_files_pattern($1, config_home_t, config_home_t) -+ read_lnk_files_pattern($1, config_home_t, config_home_t) ++ manage_files_pattern($1, config_home_t, config_home_t) ') ######################################## 
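Review bot: `gnome_read_home_config` (hunk @@ -5635) and `gnome_list_home_config` (hunk @@ -5568, which starts on the previous physical line) grant access to `config_home_t` without `userdom_search_user_home_dirs($1)`, whereas `gnome_setattr_home_config` in the same file does call it, so a caller that is not already a user domain may be denied at the home directory before it ever reaches `~/.config`. Either add `userdom_search_user_home_dirs($1)` to both interfaces, or document on each that the caller must already be able to search user home dirs. Separately, the comment `# Connect to pulseaudit server` in `gnome_stream_connect` looks like a typo for `# Connect to pulseaudio server`, and its second parameter is documented as `The type of the user domain` although it is passed as the target-process argument of `stream_connect_pattern`; `The domain of the process listening on the socket.` would describe what it is actually used for.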
@@ -5678,12 +5737,12 @@ index f5afe78..8136040 100644 ## # -interface(`gnome_manage_config',` -+interface(`gnome_manage_home_config',` ++interface(`gnome_manage_home_config_dirs',` + gen_require(` + type config_home_t; + ') + -+ manage_files_pattern($1, config_home_t, config_home_t) ++ manage_dirs_pattern($1, config_home_t, config_home_t) +') + +######################################## @@ -10573,7 +10632,7 @@ index 3cfb128..609921d 100644 + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..7c8de51 100644 +index 2533ea0..11187e0 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble @@ -10620,7 +10679,7 @@ index 2533ea0..7c8de51 100644 +optional_policy(` +# ~/.config/dconf/user -+ gnome_read_home_config(telepathy_logger_t) ++ gnome_manage_home_config(telepathy_logger_t) +') + ####################################### @@ -19216,7 +19275,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..afb3532 100644 +index 2be17d2..a1156ed 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0) @@ -19273,7 +19332,7 @@ index 2be17d2..afb3532 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,19 +68,103 @@ optional_policy(` +@@ -27,19 +68,107 @@ optional_policy(` ') optional_policy(` @@ -19343,6 +19402,10 @@ index 2be17d2..afb3532 100644 +') + +optional_policy(` ++ mta_role(staff_r, staff_t) ++') ++ ++optional_policy(` + mysql_exec(staff_t) +') + @@ -19379,7 +19442,7 @@ index 2be17d2..afb3532 100644 ') optional_policy(` -@@ -48,10 +173,48 @@ optional_policy(` +@@ -48,10 +177,48 @@ optional_policy(` ') optional_policy(` 
@@ -19428,7 +19491,7 @@ index 2be17d2..afb3532 100644 xserver_role(staff_r, staff_t) ') -@@ -89,18 +252,10 @@ ifndef(`distro_redhat',` +@@ -89,18 +256,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19447,6 +19510,17 @@ index 2be17d2..afb3532 100644 java_role(staff_r, staff_t) ') +@@ -121,10 +280,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(staff_r, staff_t) +- ') +- +- optional_policy(` + pyzor_role(staff_r, staff_t) + ') + @@ -137,10 +292,6 @@ ifndef(`distro_redhat',` ') @@ -21117,10 +21191,10 @@ index 0000000..1105ff5 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..42c1458 100644 +index e5bfdd4..77f4b39 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,82 @@ role user_r; +@@ -12,15 +12,86 @@ role user_r; userdom_unpriv_user_template(user) @@ -21167,6 +21241,10 @@ index e5bfdd4..42c1458 100644 +') + +optional_policy(` ++ mta_role(user_r, user_t) ++') ++ ++optional_policy(` + netutils_run_ping_cond(user_t, user_r) + netutils_run_traceroute_cond(user_t, user_r) +') @@ -21203,7 +21281,7 @@ index e5bfdd4..42c1458 100644 vlock_run(user_t, user_r) ') -@@ -62,19 +129,11 @@ ifndef(`distro_redhat',` +@@ -62,19 +133,11 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21224,6 +21302,17 @@ index e5bfdd4..42c1458 100644 ') optional_policy(` +@@ -98,10 +161,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(user_r, user_t) +- ') +- +- optional_policy(` + postgresql_role(user_r, user_t) + ') + @@ -118,11 +177,7 @@ ifndef(`distro_redhat',` ') @@ -22655,7 +22744,7 @@ index 9e39aa5..83dbd34 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..1b928cb 100644 +index 6480167..b963935 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -23025,7 +23114,7 @@ index 6480167..1b928cb 100644 + ') + + allow $1 httpd_sys_script_exec_t:dir search_dir_perms; -+ can_exec($1, httpd_sys_script_exec_t; ++ can_exec($1, httpd_sys_script_exec_t) +') + ######################################## @@ -24584,7 +24673,7 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..7cc09e8 100644 +index b3b0176..987245c 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -19,10 +19,11 @@ type asterisk_log_t; @@ -24624,16 +24713,17 @@ index b3b0176..7cc09e8 100644 kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t) +@@ -108,6 +110,9 @@ corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) +corenet_tcp_connect_festival_port(asterisk_t) ++corenet_tcp_connect_jabber_client_port(asterisk_t) +corenet_tcp_connect_pktcable_port(asterisk_t) corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) -@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t) +@@ -116,6 +121,7 @@ dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) 
@@ -24641,7 +24731,7 @@ index b3b0176..7cc09e8 100644 dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) -@@ -125,6 +130,7 @@ files_search_spool(asterisk_t) +@@ -125,6 +131,7 @@ files_search_spool(asterisk_t) # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm # are labeled usr_t files_read_usr_files(asterisk_t) @@ -24649,7 +24739,7 @@ index b3b0176..7cc09e8 100644 fs_getattr_all_fs(asterisk_t) fs_list_inotifyfs(asterisk_t) -@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +@@ -141,6 +148,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` @@ -47206,7 +47296,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..e1ae545 100644 +index 29b9295..6451f82 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -47228,12 +47318,14 @@ index 29b9295..e1ae545 100644 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -75,10 +78,18 @@ files_search_pids(procmail_t) +@@ -75,10 +78,20 @@ files_search_pids(procmail_t) # for spamassasin files_read_usr_files(procmail_t) +application_exec_all(procmail_t) + ++init_read_utmp(procmail_t) ++ logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) 
@@ -47247,7 +47339,7 @@ index 29b9295..e1ae545 100644 # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) -@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t) +@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t) userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) @@ -47258,7 +47350,7 @@ index 29b9295..e1ae545 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -125,6 +136,11 @@ optional_policy(` +@@ -125,6 +138,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -54185,7 +54277,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..3b7fec1 100644 +index 22adaca..040ec9b 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -54385,7 +54477,7 @@ index 22adaca..3b7fec1 100644 type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; -@@ -327,7 +367,7 @@ template(`ssh_role_template',` +@@ -327,17 +367,19 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) 
@@ -54394,7 +54486,11 @@ index 22adaca..3b7fec1 100644 # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -338,6 +378,7 @@ template(`ssh_role_template',` + allow ssh_t $3:unix_stream_socket connectto; ++ allow ssh_t $3:key manage_key_perms; + + # user can manage the keys and config + manage_files_pattern($3, ssh_home_t, ssh_home_t) manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) @@ -54402,7 +54498,7 @@ index 22adaca..3b7fec1 100644 ############################## # -@@ -359,7 +400,7 @@ template(`ssh_role_template',` +@@ -359,7 +401,7 @@ template(`ssh_role_template',` stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. @@ -54411,7 +54507,7 @@ index 22adaca..3b7fec1 100644 # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -381,7 +422,6 @@ template(`ssh_role_template',` +@@ -381,7 +423,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) @@ -54419,7 +54515,7 @@ index 22adaca..3b7fec1 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -393,14 +433,13 @@ template(`ssh_role_template',` +@@ -393,14 +434,13 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. @@ -54437,7 +54533,7 @@ index 22adaca..3b7fec1 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +516,27 @@ interface(`ssh_read_pipes',` +@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -54466,7 +54562,7 @@ index 22adaca..3b7fec1 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +552,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') 
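Review bot: The added `allow ssh_t $3:key manage_key_perms;` grants the ssh client write, setattr, link and create on the user domain's kernel keyring, which is wider than the search/read a client needs to look up credentials; if the denial being fixed only showed search or read, `allow ssh_t $3:key { search read view };` would be the least-privilege form. The rule also carries no comment, so its reason is not recorded; `# ssh client looks up credentials in the user keyring` (or whatever the AVC showed) would help the next maintainer. The commit message speaks of letting ssh_t manage directories passed into it, but the only new rule visible in this hunk is the key-class one, so that part of the description presumably refers to a change elsewhere. `ssh_role_template` begins and ends outside this hunk.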
@@ -54475,7 +54571,7 @@ index 22adaca..3b7fec1 100644 ') ######################################## -@@ -586,6 +644,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +645,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -54500,7 +54596,7 @@ index 22adaca..3b7fec1 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +694,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -54509,7 +54605,7 @@ index 22adaca..3b7fec1 100644 files_search_pids($1) ') -@@ -680,6 +756,32 @@ interface(`ssh_domtrans_keygen',` +@@ -680,6 +757,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -54542,7 +54638,7 @@ index 22adaca..3b7fec1 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +797,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +798,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -54551,7 +54647,7 @@ index 22adaca..3b7fec1 100644 ') ###################################### -@@ -735,3 +837,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +838,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -62905,7 +63001,7 @@ index 94fd8dd..b5e5c70 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..8c027c2 100644 +index 29a9565..1c92ab6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -63084,7 +63180,7 @@ index 29a9565..8c027c2 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +247,137 @@ tunable_policy(`init_upstart',` +@@ -186,16 +247,138 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') 
@@ -63181,6 +63277,7 @@ index 29a9565..8c027c2 100644 + seutil_read_file_contexts(init_t) + + systemd_exec_systemctl(init_t) ++ systemd_manage_unit_dirs(init_t) + systemd_manage_all_unit_files(init_t) + systemd_logger_stream_connect(init_t) + @@ -63224,7 +63321,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -203,6 +385,17 @@ optional_policy(` +@@ -203,6 +386,17 @@ optional_policy(` ') optional_policy(` @@ -63242,7 +63339,7 @@ index 29a9565..8c027c2 100644 unconfined_domain(init_t) ') -@@ -212,7 +405,7 @@ optional_policy(` +@@ -212,7 +406,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -63251,7 +63348,7 @@ index 29a9565..8c027c2 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -63267,7 +63364,7 @@ index 29a9565..8c027c2 100644 init_write_initctl(initrc_t) -@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -63304,7 +63401,7 @@ index 29a9565..8c027c2 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -63312,7 +63409,7 @@ index 29a9565..8c027c2 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -63323,7 +63420,7 @@ index 29a9565..8c027c2 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -63340,7 +63437,7 @@ index 29a9565..8c027c2 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -63348,7 +63445,7 @@ index 29a9565..8c027c2 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -63360,7 +63457,7 @@ index 29a9565..8c027c2 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -63374,7 +63471,7 @@ index 29a9565..8c027c2 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -63383,7 +63480,7 @@ index 29a9565..8c027c2 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -63391,7 +63488,7 @@ index 29a9565..8c027c2 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -63399,7 +63496,7 @@ index 29a9565..8c027c2 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -63421,7 +63518,7 @@ index 29a9565..8c027c2 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -63432,7 +63529,7 @@ index 29a9565..8c027c2 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +704,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +705,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -63441,7 +63538,7 @@ index 29a9565..8c027c2 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +719,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +720,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -63449,7 +63546,7 @@ index 29a9565..8c027c2 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +749,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +750,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -63483,7 +63580,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -531,10 +783,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +784,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -63506,7 +63603,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -549,6 +813,39 @@ ifdef(`distro_suse',` +@@ -549,6 +814,39 @@ ifdef(`distro_suse',` ') ') @@ -63546,7 +63643,7 @@ index 29a9565..8c027c2 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +858,8 @@ optional_policy(` +@@ -561,6 +859,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -63555,7 +63652,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -577,6 +876,7 @@ optional_policy(` +@@ -577,6 +877,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -63563,7 +63660,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -589,6 +889,17 @@ optional_policy(` +@@ -589,6 +890,17 @@ optional_policy(` ') optional_policy(` @@ -63581,7 +63678,7 @@ index 29a9565..8c027c2 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +916,13 @@ optional_policy(` +@@ -605,9 +917,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -63595,7 +63692,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -632,6 +947,10 @@ optional_policy(` +@@ -632,6 +948,10 @@ optional_policy(` ') optional_policy(` @@ -63606,7 +63703,7 @@ index 29a9565..8c027c2 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +968,11 @@ optional_policy(` +@@ -649,6 +969,11 @@ optional_policy(` ') optional_policy(` @@ -63618,7 +63715,7 @@ index 29a9565..8c027c2 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1013,7 @@ optional_policy(` +@@ -689,6 +1014,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -63626,7 +63723,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -706,7 +1031,13 @@ optional_policy(` +@@ -706,7 +1032,13 @@ optional_policy(` ') optional_policy(` @@ -63640,7 +63737,7 @@ index 29a9565..8c027c2 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1060,10 @@ optional_policy(` +@@ -729,6 +1061,10 @@ optional_policy(` ') optional_policy(` @@ -63651,7 +63748,7 @@ index 29a9565..8c027c2 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1073,20 @@ optional_policy(` +@@ -738,10 +1074,20 @@ optional_policy(` ') optional_policy(` @@ -63672,7 +63769,7 @@ index 29a9565..8c027c2 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1095,10 @@ optional_policy(` +@@ -750,6 +1096,10 @@ optional_policy(` ') optional_policy(` @@ -63683,7 +63780,7 @@ index 29a9565..8c027c2 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1120,6 @@ optional_policy(` +@@ -771,8 +1121,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -63692,7 +63789,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -790,10 +1137,12 @@ optional_policy(` +@@ -790,10 +1138,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') 
@@ -63705,7 +63802,7 @@ index 29a9565..8c027c2 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1154,6 @@ optional_policy(` +@@ -805,7 +1155,6 @@ optional_policy(` ') optional_policy(` @@ -63713,7 +63810,7 @@ index 29a9565..8c027c2 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1163,26 @@ optional_policy(` +@@ -815,11 +1164,26 @@ optional_policy(` ') optional_policy(` @@ -63741,7 +63838,7 @@ index 29a9565..8c027c2 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1192,25 @@ optional_policy(` +@@ -829,6 +1193,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -63767,7 +63864,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -844,6 +1226,10 @@ optional_policy(` +@@ -844,6 +1227,10 @@ optional_policy(` ') optional_policy(` @@ -63778,7 +63875,7 @@ index 29a9565..8c027c2 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1240,149 @@ optional_policy(` +@@ -854,3 +1241,151 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -63834,6 +63931,8 @@ index 29a9565..8c027c2 100644 + allow init_t daemon:unix_dgram_socket create_socket_perms; + allow init_t daemon:tcp_socket create_stream_socket_perms; + allow daemon init_t:unix_dgram_socket sendto; ++ # need write to /var/run/systemd/notify ++ init_write_pid_socket(daemon) + dontaudit daemon init_t:unix_stream_socket { read ioctl getattr }; +') + @@ -68561,10 +68660,10 @@ index 0000000..9eaa38e +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..eb3673d +index 0000000..25872de --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,436 @@ +@@ -0,0 +1,454 @@ +## SELinux policy for systemd components + +####################################### 
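Review bot: `init_write_pid_socket(daemon)` in hunk @@ -63834 is applied to the whole `daemon` attribute, so every daemon domain gains write access to init's pid-directory socket files, not only the services that actually signal readiness over the notify socket; that is probably the intent for sd_notify(3) support, but the interface is not defined in any hunk shown here, so confirm it exists in init.if and that it grants only `sock_file write` on `init_var_run_t` rather than a broader pattern. The comment `# need write to /var/run/systemd/notify` would be clearer as `# sd_notify(3): daemons write to systemd's notify socket (init_var_run_t sock_file)`. The enclosing conditional block starts and ends outside this hunk.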
@@ -68945,6 +69044,24 @@ index 0000000..eb3673d + +######################################## +## ++## manage systemd unit dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++') ++ ++######################################## ++## +## manage all systemd unit files +## +## @@ -69003,10 +69120,10 @@ index 0000000..eb3673d + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..411793e +index 0000000..0cb5eaa --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,360 @@ +@@ -0,0 +1,372 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -69140,6 +69257,15 @@ index 0000000..411793e +') + +optional_policy(` ++ # we label /run/user/$USER/dconf as config_home_t ++ gnome_manage_home_config_dirs(systemd_logind_t) ++') ++ ++optional_policy(` ++ nis_use_ypbind(systemd_logind_t) ++') ++ ++optional_policy(` + # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file + xserver_search_xdm_tmp_dirs(systemd_logind_t) +') @@ -69357,6 +69483,9 @@ index 0000000..411793e +# +# systemd_sysctl domains local policy +# ++ ++allow systemctl_domain systemd_unit_file_type:dir search_dir_perms; ++ +fs_list_cgroup_dirs(systemctl_domain) +fs_read_cgroup_files(systemctl_domain) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 6bc15c9..29adf53 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
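Review bot: `gnome_manage_home_config_dirs(systemd_logind_t)` in hunk @@ -69140 gives logind create and delete rights over every `config_home_t` directory, which by the interface body added in this same patch (`manage_dirs_pattern($1, config_home_t, config_home_t)`) includes users' `~/.config` trees and not only `/run/user/$USER/dconf`; labeling a runtime directory with a home-content type widens logind's reach well beyond what the comment describes. A dedicated type for the dconf runtime directory would keep the grant least-privilege; if the shared label is kept, the comment should record the trade-off, e.g. `# /run/user/$USER/dconf is labeled config_home_t, so logind also gets manage on ~/.config dirs`. `nis_use_ypbind(systemd_logind_t)` in the same hunk is consistent with logind resolving users through NIS and needs no further note.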
@@ -467,6 +467,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Sep 26 2011 Miroslav Grepl 3.10.0-34 +- Make mta_role() active +- Allow asterisk to connect to jabber client port +- Allow procmail to read utmp +- Add NIS support for systemd_logind_t +- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t +- Fix systemd_manage_unit_dirs() interface +- Allow ssh_t to manage directories passed into it +- init needs to be able to create and delete unit file directories +- Fix typo in apache_exec_sys_script +- Add ability for logrotate to transition to awstat domain + * Fri Sep 23 2011 Miroslav Grepl 3.10.0-33 - Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17