From 513e3a104be1eab318c2ffbefa3740e812bc00fb Mon Sep 17 00:00:00 2001 From: Miroslav Date: Sep 23 2011 11:57:50 +0000 Subject: +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state +- Add SELinux support for ssh pre-auth net process in F17 +- Add logging_syslogd_can_sendmail boolean --- diff --git a/policy-F16.patch b/policy-F16.patch index 45d7e6a..ce2d8d9 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1663,10 +1663,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..bb587b1 +index 0000000..3008c85 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,228 @@ +@@ -0,0 +1,236 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -1766,6 +1766,14 @@ index 0000000..bb587b1 +') + +optional_policy(` ++ gen_require(` ++ type sshd_sandbox_t; ++ ') ++ ++ permissive sshd_sandbox_t; ++') ++ ++optional_policy(` + gen_require(` + type fail2ban_client_t; + ') @@ -2291,18 +2299,20 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc -index b206bf6..b11df05 100644 +index b206bf6..de6d89b 100644 --- a/policy/modules/admin/rpm.fc 
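Review bot: The new `permissive sshd_sandbox_t;` block added to permissivedomains.te puts the ssh pre-auth sandbox domain into permissive mode, so AVC denials for it are logged but not enforced, and nothing in the hunk says whether that is a temporary measure while the domain's rules are still being collected. A one-line comment above the block, e.g. `# sshd pre-auth sandbox (F17): permissive while its rules are completed; drop once denials stop`, would make the intent and the removal condition visible to whoever maintains the file. Because the block sits in optional_policy with a gen_require, it is silently dropped when the type is not declared, so the type name is worth checking against the ssh module that declares it.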
+++ b/policy/modules/admin/rpm.fc -@@ -7,6 +7,7 @@ +@@ -6,7 +6,9 @@ + /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -24,9 +25,14 @@ ifdef(`distro_redhat', ` +@@ -24,9 +26,14 @@ ifdef(`distro_redhat', ` /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -2317,7 +2327,7 @@ index b206bf6..b11df05 100644 /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -@@ -36,6 +42,8 @@ ifdef(`distro_redhat', ` +@@ -36,6 +43,8 @@ ifdef(`distro_redhat', ` /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) @@ -3649,7 +3659,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..d3dd0b9 100644 +index 441cf22..4779a8d 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t) 
@@ -3696,7 +3706,15 @@ index 441cf22..d3dd0b9 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t) +@@ -277,6 +279,7 @@ kernel_read_kernel_sysctls(passwd_t) + + # for SSP + dev_read_urand(passwd_t) ++dev_dontaudit_getattr_all(passwd_t) + + fs_getattr_xattr_fs(passwd_t) + fs_search_auto_mountpoints(passwd_t) +@@ -291,17 +294,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3719,7 +3737,16 @@ index 441cf22..d3dd0b9 100644 domain_use_interactive_fds(passwd_t) -@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t) +@@ -311,6 +315,8 @@ files_search_var(passwd_t) + files_dontaudit_search_pids(passwd_t) + files_relabel_etc_files(passwd_t) + ++term_search_ptys(passwd_t) ++ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(passwd_t) +@@ -323,7 +329,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) @@ -3728,7 +3755,7 @@ index 441cf22..d3dd0b9 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3736,7 +3763,7 @@ index 441cf22..d3dd0b9 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,8 +388,7 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) 
@@ -3746,7 +3773,7 @@ index 441cf22..d3dd0b9 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +429,7 @@ optional_policy(` +@@ -426,7 +432,7 @@ optional_policy(` # Useradd local policy # @@ -3755,7 +3782,7 @@ index 441cf22..d3dd0b9 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,8 +451,12 @@ corecmd_exec_shell(useradd_t) +@@ -448,8 +454,12 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3768,7 +3795,7 @@ index 441cf22..d3dd0b9 100644 files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -460,6 +467,7 @@ fs_search_auto_mountpoints(useradd_t) +@@ -460,6 +470,7 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -3776,7 +3803,7 @@ index 441cf22..d3dd0b9 100644 # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) -@@ -469,8 +477,7 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +480,7 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) 
@@ -3786,15 +3813,15 @@ index 441cf22..d3dd0b9 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,21 +505,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +508,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) @@ -4365,10 +4392,10 @@ index 0000000..6f3570a +/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 -index 0000000..e455bba +index 0000000..fc9014f --- /dev/null +++ b/policy/modules/apps/execmem.if -@@ -0,0 +1,129 @@ +@@ -0,0 +1,133 @@ +## execmem domain + +######################################## @@ -4437,6 +4464,10 @@ index 0000000..e455bba + + files_execmod_tmp($1_execmem_t) + ++ optional_policy(` ++ execmem_execmod($1_execmem_t) ++ ') ++ + # needed by plasma-desktop + optional_policy(` + gnome_read_usr_config($1_execmem_t) @@ -4495,7 +4526,7 @@ index 0000000..e455bba + type execmem_exec_t; + ') + -+ allow $1 execmem_exec_t:chr_file execmod; ++ allow $1 execmem_exec_t:file execmod; +') + diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te @@ -9990,17 +10021,61 @@ index c8254dd..340a2d7 100644 /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) 
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index a57e81e..57519a4 100644 +index a57e81e..f9fbc60 100644 --- a/policy/modules/apps/screen.if 
+++ b/policy/modules/apps/screen.if -@@ -68,15 +68,16 @@ template(`screen_role_template',` - manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) - manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) - userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) -+ userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir) - read_files_pattern($1_screen_t, screen_home_t, screen_home_t) - read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) +@@ -25,6 +25,7 @@ template(`screen_role_template',` + gen_require(` + type screen_exec_t, screen_tmp_t; + type screen_home_t, screen_var_run_t; ++ attribute screen_domain; + ') + ######################################## +@@ -32,51 +33,18 @@ template(`screen_role_template',` + # Declarations + # + +- type $1_screen_t; ++ type $1_screen_t, screen_domain; + application_domain($1_screen_t, screen_exec_t) + domain_interactive_fd($1_screen_t) + ubac_constrained($1_screen_t) + role $2 types $1_screen_t; + +- ######################################## +- # +- # Local policy +- # +- +- allow $1_screen_t self:capability { setuid setgid fsetid }; +- allow $1_screen_t self:process signal_perms; +- allow $1_screen_t self:fifo_file rw_fifo_file_perms; +- allow $1_screen_t self:tcp_socket create_stream_socket_perms; +- allow $1_screen_t self:udp_socket create_socket_perms; +- # Internal screen networking +- allow $1_screen_t self:fd use; +- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto }; +- allow $1_screen_t self:unix_dgram_socket create_socket_perms; +- +- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) +- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) +- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) +- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) +- +- # Create fifo +- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) +- manage_dirs_pattern($1_screen_t, screen_var_run_t, 
screen_var_run_t) +- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) +- files_pid_filetrans($1_screen_t, screen_var_run_t, dir) +- +- allow $1_screen_t screen_home_t:dir list_dir_perms; +- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) +- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) +- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) +- read_files_pattern($1_screen_t, screen_home_t, screen_home_t) +- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) +- - allow $1_screen_t $3:process signal; - domtrans_pattern($3, screen_exec_t, $1_screen_t) @@ -10012,7 +10087,7 @@ index a57e81e..57519a4 100644 manage_fifo_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_home_t, screen_home_t) -@@ -87,8 +88,6 @@ template(`screen_role_template',` +@@ -87,77 +55,22 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) 
@@ -10020,15 +10095,191 @@ index a57e81e..57519a4 100644 - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - kernel_read_system_state($1_screen_t) -@@ -118,6 +117,7 @@ template(`screen_role_template',` - # for SSP - dev_read_urand($1_screen_t) +- kernel_read_system_state($1_screen_t) +- kernel_read_kernel_sysctls($1_screen_t) +- +- corecmd_list_bin($1_screen_t) +- corecmd_read_bin_files($1_screen_t) +- corecmd_read_bin_symlinks($1_screen_t) +- corecmd_read_bin_pipes($1_screen_t) +- corecmd_read_bin_sockets($1_screen_t) + # Revert to the user domain when a shell is executed. + corecmd_shell_domtrans($1_screen_t, $3) + corecmd_bin_domtrans($1_screen_t, $3) + +- corenet_all_recvfrom_unlabeled($1_screen_t) +- corenet_all_recvfrom_netlabel($1_screen_t) +- corenet_tcp_sendrecv_generic_if($1_screen_t) +- corenet_udp_sendrecv_generic_if($1_screen_t) +- corenet_tcp_sendrecv_generic_node($1_screen_t) +- corenet_udp_sendrecv_generic_node($1_screen_t) +- corenet_tcp_sendrecv_all_ports($1_screen_t) +- corenet_udp_sendrecv_all_ports($1_screen_t) +- corenet_tcp_connect_all_ports($1_screen_t) +- +- dev_dontaudit_getattr_all_chr_files($1_screen_t) +- dev_dontaudit_getattr_all_blk_files($1_screen_t) +- # for SSP +- dev_read_urand($1_screen_t) +- +- domain_use_interactive_fds($1_screen_t) +- +- files_search_tmp($1_screen_t) +- files_search_home($1_screen_t) +- files_list_home($1_screen_t) +- files_read_usr_files($1_screen_t) +- files_read_etc_files($1_screen_t) +- +- fs_search_auto_mountpoints($1_screen_t) +- fs_getattr_xattr_fs($1_screen_t) +- + auth_domtrans_chk_passwd($1_screen_t) + auth_use_nsswitch($1_screen_t) +- auth_dontaudit_read_shadow($1_screen_t) +- auth_dontaudit_exec_utempter($1_screen_t) +- +- # Write to utmp. 
+- init_rw_utmp($1_screen_t) +- +- logging_send_syslog_msg($1_screen_t) +- +- miscfiles_read_localization($1_screen_t) +- +- seutil_read_config($1_screen_t) + +- userdom_use_user_terminals($1_screen_t) +- userdom_create_user_pty($1_screen_t) + userdom_user_home_domtrans($1_screen_t, $3) +- userdom_setattr_user_ptys($1_screen_t) +- userdom_setattr_user_ttys($1_screen_t) + + tunable_policy(`use_samba_home_dirs',` + fs_cifs_domtrans($1_screen_t, $3) +- fs_read_cifs_symlinks($1_screen_t) +- fs_list_cifs($1_screen_t) + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_nfs_domtrans($1_screen_t, $3) +- fs_list_nfs($1_screen_t) +- fs_read_nfs_symlinks($1_screen_t) + ') + ') +diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te +index 553bc73..b3b144c 100644 +--- a/policy/modules/apps/screen.te ++++ b/policy/modules/apps/screen.te +@@ -5,6 +5,8 @@ policy_module(screen, 2.3.1) + # Declarations + # -+ domain_sigchld_interactive_fds($1_screen_t) - domain_use_interactive_fds($1_screen_t) ++attribute screen_domain; ++ + type screen_exec_t; + application_executable_file(screen_exec_t) - files_search_tmp($1_screen_t) +@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t + typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; + files_pid_file(screen_var_run_t) + ubac_constrained(screen_var_run_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++allow screen_domain self:capability { setuid setgid fsetid }; ++allow screen_domain self:process signal_perms; ++allow screen_domain self:fifo_file rw_fifo_file_perms; ++allow screen_domain self:tcp_socket create_stream_socket_perms; ++allow screen_domain self:udp_socket create_socket_perms; ++# Internal screen networking ++allow screen_domain self:fd use; ++allow screen_domain self:unix_stream_socket { create_socket_perms connectto }; ++allow screen_domain self:unix_dgram_socket create_socket_perms; 
++ ++manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) ++manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) ++manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) ++files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) ++ ++# Create fifo ++manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) ++manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) ++manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) ++files_pid_filetrans(screen_domain, screen_var_run_t, dir) ++ ++allow screen_domain screen_home_t:dir list_dir_perms; ++manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) ++manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) ++userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir) ++userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir) ++read_files_pattern(screen_domain, screen_home_t, screen_home_t) ++read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) ++ ++kernel_read_system_state(screen_domain) ++kernel_read_kernel_sysctls(screen_domain) ++ ++corecmd_list_bin(screen_domain) ++corecmd_read_bin_files(screen_domain) ++corecmd_read_bin_symlinks(screen_domain) ++corecmd_read_bin_pipes(screen_domain) ++corecmd_read_bin_sockets(screen_domain) ++ ++corenet_all_recvfrom_unlabeled(screen_domain) ++corenet_all_recvfrom_netlabel(screen_domain) ++corenet_tcp_sendrecv_generic_if(screen_domain) ++corenet_udp_sendrecv_generic_if(screen_domain) ++corenet_tcp_sendrecv_generic_node(screen_domain) ++corenet_udp_sendrecv_generic_node(screen_domain) ++corenet_tcp_sendrecv_all_ports(screen_domain) ++corenet_udp_sendrecv_all_ports(screen_domain) ++corenet_tcp_connect_all_ports(screen_domain) ++ ++dev_dontaudit_getattr_all_chr_files(screen_domain) ++dev_dontaudit_getattr_all_blk_files(screen_domain) ++# for SSP ++dev_read_urand(screen_domain) ++ ++domain_sigchld_interactive_fds(screen_domain) 
++domain_use_interactive_fds(screen_domain) ++domain_read_all_domains_state(screen_domain) ++ ++files_search_tmp(screen_domain) ++files_search_home(screen_domain) ++files_list_home(screen_domain) ++files_read_usr_files(screen_domain) ++files_read_etc_files(screen_domain) ++ ++fs_search_auto_mountpoints(screen_domain) ++fs_getattr_xattr_fs(screen_domain) ++ ++auth_dontaudit_read_shadow(screen_domain) ++auth_dontaudit_exec_utempter(screen_domain) ++ ++# Write to utmp. ++init_rw_utmp(screen_domain) ++ ++logging_send_syslog_msg(screen_domain) ++ ++miscfiles_read_localization(screen_domain) ++ ++seutil_read_config(screen_domain) ++ ++userdom_use_user_terminals(screen_domain) ++userdom_create_user_pty(screen_domain) ++userdom_setattr_user_ptys(screen_domain) ++userdom_setattr_user_ttys(screen_domain) ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_symlinks(screen_domain) ++ fs_list_cifs(screen_domain) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs(screen_domain) ++ fs_read_nfs_symlinks(screen_domain) ++') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..a01511f 100644 --- a/policy/modules/apps/seunshare.if @@ -18174,10 +18425,15 @@ index 1700ef2..6b7eabb 100644 + dev_filetrans($1, removable_device_t, chr_file, "rio500") +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 7d45d15..6727eb7 100644 +index 7d45d15..6d27fb3 100644 --- a/policy/modules/kernel/terminal.fc 
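Review bot: `domain_read_all_domains_state(screen_domain)` in the new screen.te local policy lets every screen/tmux domain read the /proc state of all process domains, which is broader than anything the per-type rules carried in the template before, and the hunk gives no comment on which program feature needs it. Suggest a why-comment directly above the line, such as `# screen/tmux inspect other sessions' processes; needs read of all domains' /proc state` (adjusted to the denial that motivated it), so a later reader can judge whether a narrower interface or a dontaudit would be enough. The rest of the block is the template's former local policy re-keyed to the attribute and appears to be a faithful move.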
+++ b/policy/modules/kernel/terminal.fc -@@ -19,6 +19,7 @@ +@@ -14,11 +14,11 @@ + /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) +-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) + /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) @@ -18185,7 +18441,7 @@ index 7d45d15..6727eb7 100644 /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',` +@@ -41,3 +41,5 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') @@ -22260,7 +22516,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..d7a8d41 100644 +index 9e39aa5..83dbd34 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ @@ -22342,7 +22598,7 @@ index 9e39aa5..d7a8d41 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,8 +85,10 @@ ifdef(`distro_suse', ` +@@ -73,20 +85,25 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -22354,7 +22610,11 @@ index 9e39aa5..d7a8d41 100644 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -84,9 +98,10 @@ ifdef(`distro_suse', ` + /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) ++/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + + /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) @@ -22366,7 +22626,7 @@ index 9e39aa5..d7a8d41 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -105,7 +120,27 @@ ifdef(`distro_debian', ` +@@ -105,7 +122,27 @@ ifdef(`distro_debian', ` /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -22395,7 +22655,7 @@ index 9e39aa5..d7a8d41 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..6a02978 100644 +index 6480167..1b928cb 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ 
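Review bot: `/var/lib/svn(/.*)?` is labelled `httpd_sys_rw_content_t` unconditionally, so any subversion repository stored there becomes writable by httpd on every system using this policy, whether or not it is served over the web, while the neighbouring `/var/lib/trac(/.*)?` entry gets the read-only `httpd_sys_content_t`. If write access is only needed for DAV-served repositories, a comment naming that use case, e.g. `# repositories under /var/lib/svn are committed to through httpd (mod_dav_svn)`, would document why the two entries differ and tell administrators with a local-only repository which stricter type to relabel to.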
@@ -22727,7 +22987,7 @@ index 6480167..6a02978 100644 ') ######################################## -@@ -802,6 +880,24 @@ interface(`apache_domtrans_rotatelogs',` +@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',` domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') @@ -22749,10 +23009,29 @@ index 6480167..6a02978 100644 + can_exec($1, httpd_rotatelogs_exec_t) +') + ++####################################### ++## ++## Execute httpd system scripts in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`apache_exec_sys_script',` ++ gen_require(` ++ type httpd_sys_script_exec_t; ++ ') ++ ++ allow $1 httpd_sys_script_exec_t:dir search_dir_perms; ++ can_exec($1, httpd_sys_script_exec_t; ++') ++ ######################################## ## ## Allow the specified domain to list -@@ -819,6 +915,7 @@ interface(`apache_list_sys_content',` +@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -22760,7 +23039,7 @@ index 6480167..6a02978 100644 files_search_var($1) ') -@@ -846,6 +943,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -22835,7 +23114,7 @@ index 6480167..6a02978 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1027,12 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; @@ -22849,7 +23128,7 @@ index 6480167..6a02978 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1091,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## 
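Review bot: The new `apache_exec_sys_script` interface has an unbalanced parenthesis in `can_exec($1, httpd_sys_script_exec_t;` — m4 keeps collecting macro arguments until it sees the closing `)`, so the following `')` and whatever comes next are swallowed into the can_exec call and the policy build will fail or expand incorrectly; the line should read `can_exec($1, httpd_sys_script_exec_t)`. The parameter summary also says `Domain allowed to transition.` although the interface executes the scripts in the caller domain with no transition; `Domain allowed to execute the scripts.` would match the interface's own description line.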
@@ -22861,7 +23140,7 @@ index 6480167..6a02978 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1121,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -22870,7 +23149,7 @@ index 6480167..6a02978 100644 ') ######################################## -@@ -1091,6 +1262,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -22896,7 +23175,7 @@ index 6480167..6a02978 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1297,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -22905,7 +23184,7 @@ index 6480167..6a02978 100644 ') ######################################## -@@ -1150,12 +1340,6 @@ interface(`apache_cgi_domain',` +@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',` ## ## All of the rules required to administrate an apache environment ## @@ -22918,7 +23197,7 @@ index 6480167..6a02978 100644 ## ## ## Domain allowed access. -@@ -1170,17 +1354,15 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -22941,7 +23220,7 @@ index 6480167..6a02978 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1373,10 @@ interface(`apache_admin',` +@@ -1191,10 +1392,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -22954,7 +23233,7 @@ index 6480167..6a02978 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1387,69 @@ interface(`apache_admin',` +@@ -1205,14 +1406,69 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
@@ -30612,7 +30891,7 @@ index 1a1becd..d4357ec 100644 ') + diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 1bff6ee..c6db074 100644 +index 1bff6ee..fbfc5db 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -30694,7 +30973,7 @@ index 1bff6ee..c6db074 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -151,12 +171,156 @@ optional_policy(` +@@ -151,12 +171,166 @@ optional_policy(` ') optional_policy(` @@ -30715,7 +30994,7 @@ index 1bff6ee..c6db074 100644 # -# Unconfined access to this module +# system_bus_type rules - # ++# +role system_r types system_bus_type; + +fs_search_all(system_bus_type) @@ -30727,7 +31006,7 @@ index 1bff6ee..c6db074 100644 +init_dgram_send(system_bus_type) +init_use_fds(system_bus_type) +init_rw_stream_sockets(system_bus_type) - ++ +ps_process_pattern(system_dbusd_t, system_bus_type) + +userdom_dontaudit_search_admin_dir(system_bus_type) @@ -30752,7 +31031,7 @@ index 1bff6ee..c6db074 100644 +######################################## +# +# session_bus_type rules -+# + # +dontaudit session_bus_type self:capability sys_resource; +allow session_bus_type self:process { getattr sigkill signal }; +dontaudit session_bus_type self:process { ptrace setrlimit }; @@ -30828,6 +31107,16 @@ index 1bff6ee..c6db074 100644 +userdom_manage_user_home_content_files(session_bus_type) +userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(session_bus_type) ++ fs_manage_nfs_files(session_bus_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(session_bus_type) ++ fs_manage_cifs_files(session_bus_type) ++') + +optional_policy(` + gnome_read_gconf_home_files(session_bus_type) +') 
@@ -33554,7 +33843,7 @@ index 298f066..b54de69 100644 /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if -index 6bef7f8..464669c 100644 +index 6bef7f8..885cd43 100644 --- a/policy/modules/services/exim.if +++ b/policy/modules/services/exim.if @@ -5,9 +5,9 @@ @@ -33569,10 +33858,35 @@ index 6bef7f8..464669c 100644 ## # interface(`exim_domtrans',` -@@ -20,6 +20,24 @@ interface(`exim_domtrans',` +@@ -20,6 +20,49 @@ interface(`exim_domtrans',` ######################################## ## ++## Execute the mailman program in the mailman domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the mailman domain. ++## ++## ++## ++# ++interface(`exim_run',` ++ gen_require(` ++ type exim_t; ++ ') ++ ++ exim_domtrans($1) ++ role $2 types exim_t; ++') ++ ++######################################## ++## +## Execute exim in the exim domain. +## +## @@ -33594,7 +33908,7 @@ index 6bef7f8..464669c 100644 ## Do not audit attempts to read, ## exim tmp files ## -@@ -101,9 +119,9 @@ interface(`exim_read_log',` +@@ -101,9 +144,9 @@ interface(`exim_read_log',` ## exim log files. ## ## @@ -33606,7 +33920,7 @@ index 6bef7f8..464669c 100644 ## # interface(`exim_append_log',` -@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',` +@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',` manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) ') @@ -38950,7 +39264,7 @@ index 14ad189..2b8efd8 100644 /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if -index 67c7fdd..84b7626 100644 +index 67c7fdd..d7338be 100644 --- a/policy/modules/services/mailman.if +++ b/policy/modules/services/mailman.if @@ -16,7 +16,7 @@ 
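Review bot: The doc block of the new `exim_run` interface in exim.if reads `Execute the mailman program in the mailman domain.` and `The role to allow the mailman domain.`, evidently copied from mailman_run; it should say `Execute exim in the exim domain.` and `The role to allow the exim domain.` so the generated interface documentation matches what the body does (`exim_domtrans($1)` plus `role $2 types exim_t;`). The interface added right after it in the same hunk already uses the correct exim wording, so the two summaries would otherwise contradict each other.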
@@ -38971,6 +39285,38 @@ index 67c7fdd..84b7626 100644 files_list_var(mailman_$1_t) files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) +@@ -108,6 +108,31 @@ interface(`mailman_domtrans',` + domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) + ') + ++######################################## ++## ++## Execute the mailman program in the mailman domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the mailman domain. ++## ++## ++## ++# ++interface(`mailman_run',` ++ gen_require(` ++ type mailman_mail_t; ++ ') ++ ++ mailman_domtrans($1) ++ role $2 types mailman_mail_t; ++') ++ + ####################################### + ## + ## Execute mailman CGI scripts in the diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index af4d572..cea085e 100644 --- a/policy/modules/services/mailman.te @@ -40656,7 +41002,7 @@ index 256166a..6321a93 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..f8c4fb6 100644 +index 343cee3..f6c92f9 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -40686,7 +41032,7 @@ index 343cee3..f8c4fb6 100644 # interface(`mta_role',` gen_require(` -@@ -169,7 +171,7 @@ interface(`mta_role',` +@@ -169,11 +171,19 @@ interface(`mta_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, sendmail_exec_t, user_mail_t) 
@@ -40695,7 +41041,19 @@ index 343cee3..f8c4fb6 100644 allow mta_user_agent $2:fd use; allow mta_user_agent $2:process sigchld; -@@ -220,6 +222,25 @@ interface(`mta_agent_executable',` + allow mta_user_agent $2:fifo_file { read write }; ++ ++ optional_policy(` ++ exim_run($2, $1) ++ ') ++ ++ optional_policy(` ++ mailman_run(mta_user_agent, $1) ++ ') + ') + + ######################################## +@@ -220,6 +230,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -40721,7 +41079,7 @@ index 343cee3..f8c4fb6 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',` +@@ -306,7 +335,6 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -40729,7 +41087,7 @@ index 343cee3..f8c4fb6 100644 ') typeattribute $1 mailserver_delivery; -@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',` +@@ -330,12 +358,6 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -40742,7 +41100,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',` +@@ -350,9 +372,8 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` @@ -40753,7 +41111,7 @@ index 343cee3..f8c4fb6 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -391,12 +404,17 @@ interface(`mta_send_mail',` +@@ -391,12 +412,17 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -40773,7 +41131,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -409,7 +427,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +435,6 @@ interface(`mta_sendmail_domtrans',` ## ## # 
@@ -40781,7 +41139,7 @@ index 343cee3..f8c4fb6 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +437,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +445,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -40806,7 +41164,7 @@ index 343cee3..f8c4fb6 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +473,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +481,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -40833,7 +41191,7 @@ index 343cee3..f8c4fb6 100644 ## Read mail server configuration. ## ## -@@ -474,7 +529,8 @@ interface(`mta_write_config',` +@@ -474,7 +537,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -40843,7 +41201,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -494,6 +550,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +558,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -40851,7 +41209,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -532,7 +589,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -40860,7 +41218,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -552,7 +609,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +617,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -40869,7 +41227,7 @@ index 343cee3..f8c4fb6 100644 ') ####################################### -@@ -646,8 +703,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +711,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; 
@@ -40880,7 +41238,7 @@ index 343cee3..f8c4fb6 100644 ') ####################################### -@@ -697,8 +754,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +762,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -40891,7 +41249,7 @@ index 343cee3..f8c4fb6 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +895,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +903,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -40900,7 +41258,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -899,3 +956,112 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +964,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -50715,7 +51073,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..66a585d 100644 +index b1468ed..4bd5e3c 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -50793,7 +51151,7 @@ index b1468ed..66a585d 100644 ######################################## # # NFSD local policy -@@ -120,9 +133,13 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +@@ -120,9 +133,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) 
@@ -50804,10 +51162,11 @@ index b1468ed..66a585d 100644 corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) +corenet_tcp_bind_nfs_port(nfsd_t) ++corenet_udp_bind_nfs_port(nfsd_t) dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) -@@ -148,6 +165,8 @@ storage_raw_read_removable_device(nfsd_t) +@@ -148,6 +166,8 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -50816,7 +51175,7 @@ index b1468ed..66a585d 100644 # Write access to public_content_t and public_content_rw_t tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) -@@ -158,7 +177,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -158,7 +178,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -50824,7 +51183,7 @@ index b1468ed..66a585d 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -170,8 +188,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -170,8 +189,7 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -50834,7 +51193,7 @@ index b1468ed..66a585d 100644 ') ######################################## -@@ -181,7 +198,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; @@ -50843,7 +51202,7 @@ index b1468ed..66a585d 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -199,6 +216,7 @@ corecmd_exec_bin(gssd_t) +@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) 
@@ -50851,7 +51210,7 @@ index b1468ed..66a585d 100644 fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) -@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t) +@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -50868,7 +51227,7 @@ index b1468ed..66a585d 100644 ') optional_policy(` -@@ -229,6 +247,10 @@ optional_policy(` +@@ -229,6 +248,10 @@ optional_policy(` ') optional_policy(` @@ -52432,7 +52791,7 @@ index 7e94c7c..5700fb8 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te -index 22dac1f..c3cf42a 100644 +index 22dac1f..1c27bd6 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) @@ -52471,7 +52830,17 @@ index 22dac1f..c3cf42a 100644 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -149,7 +150,9 @@ optional_policy(` +@@ -129,6 +130,9 @@ optional_policy(` + + optional_policy(` + exim_domtrans(sendmail_t) ++ exim_manage_spool_files(sendmail_t) ++ exim_manage_spool_dirs(sendmail_t) ++ exim_read_log(sendmail_t) + ') + + optional_policy(` +@@ -149,7 +153,9 @@ optional_policy(` ') optional_policy(` @@ -52481,7 +52850,7 @@ index 22dac1f..c3cf42a 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,20 +171,13 @@ optional_policy(` +@@ -168,20 +174,13 @@ optional_policy(` ') optional_policy(` @@ -52863,7 +53232,7 @@ index 275f9fb..4f4a192 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..633e4ce 100644 +index 3d8d1b3..9509742 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) 
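Review bot: `exim_manage_spool_files(sendmail_t)`, `exim_manage_spool_dirs(sendmail_t)` and `exim_read_log(sendmail_t)` give sendmail_t direct write access to exim's spool, right next to `exim_domtrans(sendmail_t)`, which already hands the work to exim_t through a domain transition; a transition-only setup would not need the spool rules in sendmail_t. If exim's sendmail-compatible binary is expected to touch the spool while still running as sendmail_t (to be confirmed), record that so the widening is not mistaken for a leftover, e.g. `# exim's /usr/sbin/sendmail wrapper writes the exim spool without transitioning to exim_t`; if the rules were added in response to denials caused by a missing transition, the transition is the fix and the manage rules should go. This optional block belongs to sendmail_t's policy, whose start is outside this hunk.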
@@ -52904,7 +53273,11 @@ index 3d8d1b3..633e4ce 100644 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -97,12 +100,15 @@ fs_search_auto_mountpoints(snmpd_t) +@@ -94,15 +97,19 @@ files_search_home(snmpd_t) + fs_getattr_all_dirs(snmpd_t) + fs_getattr_all_fs(snmpd_t) + fs_search_auto_mountpoints(snmpd_t) ++files_search_all_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) @@ -52921,7 +53294,7 @@ index 3d8d1b3..633e4ce 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -53812,7 +54185,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..0d987fd 100644 +index 22adaca..3b7fec1 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -53874,7 +54247,37 @@ index 22adaca..0d987fd 100644 dev_read_urand($1_ssh_t) -@@ -168,7 +166,7 @@ template(`ssh_basic_client_template',` +@@ -148,6 +146,29 @@ template(`ssh_basic_client_template',` + ') + ') + ++###################################### ++## ++## The template to define a domain to which sshd dyntransition. ++## ++## ++## ++## The prefix of the dyntransition domain ++## ++## ++# ++template(`ssh_dyntransition_domain_template',` ++ gen_require(` ++ attribute ssh_dyntransition_domain; ++ ') ++ ++ type $1, ssh_dyntransition_domain; ++ domain_type($1) ++ role system_r types $1; ++ ++ optional_policy(` ++ ssh_dyntransition_to($1) ++ ') ++') + ####################################### + ## + ## The template to define a ssh server. +@@ -168,7 +189,7 @@ template(`ssh_basic_client_template',` ## ## # 
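Review bot: The new `ssh_dyntransition_domain_template` documents its parameter as "The prefix of the dyntransition domain" but uses `$1` as the complete type name (`type $1, ssh_dyntransition_domain;`), unlike the `$1_t` convention of the other templates in this file (`type $1_t, ssh_server;` in ssh_server_template); either the doc should read `The type of the domain sshd may dyntransition to` or the template should follow the `$1_t` convention. The `optional_policy` wrapper around `ssh_dyntransition_to($1)` is unnecessary for an interface defined in the same ssh.if and reads as if the call could be absent. A comment on the attribute's meaning would also help readers, e.g. `# members of ssh_dyntransition_domain are entered by sshd_t via setcon() without an exec, so they start with sshd's memory and open descriptors` -- worth confirming that this matches how the sshd patch uses it.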
@@ -53883,7 +54286,7 @@ index 22adaca..0d987fd 100644 type $1_t, ssh_server; auth_login_pgm_domain($1_t) -@@ -181,16 +179,18 @@ template(`ssh_server_template', ` +@@ -181,16 +202,18 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) @@ -53905,7 +54308,7 @@ index 22adaca..0d987fd 100644 term_create_pty($1_t, $1_devpts_t) manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -@@ -206,6 +206,7 @@ template(`ssh_server_template', ` +@@ -206,6 +229,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) @@ -53913,7 +54316,7 @@ index 22adaca..0d987fd 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,8 +221,11 @@ template(`ssh_server_template', ` +@@ -220,8 +244,11 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) @@ -53926,7 +54329,7 @@ index 22adaca..0d987fd 100644 fs_dontaudit_getattr_all_fs($1_t) -@@ -234,6 +238,7 @@ template(`ssh_server_template', ` +@@ -234,6 +261,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -53934,7 +54337,7 @@ index 22adaca..0d987fd 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -243,13 +248,17 @@ template(`ssh_server_template', ` +@@ -243,13 +271,17 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) @@ -53954,7 +54357,7 @@ index 22adaca..0d987fd 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) fs_read_nfs_symlinks($1_t) -@@ -268,6 +277,14 @@ template(`ssh_server_template', ` +@@ -268,6 +300,14 @@ template(`ssh_server_template', ` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') 
@@ -53969,7 +54372,7 @@ index 22adaca..0d987fd 100644 ') ######################################## -@@ -290,11 +307,11 @@ template(`ssh_server_template', ` +@@ -290,11 +330,11 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -53982,7 +54385,7 @@ index 22adaca..0d987fd 100644 type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; -@@ -327,7 +344,7 @@ template(`ssh_role_template',` +@@ -327,7 +367,7 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -53991,7 +54394,7 @@ index 22adaca..0d987fd 100644 # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -338,6 +355,7 @@ template(`ssh_role_template',` +@@ -338,6 +378,7 @@ template(`ssh_role_template',` manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) @@ -53999,7 +54402,7 @@ index 22adaca..0d987fd 100644 ############################## # -@@ -359,7 +377,7 @@ template(`ssh_role_template',` +@@ -359,7 +400,7 @@ template(`ssh_role_template',` stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. @@ -54008,7 +54411,7 @@ index 22adaca..0d987fd 100644 # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -381,7 +399,6 @@ template(`ssh_role_template',` +@@ -381,7 +422,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) @@ -54016,7 +54419,7 @@ index 22adaca..0d987fd 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -393,14 +410,13 @@ template(`ssh_role_template',` +@@ -393,14 +433,13 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. 
@@ -54034,13 +54437,13 @@ index 22adaca..0d987fd 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +493,27 @@ interface(`ssh_read_pipes',` +@@ -477,8 +516,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; - ') ++') + +###################################### +## @@ -54058,12 +54461,12 @@ index 22adaca..0d987fd 100644 + ') + + allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; -+') + ') + ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +529,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +552,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -54072,7 +54475,7 @@ index 22adaca..0d987fd 100644 ') ######################################## -@@ -586,6 +621,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +644,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -54097,7 +54500,7 @@ index 22adaca..0d987fd 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +671,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +694,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -54106,7 +54509,7 @@ index 22adaca..0d987fd 100644 files_search_pids($1) ') -@@ -680,6 +733,32 @@ interface(`ssh_domtrans_keygen',` +@@ -680,6 +756,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -54139,7 +54542,7 @@ index 22adaca..0d987fd 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +774,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +797,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') 
@@ -54148,7 +54551,7 @@ index 22adaca..0d987fd 100644 ') ###################################### -@@ -735,3 +814,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +837,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -54181,13 +54584,13 @@ index 22adaca..0d987fd 100644 +## +## +# -+interface(`ssh_dyntransition_chroot_user',` ++interface(`ssh_dyntransition_to',` + gen_require(` -+ type chroot_user_t; ++ type sshd_t; + ') + -+ allow $1 chroot_user_t:process dyntransition; -+ allow chroot_user_t $1:process sigchld; ++ allow sshd_t $1:process dyntransition; ++ allow $1 sshd_t:process sigchld; +') + +######################################## @@ -54231,7 +54634,7 @@ index 22adaca..0d987fd 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..28ef6ae 100644 +index 2dad3c8..a6e2e1e 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) @@ -54271,12 +54674,12 @@ index 2dad3c8..28ef6ae 100644 -gen_tunable(ssh_sysadm_login, false) +gen_tunable(ssh_chroot_rw_homedirs, false) ++attribute ssh_dyntransition_domain; attribute ssh_server; attribute ssh_agent_type; -+type chroot_user_t; -+domain_type(chroot_user_t) -+role system_r types chroot_user_t; ++ssh_dyntransition_domain_template(chroot_user_t) ++ssh_dyntransition_domain_template(sshd_sandbox_t) + type ssh_keygen_t; type ssh_keygen_exec_t; @@ -54531,14 +54934,10 @@ index 2dad3c8..28ef6ae 100644 ') optional_policy(` -@@ -284,6 +337,19 @@ optional_policy(` +@@ -284,6 +337,15 @@ optional_policy(` ') optional_policy(` -+ ssh_dyntransition_chroot_user(sshd_t) -+') -+ -+optional_policy(` + systemd_exec_systemctl(sshd_t) +') + 
@@ -54551,7 +54950,7 @@ index 2dad3c8..28ef6ae 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +358,26 @@ optional_policy(` +@@ -292,26 +354,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -54597,7 +54996,7 @@ index 2dad3c8..28ef6ae 100644 ') dnl endif TODO ######################################## -@@ -322,19 +388,26 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +384,26 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -54625,7 +55024,7 @@ index 2dad3c8..28ef6ae 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,15 +424,63 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,15 +420,83 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -54639,16 +55038,39 @@ index 2dad3c8..28ef6ae 100644 optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) + udev_read_db(ssh_keygen_t) + ') + ++#################################### ++# ++# ssh_dyntransition domain local policy ++# ++ ++allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid }; ++ ++allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; ++ + optional_policy(` +- udev_read_db(ssh_keygen_t) ++ ssh_rw_stream_sockets(ssh_dyntransition_domain) ++ ssh_rw_tcp_sockets(ssh_dyntransition_domain) +') + ++##################################### ++# ++# ssh_sandbox local policy ++# ++ ++allow sshd_t sshd_sandbox_t:process signal; ++ ++init_ioctl_stream_sockets(sshd_sandbox_t) ++ ++logging_send_audit_msgs(sshd_sandbox_t) ++ +###################################### +# +# chroot_user_t local policy +# + -+allow chroot_user_t self:capability { setuid sys_chroot setgid }; -+ -+allow chroot_user_t self:fifo_file rw_fifo_file_perms; + +userdom_read_user_home_content_files(chroot_user_t) +userdom_read_inherited_user_home_content_files(chroot_user_t) 
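Review bot: `allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };` moves the capabilities the previous version granted only to chroot_user_t onto the shared attribute, so the new pre-auth sshd_sandbox_t domain now holds setuid, setgid and sys_chroot as well. The sandbox section below gives it only a signal from sshd_t, an init socket ioctl and audit messages, which suggests it is meant to be the least-privileged of the two; if the pre-auth child has already chrooted and dropped to the unprivileged user before it dyntransitions (to be confirmed against the sshd patch), these capabilities are dead weight there and should stay per-domain: `allow chroot_user_t self:capability { setuid sys_chroot setgid };` under the chroot_user_t heading, leaving only the fifo_file and socket rules on the attribute. The dyntransition itself is granted in ssh.if, outside this hunk.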
@@ -54684,12 +55106,9 @@ index 2dad3c8..28ef6ae 100644 +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(chroot_user_t) + fs_read_nfs_symlinks(chroot_user_t) - ') - - optional_policy(` -- udev_read_db(ssh_keygen_t) -+ ssh_rw_stream_sockets(chroot_user_t) -+ ssh_rw_tcp_sockets(chroot_user_t) ++') ++ ++optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if @@ -54750,7 +55169,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..69e86c3 100644 +index 8ffa257..7d5a298 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -54776,7 +55195,7 @@ index 8ffa257..69e86c3 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -54789,7 +55208,11 @@ index 8ffa257..69e86c3 100644 corecmd_exec_bin(sssd_t) dev_read_urand(sssd_t) -@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t) ++dev_read_sysfs(sssd_t) + + domain_read_all_domains_state(sssd_t) + domain_obj_id_change_exemption(sssd_t) +@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) @@ -54797,7 +55220,7 @@ index 8ffa257..69e86c3 100644 fs_list_inotifyfs(sssd_t) -@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t) +@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) 
@@ -54806,7 +55229,7 @@ index 8ffa257..69e86c3 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) -@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -54819,7 +55242,7 @@ index 8ffa257..69e86c3 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +100,28 @@ optional_policy(` +@@ -87,4 +101,28 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -56706,7 +57129,7 @@ index 7c5d8d8..72e3065 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..c0d1ec6 100644 +index 3eca020..1eb165e 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0) @@ -57076,9 +57499,9 @@ index 3eca020..c0d1ec6 100644 logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -57232,7 +57655,7 @@ index 3eca020..c0d1ec6 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +624,177 @@ optional_policy(` +@@ -457,8 +624,188 @@ optional_policy(` ') optional_policy(` 
@@ -57356,11 +57779,12 @@ index 3eca020..c0d1ec6 100644 +# +# virt_lxc local policy +# -+allow virt_lxc_t self:capability { net_admin setpcap chown sys_admin }; ++allow virt_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin }; +allow virt_lxc_t self:process { setsched getcap setcap signal_perms }; +allow virt_lxc_t self:fifo_file rw_fifo_file_perms; +allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms; ++allow virt_lxc_t self:packet_socket create_socket_perms; + +allow virt_lxc_t virt_image_type:dir mounton; + @@ -57376,6 +57800,7 @@ index 3eca020..c0d1ec6 100644 + +kernel_read_network_state(virt_lxc_t) +kernel_search_network_sysctl(virt_lxc_t) ++kernel_read_sysctl(virt_lxc_t) + +dev_read_sysfs(virt_lxc_t) + @@ -57385,12 +57810,14 @@ index 3eca020..c0d1ec6 100644 +files_mounton_all_mountpoints(virt_lxc_t) +files_mount_all_file_type_fs(virt_lxc_t) +files_unmount_all_file_type_fs(virt_lxc_t) ++files_list_isid_type_dirs(virt_lxc_t) + +fs_manage_tmpfs_dirs(virt_lxc_t) +fs_manage_tmpfs_chr_files(virt_lxc_t) +fs_manage_tmpfs_symlinks(virt_lxc_t) +fs_manage_cgroup_dirs(virt_lxc_t) +fs_rw_cgroup_files(virt_lxc_t) ++fs_remount_all_fs(virt_lxc_t) + +selinux_mount_fs(virt_lxc_t) +selinux_unmount_fs(virt_lxc_t) @@ -57404,7 +57831,14 @@ index 3eca020..c0d1ec6 100644 + +miscfiles_read_localization(virt_lxc_t) + -+sysnet_exec_ifconfig(virt_lxc_t) ++sysnet_domtrans_ifconfig(virt_lxc_t) ++ ++type lxc_t; ++domain_type(lxc_t); ++ ++optional_policy(` ++ unconfined_domain(lxc_t) ++') + +optional_policy(` + unconfined_shell_domtrans(virt_lxc_t) @@ -61556,10 +61990,10 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..6794869 100644 +index 94fd8dd..b5e5c70 100644 --- a/policy/modules/system/init.if 
+++ b/policy/modules/system/init.if -@@ -79,6 +79,42 @@ interface(`init_script_domain',` +@@ -79,6 +79,44 @@ interface(`init_script_domain',` domtrans_pattern(init_run_all_scripts_domain, $2, $1) ') @@ -61594,15 +62028,17 @@ index 94fd8dd..6794869 100644 + domtrans_pattern(init_t,$2,$1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow init_t $1:unix_dgram_socket create_socket_perms; -+ allow $1 init_t:unix_stream_socket ioctl; ++ allow $1 init_t:unix_stream_socket ioctl; + allow $1 init_t:unix_dgram_socket sendto; ++ # need write to /var/run/systemd/notify ++ init_write_pid_socket($1) + ') +') + ######################################## ## ## Create a domain which can be started by init. -@@ -105,7 +141,11 @@ interface(`init_domain',` +@@ -105,7 +143,11 @@ interface(`init_domain',` role system_r types $1; @@ -61615,7 +62051,7 @@ index 94fd8dd..6794869 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -193,8 +233,10 @@ interface(`init_daemon_domain',` +@@ -193,8 +235,10 @@ interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; @@ -61626,7 +62062,7 @@ index 94fd8dd..6794869 100644 ') typeattribute $1 daemon; -@@ -202,39 +244,20 @@ interface(`init_daemon_domain',` +@@ -202,39 +246,20 @@ interface(`init_daemon_domain',` domain_type($1) domain_entry_file($1, $2) @@ -61652,17 +62088,17 @@ index 94fd8dd..6794869 100644 typeattribute $2 direct_init_entry; - userdom_dontaudit_use_user_terminals($1) -- ') -- ++# userdom_dontaudit_use_user_terminals($1) + ') + - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -+# userdom_dontaudit_use_user_terminals($1) - ') - +- ') +- - optional_policy(` - nscd_socket_use($1) + tunable_policy(`init_upstart || init_systemd',` 
@@ -61671,7 +62107,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -283,17 +306,20 @@ interface(`init_daemon_domain',` +@@ -283,17 +308,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; @@ -61693,7 +62129,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -336,22 +362,23 @@ interface(`init_ranged_daemon_domain',` +@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -61724,7 +62160,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -401,20 +428,41 @@ interface(`init_system_domain',` +@@ -401,20 +430,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -61766,7 +62202,7 @@ index 94fd8dd..6794869 100644 ######################################## ## ## Execute init (/sbin/init) with a domain transition. -@@ -451,6 +499,10 @@ interface(`init_exec',` +@@ -451,6 +501,10 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -61777,7 +62213,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -509,6 +561,24 @@ interface(`init_sigchld',` +@@ -509,6 +563,24 @@ interface(`init_sigchld',` ######################################## ## @@ -61802,7 +62238,7 @@ index 94fd8dd..6794869 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +589,66 @@ interface(`init_sigchld',` +@@ -519,10 +591,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -61871,7 +62307,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -688,19 +814,25 @@ interface(`init_telinit',` +@@ -688,19 +816,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -61898,7 +62334,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -730,7 +862,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +864,7 @@ interface(`init_rw_initctl',` ## ## ## 
@@ -61907,7 +62343,7 @@ index 94fd8dd..6794869 100644 ## ## # -@@ -773,18 +905,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -61931,7 +62367,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -800,19 +933,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -61977,7 +62413,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -61992,7 +62428,7 @@ index 94fd8dd..6794869 100644 files_search_etc($1) ') -@@ -1079,6 +1239,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -62017,7 +62453,7 @@ index 94fd8dd..6794869 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1308,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -62031,7 +62467,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -1375,6 +1548,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -62059,7 +62495,7 @@ index 94fd8dd..6794869 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1655,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## 
@@ -62085,7 +62521,7 @@ index 94fd8dd..6794869 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1732,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -62110,7 +62546,7 @@ index 94fd8dd..6794869 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1586,6 +1817,24 @@ interface(`init_read_utmp',` +@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',` ######################################## ## @@ -62135,7 +62571,7 @@ index 94fd8dd..6794869 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1674,7 +1923,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -62144,7 +62580,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -1715,6 +1964,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -62273,7 +62709,7 @@ index 94fd8dd..6794869 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2120,175 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -62330,6 +62766,25 @@ index 94fd8dd..6794869 100644 + init_dontaudit_use_script_fds($1) +') + ++####################################### ++## ++## Allow the specified domain to ioctl an ++## init with a unix domain stream sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_ioctl_stream_sockets',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket ioctl; ++') ++ +######################################## +## +## Allow the specified domain to read/write to 
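Review bot: The header of the new `init_ioctl_stream_sockets` reads "Allow the specified domain to ioctl an init with a unix domain stream sockets", which does not parse; suggest `## Allow the specified domain to perform ioctl() on init's unix domain stream sockets.` A bare ioctl permission looks odd on its own, so a why-comment in the body would help, e.g. `# for stream sockets inherited from init (socket-activated services)` -- if that is indeed the case the caller needs, which this hunk does not show.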
@@ -64817,10 +65272,24 @@ index 831b909..efe1038 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..0c27f81 100644 +index b6ec597..5684c8a 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -20,6 +20,7 @@ files_security_file(auditd_log_t) +@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2) + # Declarations + # + ++## ++##

++## Allow syslogd daemon to send mail ++##

++##
++gen_tunable(logging_syslogd_can_sendmail, false) ++ + attribute logfile; + + type auditctl_t; +@@ -20,6 +27,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; @@ -64828,7 +65297,7 @@ index b6ec597..0c27f81 100644 files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) -@@ -64,6 +65,7 @@ files_config_file(syslog_conf_t) +@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -64836,7 +65305,7 @@ index b6ec597..0c27f81 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -111,7 +113,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -64845,7 +65314,7 @@ index b6ec597..0c27f81 100644 init_dontaudit_use_fds(auditctl_t) -@@ -183,16 +185,19 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -64866,7 +65335,7 @@ index b6ec597..0c27f81 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,10 +242,17 @@ corecmd_exec_shell(audisp_t) +@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -64884,7 +65353,7 @@ index b6ec597..0c27f81 100644 logging_send_syslog_msg(audisp_t) -@@ -250,6 +262,10 @@ sysnet_dns_name_resolve(audisp_t) +@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -64895,7 +65364,7 @@ index b6ec597..0c27f81 100644 ') ######################################## -@@ -280,11 +296,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) 
@@ -64916,7 +65385,7 @@ index b6ec597..0c27f81 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -354,11 +379,12 @@ optional_policy(` +@@ -354,11 +386,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -64931,7 +65400,7 @@ index b6ec597..0c27f81 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -376,6 +402,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -64939,7 +65408,7 @@ index b6ec597..0c27f81 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -385,9 +412,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -64955,8 +65424,15 @@ index b6ec597..0c27f81 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -428,8 +461,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) + corenet_sendrecv_postgresql_client_packets(syslogd_t) + corenet_sendrecv_mysqld_client_packets(syslogd_t) ++tunable_policy(`logging_syslogd_can_sendmail',` ++ # support for ommail module to send logs via mail ++ corenet_tcp_connect_smtp_port(syslogd_t) ++') ++ dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) +dev_read_rand(syslogd_t) 
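Review bot: The new `logging_syslogd_can_sendmail` block at the end of this hunk grants only `corenet_tcp_connect_smtp_port(syslogd_t)`, whereas the database client rules visible as context in the same region are paired with a packet rule (`corenet_sendrecv_postgresql_client_packets`, `corenet_sendrecv_mysqld_client_packets`); for consistency, and so the rule keeps working where SECMARK packet labelling is in force, add `corenet_sendrecv_smtp_client_packets(syslogd_t)` inside the tunable. The boolean's description ("Allow syslogd daemon to send mail") reads broader than what is granted: this lets rsyslog's ommail module speak SMTP directly to a mail server and does not let syslogd run a local sendmail, so I'd make the desc say `## Allow syslogd (rsyslog ommail) to connect to SMTP ports to deliver log messages by mail; it does not grant executing a local MTA.` As I recall `smtp_port_t` covers several labelled ports, not only 25, so the boolean opens outbound connections to any of them — worth confirming against corenetwork and stating in the desc. `dev_read_rand(syslogd_t)` in the same hunk is unconditional and uncommented; a one-liner such as `# TLS (gnutls) seeding` would help if that is the trigger, but I'm inferring the reason.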
@@ -64969,7 +65445,7 @@ index b6ec597..0c27f81 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -448,6 +486,7 @@ term_write_console(syslogd_t) +@@ -448,6 +498,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -64977,7 +65453,7 @@ index b6ec597..0c27f81 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -459,6 +498,7 @@ init_use_fds(syslogd_t) +@@ -459,6 +510,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -64985,7 +65461,7 @@ index b6ec597..0c27f81 100644 miscfiles_read_localization(syslogd_t) -@@ -496,11 +536,20 @@ optional_policy(` +@@ -496,11 +548,20 @@ optional_policy(` ') optional_policy(` @@ -66986,7 +67462,7 @@ index 170e2c7..b85fc73 100644 + ') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..4e8cb38 100644 +index 7ed9819..f2b7643 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; 
@@ -67257,17 +67733,17 @@ index 7ed9819..4e8cb38 100644 -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +- +-allow semanage_t policy_config_t:file rw_file_perms; +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; --allow semanage_t policy_config_t:file rw_file_perms; -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - @@ -67296,13 +67772,13 @@ index 7ed9819..4e8cb38 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -+# Admins are creating pp files in random locations -+files_read_non_security_files(semanage_t) - +- -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) -- ++# Admins are creating pp files in random locations ++files_read_non_security_files(semanage_t) + -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) 
@@ -67319,7 +67795,20 @@ index 7ed9819..4e8cb38 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +498,72 @@ ifdef(`distro_debian',` +@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t) + userdom_read_user_home_content_files(semanage_t) + userdom_read_user_tmp_files(semanage_t) + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(semanage_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(semanage_t) ++') ++ + ifdef(`distro_debian',` + files_read_var_lib_files(semanage_t) files_read_var_lib_symlinks(semanage_t) ') @@ -67384,23 +67873,23 @@ index 7ed9819..4e8cb38 100644 -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) -selinux_compute_create_context(setfiles_t) -selinux_compute_relabel_context(setfiles_t) -selinux_compute_user_contexts(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - --term_use_all_ttys(setfiles_t) --term_use_all_ptys(setfiles_t) --term_use_unallocated_ttys(setfiles_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) +-term_use_all_ttys(setfiles_t) +-term_use_all_ptys(setfiles_t) +-term_use_unallocated_ttys(setfiles_t) +- -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) - @@ -68514,10 +69003,10 @@ index 0000000..eb3673d + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..e50a989 +index 0000000..411793e --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,359 @@ +@@ -0,0 +1,360 @@ +policy_module(systemd, 1.0.0) + +####################################### 
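Review bot: The two new tunable blocks near the top of this hunk let `semanage_t` read NFS- and CIFS-backed files without a why-comment, unlike the neighbouring rules in this file (`# Admins are creating pp files in random locations`); I'd add ``# semodule/semanage load .pp modules from admin home dirs, which may live on NFS/CIFS`` above ``tunable_policy(`use_nfs_home_dirs',` ``. The comment should also say that whatever `semanage_t` reads becomes trusted policy input, so enabling these booleans extends that trust to the content of a network share — a deliberate trade-off an admin should see. If the path on the share traverses a symlink, `fs_read_nfs_symlinks`/`fs_read_cifs_symlinks` may be needed as well; I don't see them here, so confirm against the interface definitions. The remainder of this hunk reorders existing `setsebool_t`/`setfiles_t` lines and bumps the systemd.te line count, which I have not re-reviewed.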
@@ -68623,6 +69112,7 @@ index 0000000..e50a989 +# /run/user/.* +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display) +auth_manage_var_auth(systemd_logind_t) ++auth_use_nsswitch(systemd_logind_t) + +authlogin_read_state(systemd_logind_t) + @@ -73483,7 +73973,7 @@ index 4b2878a..fe5913a 100644 + allow $1 unpriv_userdomain:sem rw_sem_perms; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..02686f5 100644 +index 9b4a930..5cd0c45 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) @@ -73536,7 +74026,7 @@ index 9b4a930..02686f5 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,73 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,74 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -73593,6 +74083,7 @@ index 9b4a930..02686f5 100644 + +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; ++allow unpriv_userdomain self:key manage_key_perms; + +optional_policy(` + alsa_read_rw_config(unpriv_userdomain) diff --git a/selinux-policy.spec b/selinux-policy.spec index f1c7240..f8a3bd6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 32%{?dist} +Release: 33%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
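Review bot: `auth_use_nsswitch(systemd_logind_t)` is added directly under a comment that justifies only the previous rule (`# Actually only have proof of it creating dirs and symlinks`), so a reader will attach that note to the wrong line. As I recall, this interface is broad — it brings in the network-backed NSS paths (ldap/nis/sssd via the nsswitch tunables), well beyond the local passwd/group reads logind would need for uid-to-name mapping — so confirm against the interface body that the narrower `auth_read_passwd`-style access is not enough. I'd document the trigger above the line, e.g. `# logind looks up users via NSS for session bookkeeping (pulls in network lookups when the ldap/nis booleans are on)`. The enclosing systemd_logind_t section continues outside this hunk.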
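Review bot: `allow unpriv_userdomain self:key manage_key_perms;` is the one substantive addition in the userdomain.te hunk and it lacks the why-comment its neighbour carries (`# Nautilus causes this avc`). `manage_key_perms` appears to be the widest keyring set refpolicy defines; if the motivating denial only involved reading/searching the session keyring, a narrower permission set would be preferable — I cannot see the AVC, so confirm. I'd add `# <program> manages its own kernel keyring; from AVC <class>/<perm>` above the line, filled in from the denial. Because the target is `self`, this stays scoped to the user's own keys and does not reach other domains' keyrings. The spec-file hunks that follow are a release bump and changelog and need no review.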
@@ -468,6 +468,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Sep 23 2011 Miroslav Grepl 3.10.0-33 +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state +- Add SELinux support for ssh pre-auth net process in F17 +- Add logging_syslogd_can_sendmail boolean + * Wed Sep 21 2011 Miroslav Grepl 3.10.0-32 - Allow pwupdate to send mail - Fix execmem_execmod() interface