From 4da7659056498082e1fc5cbcf79022f54fdeb5b0 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Oct 18 2010 17:18:55 +0000
Subject: - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
---
diff --git a/.gitignore b/.gitignore
index d9cccef..c87b0e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -226,4 +226,4 @@ serefpolicy*
 /serefpolicy-3.9.3.tgz
 /serefpolicy-3.9.4.tgz
 /serefpolicy-3.9.5.tgz
-/serefpolicy-3.9.7.tgz
+/serefpolicy-3.9.6.tgz
diff --git a/modules-targeted.conf b/modules-targeted.conf
index a514c68..0a03926 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -23,7 +23,7 @@ accountsd = module # # Berkeley process accounting # -acct = base +acct = module # Layer: services # Module: ajaxterm
@@ -67,7 +67,7 @@ cpufreqselector = module # chrome = module -# Layer: modules +# Layer: module # Module: awstats # # awstats executable
@@ -717,7 +717,7 @@ howl = module # # Internet services daemon. # -inetd = base +inetd = module # Layer: system # Module: init
@@ -759,7 +759,7 @@ irc = module # # IRQ balancing daemon # -irqbalance = base +irqbalance = module # Layer: system # Module: iscsi
@@ -1893,7 +1893,7 @@ uucp = module # # run real-mode video BIOS code to alter hardware state # -vbetool = base +vbetool = module # Layer: apps # Module: webalizer
@@ -1914,7 +1914,7 @@ xfs = module # # X windows login display manager # -xserver = base +xserver = module # Layer: services # Module: zarafa
@@ -1942,7 +1942,7 @@ usermanage = base # # Red Hat utility to change /etc/fstab. # -updfstab = base +updfstab = module # Layer: admin # Module: vpn
@@ -1956,7 +1956,7 @@ vpn = module # # run real-mode video BIOS code to alter hardware state # -vbetool = base +vbetool = module # Layer: kernel # Module: terminal
diff --git a/policy-F14.patch b/policy-F14.patch
index f52b337..7957c71 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -5812,10 +5812,10 @@ index 0000000..587c440 +') 
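Review bot: The `.gitignore` hunk replaces `/serefpolicy-3.9.7.tgz` with `/serefpolicy-3.9.6.tgz`, yet the spec hunk in this same commit keeps `Version: 3.9.7` and builds from `serefpolicy-%{version}.tgz`, so the tarball this release actually uses would no longer be ignored. The 3.9.7 entry is also the natural continuation of the ascending list the context lines show. Unless the 3.9.6 line was meant to be added rather than substituted, this looks like a stale-branch artefact; keep `/serefpolicy-3.9.7.tgz` and, if the older tarball is still around, add `/serefpolicy-3.9.6.tgz` above it instead of swapping.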
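Review bot: In the `modules-targeted.conf` hunk at `@@ -67,7 +67,7 @@`, the awstats stanza's header goes from `# Layer: modules` to `# Layer: module`, but neither is a layer name; every other stanza visible in this file names a policy layer (`services`, `apps`, `system`, `admin`, `kernel`). awstats is a services-layer module in reference policy as far as I recall, so the line should probably read `# Layer: services` — confirm against the module's path under `policy/modules/` before changing it.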
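Review bot: Seven hunks in `modules-targeted.conf` (`acct`, `inetd`, `irqbalance`, `vbetool` twice, `xserver`, `updfstab`) move a module from `base` to `module`, a change the commit message — which only mentions the sandbox home-directory tunables — does not describe. If the `base`/`module` value decides what is linked into the always-loaded base policy versus what becomes a loadable module, this changes which of these domains an administrator can disable or remove with `semodule`, and xserver and inetd in particular deserve a sentence explaining the move. The `vbetool` stanza also appears twice in this file (the hunks at `@@ -1893` and `@@ -1956`); the commit edits both copies rather than dropping the duplicate, and how a duplicated key is resolved depends on whatever consumes this file. Consider removing one of the two `vbetool` stanzas in a follow-up.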
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..89fcce3 +index 0000000..39f006a --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,408 @@ +@@ -0,0 +1,420 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6052,6 +6052,18 @@ index 0000000..89fcce3 +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs(sandbox_x_domain) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(sandbox_x_domain) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(sandbox_x_domain) ++') ++ +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + @@ -6380,10 +6392,10 @@ index 0000000..7866118 +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if new file mode 100644 -index 0000000..3d12484 +index 0000000..46368cc --- /dev/null +++ b/policy/modules/apps/telepathy.if -@@ -0,0 +1,188 @@ +@@ -0,0 +1,168 @@ + +## Telepathy framework. + @@ -6497,26 +6509,6 @@ index 0000000..3d12484 + +######################################## +## -+## Read and write Telepathy Butterfly -+## temporary files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_butterfly_rw_tmp_files', ` -+ gen_require(` -+ type telepathy_butterfly_tmp_t; -+ ') -+ -+ allow $1 telepathy_butterfly_tmp_t:file rw_file_perms; -+ files_search_tmp($1) -+') -+ -+######################################## -+## +## Stream connect to Telepathy Gabble +## +## @@ -7691,7 +7683,7 @@ index 3b2da10..7c29e17 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 99482ca..8d34173 100644 +index 99482ca..c381190 100644 
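Review bot: The three `tunable_policy` blocks added to `sandbox.te` in the hunk at `@@ -6052,6 +6052,18 @@` carry no comment, unlike the surrounding `userdom_*` calls whose names explain themselves. A one-line comment above the first block, such as `# let sandbox_x_domain traverse home directories that live on NFS, CIFS or FUSE mounts when the matching tunable is on`, would tie the grant to the commit's purpose. Note that `fs_search_nfs`, `fs_search_cifs` and `fs_search_fusefs` cover every mount of those filesystem types rather than home directories alone; that matches how the same tunables are used elsewhere in this patch (see the `use_nfs_home_dirs` block in `ssh.te` further down), but it is worth saying in the comment. The enclosing sandbox_x_domain rules start outside the hunk.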
--- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',` @@ -7887,7 +7879,32 @@ index 99482ca..8d34173 100644 ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',` +@@ -3048,24 +3192,6 @@ interface(`dev_rw_printer',` + + ######################################## + ## +-## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dev_read_printk',` +- gen_require(` +- type device_t, printk_device_t; +- ') +- +- read_chr_files_pattern($1, device_t, printk_device_t) +-') +- +-######################################## +-## + ## Get the attributes of the QEMU + ## microcode and id interfaces. + ## +@@ -3613,6 +3739,24 @@ interface(`dev_manage_smartcard',` ######################################## ## @@ -7912,7 +7929,7 @@ index 99482ca..8d34173 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',` +@@ -3755,6 +3899,24 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7937,7 +7954,7 @@ index 99482ca..8d34173 100644 ## Read from pseudo random number generator devices (e.g., /dev/urandom). ## ## -@@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',` +@@ -3924,6 +4086,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -7962,7 +7979,7 @@ index 99482ca..8d34173 100644 ## Mount a usbfs filesystem. ## ## -@@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',` +@@ -4234,11 +4414,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` @@ -16219,7 +16236,7 @@ index fa82327..7f4ca47 100644 # bind to udp/323 corenet_udp_bind_chronyd_port(chronyd_t) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if -index 1f11572..01b02f3 100644 +index 1f11572..7f6a7ab 100644 
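Review bot: The hunk at `@@ -7887,7 +7879,32 @@` makes the F14 patch delete the `dev_read_printk` interface from `devices.if` (the new `+-` lines under `+@@ -3048,24 +3192,6 @@`), and nothing else in this diff removes or replaces its callers, so any module in the patch or in upstream that still calls `dev_read_printk` would fail to build. If the interface has since been merged into upstream serefpolicy so the patch no longer needs to carry it, that is a rebase artefact worth a sentence in the commit message; if it was dropped deliberately, the callers need the same treatment. Since the interface grants read access to printk devices such as `/dev/kmsg`, the set of domains that end up with that access after this change is what should be checked before merging.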
--- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -33,6 +33,7 @@ interface(`clamav_stream_connect',` @@ -16230,6 +16247,22 @@ index 1f11572..01b02f3 100644 stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) ') +@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',` + # + interface(`clamav_append_log',` + gen_require(` +- type clamav_log_t; ++ type clamav_var_log_t; + ') + + logging_search_logs($1) +- allow $1 clamav_log_t:dir list_dir_perms; +- append_files_pattern($1, clamav_log_t, clamav_log_t) ++ allow $1 clamav_var_log_t:dir list_dir_perms; ++ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t) + ') + + ######################################## @@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',` interface(`clamav_admin',` gen_require(` @@ -18739,7 +18772,7 @@ index f706b99..ab2edfc 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..8d467c4 100644 +index f231f17..3aaa784 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) @@ -18861,7 +18894,7 @@ index f231f17..8d467c4 100644 ') optional_policy(` -+ mount_exec(devicekit_power_t) ++ mount_domtrans(devicekit_power_t) +') + +optional_policy(` @@ -18902,10 +18935,19 @@ index 5e2cea8..7e129ff 100644 ') diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te -index d4424ad..a307b51 100644 +index d4424ad..2e09383 100644 --- a/policy/modules/services/dhcp.te 
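Review bot: Replacing `mount_exec(devicekit_power_t)` with `mount_domtrans(devicekit_power_t)` in the `devicekit.te` hunk at `@@ -18861,7 +18894,7 @@` changes the privilege picture rather than just a label: the mount binary now runs in the `mount_t` domain with that domain's own permissions instead of inside devicekit_power_t, so anything that can make devicekit_power_t run mount gains whatever `mount_t` is allowed. That may well be the right call, since it keeps mount-specific permissions out of devicekit_power_t, but the hunk gives no reason and the commit message does not mention it. Add a comment naming the trigger above the call, e.g. `# devicekit-power runs mount for <reason — fill in>`, with the actual caller once it is known.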
+++ b/policy/modules/services/dhcp.te -@@ -111,6 +111,10 @@ optional_policy(` +@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t) + corenet_sendrecv_dhcpd_server_packets(dhcpd_t) + corenet_sendrecv_pxe_server_packets(dhcpd_t) + corenet_sendrecv_all_client_packets(dhcpd_t) ++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t) ++corenet_udp_bind_all_unreserved_ports(dhcpd_t) + + dev_read_sysfs(dhcpd_t) + dev_read_rand(dhcpd_t) +@@ -111,6 +113,10 @@ optional_policy(` ') optional_policy(` @@ -28038,7 +28080,7 @@ index 29b9295..2a70dd1 100644 pyzor_signal(procmail_t) ') diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if -index bc329d1..d1a3745 100644 +index bc329d1..f040c20 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if @@ -91,7 +91,6 @@ interface(`psad_manage_config',` @@ -28085,6 +28127,15 @@ index bc329d1..d1a3745 100644 ## Read and write psad fifo files. ## ## +@@ -186,7 +205,7 @@ interface(`psad_append_log',` + # + interface(`psad_rw_fifo_file',` + gen_require(` +- type psad_t; ++ type psad_t, psad_var_lib_t; + ') + + files_search_var_lib($1) @@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` @@ -32881,7 +32932,7 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..c7efe5d 100644 +index 2dad3c8..580297a 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) 
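Review bot: The two lines added to `dhcp.te` under `+@@ -73,6 +73,8 @@` (outer hunk `@@ -18902,10 +18935,19 @@`) are a broad grant: `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` lets dhcpd bind any UDP port above the reserved range, and `corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)` silences denials for the reserved range, which also hides future misbehaviour from the audit log. If dhcpd only needs one well-known port, the specific `corenet_udp_bind_*_port` interface for it is the better choice; if it genuinely picks an arbitrary port, a comment should say so, e.g. `# dhcpd binds an unreserved UDP port for <reason — fill in> (bug <id>)`. Neither line is mentioned in the commit message.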
@@ -32959,7 +33010,12 @@ index 2dad3c8..c7efe5d 100644 ############################## # # SSH client local policy -@@ -99,11 +103,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms; +@@ -95,15 +99,11 @@ allow ssh_t self:sem create_sem_perms; + allow ssh_t self:msgq create_msgq_perms; + allow ssh_t self:msg { send receive }; + allow ssh_t self:tcp_socket create_stream_socket_perms; ++can_exec(ssh_t, ssh_exec_t) + # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; @@ -32971,7 +33027,7 @@ index 2dad3c8..c7efe5d 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,6 +112,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -113,6 +113,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -32979,7 +33035,7 @@ index 2dad3c8..c7efe5d 100644 # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -124,9 +124,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) +@@ -124,9 +125,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config @@ -32993,7 +33049,7 @@ index 2dad3c8..c7efe5d 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,6 +139,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,6 +140,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) 
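Review bot: The `++can_exec(ssh_t, ssh_exec_t)` line added to `ssh.te` in the hunk at `@@ -32959,7 +33010,12 @@` lets the ssh client execute its own binary without a domain transition, and nothing in the hunk says why (the five lines the inner hunk `+@@ -95,15 +99,11 @@` drops are not visible here). A why-comment would help the next reader, e.g. `# ssh re-executes itself for <case — fill in>; no transition needed`, with the placeholder replaced by the actual trigger. The enclosing ssh_t rules continue beyond the hunk.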
@@ -33002,7 +33058,7 @@ index 2dad3c8..c7efe5d 100644 dev_read_urand(ssh_t) -@@ -169,14 +172,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) +@@ -169,14 +173,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -33021,7 +33077,7 @@ index 2dad3c8..c7efe5d 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -200,6 +202,53 @@ optional_policy(` +@@ -200,6 +203,53 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -33075,7 +33131,7 @@ index 2dad3c8..c7efe5d 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +259,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -33084,7 +33140,7 @@ index 2dad3c8..c7efe5d 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +281,39 @@ optional_policy(` +@@ -232,33 +282,39 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -33133,7 +33189,7 @@ index 2dad3c8..c7efe5d 100644 ') optional_policy(` -@@ -266,11 +321,24 @@ optional_policy(` +@@ -266,11 +322,24 @@ optional_policy(` ') optional_policy(` @@ -33159,7 +33215,7 @@ index 2dad3c8..c7efe5d 100644 ') optional_policy(` -@@ -284,6 +352,11 @@ optional_policy(` +@@ -284,6 +353,11 @@ optional_policy(` ') optional_policy(` @@ -33171,7 +33227,7 @@ index 2dad3c8..c7efe5d 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +365,26 @@ optional_policy(` +@@ -292,26 +366,26 @@ optional_policy(` ') ifdef(`TODO',` 
@@ -33217,7 +33273,7 @@ index 2dad3c8..c7efe5d 100644 ') dnl endif TODO ######################################## -@@ -324,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,7 +398,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -33225,7 +33281,7 @@ index 2dad3c8..c7efe5d 100644 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; -@@ -353,10 +425,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,10 +426,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -40400,7 +40456,7 @@ index 9df8c4d..0199a7d 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index d97d16d..8b174c8 100644 +index d97d16d..ed1b8be 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',` 
@@ -40430,6 +40486,37 @@ index d97d16d..8b174c8 100644 ## Use the dynamic link/loader for automatic loading ## of shared libraries. ## +@@ -383,7 +403,7 @@ interface(`libs_manage_shared_libs',` + type lib_t, textrel_shlib_t; + ') + +- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) ++ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + ') + + ######################################## +@@ -402,9 +422,9 @@ interface(`libs_use_shared_libs',` + ') + + files_search_usr($1) +- allow $1 lib_t:dir list_dir_perms; +- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) +- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) ++ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms; ++ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ++ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + allow $1 textrel_shlib_t:file execmod; + ') + +@@ -445,7 +465,7 @@ interface(`libs_relabel_shared_libs',` + type lib_t, textrel_shlib_t; + ') + +- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) ++ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + ') + + ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index bf416a4..99d7f60 100644 --- a/policy/modules/system/libraries.te diff --git a/selinux-policy.spec b/selinux-policy.spec index c28bcc9..1650d91 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,9 @@ exit 0 %endif %changelog +* Fri Oct 15 2010 Dan Walsh 3.9.7-4 +- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. + * Fri Oct 15 2010 Dan Walsh 3.9.7-3 - Allow cobblerd to list cobler appache content
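Review bot: The three `libraries.if` changes under `+@@ -383,7 +403,7 @@`, `+@@ -402,9 +422,9 @@` and `+@@ -445,7 +465,7 @@` (outer hunk `@@ -40430,6 +40486,37 @@`) start treating `textrel_shlib_t` as a directory type by putting `{ textrel_shlib_t lib_t }` in the dir position of the patterns, but every `libraries.fc` line visible in this diff labels `textrel_shlib_t` with `--`, i.e. on regular files only. If nothing labels a directory `textrel_shlib_t`, the new dir rules are inert and the `lib_t`-only form was clearer; if something does, that file-context line is what this commit should also show. Either way the change is not mentioned in the commit message.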