From 74d6c017e6c38c3e2e7488f598238035fa5de1f3 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 05 2014 08:55:49 +0000 Subject: - Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask - Add sysnet_filetrans_named_content_ifconfig() interface - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow kerberos keytab domains to manage sssd/userdomain keys" - Allow to run ip cmd in neutron_t domain --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 20d3191..ce89934 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -39073,7 +39073,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..86c7a82 100644 +index 6944526..da5588b 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39360,7 +39360,7 @@ index 6944526..86c7a82 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +919,76 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +919,94 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') 
@@ -39437,6 +39437,24 @@ index 6944526..86c7a82 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_filetrans_named_content_ifconfig',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index b7686d5..28f16ce 100644 --- a/policy/modules/system/sysnetwork.te @@ -41319,7 +41337,7 @@ index 0000000..8bca1d7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..435ce0f +index 0000000..976116e --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,634 @@ @@ -41569,7 +41587,7 @@ index 0000000..435ce0f +logging_send_syslog_msg(systemd_passwd_agent_t) + +userdom_use_user_ptys(systemd_passwd_agent_t) -+userdom_use_inherited_user_ttys(systemd_passwd_agent_t) ++userdom_use_user_ttys(systemd_passwd_agent_t) + +optional_policy(` + lvm_signull(systemd_passwd_agent_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index eb48e3c..16af07d 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -17676,7 +17676,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..d95f222 100644 +index 6ce66e7..7725178 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
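Review bot: The switch from userdom_use_inherited_user_ttys to userdom_use_user_ttys for systemd_passwd_agent_t in the systemd.te hunk (@@ -41569) widens the domain from using tty descriptors it inherits to opening user ttys on its own, and nothing in the hunk records why that wider access is needed. The subject line suggests this is for systemd-tty-ask-password-agent, which presumably opens the tty itself to prompt for a password; a one-line comment next to the rule would keep the next reviewer from narrowing it back, e.g. `# the tty-ask-password agent opens the user's tty itself, inherited fds are not enough`. The enclosing systemd_passwd_agent_t section starts outside the hunk.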
@@ -17723,7 +17723,7 @@ index 6ce66e7..d95f222 100644 files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) kernel_read_network_state(ctdbd_t) -@@ -72,9 +84,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -17732,10 +17732,11 @@ index 6ce66e7..d95f222 100644 corenet_sendrecv_ctdb_server_packets(ctdbd_t) corenet_tcp_bind_ctdb_port(ctdbd_t) +corenet_udp_bind_ctdb_port(ctdbd_t) ++corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +99,14 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -17752,7 +17753,7 @@ index 6ce66e7..d95f222 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +125,7 @@ optional_policy(` +@@ -109,6 +126,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -36039,7 +36040,7 @@ index f9de9fc..11504e6 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 3465a9a..2b1dc23 100644 +index 3465a9a..c37f70b 100644 --- a/kerberos.te +++ b/kerberos.te @@ -1,4 +1,4 @@ @@ -36370,7 +36371,7 @@ index 3465a9a..2b1dc23 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +343,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,28 +343,34 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) 
@@ -36398,6 +36399,20 @@ index 3465a9a..2b1dc23 100644 seutil_read_file_contexts(kpropd_t) sysnet_dns_name_resolve(kpropd_t) + + kerberos_use(kpropd_t) ++ ++ ++######################################## ++# ++# kerberos keytab domain local policy ++# ++ ++userdom_manage_all_users_keys(kerberos_keytab_domain) ++ ++optional_policy(` ++ sssd_manage_keys(kerberos_keytab_domain) ++') diff --git a/kerneloops.if b/kerneloops.if index 714448f..fa0c994 100644 --- a/kerneloops.if @@ -72081,10 +72096,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..2cd8df3 100644 +index 769d1fd..ec4b05c 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,123 @@ +@@ -1,96 +1,125 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -72140,6 +72155,7 @@ index 769d1fd..2cd8df3 100644 +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; +allow neutron_t self:unix_stream_socket { accept listen }; ++allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; + +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) @@ -72219,6 +72235,7 @@ index 769d1fd..2cd8df3 100644 -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) +sysnet_exec_ifconfig(neutron_t) ++sysnet_filetrans_named_content_ifconfig(neutron_t) -miscfiles_read_localization(quantum_t) +optional_policy(` @@ -83030,7 +83047,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..3ac0bb1 100644 +index 57c034b..f56760b 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -83611,7 +83628,7 @@ index 57c034b..3ac0bb1 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -493,9 +499,33 @@ optional_policy(` +@@ -493,9 +499,36 @@ optional_policy(` udev_read_db(smbd_t) ') 
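Review bot: `userdom_manage_all_users_keys(kerberos_keytab_domain)` gives every domain carrying the kerberos_keytab_domain attribute full manage_key_perms on the keyrings of all user domains, and the optional sssd_manage_keys call extends the same to sssd_t keys, yet the new "kerberos keytab domain local policy" block carries no comment stating what the keytab domains actually do with those keyrings. If the underlying denials only need lookup-style access (read/search/link, as a keyring-backed credential cache lookup would presumably need), a rule limited to those permissions would bound the grant considerably; if write/setattr are really required, say so. Suggested comment under the block header: `# keytab domains need access to credential caches kept in user and sssd keyrings; this covers all user domains`. The attribute's member domains are defined elsewhere in kerberos.te, outside this hunk.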
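Review bot: `sysnet_filetrans_named_content_ifconfig(neutron_t)` in the quantum.te hunk (@@ -72219) only installs the type_transition to ifconfig_var_run_t for a directory named `netns` under /run (its body is the single files_pid_filetrans call in the sysnetwork.if hunk of policy-f20-base.patch); it does not grant neutron_t create or manage permissions on ifconfig_var_run_t directories. Since neutron runs ip without a domain transition here (sysnet_exec_ifconfig rather than sysnet_domtrans_ifconfig), the creation of /run/netns will presumably still be denied unless neutron_t already holds such rights elsewhere in quantum.te, which this hunk does not show. A rule granting manage on ifconfig_var_run_t dirs next to the new call, via an existing sysnetwork interface or a local rule with the type required, would close that gap; the neutron_t section continues outside the hunk.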
@@ -83634,9 +83651,12 @@ index 57c034b..3ac0bb1 100644 + allow nmbd_t self:capability { dac_read_search dac_override }; + fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) ++ files_manage_non_security_dirs(smbd_t) + fs_manage_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) ++ files_manage_non_security_dirs(nmbd_t) +') ++ +userdom_filetrans_home_content(nmbd_t) + ######################################## @@ -83646,7 +83666,7 @@ index 57c034b..3ac0bb1 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +536,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +539,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -83661,7 +83681,7 @@ index 57c034b..3ac0bb1 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +552,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -83685,7 +83705,7 @@ index 57c034b..3ac0bb1 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +569,42 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +572,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -83752,7 +83772,7 @@ index 57c034b..3ac0bb1 100644 ') optional_policy(` -@@ -600,19 +617,26 @@ optional_policy(` +@@ -600,19 +620,26 @@ optional_policy(` ######################################## # 
@@ -83784,7 +83804,7 @@ index 57c034b..3ac0bb1 100644 samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -620,16 +644,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -83802,7 +83822,7 @@ index 57c034b..3ac0bb1 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +657,23 @@ optional_policy(` +@@ -637,22 +660,23 @@ optional_policy(` ######################################## # @@ -83834,7 +83854,7 @@ index 57c034b..3ac0bb1 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +682,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -83870,7 +83890,7 @@ index 57c034b..3ac0bb1 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +709,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +712,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -83962,7 +83982,7 @@ index 57c034b..3ac0bb1 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +788,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -83986,7 +84006,7 @@ index 57c034b..3ac0bb1 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +802,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +805,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -84029,7 +84049,7 @@ index 57c034b..3ac0bb1 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +832,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +835,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -84043,7 +84063,7 @@ index 57c034b..3ac0bb1 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +856,19 @@ optional_policy(` +@@ -834,16 +859,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; @@ -84067,7 +84087,7 @@ index 57c034b..3ac0bb1 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +878,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -84078,7 +84098,7 @@ index 57c034b..3ac0bb1 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +889,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -84108,7 +84128,7 @@ index 57c034b..3ac0bb1 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +912,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +915,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -84129,7 +84149,7 @@ index 57c034b..3ac0bb1 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +930,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -84140,7 +84160,7 @@ index 57c034b..3ac0bb1 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +938,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +941,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -84182,7 +84202,7 @@ index 57c034b..3ac0bb1 100644 ') optional_policy(` -@@ -952,31 +986,29 @@ optional_policy(` +@@ -952,31 +989,29 @@ optional_policy(` # Winbind helper local policy # @@ -84220,7 +84240,7 @@ index 57c034b..3ac0bb1 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1022,38 @@ optional_policy(` +@@ -990,25 +1025,38 @@ optional_policy(` ######################################## # @@ -91605,7 +91625,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..16a04bf 100644 +index a240455..3dd6f00 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -91899,7 +91919,7 @@ index a240455..16a04bf 100644 ## ## ## -@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',` +@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',` ######################################## ## 
@@ -91924,12 +91944,31 @@ index a240455..16a04bf 100644 + +######################################## +## ++## Manage keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_keys',` ++ gen_require(` ++ type sssd_t; ++ ') ++ ++ allow $1 sssd_t:key manage_key_perms; ++ allow sssd_t $1:key manage_key_perms; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an sssd environment ## ## ## -@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -91938,7 +91977,7 @@ index a240455..16a04bf 100644 ## ## ## -@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -92800,10 +92839,10 @@ index 0000000..df82c36 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..c7b2bf6 +index 0000000..7bef550 --- /dev/null +++ b/swift.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,80 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -92815,6 +92854,9 @@ index 0000000..c7b2bf6 +type swift_exec_t; +init_daemon_domain(swift_t, swift_exec_t) + ++type swift_tmp_t; ++files_tmpfs_file(swift_tmp_t) ++ +type swift_var_cache_t; +files_type(swift_var_cache_t) + @@ -92839,6 +92881,10 @@ index 0000000..c7b2bf6 +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t) ++manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t) ++files_tmp_filetrans(swift_t, swift_tmp_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) 
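Review bot: The summary `Manage keys for all user domains.` does not describe what sssd_manage_keys grants: the first allow lets the caller manage sssd_t keys, and the second, `allow sssd_t $1:key manage_key_perms;`, also gives sssd_t manage_key_perms on the caller's keys, so the interface is bidirectional while its name reads as one-way. Callers such as kerberos_keytab_domain in the kerberos.te hunk thereby expose their own keyrings to sssd_t; if that reverse rule is intended it should be documented, otherwise it should be dropped. Suggested summary: `## Allow the specified domain and sssd to manage each other's keys.`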
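Review bot: swift_tmp_t is declared with `files_tmpfs_file(swift_tmp_t)` in the swift.te hunk at @@ -92815, but the next hunk (@@ -92839) uses it as the /tmp content type via `files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })`; the rest of this patch declares such types with files_tmp_file (compare `files_tmp_file(ctdbd_tmp_t)` in the ctdb.te hunk). With the tmpfs attribute instead of the tmp one, rules written against generic tmp content (tmp purging and similar) would presumably not cover swift_tmp_t, and nothing in the hunk suggests swift writes to a tmpfs mount. The declaration should read `files_tmp_file(swift_tmp_t)`.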
@@ -92873,6 +92919,10 @@ index 0000000..c7b2bf6 +logging_send_syslog_msg(swift_t) + +userdom_dontaudit_search_user_home_dirs(swift_t) ++ ++optional_policy(` ++ rpm_exec(swift_t) ++') diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 index 0000000..b7db254 diff --git a/selinux-policy.spec b/selinux-policy.spec index 730debe..ba5fbc1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 129%{?dist} +Release: 130%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 5 2014 Miroslav Grepl 3.12.1-130 +- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask +- Add sysnet_filetrans_named_content_ifconfig() interface +- Allow ctdbd to connect own ports +- Fix samba_export_all_rw booleanto cover also non security dirs +- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs +- Allow neutron to create /run/netns with correct labeling +- Allow kerberos keytab domains to manage sssd/userdomain keys" +- Allow to run ip cmd in neutron_t domain + * Mon Mar 3 2014 Miroslav Grepl 3.12.1-129 - Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service