From 2f8981a987796b1b22d59e6f14a9186ca2b1d06c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 08 2013 08:40:08 +0000 Subject: * Fri Nov 08 2013 Lukas Vrabec 3.12.1-74.12 - Fixed userdom_dontaudit_delete_user_tmp_files - Add auth_exec_chkpwd interface - Add interface to dontaudit attempts to delete user_tmp_t files on thumbnails - Add tcp/8893 as milter port - Dontaudit leaked write descriptor to dmesg - Add rpc_kill_rpcd interface - Dontaudit attempts to write/delete user_tmp_t files - Dontaudit attempts by system_mail to modify network config - Allow ipc_lock for abrt to run journalctl. - Update zoneminder policy - Add policy for motion service - Allow glusterd_t to mounton glusterd_tmp_t - Allow glusterd to unmout al filesystems - Allow xenstored to read virt config --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index e12252e..2d1878f 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -1490,7 +1490,7 @@ index d6cc2d9..0685b19 100644 + +/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..ff164b3 100644 +index 72bc6d8..17357e5 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -9,6 +9,10 @@ type dmesg_t; @@ -1504,7 +1504,7 @@ index 72bc6d8..ff164b3 100644 ######################################## # # Local policy -@@ -19,6 +23,7 @@ dontaudit dmesg_t self:capability sys_tty_config; +@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config; allow dmesg_t self:process signal_perms; 
@@ -1512,20 +1512,22 @@ index 72bc6d8..ff164b3 100644 kernel_read_kernel_sysctls(dmesg_t) kernel_read_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t) -@@ -27,6 +32,7 @@ kernel_list_proc(dmesg_t) + kernel_change_ring_buffer_level(dmesg_t) + kernel_list_proc(dmesg_t) kernel_read_proc_symlinks(dmesg_t) ++kernel_dontaudit_write_kernel_sysctl(dmesg_t) dev_read_sysfs(dmesg_t) +dev_read_kmsg(dmesg_t) fs_search_auto_mountpoints(dmesg_t) -@@ -44,10 +50,13 @@ init_use_script_ptys(dmesg_t) +@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t) logging_send_syslog_msg(dmesg_t) logging_write_generic_logs(dmesg_t) -miscfiles_read_localization(dmesg_t) - +- userdom_dontaudit_use_unpriv_user_fds(dmesg_t) -userdom_use_user_terminals(dmesg_t) +userdom_use_inherited_user_terminals(dmesg_t) @@ -5424,7 +5426,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..5df4efc 100644 +index 4edc40d..12b06be 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5618,7 +5620,7 @@ index 4edc40d..5df4efc 100644 network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) -network_port(milter) # no defined portcon -+network_port(milter, tcp, 8891, s0) # no defined portcon ++network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) network_port(monopd, tcp,1234,s0) @@ -21225,7 +21227,7 @@ index d1f64a0..9a5dab5 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..15e1047 100644 +index 6bf0ecc..307cefc 100644 --- a/policy/modules/services/xserver.if 
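Review bot: The new `++kernel_dontaudit_write_kernel_sysctl(dmesg_t)` line in the dmesg.te region of this hunk silences a write denial without recording which caller leaks a writable sysctl descriptor into dmesg_t, so a later reader cannot tell a closed leak from an open one. A dontaudit on a write permission also removes the only evidence of that leak from the audit log, which is the signal a defender would want when the leaking program changes. Suggest a comment above the rule naming the source, e.g. `# leaked writable /proc/sys fd inherited from <leaking domain — TODO confirm>`, so the dontaudit can be dropped once the caller closes its descriptors.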
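Review bot: In the corenetwork.te.in hunk, `++network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon` now defines two portcons while its trailing comment still claims none is defined, which is the kind of stale note that later audits of the port map act on. The comment should go, `network_port(milter, tcp, 8891, s0, tcp, 8893, s0)`, or be replaced by one naming which milter implementation listens on 8893 if that is known.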
+++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21712,19 +21714,18 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +817,91 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t, xdm_tmp_t, xdm_var_run_t; -+ type xdm_dbusd_t; ') files_search_tmp($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + files_search_pids($1) -+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } ) ++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) +') + +######################################## @@ -21807,7 +21808,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -793,6 +926,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +925,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -21833,7 +21834,7 @@ index 6bf0ecc..15e1047 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +958,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +957,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -21860,7 +21861,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -846,7 +1016,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1015,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -21888,7 +21889,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -869,6 +1058,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1057,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## 
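Review bot: `++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)` in `xserver_stream_connect_xdm` drops `xdm_dbusd_t` from the peer set, which is only correct because the same commit makes that type an alias, `++type xdm_t alias xdm_dbusd_t;`, in the `@@ -22938,10 +22939,11 @@` hunk of xserver.te, and deletes the xdm_dbusd_t-specific rules in the `@@ -23614,29 +23618,12 @@` hunk. Merging the display manager's dbus-daemon into xdm_t means it now holds everything xdm_t holds (an `auth_login_pgm_domain`, and from this commit `application_exec(xdm_t)`) instead of the narrow connectto/read-fonts/append-log set the removed rules granted, so the trade-off deserves to be written down where the alias is declared. Suggest a comment on the alias line, e.g. `# xdm_dbusd_t folded into xdm_t; alias kept only for policies that still reference the old type`, and a matching sentence in this interface's summary so callers know a single domain is reached.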
@@ -21913,7 +21914,7 @@ index 6bf0ecc..15e1047 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',` +@@ -938,10 +1144,29 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -21945,7 +21946,7 @@ index 6bf0ecc..15e1047 100644 ## ## Do not audit attempts to write the X server ## log files. -@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1182,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -21954,7 +21955,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1229,64 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -22019,7 +22020,7 @@ index 6bf0ecc..15e1047 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1300,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22028,7 +22029,7 @@ index 6bf0ecc..15e1047 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1362,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -22071,7 +22072,7 @@ index 6bf0ecc..15e1047 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1412,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22080,7 +22081,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1430,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') 
@@ -22092,7 +22093,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -22118,7 +22119,7 @@ index 6bf0ecc..15e1047 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -22145,7 +22146,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -22154,7 +22155,7 @@ index 6bf0ecc..15e1047 100644 ## ## ## -@@ -1261,13 +1622,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -22179,7 +22180,7 @@ index 6bf0ecc..15e1047 100644 ') ######################################## -@@ -1284,10 +1655,623 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -22806,7 +22807,7 @@ index 6bf0ecc..15e1047 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..2967b77 100644 +index 2696452..2855251 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` 
@@ -22938,10 +22939,11 @@ index 2696452..2967b77 100644 fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) +-type xdm_t; +type xdm_unconfined_exec_t; +application_executable_file(xdm_unconfined_exec_t) + - type xdm_t; ++type xdm_t alias xdm_dbusd_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) @@ -23389,7 +23391,7 @@ index 2696452..2967b77 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +637,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +637,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23416,6 +23418,8 @@ index 2696452..2967b77 100644 +init_dbus_chat(xdm_t) +init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x") +init_status(xdm_t) ++ ++application_exec(xdm_t) libs_exec_lib_files(xdm_t) +libs_exec_ldconfig(xdm_t) @@ -23436,7 +23440,7 @@ index 2696452..2967b77 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +682,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +684,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23587,7 +23591,7 @@ index 2696452..2967b77 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +833,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +835,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` 
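Review bot: `++application_exec(xdm_t)` in the `@@ -23416,6 +23418,8 @@` hunk lets xdm_t run every file carrying the application executable attribute in its own domain — presumably the whole `application_exec_type` set, TODO confirm against application.if — and nothing on the line says which program needed it. Because this commit also aliases xdm_dbusd_t onto xdm_t, the grant reaches the display manager's dbus-daemon as well, so a narrower interface for the specific executable, or at least a comment such as `# needed to run <program — TODO confirm> from the greeter session`, would keep the domain's reach reviewable.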
@@ -23614,29 +23618,12 @@ index 2696452..2967b77 100644 ') optional_policy(` -@@ -514,12 +860,73 @@ optional_policy(` +@@ -514,12 +862,56 @@ optional_policy(` ') optional_policy(` -+ # Use dbus to start other processes as xdm_t -+ dbus_role_template(xdm, system_r, xdm_t) -+ dbus_system_bus_client(xdm_dbusd_t) + dbus_system_bus_client(xdm_t) + -+ application_dontaudit_exec(xdm_dbusd_t) -+ #fixes for xfce4-notifyd -+ allow xdm_dbusd_t self:unix_stream_socket connectto; -+ allow xdm_dbusd_t xserver_t:unix_stream_socket connectto; -+ -+ -+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; -+ xserver_xdm_append_log(xdm_dbusd_t) -+ xserver_read_xdm_pid(xdm_dbusd_t) -+ -+ miscfiles_read_fonts(xdm_dbusd_t) -+ -+ corecmd_bin_entry_type(xdm_t) -+ + optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') @@ -23688,7 +23675,7 @@ index 2696452..2967b77 100644 hostname_exec(xdm_t) ') -@@ -537,28 +944,78 @@ optional_policy(` +@@ -537,28 +929,78 @@ optional_policy(` ') optional_policy(` @@ -23776,7 +23763,7 @@ index 2696452..2967b77 100644 ') optional_policy(` -@@ -570,6 +1027,14 @@ optional_policy(` +@@ -570,6 +1012,14 @@ optional_policy(` ') optional_policy(` @@ -23791,7 +23778,7 @@ index 2696452..2967b77 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1059,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1044,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23804,7 +23791,7 @@ index 2696452..2967b77 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1076,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1061,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23820,7 +23807,7 @@ index 2696452..2967b77 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1092,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1077,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23831,7 +23818,7 @@ index 2696452..2967b77 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1107,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1092,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23853,7 +23840,7 @@ index 2696452..2967b77 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1127,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1112,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23867,7 +23854,7 @@ index 2696452..2967b77 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1153,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1138,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23899,7 +23886,7 @@ index 2696452..2967b77 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1185,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1170,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23917,7 +23904,7 @@ index 2696452..2967b77 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1208,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1193,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23941,7 +23928,7 @@ index 2696452..2967b77 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1227,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1212,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23950,7 +23937,7 @@ index 2696452..2967b77 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1271,44 @@ optional_policy(` +@@ -775,16 +1256,44 @@ optional_policy(` ') optional_policy(` 
@@ -23996,7 +23983,7 @@ index 2696452..2967b77 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1317,10 @@ optional_policy(` +@@ -793,6 +1302,10 @@ optional_policy(` ') optional_policy(` @@ -24007,7 +23994,7 @@ index 2696452..2967b77 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1321,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -24021,7 +24008,7 @@ index 2696452..2967b77 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1332,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -24030,7 +24017,7 @@ index 2696452..2967b77 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1360,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1345,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24065,7 +24052,7 @@ index 2696452..2967b77 100644 ') optional_policy(` -@@ -902,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1410,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -24074,7 +24061,7 @@ index 2696452..2967b77 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1479,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1464,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -24106,7 +24093,7 @@ index 2696452..2967b77 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1510,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -24521,7 +24508,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..a2ab7c9 100644 +index 3efd5b6..f0151a8 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -24744,7 +24731,32 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -448,6 +504,25 @@ interface(`auth_run_chk_passwd',` +@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',` + + ######################################## + ## ++## Execute chkpwd in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`auth_exec_chkpwd',` ++ gen_require(` ++ type chkpwd_exec_t; ++ ') ++ ++ allow $1 chkpwd_exec_t:file execute; ++') ++ ++######################################## ++## + ## Execute chkpwd programs in the chkpwd domain. + ## + ## +@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; 
@@ -24770,7 +24782,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -467,7 +542,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -24778,7 +24790,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -664,6 +738,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -24789,7 +24801,7 @@ index 3efd5b6..a2ab7c9 100644 ') ####################################### -@@ -763,7 +841,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -24841,7 +24853,7 @@ index 3efd5b6..a2ab7c9 100644 ') ####################################### -@@ -824,9 +945,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -24872,7 +24884,7 @@ index 3efd5b6..a2ab7c9 100644 ## ## ## -@@ -834,12 +975,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -24903,7 +24915,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -854,15 +1010,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -24922,7 +24934,7 @@ index 3efd5b6..a2ab7c9 100644 ## ## ## -@@ -875,13 +1031,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',` ## ## # @@ -24960,7 +24972,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -959,9 +1135,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -24994,7 +25006,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -1040,6 +1237,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -25005,7 +25017,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -1176,6 +1377,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -25013,7 +25025,7 @@ index 3efd5b6..a2ab7c9 100644 ') ####################################### -@@ -1576,6 +1778,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -25039,7 +25051,7 @@ index 3efd5b6..a2ab7c9 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1947,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -25065,7 +25077,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -1767,11 +1971,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -25082,7 +25094,7 @@ index 3efd5b6..a2ab7c9 100644 ') ######################################## -@@ -1805,3 +2011,241 @@ interface(`auth_unconfined',` +@@ -1805,3 +2029,241 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -39251,7 +39263,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..db184a5 100644 +index 3c5dba7..a44c781 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -41784,7 +41796,7 @@ index 3c5dba7..db184a5 100644 ') ######################################## -@@ -3272,7 +3977,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3977,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41813,6 +41825,25 @@ index 3c5dba7..db184a5 100644 + +######################################## +## ++## Do not audit attempts to delete users ++## temporary files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_delete_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:file delete_file_perms; ++') ++ ++######################################## ++## +## Do not audit attempts to read/write users +## temporary fifo files. +## @@ -41850,7 +41881,7 @@ index 3c5dba7..db184a5 100644 ') ######################################## -@@ -3290,7 +4052,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4071,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41859,7 +41890,7 @@ index 3c5dba7..db184a5 100644 ') ######################################## -@@ -3309,6 +4071,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4090,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
@@ -41867,97 +41898,82 @@ index 3c5dba7..db184a5 100644 kernel_search_proc($1) ') -@@ -3385,6 +4148,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,27 +4167,27 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') +-######################################## +####################################### -+## + ## +-## Send a SIGCHLD signal to all user domains. +## Send signull to all user domains. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`userdom_sigchld_all_users',` +- gen_require(` +- attribute userdomain; +- ') +interface(`userdom_signull_all_users',` + gen_require(` + attribute userdomain; + ') -+ + +- allow $1 userdomain:process sigchld; + allow $1 userdomain:process signull; -+') -+ -+######################################## -+## -+## Send kill signals to all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_kill_all_users',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process sigkill; -+') -+ - ######################################## - ## - ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4204,7 @@ interface(`userdom_sigchld_all_users',` + ') ######################################## ## -## Create keys for all user domains. -+## Read keys for all user domains. ++## Send kill signals to all user domains. ## ## ## -@@ -3413,17 +4212,17 @@ interface(`userdom_sigchld_all_users',` +@@ -3413,17 +4195,17 @@ interface(`userdom_sigchld_all_users',` ## ## # -interface(`userdom_create_all_users_keys',` -+interface(`userdom_read_all_users_keys',` ++interface(`userdom_kill_all_users',` gen_require(` attribute userdomain; ') - allow $1 userdomain:key create; -+ allow $1 userdomain:key read; ++ allow $1 userdomain:process sigkill; ') ######################################## ## -## Send a dbus message to all user domains. -+## Create keys for all user domains. 
++## Send a SIGCHLD signal to all user domains. ## ## ## -@@ -3431,11 +4230,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4213,1552 @@ interface(`userdom_create_all_users_keys',` ## ## # -interface(`userdom_dbus_send_all_users',` -+interface(`userdom_create_all_users_keys',` - gen_require(` - attribute userdomain; -- class dbus send_msg; - ') - -- allow $1 userdomain:dbus send_msg; -+ allow $1 userdomain:key create; ++interface(`userdom_sigchld_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process sigchld; +') + +######################################## +## -+## Send a dbus message to all user domains. ++## Read keys for all user domains. +## +## +## @@ -41965,13 +41981,49 @@ index 3c5dba7..db184a5 100644 +## +## +# -+interface(`userdom_dbus_send_all_users',` ++interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; -+ class dbus send_msg; + ') + -+ allow $1 userdomain:dbus send_msg; ++ allow $1 userdomain:key read; ++') ++ ++######################################## ++## ++## Create keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_create_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key create; ++') ++ ++######################################## ++## ++## Send a dbus message to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dbus_send_all_users',` + gen_require(` + attribute userdomain; + class dbus send_msg; + ') + + allow $1 userdomain:dbus send_msg; + ps_process_pattern($1, userdomain) +') + diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index dc594fa..dfef892 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -520,7 +520,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..2b3de55 100644 +index cc43d25..e997e0f 100644 --- a/abrt.te +++ b/abrt.te 
@@ -1,4 +1,4 @@ @@ -685,7 +685,7 @@ index cc43d25..2b3de55 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; -+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace }; ++allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + @@ -4677,7 +4677,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..19bd545 100644 +index 1a82e29..25fbcc6 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -6034,7 +6034,7 @@ index 1a82e29..19bd545 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1072,170 @@ optional_policy(` +@@ -877,65 +1072,171 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6045,6 +6045,7 @@ index 1a82e29..19bd545 100644 +') + +optional_policy(` ++ zoneminder_append_log(httpd_t) + zoneminder_manage_lib_dirs(httpd_t) + zoneminder_manage_lib_files(httpd_t) +') @@ -6227,7 +6228,7 @@ index 1a82e29..19bd545 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1245,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6382,7 +6383,7 @@ index 1a82e29..19bd545 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1328,104 @@ optional_policy(` +@@ -1077,172 +1329,104 @@ optional_policy(` ') ') 
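Review bot: `ipc_lock` is added to abrt_t's unconditional capability set in the `@@ -685,7 +685,7 @@` hunk of abrt.te, but the changelog ties it to running journalctl and nothing on the line records that, so the capability will outlive its reason. Suggest `# ipc_lock: needed when abrt runs journalctl` above the allow rule. Note also that the rewritten line keeps `sys_ptrace` in the allow set while the following `dontaudit abrt_t self:capability { sys_rawio sys_ptrace };` still lists it; the dontaudit entry is dead as long as the allow stands and one of the two should go.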
@@ -6618,7 +6619,7 @@ index 1a82e29..19bd545 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6715,7 +6716,7 @@ index 1a82e29..19bd545 100644 ######################################## # -@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6732,7 +6733,7 @@ index 1a82e29..19bd545 100644 ') ######################################## -@@ -1324,49 +1524,38 @@ optional_policy(` +@@ -1324,49 +1525,38 @@ optional_policy(` # User content local policy # @@ -6797,7 +6798,7 @@ index 1a82e29..19bd545 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1566,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -25590,10 +25591,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..930cbee +index 0000000..d6a2e10 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,171 @@ +@@ -0,0 +1,187 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25651,7 +25652,8 @@ index 0000000..930cbee +# Local policy +# + -+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search kill fowner setuid net_admin }; ++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin }; ++ +allow glusterd_t self:capability2 block_suspend; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms }; +allow glusterd_t self:fifo_file rw_fifo_file_perms; 
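Review bot: The `@@ -25680,6 +25683,7 @@` hunk of glusterd.te adds a commented-out rule, `+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)`; dead rules in a policy module tend to be un-commented later without review, so it should be dropped or, if socket files under glusterd_var_lib_t are a known need, replaced by a comment stating why the grant is withheld. In the `@@ -25590,10 +25591,10 @@` hunk, `fsetid` and `setgid` join a capability set that already holds `sys_admin`, `net_admin` and `dac_override` with no comment; a short reason per addition, e.g. `# setgid/fsetid: <operation that needs them — TODO confirm>`, keeps the set auditable.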
@@ -25666,6 +25668,7 @@ index 0000000..930cbee +manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) ++allow glusterd_t glusterd_tmp_t:dir mounton; + +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) @@ -25680,6 +25683,7 @@ index 0000000..930cbee + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) + +can_exec(glusterd_t, glusterd_exec_t) @@ -25720,6 +25724,7 @@ index 0000000..930cbee +corenet_sendrecv_all_client_packets(glusterd_t) +corenet_tcp_bind_all_unreserved_ports(glusterd_t) +corenet_tcp_connect_all_unreserved_ports(glusterd_t) ++corenet_tcp_connect_ssh_port(glusterd_t) + +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) @@ -25729,6 +25734,7 @@ index 0000000..930cbee +domain_use_interactive_fds(glusterd_t) + +fs_mount_all_fs(glusterd_t) ++fs_unmount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) + +files_mounton_mnt(glusterd_t) @@ -25740,6 +25746,7 @@ index 0000000..930cbee +fs_getattr_all_fs(glusterd_t) + +logging_send_syslog_msg(glusterd_t) ++libs_exec_ldconfig(glusterd_t) + +miscfiles_read_localization(glusterd_t) +miscfiles_read_public_files(glusterd_t) @@ -25747,6 +25754,7 @@ index 0000000..930cbee +userdom_manage_user_home_dirs(glusterd_t) +userdom_filetrans_home_content(glusterd_t) + ++mount_domtrans(glusterd_t) +tunable_policy(`gluster_anon_write',` + miscfiles_manage_public_files(glusterd_t) +') 
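Review bot: `mount_domtrans(glusterd_t)` is added as a bare rule, jammed between the userdom lines and the `gluster_anon_write` tunable_policy block with no blank line, and without an optional_policy wrapper, unlike the rpc, rsync and ssh calls further down in the same file; if mount is built as a separate module in this tree, the module will fail to link whenever mount is absent, so wrap it in an optional_policy block and give it its own paragraph. The other single-line additions in this run of hunks, `corenet_tcp_connect_ssh_port(glusterd_t)`, `fs_unmount_all_fs(glusterd_t)` and `libs_exec_ldconfig(glusterd_t)`, carry no explanation either; a one-line why on each (presumably geo-replication for the ssh port, but that is inferred) would save the next reader a git-blame. The commented-out `#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)` is dead code; drop it or say why it is being kept.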
@@ -25764,6 +25772,15 @@ index 0000000..930cbee + +optional_policy(` + rpc_domtrans_rpcd(glusterd_t) ++ rpc_kill_rpcd(glusterd_t) ++') ++ ++optional_policy(` ++ rsync_exec(glusterd_t) ++') ++ ++optional_policy(` ++ ssh_exec(glusterd_t) +') diff --git a/glusterfs.fc b/glusterfs.fc deleted file mode 100644 
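Review bot: The two new optional blocks `rsync_exec(glusterd_t)` and `ssh_exec(glusterd_t)` run the ssh and rsync binaries inside glusterd_t rather than transitioning, so whatever keys and known_hosts the ssh client reads are accessed with glusterd_t's own permissions, which this file already extends to `userdom_manage_user_home_dirs` and `fs_mount_all_fs`; that is a deliberate widening and should carry a comment naming the feature that needs it (the new ssh-port connect rule suggests geo-replication, but that is inferred) instead of two anonymous blocks. If a dedicated client domain is viable it would keep key handling out of the daemon's domain; if it is not, say so in the comment so the choice is not revisited blindly. `rpc_kill_rpcd(glusterd_t)` is fine as added, but the interface only grants sigkill, so a TERM-first shutdown of rpcd from glusterd would still be denied if that is what the daemon attempts.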
@@ -39063,6 +39080,290 @@ index 4462c0e..84944d1 100644 sysnet_dns_name_resolve(monopd_t) userdom_dontaudit_use_unpriv_user_fds(monopd_t) +diff --git a/motion.fc b/motion.fc +new file mode 100644 +index 0000000..7415106 +--- /dev/null ++++ b/motion.fc +@@ -0,0 +1,9 @@ ++/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0) ++ ++/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0) ++ ++/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0) ++ ++/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0) ++ ++/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0) +diff --git a/motion.if b/motion.if +new file mode 100644 +index 0000000..1b1b04c +--- /dev/null ++++ b/motion.if +@@ -0,0 +1,193 @@ ++ ++## Detect motion using a video4linux device ++ ++######################################## ++## ++## Execute TEMPLATE in the motion domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`motion_domtrans',` ++ gen_require(` ++ type motion_t, motion_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, motion_exec_t, motion_t) ++') ++######################################## ++## ++## Read motion's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`motion_read_log',` ++ gen_require(` ++ type motion_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, motion_log_t, motion_log_t) ++') ++ ++######################################## ++## ++## Append to motion log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`motion_append_log',` ++ gen_require(` ++ type motion_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, motion_log_t, motion_log_t) ++') ++ ++######################################## ++## ++## Manage motion log files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`motion_manage_log',` ++ gen_require(` ++ type motion_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, motion_log_t, motion_log_t) ++ manage_files_pattern($1, motion_log_t, motion_log_t) ++ manage_lnk_files_pattern($1, motion_log_t, motion_log_t) ++') ++ ++######################################## ++## ++## Manage motion pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`motion_manage_pid',` ++ gen_require(` ++ type motion_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t) ++ manage_files_pattern($1, motion_var_run_t, motion_var_run_t) ++') ++ ++######################################## ++## ++## Manage motion data files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`motion_manage_data',` ++ gen_require(` ++ type motion_data_t; ++ ') ++ ++ manage_dirs_pattern($1, motion_data_t, motion_data_t) ++ manage_files_pattern($1, motion_data_t, motion_data_t) ++') ++ ++######################################## ++## ++## Execute motion server in the motion domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`motion_systemctl',` ++ gen_require(` ++ type motion_t; ++ type motion_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 motion_unit_file_t:file read_file_perms; ++ allow $1 motion_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, motion_t) ++') ++ ++######################################## ++## ++## Manage all motion files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`motion_manage_all_files',` ++ ++ motion_manage_log($1) ++ motion_manage_pid($1) ++ motion_manage_data($1) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an motion environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`motion_admin',` ++ gen_require(` ++ type motion_t; ++ type motion_log_t; ++ type motion_unit_file_t; ++ ') ++ ++ allow $1 motion_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, motion_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, motion_log_t) ++ ++ motion_systemctl($1) ++ admin_pattern($1, motion_unit_file_t) ++ allow $1 motion_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/motion.te b/motion.te +new file mode 100644 +index 0000000..b694afc +--- /dev/null ++++ b/motion.te +@@ -0,0 +1,64 @@ ++policy_module(motion, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type motion_t; ++type motion_exec_t; ++init_daemon_domain(motion_t, motion_exec_t) ++ ++type motion_log_t; ++logging_log_file(motion_log_t) ++ ++type motion_unit_file_t; ++systemd_unit_file(motion_unit_file_t) ++ ++type motion_var_run_t; ++files_pid_file(motion_var_run_t) ++ ++type motion_data_t; ++files_type(motion_data_t) ++ ++######################################## ++# ++# motion local policy ++# ++allow motion_t self:udp_socket { create connect getattr }; ++allow motion_t self:tcp_socket { bind create setopt listen }; ++allow motion_t self:netlink_route_socket r_netlink_socket_perms; ++ ++manage_dirs_pattern(motion_t, motion_log_t, motion_log_t) ++manage_files_pattern(motion_t, motion_log_t, motion_log_t) ++logging_log_filetrans(motion_t, motion_log_t, { dir file }) ++ ++manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t) ++manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t) ++files_pid_filetrans(motion_t, motion_var_run_t, { dir file }) ++ ++manage_dirs_pattern(motion_t, motion_data_t, motion_data_t) ++manage_files_pattern(motion_t, motion_data_t, motion_data_t) ++files_var_filetrans(motion_t, motion_data_t, { dir file }) ++ ++corenet_tcp_bind_http_cache_port(motion_t) 
++corenet_tcp_bind_transproxy_port(motion_t) ++corenet_tcp_connect_http_port(motion_t) ++corenet_tcp_bind_generic_node(motion_t) ++ ++dev_read_video_dev(motion_t) ++dev_write_video_dev(motion_t) ++ ++domain_use_interactive_fds(motion_t) ++ ++logging_send_syslog_msg(motion_t) ++ ++sysnet_read_config(motion_t) ++ ++userdom_home_manager(motion_t) ++ ++optional_policy(` ++ zoneminder_domtrans(motion_t) ++ zoneminder_manage_lib_files(motion_t) ++') ++ diff --git a/mozilla.fc b/mozilla.fc index 6ffaba2..d1f0fda 100644 --- a/mozilla.fc @@ -42491,7 +42792,7 @@ index ed81cac..566684a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..363dd67 100644 +index afd2fad..4ab8177 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -42521,7 +42822,7 @@ index afd2fad..363dd67 100644 type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -43,178 +43,78 @@ role system_r types system_mail_t; +@@ -43,178 +43,79 @@ role system_r types system_mail_t; mta_base_mail_template(user) typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; @@ -42655,11 +42956,12 @@ index afd2fad..363dd67 100644 +# newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; - +- -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) - -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) -- ++dontaudit system_mail_t self:capability net_admin; + allow system_mail_t mail_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward") @@ -42736,7 +43038,7 @@ index afd2fad..363dd67 100644 ') optional_policy(` -@@ -223,18 +123,18 @@ optional_policy(` +@@ -223,18 +124,18 @@ optional_policy(` ') optional_policy(` 
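Review bot: motion.if spells the same systemd interface two ways: `motion_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `motion_admin` calls `systemd_read_fifo_file_passwd_run($1)`; only one of those can be defined in systemd.if, and the other will be left unexpanded by m4 and break every module that calls it, so use the spelling systemd.if actually defines in both places. `motion_admin` also covers only the log and unit file; it should call `motion_manage_all_files($1)`, which is declared just above it, so pid and data files are administrable as well. In motion.te, `userdom_home_manager(motion_t)` appears to give a video-capture daemon management of user home content; if that exists only to support a configurable output directory, a tunable or a dedicated content type would be narrower. Minor documentation: `motion_domtrans` still says "Execute TEMPLATE in the motion domain", and `motion_systemctl` reuses "Execute motion server in the motion domain" although it grants systemctl access rather than a transition; both summaries should say what the interface actually does.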
@@ -42758,7 +43060,7 @@ index afd2fad..363dd67 100644 courier_manage_spool_dirs(system_mail_t) courier_manage_spool_files(system_mail_t) courier_rw_spool_pipes(system_mail_t) -@@ -245,13 +145,8 @@ optional_policy(` +@@ -245,13 +146,8 @@ optional_policy(` ') optional_policy(` @@ -42773,7 +43075,7 @@ index afd2fad..363dd67 100644 fail2ban_rw_inherited_tmp_files(system_mail_t) ') -@@ -264,10 +159,15 @@ optional_policy(` +@@ -264,10 +160,15 @@ optional_policy(` ') optional_policy(` @@ -42789,7 +43091,7 @@ index afd2fad..363dd67 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -278,6 +178,15 @@ optional_policy(` +@@ -278,6 +179,15 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -42805,7 +43107,7 @@ index afd2fad..363dd67 100644 ') optional_policy(` -@@ -293,42 +202,36 @@ optional_policy(` +@@ -293,42 +203,36 @@ optional_policy(` ') optional_policy(` @@ -42858,7 +43160,7 @@ index afd2fad..363dd67 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -42907,7 +43209,7 @@ index afd2fad..363dd67 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +276,165 @@ optional_policy(` +@@ -387,24 +277,165 @@ optional_policy(` ######################################## # @@ -72206,7 +72508,7 @@ index a6fb30c..b0c22f7 100644 +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + 
diff --git a/rpc.if b/rpc.if -index 3bd6446..8bde316 100644 +index 3bd6446..a6e9e6d 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -72406,7 +72708,7 @@ index 3bd6446..8bde316 100644 ## ## ## -@@ -167,120 +239,108 @@ interface(`rpc_initrc_domtrans_nfsd',` +@@ -167,120 +239,126 @@ interface(`rpc_initrc_domtrans_nfsd',` ## ## # @@ -72420,29 +72722,40 @@ index 3bd6446..8bde316 100644 - corecmd_search_bin($1) - domtrans_pattern($1, rpcd_exec_t, rpcd_t) --') + systemd_exec_systemctl($1) + allow $1 nfsd_unit_file_t:file read_file_perms; + allow $1 nfsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, nfsd_t) + ') -####################################### --## ++######################################## + ## -## Execute rpcd init scripts in -## the initrc domain. --## --## ++## Send kill signals to rpcd. + ## + ## -## -## Domain allowed to transition. -## --## --# ++## ++## Domain allowed access. ++## + ## + # -interface(`rpc_initrc_domtrans_rpcd',` - gen_require(` - type rpcd_initrc_exec_t; - ') -- ++interface(`rpc_kill_rpcd',` ++ gen_require(` ++ type rpcd_t; ++ ') + - init_labeled_script_domtrans($1, rpcd_initrc_exec_t) -+ ps_process_pattern($1, nfsd_t) ++ allow $1 rpcd_t:process sigkill; ') ######################################## @@ -72569,7 +72882,7 @@ index 3bd6446..8bde316 100644 ## ## ## -@@ -312,7 +372,7 @@ interface(`rpc_udp_send_nfs',` +@@ -312,7 +390,7 @@ interface(`rpc_udp_send_nfs',` ######################################## ## @@ -72578,7 +72891,7 @@ index 3bd6446..8bde316 100644 ## ## ## -@@ -326,12 +386,12 @@ interface(`rpc_search_nfs_state_data',` +@@ -326,12 +404,12 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) @@ -72593,7 +72906,7 @@ index 3bd6446..8bde316 100644 ## ## ## -@@ -339,19 +399,18 @@ interface(`rpc_search_nfs_state_data',` +@@ -339,19 +417,18 @@ interface(`rpc_search_nfs_state_data',` ## ## # 
@@ -72616,7 +72929,7 @@ index 3bd6446..8bde316 100644 ## ## ## -@@ -359,62 +418,31 @@ interface(`rpc_read_nfs_state_data',` +@@ -359,62 +436,31 @@ interface(`rpc_read_nfs_state_data',` ## ## # @@ -87628,10 +87941,10 @@ index 0000000..8b2dfff +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..17c737d +index 0000000..b34af39 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,146 @@ +@@ -0,0 +1,147 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -87729,7 +88042,8 @@ index 0000000..17c737d +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) +userdom_exec_user_home_content_files(thumb_t) -+userdom_write_user_tmp_files(thumb_t) ++userdom_dontaudit_write_user_tmp_files(thumb_t) ++userdom_dontaudit_delete_user_tmp_files(thumb_t) +userdom_read_home_audio_files(thumb_t) +userdom_home_reader(thumb_t) + @@ -95197,10 +95511,10 @@ index 7c7f7fa..dfeac3e 100644 -userdom_manage_user_home_content_files(wm_domain) -userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) diff --git a/xen.fc b/xen.fc -index 42d83b0..5f18f6e 100644 +index 42d83b0..651d1cb 100644 --- a/xen.fc +++ b/xen.fc -@@ -1,38 +1,41 @@ +@@ -1,38 +1,42 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) @@ -95227,6 +95541,7 @@ index 42d83b0..5f18f6e 100644 /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) -/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ++/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +') -/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) @@ -95526,7 +95841,7 @@ index f93558c..16e29c1 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index ed40676..0706207 100644 +index ed40676..3fe3e35 100644 --- a/xen.te +++ b/xen.te @@ -1,42 +1,34 @@ 
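Review bot: In thumb.te the commit replaces the allow `userdom_write_user_tmp_files(thumb_t)` with `userdom_dontaudit_write_user_tmp_files(thumb_t)` and `userdom_dontaudit_delete_user_tmp_files(thumb_t)`, which removes a permission the previous revision granted rather than merely quieting a log; any thumbnailer that genuinely writes scratch output into user_tmp_t will now fail silently, with no AVC to explain it. If that write was never legitimate this is the right direction, but the changelog only says "Dontaudit attempts to write/delete user_tmp_t files", so a comment above the pair, e.g. `# thumbnailers have no business writing user_tmp_t; the denials are noise`, would make the intent explicit and stop someone re-adding the allow at the next denial report.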
@@ -96045,7 +96360,7 @@ index ed40676..0706207 100644 manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t) +@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) @@ -96068,11 +96383,10 @@ index ed40676..0706207 100644 - xen_append_log(xenstored_t) - ######################################## - # +-######################################## +-# -# xm local policy -+# SSH component local policy - # +-# - -allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow xm_t self:process { getcap getsched setsched setcap signal }; @@ -96168,9 +96482,14 @@ index ed40676..0706207 100644 - optional_policy(` - cron_system_entry(xm_t, xm_exec_t) --') -- --optional_policy(` ++ virt_read_config(xenstored_t) + ') + ++######################################## ++# ++# SSH component local policy ++# + optional_policy(` - dbus_system_bus_client(xm_t) - - optional_policy(` @@ -97583,16 +97902,12 @@ index b0803c2..f1fa5f7 100644 +') diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 -index 0000000..a468da3 +index 0000000..8c61505 --- /dev/null +++ b/zoneminder.fc -@@ -0,0 +1,26 @@ -+/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) -+ +@@ -0,0 +1,13 @@ +/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) + -+/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0) -+ +/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0) + +/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0) 
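Review bot: `virt_read_config(xenstored_t)` pulls a rule from the virt module, so it must sit inside an optional_policy block; in this hunk the only visible opener near it is one the inner patch removes together with `cron_system_entry(xm_t, xm_exec_t)`, and the `')` kept as context immediately after the new line closes a block whose opener is outside the hunk, so please verify that the reconstructed xen.te both balances and actually gates this call on virt. A short comment on the new line saying why xenstored needs virt's configuration would also help, since the changelog bullet "Allow xenstored to read virt config" gives no reason.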
@@ -97601,24 +97916,15 @@ index 0000000..a468da3 + +/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) + -+/var/motion(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) -+ +/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0) + -+/var/log/motion\.log.* -- gen_context(system_u:object_r:zoneminder_log_t,s0) -+ -+/var/run/motion\.pid -- gen_context(system_u:object_r:zoneminder_var_run_t,s0) -+ +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) -+ -+ -+ diff --git a/zoneminder.if b/zoneminder.if new file mode 100644 -index 0000000..c72a70d +index 0000000..d02a6f4 --- /dev/null +++ b/zoneminder.if -@@ -0,0 +1,337 @@ +@@ -0,0 +1,374 @@ +## policy for zoneminder + +######################################## @@ -97640,6 +97946,26 @@ index 0000000..c72a70d + domtrans_pattern($1, zoneminder_exec_t, zoneminder_t) +') + ++######################################## ++## ++## Allow the specified domain to execute zoneminder ++## in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`zoneminder_exec',` ++ gen_require(` ++ type zoneminder_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, zoneminder_exec_t) ++') ++ + +######################################## +## @@ -97796,6 +98122,23 @@ index 0000000..c72a70d + manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) +') + ++######################################## ++## ++## Manage zoneminder sock_files files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_manage_lib_sock_files',` ++ gen_require(` ++ type sock_var_lib_t; ++ ') ++ files_search_var_lib($1) ++ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) ++') + +######################################## +## @@ -97958,10 +98301,10 @@ index 0000000..c72a70d + 
diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..bdb821a +index 0000000..add28f7 --- /dev/null +++ b/zoneminder.te -@@ -0,0 +1,174 @@ +@@ -0,0 +1,187 @@ +policy_module(zoneminder, 1.0.0) + +######################################## @@ -97987,6 +98330,7 @@ index 0000000..bdb821a + +gen_require(` + class passwd rootok; ++ class passwd passwd; + ') + +type zoneminder_t; @@ -98023,6 +98367,7 @@ index 0000000..bdb821a +allow zoneminder_t self:shm create_shm_perms; +allow zoneminder_t self:fifo_file rw_fifo_file_perms; +allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow zoneminder_t self:netlink_selinux_socket create_socket_perms; + +manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t) +manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t) @@ -98066,6 +98411,7 @@ index 0000000..bdb821a +dev_write_video_dev(zoneminder_t) + +auth_use_nsswitch(zoneminder_t) ++#auth_read_shadow(zoneminder_t) need to debug zmpkg.pl to see why is needed this rule. + +logging_send_syslog_msg(zoneminder_t) +logging_send_audit_msgs(zoneminder_t) @@ -98080,9 +98426,11 @@ index 0000000..bdb821a + allow zoneminder_t self:capability { setuid setgid sys_resource }; + allow zoneminder_t self:process { setrlimit setsched }; + allow zoneminder_t self:key write; -+ allow zoneminder_t self:passwd rootok; ++ allow zoneminder_t self:passwd { passwd rootok }; + + auth_rw_lastlog(zoneminder_t) ++ auth_rw_faillog(zoneminder_t) ++ auth_exec_chkpwd(zoneminder_t) + + selinux_compute_access_vector(zoneminder_t) + @@ -98108,6 +98456,14 @@ index 0000000..bdb821a + mysql_stream_connect(zoneminder_t) +') + ++optional_policy(` ++ fprintd_dbus_chat(zoneminder_t) ++') ++ ++optional_policy(` ++ motion_manage_all_files(zoneminder_t) ++') ++ +######################################## +# +# zoneminder cgi local policy diff --git a/selinux-policy.spec b/selinux-policy.spec index a3fbca8..cf7fb4e 100644 
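Review bot: The line `allow zoneminder_t self:passwd { passwd rootok };` extends the existing rootok with `passwd`, and the new `auth_exec_chkpwd(zoneminder_t)` and `auth_rw_faillog(zoneminder_t)` let the surveillance daemon run the password-check helper and assert the PAM rootok check on itself; these lines are indented inside a block whose opening is outside the hunk, so confirm they are really gated by a tunable that defaults off and add a comment naming that tunable and the zmpkg.pl code path that needs them. The `class passwd passwd;` added to the gen_require block is needed for the new permission and is fine. Leaving `#auth_read_shadow(zoneminder_t)` commented out is the right call, but a debugging note in the shipped policy invites someone to uncomment it to silence a denial; track the open question in the bug tracker instead and drop the line.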
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.11%{?dist} +Release: 74.12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Nov 08 2013 Lukas Vrabec 3.12.1-74.12 +- Fixed userdom_dontaudit_delete_user_tmp_files +- Add auth_exec_chkpwd interface +- Add interface to dontaudit attempts to delete user_tmp_t files on thumbnails +- Add tcp/8893 as milter port +- Dontaudit leaked write descriptor to dmesg +- Add rpc_kill_rpcd interface +- Dontaudit attempts to write/delete user_tmp_t files +- Dontaudit attempts by system_mail to modify network config +- Allow ipc_lock for abrt to run journalctl. +- Update zoneminder policy +- Add policy for motion service +- Allow glusterd_t to mounton glusterd_tmp_t +- Allow glusterd to unmout al filesystems +- Allow xenstored to read virt config + * Tue Oct 22 2013 Lukas Vrabec 3.12.1-74.11 - Back port piranha tmpfs fixes from RHEL6 - Fix piranha_domain_template()