From 0ffdd95627529594dfa9fd6a8b9d8fd8d483c59d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 08 2011 17:15:05 +0000 Subject: - Fixes for ssh_keygen policy - Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain - Backport spice vdagent policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index dc9e340..54d4a43 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2237,3 +2237,10 @@ mediawiki = module # policy for namespace.init script # namespace = module + +# Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module diff --git a/policy-F13.patch b/policy-F13.patch index 4e0cf5d..979192d 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -13553,7 +13553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-03-04 13:15:26.285413000 +0000 ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-03-08 15:16:37.182413000 +0000 @@ -28,17 +28,31 @@ corecmd_exec_shell(sysadm_t) @@ -13798,11 +13798,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) -+ allow sysadm_screen_t self:capability { dac_read_search dac_override }; ++ allow sysadm_screen_t self:capability { dac_read_search dac_override sys_tty_config }; ') optional_policy(` -@@ -358,8 +422,14 @@ +@@ -358,11 +422,18 @@ ') optional_policy(` 
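Review bot: `allow sysadm_screen_t self:capability { dac_read_search dac_override sys_tty_config };` adds a third capability to the screen domain with no rationale beside it, and sys_tty_config is the capability gating vhangup() and privileged tty ioctls, so this presumably stems from screen hanging up the terminal it takes over (confirm against the AVC that prompted it). A one-line comment such as `# sys_tty_config: screen calls vhangup() on the tty it detaches from - seen in AVC` would let the grant be re-evaluated later instead of becoming permanent by inertia. The optional_policy block carrying this rule is visible in full in the hunk.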
@@ -13817,7 +13817,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -382,9 +452,11 @@ ++ ssh_run_keygen(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -382,9 +453,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') @@ -13829,7 +13833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,23 +465,31 @@ +@@ -393,23 +466,31 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -13861,7 +13865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. unprivuser_role_change(sysadm_r) ') -@@ -417,9 +497,11 @@ +@@ -417,9 +498,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -13873,7 +13877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +509,15 @@ +@@ -427,9 +510,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -13889,7 +13893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +528,30 @@ +@@ -440,13 +529,30 @@ ') optional_policy(` @@ -38276,7 +38280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-11-02 16:20:27.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2011-03-08 14:16:27.328413001 +0000 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
@@ -38519,7 +38523,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. files_search_pids($1) ') -@@ -693,7 +726,51 @@ +@@ -678,6 +711,32 @@ + domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) + ') + ++###################################### ++## ++## Execute ssh-keygen in the iptables domain, and ++## allow the specified role the ssh-keygen domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`ssh_run_keygen',` ++ gen_require(` ++ type ssh_keygen_t; ++ ') ++ ++ role $2 types ssh_keygen_t; ++ ssh_domtrans_keygen($1) ++') ++ + ######################################## + ## + ## Read ssh server keys +@@ -693,7 +752,51 @@ type sshd_key_t; ') @@ -38572,7 +38609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ####################################### -@@ -714,3 +791,67 @@ +@@ -714,3 +817,67 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -38642,7 +38679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-02-14 14:49:26.196796002 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-08 14:38:01.609413002 +0000 @@ -34,13 +34,12 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) 
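Review bot: The summary of the new `ssh_run_keygen` interface is a copy-paste leftover: it says `Execute ssh-keygen in the iptables domain, and allow the specified role the ssh-keygen domain.` while the body transitions into ssh_keygen_t, so the first line should read `Execute ssh-keygen in the ssh_keygen domain, and allow the specified role the ssh_keygen domain.` The rule body itself (`role $2 types ssh_keygen_t;` followed by `ssh_domtrans_keygen($1)`) follows the `*_run_*` convention used elsewhere in this file and is fine.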
@@ -38733,17 +38770,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -217,6 +221,9 @@ - allow ssh_keygen_t sshd_key_t:file manage_file_perms; - files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) - -+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) -+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) -+ - kernel_read_kernel_sysctls(ssh_keygen_t) +@@ -201,54 +205,6 @@ + xserver_domtrans_xauth(ssh_t) + ') - fs_search_auto_mountpoints(ssh_keygen_t) -@@ -282,36 +289,39 @@ +-######################################## +-# +-# ssh_keygen local policy +-# +- +-# ssh_keygen_t is the type of the ssh-keygen program when run at install time +-# and by sysadm_t +- +-dontaudit ssh_keygen_t self:capability sys_tty_config; +-allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; +- +-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; +- +-allow ssh_keygen_t sshd_key_t:file manage_file_perms; +-files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) +- +-kernel_read_kernel_sysctls(ssh_keygen_t) +- +-fs_search_auto_mountpoints(ssh_keygen_t) +- +-dev_read_sysfs(ssh_keygen_t) +-dev_read_urand(ssh_keygen_t) +- +-term_dontaudit_use_console(ssh_keygen_t) +- +-domain_use_interactive_fds(ssh_keygen_t) +- +-files_read_etc_files(ssh_keygen_t) +- +-init_use_fds(ssh_keygen_t) +-init_use_script_ptys(ssh_keygen_t) +- +-logging_send_syslog_msg(ssh_keygen_t) +- +-userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +- +-optional_policy(` +- nscd_socket_use(ssh_keygen_t) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(ssh_keygen_t) +-') +- +-optional_policy(` +- udev_read_db(ssh_keygen_t) +-') +- + ############################## + # + # ssh_keysign_t local policy +@@ -282,36 +238,39 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; 
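Review bot: The hunk `@@ -201,54 +205,6 @@` deletes an entire "ssh_keygen local policy" section (from the `dontaudit ssh_keygen_t self:capability sys_tty_config;` line through the `udev_read_db(ssh_keygen_t)` optional block), on the apparent assumption that the later section around line 376 carries the same rules; that assumption should be checked line by line, because the later hunk has to add `nscd_socket_use(ssh_keygen_t)` back, which suggests the two copies were not identical. From the context visible in the second section I can account for the sshd_key_t rules, `kernel_read_kernel_sysctls`, `fs_search_auto_mountpoints`, `dev_read_urand`, `term_dontaudit_use_console`, `logging_send_syslog_msg`, `userdom_dontaudit_use_unpriv_user_fds` and `seutil_sigchld_newrole`, but not `dontaudit ... sys_tty_config`, the `self:process` signal set, `self:unix_stream_socket`, `dev_read_sysfs`, `init_use_fds`/`init_use_script_ptys` or `udev_read_db`; if any of those exist only in the removed copy, ssh-keygen at install time silently loses them. A short comment above the surviving section, e.g. `# single ssh_keygen_t section - the duplicate that used to precede ssh_keysign_t was folded in here`, would record why the earlier block is gone.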
@@ -38792,7 +38874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -319,10 +329,27 @@ +@@ -319,10 +278,27 @@ ') optional_policy(` @@ -38820,7 +38902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +360,18 @@ +@@ -333,10 +309,18 @@ ') optional_policy(` @@ -38840,6 +38922,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd +@@ -376,6 +360,10 @@ + allow ssh_keygen_t sshd_key_t:file manage_file_perms; + files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) + ++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) ++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) ++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) ++ + kernel_read_kernel_sysctls(ssh_keygen_t) + + fs_search_auto_mountpoints(ssh_keygen_t) +@@ -384,6 +372,7 @@ + dev_read_urand(ssh_keygen_t) + + term_dontaudit_use_console(ssh_keygen_t) ++term_use_all_ptys(ssh_keygen_t) + + domain_use_interactive_fds(ssh_keygen_t) + +@@ -397,6 +386,11 @@ + logging_send_syslog_msg(ssh_keygen_t) + + userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) ++userdom_search_admin_dir(ssh_keygen_t) ++ ++optional_policy(` ++ nscd_socket_use(ssh_keygen_t) ++') + + optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.19/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-04-13 18:44:36.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/sssd.if 2010-09-16 14:48:33.000000000 +0000 
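Review bot: `term_use_all_ptys(ssh_keygen_t)` grants read/write on every pty type on the system, which is far broader than the one terminal a sysadm_t user invokes ssh-keygen from; the narrower `userdom_use_user_ptys(ssh_keygen_t)` (the same interface vdagent.te in this commit uses) should be tried first and widened only if an AVC shows it is insufficient. The `manage_dirs_pattern`/`manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)` pair likewise lets ssh_keygen_t create, rewrite and delete any ssh_home_t file, and as far as I can tell that label covers every user's ~/.ssh (including `authorized_keys`), not only /root's, so if the changelog's intent is just the admin's key files a comment stating that and a narrower rule would be better. `userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)` also labels any directory ssh_keygen_t creates directly under /root as ssh_home_t, since this policy has no name-based transitions; that is fine for `.ssh` but deserves a comment such as `# ssh-keygen creates /root/.ssh on first use`. The ssh_keygen_t section these rules belong to starts and ends outside the hunks.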
@@ -39418,6 +39531,99 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn allow varnishd_t self:process signal; allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket create_stream_socket_perms; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.fc serefpolicy-3.7.19/policy/modules/services/vdagent.fc +--- nsaserefpolicy/policy/modules/services/vdagent.fc 1970-01-01 00:00:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/vdagent.fc 2011-03-08 12:55:29.677413000 +0000 +@@ -0,0 +1,4 @@ ++ ++/sbin/vdagent -- gen_context(system_u:object_r:vdagent_exec_t,s0) ++ ++/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.if serefpolicy-3.7.19/policy/modules/services/vdagent.if +--- nsaserefpolicy/policy/modules/services/vdagent.if 1970-01-01 00:00:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/vdagent.if 2011-03-08 12:55:29.684413000 +0000 +@@ -0,0 +1,39 @@ ++## The spice guest agent daemon. ++ ++ ++######################################## ++## ++## Execute a domain transition to run vdagent. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vdagent_domtrans',` ++ gen_require(` ++ type vdagent_t, vdagent_exec_t; ++ ') ++ ++ domtrans_pattern($1, vdagent_exec_t, vdagent_t) ++') ++ ++######################################## ++## ++## Connect to vdagent over an unix stream socket. ++## ++## ++## ++## Domain allowed access. 
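Review bot: The only executable context in vdagent.fc is `/sbin/vdagent -- gen_context(system_u:object_r:vdagent_exec_t,s0)`, which does not match the naming of the runtime directory `/var/run/spice-vdagentd` labelled two lines below; if the packaged daemon is actually installed as spice-vdagentd under /usr/sbin (as I believe the Fedora spice-vdagent package does - verify with the package file list), this context never applies, the udev_t transition never fires and the daemon keeps running in udev_t, which the permissive flag on vdagent_t would not make visible. Please confirm the installed path and label that one, e.g. `/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)`. The leading blank line in the new file is also out of step with the other .fc files in the tree.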
++## ++## ++# ++interface(`vdagent_stream_connect',` ++ gen_require(` ++ type vdagent_t, vdagent_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.7.19/policy/modules/services/vdagent.te +--- nsaserefpolicy/policy/modules/services/vdagent.te 1970-01-01 00:00:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/vdagent.te 2011-03-08 13:05:40.170413001 +0000 +@@ -0,0 +1,38 @@ ++policy_module(vdagent,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type vdagent_t; ++type vdagent_exec_t; ++udev_system_domain(vdagent_t, vdagent_exec_t) ++ ++type vdagent_var_run_t; ++files_pid_file(vdagent_var_run_t) ++ ++permissive vdagent_t; ++ ++######################################## ++# ++# vdagent local policy ++# ++allow vdagent_t self:process { fork }; ++ ++allow vdagent_t self:fifo_file rw_fifo_file_perms; ++allow vdagent_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file }) ++ ++domain_use_interactive_fds(vdagent_t) ++ ++files_read_etc_files(vdagent_t) ++ ++miscfiles_read_localization(vdagent_t) ++ ++userdom_use_user_ptys(vdagent_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.19/policy/modules/services/vhostmd.fc --- nsaserefpolicy/policy/modules/services/vhostmd.fc 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/vhostmd.fc 2010-07-21 08:49:49.000000000 +0000 
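Review bot: `permissive vdagent_t;` turns every rule in this module into a no-op for enforcement, so nothing below it is actually tested by loading the policy; that may be intentional for a first backport, but it needs a comment marking it as temporary, e.g. `# TODO: drop permissive once denials have been collected on F13`, so it does not ship indefinitely. The allow set also looks too small for the daemon to survive enforcing mode: there is no rule for the device it talks to the host over (spice-vdagentd presumably uses a virtio serial port under /dev - confirm), no `self:process signal`, and no `logging_send_syslog_msg`, and the permissive flag currently hides all of that. Since the domain is declared only through `udev_system_domain`, starting the daemon from an init script (if the package ships one) would leave it in init_t rather than vdagent_t; check how it is launched and add an `init_daemon_domain` entry if both paths exist.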
@@ -41069,7 +41275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-11-02 17:15:31.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2011-03-08 15:27:05.150413000 +0000 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) @@ -41613,7 +41819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +654,12 @@ +@@ -477,6 +654,13 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -41623,10 +41829,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +userdom_manage_user_tmp_sockets(xdm_t) +userdom_manage_tmpfs_role(system_r, xdm_t) +userdom_dontaudit_getattr_user_home_content(xdm_t) ++userdom_dontaudit_write_admin_dir(xdm_t) xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -495,6 +678,12 @@ +@@ -495,6 +679,12 @@ fs_exec_cifs_files(xdm_t) ') @@ -41639,7 +41846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -508,11 +697,17 @@ +@@ -508,11 +698,17 @@ ') optional_policy(` @@ -41657,7 +41864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +715,51 @@ +@@ -520,12 +716,51 @@ ') optional_policy(` @@ -41709,7 +41916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +777,63 @@ +@@ -543,20 +778,63 @@ ') optional_policy(` 
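Review bot: `userdom_dontaudit_write_admin_dir(xdm_t)` silences denials for the display manager writing into /root without recording what provokes them, so a later reader cannot tell whether the hidden access is harmless noise or a missing allow. Add a one-line comment naming the trigger, e.g. `# xdm tries to write into /root on root logins (dotfiles) - harmless, just hide it`, with the actual case taken from the AVC that prompted the change (presumably a root login via xdm - confirm). The `vdagent_stream_connect(xdm_t)` addition further down is consistent with the new vdagent.if, but keep in mind the vdagent side is permissive in this commit, so the socket connection is only being confined on the xdm end for now.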
@@ -41775,7 +41982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +842,6 @@ +@@ -565,7 +843,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -41783,10 +41990,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +852,10 @@ +@@ -576,6 +853,14 @@ ') optional_policy(` ++ vdagent_stream_connect(xdm_t) ++') ++ ++optional_policy(` + wm_exec(xdm_t) +') + @@ -41794,7 +42005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +880,9 @@ +@@ -600,10 +885,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -41806,7 +42017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +894,18 @@ +@@ -615,6 +899,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -41825,7 +42036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +925,19 @@ +@@ -634,12 +930,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -41847,7 +42058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -647,6 +945,7 @@ +@@ -647,6 +950,7 @@ # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -41855,7 +42066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -673,7 +972,6 @@ +@@ -673,7 +977,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -41863,7 +42074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +981,12 @@ +@@ -683,9 +986,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -41877,7 +42088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +1001,13 @@ +@@ -700,8 +1006,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -41891,7 +42102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1029,14 @@ +@@ -723,11 +1034,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -41906,7 +42117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1088,28 @@ +@@ -779,12 +1093,28 @@ ') optional_policy(` 
@@ -41936,7 +42147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1136,7 @@ +@@ -811,7 +1141,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -41945,7 +42156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1157,14 @@ +@@ -832,9 +1162,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -41960,7 +42171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1179,14 @@ +@@ -849,11 +1184,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -41977,7 +42188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1332,34 @@ +@@ -999,3 +1337,34 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -47382,7 +47593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.19/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/udev.if 2011-03-04 13:01:58.267413001 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/udev.if 2011-03-08 16:58:29.797413002 +0000 @@ -1,5 +1,31 @@ ## Policy for udev. 
@@ -47451,6 +47662,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ## Create, read, write, and delete ## udev pid files. ## +@@ -213,3 +257,35 @@ + files_search_var_lib($1) + manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + ') ++ ++####################################### ++## ++## Create a domain for processes ++## which can be started by udev. ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. ++## ++## ++# ++interface(`udev_system_domain',` ++ gen_require(` ++ type udev_t; ++ role system_r; ++ ') ++ ++ domain_type($1) ++ domain_entry_file($1, $2) ++ ++ role system_r types $1; ++ ++ domtrans_pattern(udev_t, $2, $1) ++ ++ dontaudit $1 udev_t:unix_dgram_socket { read write }; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.19/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/system/udev.te 2011-03-04 12:59:56.537413001 +0000 @@ -48293,7 +48540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-02-25 17:52:11.239507921 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-03-08 15:28:55.169413000 +0000 @@ -30,8 +30,9 @@ ') @@ -49899,7 +50146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3500,725 @@ +@@ -3111,3 +3500,743 @@ allow $1 userdomain:dbus send_msg; ') 
@@ -50028,6 +50275,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dontaudit $1 admin_home_t:dir list_dir_perms; +') + ++####################################### ++## ++## dontaudit write /root ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaudit_write_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir write; ++') ++ +######################################## +## +## Allow domain to list /root diff --git a/selinux-policy.spec b/selinux-policy.spec index d3b69cf..eac9f6a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 98%{?dist} +Release: 99%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Tue Mar 8 2011 Miroslav Grepl 3.7.19-99 +- Fixes for ssh_keygen policy +- Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain +- Backport spice vdagent policy + * Fri Mar 4 2011 Miroslav Grepl 3.7.19-98 - Backport sandbox and seunshare policy from F15 - Allow rpm setfcap capability
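Review bot: The summary of the new `userdom_dontaudit_write_admin_dir` interface, `dontaudit write /root`, breaks the wording convention of its neighbours in this file (`Allow domain to list /root` and similar full sentences); write it as `Do not audit attempts to write to the /root directory.` The rule body, `dontaudit $1 admin_home_t:dir write;`, mirrors the other `*_dontaudit_*` helpers here and is fine as is.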