From 7463dbb9fbc17de37c7639d2a9bf7512980edc27 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 17 2013 12:41:59 +0000 Subject: - Allow realmd to run ipa, really needs to be an unconfined_domain - Allow sandbox domains to use inherted terminals - Allow pscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid - Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t - Allow unlabeled_t files to be stored on unlabeled_t filesystems --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 93b86f0..a403f1c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -15235,7 +15235,7 @@ index 8416beb..60b2ce1 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..2b79004 100644 +index 9e603f5..698aaee 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); @@ -15256,7 +15256,17 @@ index 9e603f5..2b79004 100644 type bdev_t; fs_type(bdev_t) -@@ -68,7 +71,7 @@ fs_type(capifs_t) +@@ -63,12 +66,17 @@ fs_type(binfmt_misc_fs_t) + files_mountpoint(binfmt_misc_fs_t) + genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) + ++type oracleasmfs_t; ++fs_type(oracleasmfs_t) ++files_mountpoint(oracleasmfs_t) ++genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) ++ + type capifs_t; + fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) 
@@ -15265,7 +15275,7 @@ index 9e603f5..2b79004 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +92,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +97,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -15277,7 +15287,7 @@ index 9e603f5..2b79004 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +105,7 @@ type hugetlbfs_t; +@@ -97,6 +110,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -15285,7 +15295,7 @@ index 9e603f5..2b79004 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -125,6 +134,10 @@ type oprofilefs_t; +@@ -125,6 +139,10 @@ type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) @@ -15296,7 +15306,7 @@ index 9e603f5..2b79004 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +158,6 @@ fs_type(spufs_t) +@@ -145,11 +163,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -15308,7 +15318,7 @@ index 9e603f5..2b79004 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +175,8 @@ type vxfs_t; +@@ -167,6 +180,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -15317,7 +15327,7 @@ index 9e603f5..2b79004 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +186,8 @@ fs_type(tmpfs_t) +@@ -176,6 +191,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) 
@@ -15326,7 +15336,7 @@ index 9e603f5..2b79004 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +267,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +272,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -15335,7 +15345,7 @@ index 9e603f5..2b79004 100644 files_mountpoint(removable_t) # -@@ -274,6 +288,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +293,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -15970,7 +15980,7 @@ index 649e458..cc924ae 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 6fac350..06704f6 100644 +index 6fac350..b5b2f00 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -16021,7 +16031,15 @@ index 6fac350..06704f6 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -189,6 +202,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) + type unlabeled_t; + fs_associate(unlabeled_t) + sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) ++allow unlabeled_t self:filesystem associate; + + # These initial sids are no longer used, and can be removed: + sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -16029,7 +16047,7 @@ index 6fac350..06704f6 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +247,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -16037,7 +16055,7 @@ index 6fac350..06704f6 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +257,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -16063,7 +16081,7 @@ index 6fac350..06704f6 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +280,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) 
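Review bot: The new `allow unlabeled_t self:filesystem associate;` in kernel.te carries no comment and sits directly under `fs_associate(unlabeled_t)`, where it can be mistaken for a duplicate of that line. unlabeled_t is the type behind the `unlabeled` initial SID declared just above it, so a rule that widens where such objects may live should say that it is deliberate. A one-line comment such as `# Allow unlabeled_t files to be stored on filesystems that are themselves unlabeled_t` above the rule would record the intent given in the commit message.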
@@ -16073,7 +16091,7 @@ index 6fac350..06704f6 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +295,49 @@ files_list_root(kernel_t) +@@ -277,25 +296,49 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -16123,7 +16141,7 @@ index 6fac350..06704f6 100644 ') optional_policy(` -@@ -305,6 +347,19 @@ optional_policy(` +@@ -305,6 +348,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -16143,7 +16161,7 @@ index 6fac350..06704f6 100644 ') optional_policy(` -@@ -334,7 +389,6 @@ optional_policy(` +@@ -334,7 +390,6 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) @@ -16151,7 +16169,7 @@ index 6fac350..06704f6 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +397,7 @@ optional_policy(` +@@ -343,9 +398,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16162,7 +16180,7 @@ index 6fac350..06704f6 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +406,7 @@ optional_policy(` +@@ -354,7 +407,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16171,7 +16189,7 @@ index 6fac350..06704f6 100644 ') ') -@@ -367,6 +419,15 @@ optional_policy(` +@@ -367,6 +420,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -16187,7 +16205,7 @@ index 6fac350..06704f6 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +471,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -20836,7 +20854,7 @@ index 346d011..3e23acb 100644 + ') +') 
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..c61ed66 100644 +index 76d9f66..3063a17 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,4 +1,15 @@ @@ -20855,7 +20873,12 @@ index 76d9f66..c61ed66 100644 /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -12,5 +23,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -8,9 +19,15 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) + + /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) ++/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) + /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -20867,7 +20890,7 @@ index 76d9f66..c61ed66 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..da12170 100644 +index fe0c682..2e18809 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -21396,7 +21419,7 @@ index fe0c682..da12170 100644 ') ###################################### -@@ -754,3 +854,101 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -21498,11 +21521,34 @@ index fe0c682..da12170 100644 + + allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; +') ++ ++######################################## ++## ++## Execute sshd server in the sshd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ssh_systemctl',` ++ gen_require(` ++ type sshd_t; ++ type sshd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 sshd_unit_file_t:file manage_file_perms; ++ allow $1 sshd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sshd_t) ++') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..3540387 100644 +index 5fc0391..b87b076 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3) +@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) # ## @@ -21552,25 +21598,27 @@ index 5fc0391..3540387 100644 ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) -+ + +-type sshd_key_t; +-files_type(sshd_key_t) +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) - type sshd_key_t; - files_type(sshd_key_t) - -type sshd_tmp_t; -files_tmp_file(sshd_tmp_t) -files_poly_parent(sshd_tmp_t) -- ++type sshd_unit_file_t; ++systemd_unit_file(sshd_unit_file_t) + -ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) -') -- ++type sshd_key_t; ++files_type(sshd_key_t) + type ssh_t; type ssh_exec_t; - typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; -@@ -73,6 +81,11 @@ type ssh_home_t; +@@ -73,6 +84,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) 
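Review bot: The header comment on the new `ssh_systemctl` interface in ssh.if says "Execute sshd server in the sshd domain" and documents its parameter as "Domain allowed to transition", but the body only lets the caller run systemctl and act on the sshd unit. The summary should read something like `Execute systemctl to control the sshd service`, with the parameter described as `Domain allowed access`. Separately, `allow $1 sshd_unit_file_t:file manage_file_perms;` lets every caller create, rewrite and delete sshd's unit files, which is more than starting or stopping the service needs. If callers only have to control the service, `allow $1 sshd_unit_file_t:file read_file_perms;` is sufficient alongside the existing `manage_service_perms` rule. The only caller visible in this commit is realmd_t.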
@@ -21582,7 +21630,7 @@ index 5fc0391..3540387 100644 ############################## # -@@ -83,6 +96,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +99,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -21590,7 +21638,7 @@ index 5fc0391..3540387 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -90,15 +104,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +107,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -21607,7 +21655,7 @@ index 5fc0391..3540387 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +117,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +120,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -21652,7 +21700,7 @@ index 5fc0391..3540387 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +172,42 @@ logging_read_generic_logs(ssh_t) +@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) @@ -21714,7 +21762,7 @@ index 5fc0391..3540387 100644 ') optional_policy(` -@@ -195,6 +215,7 @@ optional_policy(` +@@ -195,6 +218,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') 
@@ -21722,7 +21770,7 @@ index 5fc0391..3540387 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +227,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -21730,7 +21778,7 @@ index 5fc0391..3540387 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +245,50 @@ optional_policy(` +@@ -223,33 +248,50 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -21790,7 +21838,7 @@ index 5fc0391..3540387 100644 ') optional_policy(` -@@ -257,11 +296,24 @@ optional_policy(` +@@ -257,11 +299,24 @@ optional_policy(` ') optional_policy(` @@ -21816,7 +21864,7 @@ index 5fc0391..3540387 100644 ') optional_policy(` -@@ -269,6 +321,10 @@ optional_policy(` +@@ -269,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -21827,7 +21875,7 @@ index 5fc0391..3540387 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +335,69 @@ optional_policy(` +@@ -279,13 +338,69 @@ optional_policy(` ') optional_policy(` @@ -21897,7 +21945,7 @@ index 5fc0391..3540387 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +406,26 @@ optional_policy(` +@@ -294,19 +409,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -21925,7 +21973,7 @@ index 5fc0391..3540387 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +442,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +445,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) 
@@ -21938,7 +21986,7 @@ index 5fc0391..3540387 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +456,138 @@ optional_policy(` +@@ -331,3 +459,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -22234,7 +22282,7 @@ index d1f64a0..3be3d00 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..ab37b7e 100644 +index 6bf0ecc..f0080ba 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -23102,7 +23150,7 @@ index 6bf0ecc..ab37b7e 100644 + type xdm_t; + ') + -+ dontaudit $1 xdm_t:unix_stream_socket { ioctl read write }; ++ dontaudit $1 xdm_t:unix_stream_socket { getattr ioctl read write }; +') + +######################################## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3f17fd2..366b5d3 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1714,10 +1714,10 @@ index 0000000..a95a4ad +') + diff --git a/alsa.fc b/alsa.fc -index 5de1e01..3aa9abb 100644 +index 5de1e01..e5ab7ff 100644 --- a/alsa.fc +++ b/alsa.fc -@@ -19,4 +19,6 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) +@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) @@ -1725,6 +1725,8 @@ index 5de1e01..3aa9abb 100644 +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) + +/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0) ++ ++/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0) diff --git a/alsa.if b/alsa.if index 708b743..c2edd9a 100644 --- a/alsa.if 
@@ -1817,10 +1819,16 @@ index 708b743..c2edd9a 100644 + ps_process_pattern($1, alsa_t) +') diff --git a/alsa.te b/alsa.te -index cda6d20..32d74d1 100644 +index cda6d20..89f2161 100644 --- a/alsa.te +++ b/alsa.te -@@ -24,6 +24,9 @@ files_type(alsa_var_lib_t) +@@ -21,9 +21,15 @@ files_tmp_file(alsa_tmp_t) + type alsa_var_lib_t; + files_type(alsa_var_lib_t) + ++type alsa_var_run_t; ++files_pid_file(alsa_var_run_t) ++ type alsa_home_t; userdom_user_home_content(alsa_home_t) @@ -1830,15 +1838,27 @@ index cda6d20..32d74d1 100644 ######################################## # # Local policy -@@ -31,6 +34,7 @@ userdom_user_home_content(alsa_home_t) +@@ -31,6 +37,7 @@ userdom_user_home_content(alsa_home_t) allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; dontaudit alsa_t self:capability sys_admin; -+allow alsa_t self:process signal_perms; ++allow alsa_t self:process { getsched setsched signal_perms }; allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; -@@ -59,7 +63,6 @@ dev_read_sound(alsa_t) +@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) + manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + ++manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir }) ++ + kernel_read_system_state(alsa_t) + + corecmd_exec_bin(alsa_t) +@@ -59,7 +71,6 @@ dev_read_sound(alsa_t) dev_read_sysfs(alsa_t) dev_write_sound(alsa_t) @@ -1846,7 +1866,7 @@ index cda6d20..32d74d1 100644 files_search_var_lib(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -72,8 +75,6 @@ init_use_fds(alsa_t) +@@ -72,8 +83,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) 
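Review bot: The pid-file rules added for alsa_t in alsa.te grant more than the new label covers. alsa.fc in this commit labels a single regular file, `/var/run/alsactl\.pid`, yet the policy adds `manage_dirs_pattern`, `manage_lnk_files_pattern` and a `files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })` transition. If alsactl only writes that one pid file, `manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)` plus `files_pid_filetrans(alsa_t, alsa_var_run_t, file)` would be enough. Otherwise a comment naming the directory or symlink it creates under /var/run would justify the wider rules.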
@@ -50403,7 +50423,7 @@ index 43d50f9..7f77d32 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 96db654..d23cd25 100644 +index 96db654..ff3aadd 100644 --- a/pcscd.te +++ b/pcscd.te @@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") @@ -50443,6 +50463,14 @@ index 96db654..d23cd25 100644 sysnet_dns_name_resolve(pcscd_t) optional_policy(` +@@ -85,3 +82,7 @@ optional_policy(` + optional_policy(` + udev_read_db(pcscd_t) + ') ++ ++optional_policy(` ++ virt_rw_svirt_dev(pcscd_t) ++') diff --git a/pegasus.fc b/pegasus.fc index dfd46e4..9515043 100644 --- a/pegasus.fc @@ -63626,14 +63654,16 @@ index f1512d6..93f1ee6 100644 userdom_dontaudit_search_user_home_dirs(readahead_t) diff --git a/realmd.fc b/realmd.fc -index 04babe3..02a1f34 100644 +index 04babe3..3b92679 100644 --- a/realmd.fc +++ b/realmd.fc -@@ -1 +1,3 @@ +@@ -1 +1,5 @@ -/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) +/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) + +/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0) ++ ++/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0) diff --git a/realmd.if b/realmd.if index bff31df..e38693b 100644 --- a/realmd.if @@ -63651,7 +63681,7 @@ index bff31df..e38693b 100644 ## ## diff --git a/realmd.te b/realmd.te -index 9a8f052..cffb3ca 100644 +index 9a8f052..1d63c74 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ @@ -63660,7 +63690,7 @@ index 9a8f052..cffb3ca 100644 ######################################## # -@@ -7,29 +7,38 @@ policy_module(realmd, 1.0.2) +@@ -7,43 +7,78 @@ policy_module(realmd, 1.0.2) type realmd_t; type realmd_exec_t; @@ -63673,6 +63703,9 @@ index 9a8f052..cffb3ca 100644 + +type realmd_var_cache_t; +files_type(realmd_var_cache_t) ++ ++type realmd_var_lib_t; ++files_type(realmd_var_lib_t) ######################################## # 
@@ -63680,9 +63713,12 @@ index 9a8f052..cffb3ca 100644 +# realmd local policy # - allow realmd_t self:capability sys_nice; +-allow realmd_t self:capability sys_nice; ++allow realmd_t self:capability { sys_nice }; ++allow realmd_t self:capability2 block_suspend; allow realmd_t self:process setsched; - ++allow realmd_t self:key manage_key_perms; ++ +manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) +manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) +files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file }) @@ -63690,7 +63726,12 @@ index 9a8f052..cffb3ca 100644 +manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) +manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) + ++manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) ++manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) ++files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir) + kernel_read_system_state(realmd_t) ++kernel_read_network_state(realmd_t) corecmd_exec_bin(realmd_t) corecmd_exec_shell(realmd_t) @@ -63708,16 +63749,25 @@ index 9a8f052..cffb3ca 100644 domain_use_interactive_fds(realmd_t) -@@ -38,12 +47,20 @@ dev_read_urand(realmd_t) + dev_read_rand(realmd_t) + dev_read_urand(realmd_t) - fs_getattr_all_fs(realmd_t) +-fs_getattr_all_fs(realmd_t) ++files_manage_etc_files(realmd_t) -files_read_usr_files(realmd_t) -- ++fs_getattr_all_fs(realmd_t) + auth_use_nsswitch(realmd_t) ++logging_manage_generic_logs(realmd_t) logging_send_syslog_msg(realmd_t) ++miscfiles_manage_generic_cert_files(realmd_t) ++ ++seutil_domtrans_setfiles(realmd_t) ++seutil_read_file_contexts(realmd_t) ++ +sysnet_dns_name_resolve(realmd_t) +systemd_exec_systemctl(realmd_t) + 
@@ -63731,7 +63781,22 @@ index 9a8f052..cffb3ca 100644 optional_policy(` dbus_system_domain(realmd_t, realmd_exec_t) -@@ -67,17 +84,25 @@ optional_policy(` +@@ -63,21 +98,40 @@ optional_policy(` + optional_policy(` + kerberos_use(realmd_t) + kerberos_rw_keytab(realmd_t) ++ kerberos_rw_config(realmd_t) ++ kerberos_filetrans_named_content(realmd_t) ++') ++ ++optional_policy(` ++ ntp_domtrans_ntpdate(realmd_t) ++') ++ ++optional_policy(` ++ ssh_domtrans(realmd_t) ++ ssh_systemctl(realmd_t) + ') optional_policy(` nis_exec_ypbind(realmd_t) @@ -63760,7 +63825,7 @@ index 9a8f052..cffb3ca 100644 ') optional_policy(` -@@ -86,5 +111,26 @@ optional_policy(` +@@ -86,5 +140,27 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) @@ -63772,12 +63837,15 @@ index 9a8f052..cffb3ca 100644 + xserver_read_state_xdm(realmd_t) +') + ++optional_policy(` ++ unconfined_domain(realmd_t) ++') ++ +##################################### +# +# realmd consolehelper local policy +# + -+ +optional_policy(` + userhelper_console_role_template(realmd, system_r, realmd_t) + authconfig_manage_lib_files(realmd_consolehelper_t) @@ -63786,8 +63854,6 @@ index 9a8f052..cffb3ca 100644 + + unconfined_domain_noaudit(realmd_consolehelper_t) ') -+ -+ diff --git a/remotelogin.fc b/remotelogin.fc index 327baf0..d8691bd 100644 --- a/remotelogin.fc @@ -72337,10 +72403,10 @@ index 0000000..577dfa7 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..3fc69d5 +index 0000000..b12aada --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,62 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; @@ -72400,12 +72466,9 @@ index 0000000..3fc69d5 + +fs_dontaudit_getattr_all_fs(sandbox_domain) + -+ -+userdom_dontaudit_use_user_terminals(sandbox_domain) ++userdom_use_inherited_user_terminals(sandbox_domain) + +mta_dontaudit_read_spool_symlinks(sandbox_domain) -+ -+ 
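Review bot: `unconfined_domain(realmd_t)` in the realmd.te hunk removes confinement from a daemon that the same file registers on the system bus (`dbus_system_domain(realmd_t, realmd_exec_t)`), and it has no comment explaining why. Once it applies, the specific grants this commit adds for realmd_t no longer bound what the domain can do. Those include `files_manage_etc_files`, `logging_manage_generic_logs`, `miscfiles_manage_generic_cert_files`, `seutil_domtrans_setfiles`, `ssh_domtrans` and `ntp_domtrans_ntpdate`. At minimum the block should carry a comment such as `# realmd runs the ipa client tooling, which cannot be confined yet; revisit and drop unconfined_domain once it has its own domain`. If only the ipa helper needs the broad access, moving that helper into a separate domain would likely let realmd_t itself stay confined, though this diff does not show how the helper is invoked.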
diff --git a/sandboxX.fc b/sandboxX.fc new file mode 100644 index 0000000..6caef63 @@ -72813,7 +72876,7 @@ index 0000000..1b21b7b +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..5a3d049 +index 0000000..81198c3 --- /dev/null +++ b/sandboxX.te @@ -0,0 +1,463 @@ @@ -73062,7 +73125,7 @@ index 0000000..5a3d049 + udev_read_db(sandbox_x_domain) +') + -+userdom_dontaudit_use_user_terminals(sandbox_x_domain) ++userdom_use_inherited_user_terminals(sandbox_x_domain) +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) +userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain) @@ -84742,7 +84805,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..fa2c674 100644 +index 9dec06c..a202ead 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -86162,7 +86225,7 @@ index 9dec06c..fa2c674 100644 ## ## ## -@@ -1091,95 +961,150 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +961,168 @@ interface(`virt_manage_virt_cache',` ## ## # 
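Review bot: Replacing `userdom_dontaudit_use_user_terminals` with `userdom_use_inherited_user_terminals` for `sandbox_domain` (sandbox.te) and `sandbox_x_domain` (sandboxX.te) turns a silent denial into a grant, and neither line records that trade-off. Sandboxed code is treated as untrusted, and a process that shares its launcher's tty can read and write that terminal. Which terminal ioctls the interface's permission set includes is not visible in this diff, so check that before relying on the sandbox for isolation from the calling shell. A comment on both lines would help, for example `# needed for stdin/stdout on the caller's tty; the sandbox shares the terminal with its launcher`. If only output is required, a narrower interface would keep the exposure smaller.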
@@ -86361,16 +86424,34 @@ index 9dec06c..fa2c674 100644 + gen_require(` + attribute svirt_lxc_domain; + ') - -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) ++ + allow $1 svirt_lxc_domain:process transition; + role $2 types svirt_lxc_domain; + allow $1 svirt_lxc_domain:unix_dgram_socket sendto; ++ ++ allow svirt_lxc_domain $1:process sigchld; ++') + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_rw_svirt_dev',` ++ gen_require(` ++ type svirt_image_t; ++ ') - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; -+ allow svirt_lxc_domain $1:process sigchld; ++ allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te index 1f22fba..f42e134 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index a27233b..b2df46e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 31%{?dist} +Release: 32%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Apr 17 2013 Miroslav Grepl 3.12.1-32 +- Allow realmd to run ipa, really needs to be an unconfined_domain +- Allow sandbox domains to use inherted terminals +- Allow pscd to use devices labeled svirt_image_t in order to use cat cards. +- Add label for new alsa pid +- Alsa now uses a pid file and needs to setsched +- Fix oracleasmfs_t definition +- Add support for sshd_unit_file_t +- Add oracleasmfs_t +- Allow unlabeled_t files to be stored on unlabeled_t filesystems + * Tue Apr 16 2013 Miroslav Grepl 3.12.1-31 - Fix description of deny_ptrace boolean - Remove allow for execmod lib_t for now
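Review bot: `allow $1 svirt_image_t:chr_file rw_file_perms;` in the new `virt_rw_svirt_dev` interface applies the regular-file permission set to the chr_file class. Other character-device rules visible in this patch use class-specific sets (`rw_inherited_chr_file_perms`, `rw_term_perms`), so `allow $1 svirt_image_t:chr_file rw_chr_file_perms;` would be consistent with them. The grant is also type-wide: the only caller in this commit is pcscd_t, which gets read/write on every character device labeled svirt_image_t, a label normally applied to resources handed to a guest. A comment in the interface or at the pcscd.te call site naming the card-reader device pcscd needs would let a later reviewer judge whether that breadth is intended.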