From 0ce55dd535f5da0374e056d3ed230f50f59bfd57 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 17 2014 16:53:47 +0000 Subject: - Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_e - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 25515ae..206fe53 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -5596,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..28e68c5 100644 +index 4edc40d..b826766 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) 
@@ -5701,11 +5701,12 @@ index 4edc40d..28e68c5 100644 network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) -+network_port(conman, tcp,7890,s0, udp,7890,s0) -+network_port(connlcli, tcp,1358,s0, udp,1358,s0) - network_port(couchdb, tcp,5984,s0, udp,5984,s0) +-network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) ++network_port(conman, tcp,7890,s0, udp,7890,s0) ++network_port(connlcli, tcp,1358,s0, udp,1358,s0) ++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) @@ -15456,7 +15457,7 @@ index 64ff4d7..d2cb90d 100644 + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 148d87a..ccbcb66 100644 +index 148d87a..b5a89ba 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.17.5) @@ -15476,7 +15477,7 @@ index 148d87a..ccbcb66 100644 # For labeling types that are to be polyinstantiated attribute polydir; -@@ -48,28 +52,45 @@ attribute usercanread; +@@ -48,31 +52,46 @@ attribute usercanread; # type boot_t; files_mountpoint(boot_t) 
@@ -15520,11 +15521,15 @@ index 148d87a..ccbcb66 100644 # generated during initialization. # -type etc_runtime_t; +-files_type(etc_runtime_t) +-#Temporarily in policy until FC5 dissappears +-typealias etc_runtime_t alias firstboot_rw_t; +type etc_runtime_t, configfile; - files_type(etc_runtime_t) - #Temporarily in policy until FC5 dissappears - typealias etc_runtime_t alias firstboot_rw_t; -@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t; ++files_ro_base_file(etc_runtime_t) + + # + # file_t is the default type of a file that has not yet been +@@ -81,6 +100,7 @@ typealias etc_runtime_t alias firstboot_rw_t; # type file_t; files_mountpoint(file_t) @@ -15532,7 +15537,7 @@ index 148d87a..ccbcb66 100644 kernel_rootfs_mountpoint(file_t) sid file gen_context(system_u:object_r:file_t,s0) -@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0) +@@ -89,6 +109,7 @@ sid file gen_context(system_u:object_r:file_t,s0) # are created # type home_root_t; @@ -15540,7 +15545,7 @@ index 148d87a..ccbcb66 100644 files_mountpoint(home_root_t) files_poly_parent(home_root_t) -@@ -96,12 +119,13 @@ files_poly_parent(home_root_t) +@@ -96,12 +117,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; @@ -15555,7 +15560,7 @@ index 148d87a..ccbcb66 100644 files_mountpoint(mnt_t) # -@@ -123,6 +147,7 @@ files_type(readable_t) +@@ -123,6 +145,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; @@ -15563,7 +15568,7 @@ index 148d87a..ccbcb66 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,52 +156,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) 
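Review bot: The new side of the etc_runtime_t hunk drops `typealias etc_runtime_t alias firstboot_rw_t;` together with `files_type(etc_runtime_t)`, so any module or file_contexts entry in the contrib patch that still names firstboot_rw_t will fail to load or relabel once this base patch is applied. Whether `files_ro_base_file()` declares the type as a file type on its own cannot be confirmed from this hunk; if it does not, the explicit `files_type()` call is still needed. Keeping `typealias etc_runtime_t alias firstboot_rw_t;` next to `files_ro_base_file(etc_runtime_t)` until all references are gone is the safe ordering.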
@@ -15627,7 +15632,7 @@ index 148d87a..ccbcb66 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -186,7 +222,9 @@ files_mountpoint(var_run_t) +@@ -186,7 +220,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; @@ -15637,7 +15642,7 @@ index 148d87a..ccbcb66 100644 ######################################## # -@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -225,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile) # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; @@ -24443,7 +24448,7 @@ index 5fc0391..d6519a1 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..8773437 100644 +index d1f64a0..2ef633d 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -24505,7 +24510,7 @@ index d1f64a0..8773437 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +76,33 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -24534,7 +24539,8 @@ index d1f64a0..8773437 100644 +/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + -+/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -24548,7 +24554,7 @@ index d1f64a0..8773437 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,25 +129,49 @@ ifndef(`distro_debian',` +@@ -92,25 +130,49 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -36721,7 +36727,7 @@ index 72c746e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..e432df3 100644 +index 4584457..8a190ae 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,13 @@ interface(`mount_domtrans',` @@ -36738,7 +36744,7 @@ index 4584457..e432df3 100644 ') ######################################## -@@ -38,11 +45,122 @@ interface(`mount_domtrans',` +@@ -38,11 +45,140 @@ interface(`mount_domtrans',` # interface(`mount_run',` gen_require(` 
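Review bot: The two new xserver.fc entries `/usr/bin/sddm` and `/usr/bin/sddm-greeter` could be a single pattern in the style of the `lxdm(-binary)?` line just above them: `/usr/bin/sddm(-greeter)? -- gen_context(system_u:object_r:xdm_exec_t,s0)`. If the greeter runs as a separate unprivileged user, whether it should share the display manager's exec type is a question this hunk cannot settle and deserves a comment on the line.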
@@ -36843,6 +36849,24 @@ index 4584457..e432df3 100644 + files_search_pids($1) +') + ++####################################### ++## ++## Do not audit attemps to write mount PID files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mount_dontaudit_write_mount_pid',` ++ gen_require(` ++ type mount_var_run_t; ++ ') ++ ++ dontaudit $1 mount_var_run_t:file write; ++') ++ +######################################## +## +## Manage mount PID files. @@ -36863,7 +36887,7 @@ index 4584457..e432df3 100644 ') ######################################## -@@ -91,7 +209,7 @@ interface(`mount_signal',` +@@ -91,7 +227,7 @@ interface(`mount_signal',` ## ## ## @@ -36872,7 +36896,7 @@ index 4584457..e432df3 100644 ## ## # -@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',` +@@ -131,45 +267,138 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -47947,7 +47971,7 @@ index 3c5dba7..8d7c4a7 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..252a7aa 100644 +index e2b538b..0730c10 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) @@ -48036,7 +48060,7 @@ index e2b538b..252a7aa 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,380 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,382 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
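Review bot: The summary line of the new `mount_dontaudit_write_mount_pid` interface misspells "attempts"; it should read `## Do not audit attempts to write mount PID files.`. The interface otherwise follows the pattern of its neighbours, and silencing a leaked-descriptor write with a narrow `dontaudit ... :file write` rather than an allow is the right shape.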
@@ -48103,6 +48127,8 @@ index e2b538b..252a7aa 100644 +dontaudit unpriv_userdomain self:dir setattr; +allow unpriv_userdomain self:key manage_key_perms; + ++mount_dontaudit_write_mount_pid(unpriv_userdomain) ++ +optional_policy(` + alsa_read_rw_config(unpriv_userdomain) + alsa_manage_home_files(unpriv_userdomain) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index ccff28f..f442d63 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -11182,7 +11182,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index fdee107..1910951 100644 +index fdee107..a4c2efb 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -11235,7 +11235,7 @@ index fdee107..1910951 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -+allow cgred_t cgconfig_t:file read_file_perms; ++allow cgred_t cgconfig_etc_t:file read_file_perms; allow cgred_t cgrules_etc_t:file read_file_perms; allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; @@ -11272,10 +11272,10 @@ index 0000000..57866f6 +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..5977d96 +index 0000000..23407b8 --- /dev/null +++ b/chrome.if -@@ -0,0 +1,134 @@ +@@ -0,0 +1,137 @@ + +## policy for chrome + @@ -11299,6 +11299,9 @@ index 0000000..5977d96 + + allow $1 chrome_sandbox_t:fd use; + ++ dontaudit chrome_sandbox_t $1:socket_class_set getattr; ++ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms; ++ + ifdef(`hide_broken_symptoms',` + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) + ') @@ -13225,7 +13228,7 @@ index 954309e..f4db2ca 100644 ') + 
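Review bot: `allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;` in the chrome.if hunk gives the sandbox read/write on every unix stream socket owned by the calling domain, which runs in the opposite direction from the `allow $1 chrome_sandbox_t:fd use;` line above it and weakens the boundary the sandbox domain exists to enforce. If these sockets are leaked descriptors, as the commit message says, the `dontaudit` form already used on the preceding `socket_class_set getattr` line silences the noise without granting the sandbox new access: `dontaudit chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;`. The enclosing interface starts outside the hunk, so which callers pass `$1` cannot be seen here.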
diff --git a/collectd.te b/collectd.te -index 6471fa8..3b69f43 100644 +index 6471fa8..6ade0ea 100644 --- a/collectd.te +++ b/collectd.te @@ -26,18 +26,27 @@ files_type(collectd_var_lib_t) @@ -13293,7 +13296,7 @@ index 6471fa8..3b69f43 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +89,30 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +89,31 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` @@ -13306,6 +13309,7 @@ index 6471fa8..3b69f43 100644 + +optional_policy(` virt_read_config(collectd_t) ++ virt_stream_connect(collectd_t) ') ######################################## @@ -18024,7 +18028,7 @@ index 949011e..afe482b 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 06da9a0..c7834c8 100644 +index 06da9a0..c18145d 100644 --- a/cups.if +++ b/cups.if @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` @@ -18101,7 +18105,7 @@ index 06da9a0..c7834c8 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -348,13 +379,63 @@ interface(`cups_admin',` +@@ -348,13 +379,64 @@ interface(`cups_admin',` logging_list_logs($1) admin_pattern($1, cupsd_log_t) @@ -18150,6 +18154,7 @@ index 06da9a0..c7834c8 100644 + files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") + files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") +') + +######################################## @@ -23751,7 +23756,7 @@ index c880070..4448055 100644 -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if -index dbcac59..067c453 100644 +index dbcac59..f3e446c 100644 --- a/dovecot.if +++ b/dovecot.if 
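Review bot: `files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")` keys the transition on the parent directory's type rather than on the path, so if /var/cache carries the same type as /var (as in the reference policy) a "cups" directory created by `$1` under any such parent, /var/cups included, is also labelled cupsd_rw_etc_t. That is probably acceptable, but cups.fc is not touched by this commit, so unless it already has a matching `/var/cache/cups(/.*)?` entry a later restorecon will relabel the directory back and the transition is lost. Adding the file-context entry alongside the filetrans keeps the two consistent.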
@@ -1,29 +1,49 @@ @@ -23878,7 +23883,7 @@ index dbcac59..067c453 100644 ## ## ## -@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',` allow $1 dovecot_tmp_t:file write; ') @@ -23898,6 +23903,7 @@ index dbcac59..067c453 100644 + ') + + files_search_etc($1) ++ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t) + read_files_pattern($1, dovecot_etc_t, dovecot_etc_t) +') + @@ -23910,7 +23916,7 @@ index dbcac59..067c453 100644 ## ## ## -@@ -132,21 +167,24 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -132,21 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',` ## ## ## @@ -23941,7 +23947,7 @@ index dbcac59..067c453 100644 init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) -@@ -156,20 +194,25 @@ interface(`dovecot_admin',` +@@ -156,20 +195,25 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) @@ -30276,7 +30282,7 @@ index d03fd43..394cbf1 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..45fe41c 100644 +index 20f726b..5314f96 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ @@ -30320,7 +30326,7 @@ index 20f726b..45fe41c 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,226 @@ type gconfd_exec_t; +@@ -29,107 +47,227 @@ type gconfd_exec_t; typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) 
@@ -30550,6 +30556,7 @@ index 20f726b..45fe41c 100644 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) +manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) +files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) ++fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) +userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir }) -kernel_read_system_state(gkeyringd_domain) @@ -40303,10 +40310,12 @@ index e08c55d..9e634bd 100644 + +') diff --git a/mandb.fc b/mandb.fc -index 2de0f64..3c24286 100644 +index 2de0f64..c127555 100644 --- a/mandb.fc +++ b/mandb.fc -@@ -1 +1,10 @@ +@@ -1 +1,12 @@ ++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) ++ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) @@ -40316,7 +40325,7 @@ index 2de0f64..3c24286 100644 + +/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) + -+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) ++/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if index 327f3f7..4f61561 100644 --- a/mandb.if @@ -43069,10 +43078,10 @@ index 0000000..b694afc +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..0804d06 100644 +index 6ffaba2..ab66d2f 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,69 @@ +@@ -1,38 +1,70 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) 
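Review bot: The added `/root/.manpath` entry in mandb.fc leaves the dot unescaped, so the pattern also matches names such as `/root/xmanpath`; the sibling `HOME_DIR/\.manpath` line escapes it, and this one should read `/root/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)`. If genhomedircon already expands HOME_DIR to /root on this system the entry is also redundant, which cannot be confirmed from the hunk.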
@@ -43096,6 +43105,7 @@ index 6ffaba2..0804d06 100644 +HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -43177,7 +43187,7 @@ index 6ffaba2..0804d06 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..03c6414 100644 +index 6194b80..cafb2b0 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -43888,7 +43898,7 @@ index 6194b80..03c6414 100644 ## ## ## -@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -43966,6 +43976,7 @@ index 6194b80..03c6414 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex") + optional_policy(` + gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") ++ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web") + ') ') + @@ -52209,7 +52220,7 @@ index 8f2ab09..bc2c7fe 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index df4c10f..fb50d4a 100644 +index df4c10f..2bbc3a6 100644 --- a/nscd.te +++ b/nscd.te @@ -1,36 +1,37 @@ 
@@ -52363,44 +52374,45 @@ index df4c10f..fb50d4a 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,20 +131,31 @@ optional_policy(` +@@ -121,13 +131,11 @@ optional_policy(` ') optional_policy(` +- tunable_policy(`samba_domain_controller',` +- samba_append_log(nscd_t) +- samba_dontaudit_use_fds(nscd_t) +- ') + kerberos_use(nscd_t) +') -+ + +- samba_read_config(nscd_t) +- samba_read_var_files(nscd_t) +optional_policy(` -+ udev_read_db(nscd_t) -+') ++ nis_authenticate(nscd_t) + ') + + optional_policy(` +@@ -138,3 +146,20 @@ optional_policy(` + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) + ') + +optional_policy(` -+ xen_dontaudit_rw_unix_stream_sockets(nscd_t) -+ xen_append_log(nscd_t) ++ tunable_policy(`samba_domain_controller',` ++ samba_append_log(nscd_t) ++ samba_dontaudit_use_fds(nscd_t) ++ ') +') + +optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(nscd_t) - samba_dontaudit_use_fds(nscd_t) - ') -- -- samba_read_config(nscd_t) -- samba_read_var_files(nscd_t) - ') - - optional_policy(` -- udev_read_db(nscd_t) + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) + samba_stream_connect_nmbd(nscd_t) - ') - - optional_policy(` -- xen_dontaudit_rw_unix_stream_sockets(nscd_t) -- xen_append_log(nscd_t) ++') ++ ++optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) - ') ++') diff --git a/nsd.fc b/nsd.fc index 4f2b1b6..5348e92 100644 --- a/nsd.fc @@ -61600,10 +61612,10 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..b9d62b2 +index 0000000..cadefe5 --- /dev/null +++ b/pki.te -@@ -0,0 +1,285 @@ +@@ -0,0 +1,286 @@ +policy_module(pki,10.0.11) + +######################################## 
@@ -61716,6 +61728,7 @@ index 0000000..b9d62b2 +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) + +kernel_read_kernel_sysctls(pki_tomcat_t) ++kernel_read_net_sysctls(pki_tomcat_t) + +corenet_tcp_connect_http_cache_port(pki_tomcat_t) +corenet_tcp_connect_ldap_port(pki_tomcat_t) @@ -72949,7 +72962,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..5240406 100644 +index 3698b51..7d5630f 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -72971,7 +72984,7 @@ index 3698b51..5240406 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,50 +43,84 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +@@ -38,50 +43,85 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) @@ -73007,6 +73020,7 @@ index 3698b51..5240406 100644 corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) corenet_tcp_bind_generic_node(rabbitmq_beam_t) +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) ++corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t) corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) -corenet_tcp_bind_amqp_port(rabbitmq_beam_t) @@ -73065,7 +73079,7 @@ index 3698b51..5240406 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -89,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; +@@ -89,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; 
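Review bot: `corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)` lets the beam VM listen on the entire ephemeral range, whereas the surrounding rules bind named ports only. The Erlang distribution listener can be pinned to a fixed range in the application configuration, so if that is the listener this grant serves, a dedicated port type would keep the policy's listening surface bounded; if the port genuinely cannot be fixed, the broad grant is the only option and the reason deserves a comment above the line.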
@@ -73074,7 +73088,7 @@ index 3698b51..5240406 100644 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) -@@ -99,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -79542,7 +79556,7 @@ index 3bd6446..eec0a35 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..dba369f 100644 +index e5212e6..fa69f22 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -79728,35 +79742,38 @@ index e5212e6..dba369f 100644 optional_policy(` automount_signal(rpcd_t) -@@ -174,19 +110,23 @@ optional_policy(` +@@ -174,19 +110,27 @@ optional_policy(` ') optional_policy(` -- nis_read_ypserv_config(rpcd_t) + domain_unconfined_signal(rpcd_t) ++') ++ ++optional_policy(` ++ quota_manage_db(rpcd_t) ++') ++ ++optional_policy(` + nis_read_ypserv_config(rpcd_t) ') optional_policy(` - quota_manage_db_files(rpcd_t) -+ quota_manage_db(rpcd_t) ++ quota_read_db(rpcd_t) ') optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -+ nis_read_ypserv_config(rpcd_t) ++ rhcs_manage_cluster_tmp_files(rpcd_t) ') optional_policy(` - unconfined_signal(rpcd_t) -+ quota_read_db(rpcd_t) -+') -+ -+optional_policy(` -+ rhcs_manage_cluster_tmp_files(rpcd_t) ++ samba_stream_connect_nmbd(rpcd_t) ') ######################################## -@@ -195,41 +135,56 @@ optional_policy(` +@@ -195,41 +139,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -79821,7 +79838,7 @@ index e5212e6..dba369f 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) 
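Review bot: After this rpc.te hunk rpcd_t gets both `quota_manage_db(rpcd_t)` and `quota_read_db(rpcd_t)` in separate optional_policy blocks; assuming the manage interface includes the read permissions, the second block is redundant and only one should remain. If the intent was to drop the manage permissions (the older inner line was `quota_manage_db_files`), keep `quota_read_db` and remove the newly added `quota_manage_db` block instead.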
@@ -79829,7 +79846,7 @@ index e5212e6..dba369f 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -79844,7 +79861,7 @@ index e5212e6..dba369f 100644 ') ######################################## -@@ -263,7 +217,7 @@ optional_policy(` +@@ -263,7 +221,7 @@ optional_policy(` # GSSD local policy # @@ -79853,7 +79870,7 @@ index e5212e6..dba369f 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -79861,7 +79878,7 @@ index e5212e6..dba369f 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +234,30 @@ kernel_signal(gssd_t) +@@ -279,25 +238,30 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -79895,7 +79912,7 @@ index e5212e6..dba369f 100644 ') optional_policy(` -@@ -306,8 +266,11 @@ optional_policy(` +@@ -306,8 +270,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -83275,7 +83292,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..f56760b 100644 +index 57c034b..aa888c8 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ 
@@ -83982,14 +83999,14 @@ index 57c034b..f56760b 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -84020,11 +84037,11 @@ index 57c034b..f56760b 100644 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) +allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) - ++ +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) +allow smbcontrol_t winbind_t:process { signal signull }; -+ + +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) -samba_rw_var_files(smbcontrol_t) @@ -84388,7 +84405,7 @@ index 57c034b..f56760b 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +941,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -84427,10 +84444,14 @@ index 57c034b..f56760b 100644 optional_policy(` kerberos_use(winbind_t) + kerberos_filetrans_named_content(winbind_t) ++') ++ ++optional_policy(` ++ nis_authenticate(winbind_t) ') optional_policy(` -@@ -952,31 +989,29 @@ optional_policy(` +@@ -952,31 +993,29 @@ optional_policy(` # Winbind helper local policy # @@ -84468,7 +84489,7 @@ index 57c034b..f56760b 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1025,38 @@ optional_policy(` +@@ -990,25 +1029,38 @@ optional_policy(` ######################################## # 
@@ -84489,24 +84510,24 @@ index 57c034b..f56760b 100644 + role system_r types samba_unconfined_net_t; + + unconfined_domain(samba_unconfined_net_t) -+ + +- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +- allow smbd_t samba_unconfined_script_exec_t:file ioctl; + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) +') -+ + +type samba_unconfined_script_t; +type samba_unconfined_script_exec_t; +domain_type(samba_unconfined_script_t) +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +corecmd_shell_entry_type(samba_unconfined_script_t) +role system_r types samba_unconfined_script_t; - -- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -- allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++ +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +allow smbd_t samba_unconfined_script_exec_t:file ioctl; - ++ +optional_policy(` unconfined_domain(samba_unconfined_script_t) +') @@ -85133,10 +85154,10 @@ index 0000000..3258f45 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..0161658 +index 0000000..330fea5 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,498 @@ +@@ -0,0 +1,502 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -85353,6 +85374,10 @@ index 0000000..0161658 +storage_dontaudit_rw_fuse(sandbox_x_domain) + +optional_policy(` ++ bluetooth_dbus_chat(sandbox_x_domain) ++') ++ ++optional_policy(` + consolekit_dbus_chat(sandbox_x_domain) +') + @@ -89744,7 +89769,7 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index ccd28bb..80106ac 100644 +index ccd28bb..6e335a9 100644 --- a/snort.te +++ b/snort.te @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) 
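Review bot: `bluetooth_dbus_chat(sandbox_x_domain)` is attached to the attribute shared by every sandboxed X domain, so each sandbox gains a two-way D-Bus channel to the bluetooth daemon, a privileged service whose API can pair and manage devices; that is a notable widening of what an isolated application can reach. If a single application needs it, a tunable_policy boolean or a grant on a narrower domain would leave the default sandbox surface unchanged. The hunk does not show which types carry sandbox_x_domain, so the breadth is inferred from the attribute name.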
@@ -89762,7 +89787,18 @@ index ccd28bb..80106ac 100644 allow snort_t self:netlink_firewall_socket create_socket_perms; allow snort_t snort_etc_t:dir list_dir_perms; -@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t) +@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms; + allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) +-append_files_pattern(snort_t, snort_log_t, snort_log_t) +-create_files_pattern(snort_t, snort_log_t, snort_log_t) +-setattr_files_pattern(snort_t, snort_log_t, snort_log_t) ++manage_files_pattern(snort_t, snort_log_t, snort_log_t) + logging_log_filetrans(snort_t, snort_log_t, { file dir }) + + manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) +@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) kernel_read_network_state(snort_t) @@ -89770,7 +89806,7 @@ index ccd28bb..80106ac 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t) +@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t) domain_use_interactive_fds(snort_t) @@ -102417,10 +102453,10 @@ index 0000000..7933d80 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..5ce7d9c +index 0000000..d59b917 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,94 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -102510,6 +102546,11 @@ index 0000000..5ce7d9c +corecmd_exec_bin(vmtools_helper_t) + +userdom_stream_connect(vmtools_helper_t) ++ ++optional_policy(` ++ unconfined_domain(vmtools_helper_t) ++') ++ diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 --- a/vmware.if @@ -102799,7 +102840,7 @@ index 7a7f342..afedcba 100644 ## ## diff --git a/vpn.te b/vpn.te -index 9329eae..992aefb 100644 +index 9329eae..38a4bf3 100644 --- a/vpn.te +++ b/vpn.te @@ -1,4 +1,4 @@ 
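Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` with `manage_files_pattern(snort_t, snort_log_t, snort_log_t)` lets the sensor truncate, rename and unlink its own logs, which removes the append-only property an IDS log relies on as evidence should the sensor itself be compromised. The denial that motivated this is not visible in the hunk; if it was a single permission needed for log rotation, adding only that with a comment, for example `allow snort_t snort_log_t:file { rename unlink };`, keeps the log contents append-only while fixing the denial.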
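Review bot: `unconfined_domain(vmtools_helper_t)` makes the targeted rules immediately above it (`corecmd_exec_bin`, `userdom_stream_connect`) redundant and leaves the helper with no confinement at all; the commit message says this is intended, but gating it behind a tunable_policy boolean would let an administrator opt back into confinement without a policy rebuild. The hunk also adds a second trailing blank line after the closing `')`, which the other .te files in this commit do not carry. The helper's entry point and the transitions into it are outside the hunk, so how it is reached cannot be checked here.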
@@ -102917,7 +102958,7 @@ index 9329eae..992aefb 100644 - -optional_policy(` - seutil_use_newrole_fds(vpnc_t) -+ networkmanager_delete_pid_files(vpnc_t) ++ networkmanager_manage_pid_files(vpnc_t) ') diff --git a/w3c.te b/w3c.te index bcb76b6..d3cf4a8 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index 8038549..34cefae 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 138%{?dist} +Release: 139%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 17 2014 Miroslav Grepl 3.12.1-139 +- Allow collectd to talk to libvirt +- Allow chrome_sandbox to use leaked unix_stream_sockets +- Dontaudit leaks of sockets into chrome_sandbox_t +- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t +- Run vmtools as unconfined domains +- Allow snort to manage its log files +- Allow systemd_cronjob_t to be entered via bin_t +- Allow procman to list doveconf_etc_t +- allow keyring daemon to create content in tmpfs directories +- Add proper labelling for icedtea-web +- vpnc is creating content in networkmanager var run directory +- Label sddm as xdm_exec_t to make KDE working again +- Allow postgresql to read network state +- Allow java running as pki_tomcat to read network sysctls +- Fix cgroup.te to allow cgred to read cgconfig_etc_t +- Allow beam.smp to use ephemeral ports +- Allow winbind to use the nis to authenticate passwords + * Fri Mar 14 2014 Lukas Vrabec 3.12.1-138 - Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. - Allow net_admin cap for fence_virtd running as fenced_t
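Review bot: `networkmanager_manage_pid_files(vpnc_t)` lets vpnc create, rewrite and delete every file of NetworkManager's run-directory type, not only the content it writes itself, so a compromised vpnc could alter NetworkManager's own state there. If vpnc only creates its own entries in that directory, a name-based filetrans to a vpnc-owned type combined with the previous `networkmanager_delete_pid_files` would confine the effect to those files; the hunk does not show which files vpnc creates, so this is inferred from the changelog. The enclosing optional_policy block starts outside the hunk.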