From 428cbbdc9e474ca34eedd893f920353aa93e36c6 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Dec 02 2014 11:58:06 +0000 Subject: * Tue Dec 02 2014 Lukas Vrabec 3.12.1-74.30 - Allow systemd_tmpfiles_t to manage/relabel non auth files. BZ #(1139336) - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Allow boinc_t manage boinc_project_tmp_t files and dirs (#1135687) - Allow apache to communicate with zoneminder, dontaudit attempts to read utmp - Allow smoltclient to connect on http_cache port. (#982199) - Allow mozilla_plugin_t to setcap (#981796) --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index af264ba..e9f6c88 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -37516,10 +37516,10 @@ index 0000000..ba2e887 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..4015e6a +index 0000000..675f0f8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,665 @@ +@@ -0,0 +1,641 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -37820,32 +37820,8 @@ index 0000000..4015e6a +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t) +fs_list_all(systemd_tmpfiles_t) + -+files_getattr_all_dirs(systemd_tmpfiles_t) -+files_getattr_all_files(systemd_tmpfiles_t) -+files_getattr_all_sockets(systemd_tmpfiles_t) -+files_getattr_all_symlinks(systemd_tmpfiles_t) -+files_relabel_all_lock_dirs(systemd_tmpfiles_t) -+files_relabel_all_lock_files(systemd_tmpfiles_t) -+files_relabel_all_pid_dirs(systemd_tmpfiles_t) -+files_relabel_all_pid_files(systemd_tmpfiles_t) -+files_relabel_all_spool_dirs(systemd_tmpfiles_t) -+files_manage_all_pids(systemd_tmpfiles_t) -+files_manage_all_pid_dirs(systemd_tmpfiles_t) -+files_manage_all_locks(systemd_tmpfiles_t) -+files_read_generic_tmp_symlinks(systemd_tmpfiles_t) -+files_setattr_all_tmp_dirs(systemd_tmpfiles_t) -+files_delete_boot_flag(systemd_tmpfiles_t) -+files_delete_all_non_security_dirs(systemd_tmpfiles_t) -+files_delete_all_non_security_files(systemd_tmpfiles_t) -+files_delete_all_pid_sockets(systemd_tmpfiles_t) -+files_delete_all_pid_pipes(systemd_tmpfiles_t) -+files_purge_tmp(systemd_tmpfiles_t) -+files_manage_generic_tmp_files(systemd_tmpfiles_t) -+files_manage_generic_tmp_dirs(systemd_tmpfiles_t) -+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t) -+files_relabelfrom_tmp_files(systemd_tmpfiles_t) -+files_relabel_all_tmp_dirs(systemd_tmpfiles_t) -+files_relabel_all_tmp_files(systemd_tmpfiles_t) ++files_manage_non_auth_files(systemd_tmpfiles_t) ++files_relabel_non_auth_files(systemd_tmpfiles_t) +files_list_lost_found(systemd_tmpfiles_t) + +mls_file_read_all_levels(systemd_tmpfiles_t) @@ -39538,10 +39514,10 @@ index 0280b32..61f19e9 100644 -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..65191bd 100644 +index db75976..96bdcdd 100644 --- a/policy/modules/system/userdomain.fc 
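Review bot: The two new lines `files_manage_non_auth_files(systemd_tmpfiles_t)` and `files_relabel_non_auth_files(systemd_tmpfiles_t)` grant far more than the lock, pid and tmp interfaces they replace — as I read the interface names, they cover every file type that is not an auth/security type, i.e. most of the filesystem, and the relabel variant lets the domain change types it previously could not touch at all. If the fix for BZ 1139336 only needed a few additional paths, adding the matching `files_*` interfaces for those paths would keep the domain's reach close to what it was; if the broad grant is deliberate, please say so in a comment above the two lines, e.g. `# tmpfiles.d entries touch files outside lock/pid/tmp; non_auth scope is intentional (BZ 1139336)`. The surrounding systemd_tmpfiles_t policy continues outside this hunk.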
+++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,21 @@ +@@ -1,4 +1,23 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -39562,10 +39538,12 @@ index db75976..65191bd 100644 +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs/.* <> +HOME_DIR/\.debug(/.*)? <> ++HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0) ++HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..a44c781 100644 +index 3c5dba7..afec557 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -42260,7 +42238,7 @@ index 3c5dba7..a44c781 100644 ## ## ## -@@ -3431,11 +4213,1552 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4213,1555 @@ interface(`userdom_create_all_users_keys',` ## ## # @@ -43768,6 +43746,7 @@ index 3c5dba7..a44c781 100644 + type home_bin_t; + type audio_home_t; + type home_cert_t; ++ type user_tmp_t; + ') + + userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") @@ -43776,6 +43755,8 @@ index 3c5dba7..a44c781 100644 + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") ++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp") ++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp") +') + +######################################## @@ -43815,7 +43796,7 @@ index 3c5dba7..a44c781 100644 + dontaudit $1 user_home_type:dir_file_class_set audit_access; ') 
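Review bot: The new `HOME_DIR/\.tmp -d` and `HOME_DIR/tmp -d` entries label only the directory node, while the existing `HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)` line above still matches everything inside them, so a restorecon leaves the directory as user_tmp_t but relabels its contents to user_home_t. If ~/tmp is meant to behave like /tmp, either a `HOME_DIR/tmp/.* <<none>>` entry (as the `.gvfs` and `.debug` entries above already do) so relabels leave runtime-created content alone, or `HOME_DIR/tmp(/.*)?` if the content should carry user_tmp_t, would make the labeling consistent — which one is right depends on how content under ~/tmp is created, which this hunk does not show. The named transitions added in the userdomain.if hunk (`@@ -43776`) and the userdomain.te hunk (`@@ -44058`) create the directory itself as user_tmp_t and do not change this. A short comment next to the two entries stating the intended label of the contents would help the next reader.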
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..158e013 100644 +index e2b538b..347c102 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -43903,7 +43884,7 @@ index e2b538b..158e013 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +82,228 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +82,230 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -44058,6 +44039,8 @@ index e2b538b..158e013 100644 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp") + +optional_policy(` + gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index ef49e9c..e1e4c79 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -4679,7 +4679,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..4457dc9 100644 +index 1a82e29..f6e6154 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ 
@@ -5367,7 +5367,7 @@ index 1a82e29..4457dc9 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5480,6 +5480,8 @@ index 1a82e29..4457dc9 100644 logging_send_syslog_msg(httpd_t) -miscfiles_read_localization(httpd_t) ++init_dontaudit_read_utmp(httpd_t) ++ miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) @@ -5598,7 +5600,7 @@ index 1a82e29..4457dc9 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5658,7 +5660,7 @@ index 1a82e29..4457dc9 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5749,7 +5751,7 @@ index 1a82e29..4457dc9 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5830,7 +5832,7 @@ index 1a82e29..4457dc9 100644 ') optional_policy(` -@@ -743,14 +871,6 @@ optional_policy(` +@@ -743,14 +873,6 @@ optional_policy(` ccs_read_config(httpd_t) ') 
@@ -5845,7 +5847,7 @@ index 1a82e29..4457dc9 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +885,23 @@ optional_policy(` +@@ -765,6 +887,23 @@ optional_policy(` ') optional_policy(` @@ -5869,7 +5871,7 @@ index 1a82e29..4457dc9 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +918,47 @@ optional_policy(` +@@ -781,34 +920,47 @@ optional_policy(` ') optional_policy(` @@ -5928,7 +5930,7 @@ index 1a82e29..4457dc9 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +966,18 @@ optional_policy(` +@@ -816,8 +968,18 @@ optional_policy(` ') optional_policy(` @@ -5947,7 +5949,7 @@ index 1a82e29..4457dc9 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +986,7 @@ optional_policy(` +@@ -826,6 +988,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5955,7 +5957,7 @@ index 1a82e29..4457dc9 100644 ') optional_policy(` -@@ -836,20 +997,39 @@ optional_policy(` +@@ -836,20 +999,39 @@ optional_policy(` ') optional_policy(` @@ -6001,7 +6003,7 @@ index 1a82e29..4457dc9 100644 ') optional_policy(` -@@ -857,19 +1037,35 @@ optional_policy(` +@@ -857,19 +1039,35 @@ optional_policy(` ') optional_policy(` @@ -6037,7 +6039,7 @@ index 1a82e29..4457dc9 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1073,171 @@ optional_policy(` +@@ -877,65 +1075,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6051,6 +6053,8 @@ index 1a82e29..4457dc9 100644 + zoneminder_append_log(httpd_t) + zoneminder_manage_lib_dirs(httpd_t) + zoneminder_manage_lib_files(httpd_t) ++ zoneminder_stream_connect(httpd_t) ++ zoneminder_exec(httpd_t) +') + ######################################## 
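Review bot: `zoneminder_exec(httpd_t)` lets httpd execute zoneminder's binaries in its own domain; if that interface is the usual can_exec-style one with no domain transition, the zoneminder code then runs with everything httpd_t is allowed rather than with zoneminder's own policy, so a flaw in those helpers inherits httpd_t's reach. If a transition into the zoneminder domain is available it would be the tighter choice; if exec-in-domain is genuinely required, please add a one-line comment above the two new lines recording that reason and the changelog item it belongs to, so a later reviewer does not read it as an oversight. `zoneminder_stream_connect(httpd_t)` is the expected shape for the "communicate with zoneminder" item and needs no change. The enclosing `optional_policy(` block opens outside this hunk.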
@@ -6231,7 +6235,7 @@ index 1a82e29..4457dc9 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1246,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1250,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6386,7 +6390,7 @@ index 1a82e29..4457dc9 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1330,104 @@ optional_policy(` +@@ -1077,172 +1334,104 @@ optional_policy(` ') ') @@ -6622,7 +6626,7 @@ index 1a82e29..4457dc9 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1435,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1439,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6719,7 +6723,7 @@ index 1a82e29..4457dc9 100644 ######################################## # -@@ -1315,8 +1510,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1514,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6736,7 +6740,7 @@ index 1a82e29..4457dc9 100644 ') ######################################## -@@ -1324,49 +1526,38 @@ optional_policy(` +@@ -1324,49 +1530,38 @@ optional_policy(` # User content local policy # @@ -6801,7 +6805,7 @@ index 1a82e29..4457dc9 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1567,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1571,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9259,7 +9263,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..ae20918 100644 +index 7c92aa1..27dd0d9 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,20 @@ 
@@ -9285,7 +9289,7 @@ index 7c92aa1..ae20918 100644 type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -21,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -9364,7 +9368,11 @@ index 7c92aa1..ae20918 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + ++manage_dirs_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t) ++manage_files_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t) ++ manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -9386,11 +9394,11 @@ index 7c92aa1..ae20918 100644 -create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -logging_log_filetrans(boinc_t, boinc_log_t, file) -- --can_exec(boinc_t, boinc_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +-can_exec(boinc_t, boinc_var_lib_t) +- -domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +logging_log_filetrans(boinc_t, boinc_log_t, { file }) @@ -9461,7 +9469,7 @@ index 7c92aa1..ae20918 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +151,71 @@ init_read_utmp(boinc_t) +@@ -130,55 +154,71 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -41273,7 +41281,7 @@ index 6194b80..99effb5 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..e3036c4 100644 +index 6a306ee..95bafda 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ 
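Review bot: The new `manage_dirs_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t)` and `manage_files_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t)` lines give boinc_t full control over boinc_project_tmp_t content, but the `files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })` line just above still sends boinc_t's own /tmp creations to boinc_tmp_t, so these rules only apply to objects created by the project domain. That is presumably the intent behind #1135687 (the client handling the project tasks' tmp content), but nothing in the hunk says so; a comment above the pair such as `# boinc_t manages tmp content owned by the project domain (#1135687)` would make the trust direction explicit. If boinc_t is also expected to create files of that type, a matching filetrans is missing.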
@@ -41731,7 +41739,7 @@ index 6a306ee..e3036c4 100644 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; + -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; ++allow mozilla_plugin_t self:process { setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mozilla_plugin_t self:netlink_socket create_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; @@ -82929,10 +82937,18 @@ index a8b1aaf..4689a59 100644 netutils_domtrans_ping(httpd_smokeping_cgi_script_t) diff --git a/smoltclient.te b/smoltclient.te -index 9c8f9a5..f074b4d 100644 +index 9c8f9a5..d8d4623 100644 --- a/smoltclient.te +++ b/smoltclient.te -@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) +@@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t) + + corenet_sendrecv_http_client_packets(smoltclient_t) + corenet_tcp_connect_http_port(smoltclient_t) ++corenet_tcp_connect_http_cache_port(smoltclient_t) + corenet_tcp_sendrecv_http_port(smoltclient_t) + + dev_read_sysfs(smoltclient_t) +@@ -51,14 +52,12 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_runtime_files(smoltclient_t) @@ -82947,7 +82963,7 @@ index 9c8f9a5..f074b4d 100644 optional_policy(` abrt_stream_connect(smoltclient_t) -@@ -77,6 +75,10 @@ optional_policy(` +@@ -77,6 +76,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 12ab5e5..a22bd36 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
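Review bot: Adding `setcap` to `allow mozilla_plugin_t self:process { ... }` lets the plugin process change its own capability sets, and nothing in the hunk records why. Because the `dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };` line two lines above already silences capability probes for the same domain, the combination reads as a privilege-related change; a comment on the allow line naming the plugin component that needs setcap (the changelog cites #981796) would stop a later reader from mistaking it for a capability grant. In practice `process setcap` only permits capset() calls, and what the domain may actually use is still bounded by its `self:capability` rules, so the exposure is limited — which is exactly the point worth writing down. The rest of the mozilla_plugin_t block is outside this hunk.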
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.29%{?dist} +Release: 74.30%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -542,6 +542,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Dec 02 2014 Lukas Vrabec 3.12.1-74.30 +- Allow systemd_tmpfiles_t to manage/relabel non auth files. BZ #(1139336) +- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. +- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t +- Allow boinc_t manage boinc_project_tmp_t files and dirs (#1135687) +- Allow apache to communicate with zoneminder, dontaudit attempts to read utmp +- Allow smoltclient to connect on http_cache port. (#982199) +- Allow mozilla_plugin_t to setcap (#981796) + * Tue Aug 12 2014 Lukas Vrabec 3.12.1-74.29 - Allow sensord to send a signal. - Allow smokeping cgi script to send syslog messages (#1122163)