From 8de36f734186e833ae692891923289559f36a58a Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 11 2011 13:24:42 +0000 Subject: - Allow hostname read network state - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Fix syslog port definition - Allow openvpn to set its process priority when the nice parameter is used - Restorecond should be able to watch and relabel devices in /dev - Alow hddtemp to perform DNS name resolution --- diff --git a/policy-F15.patch b/policy-F15.patch index a703605..8777a5f 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -3049,10 +3049,10 @@ index 0000000..e921f24 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..9f6478c +index 0000000..22ddda5 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,117 @@ +@@ -0,0 +1,124 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3167,6 +3167,13 @@ index 0000000..9f6478c + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') + ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(chrome_sandbox_t) ++ fs_read_fusefs_files(chrome_sandbox_t) ++ fs_exec_fusefs_files(chrome_sandbox_t) ++ fs_read_fusefs_symlinks(chrome_sandbox_t) ++') ++ +optional_policy(` + sandbox_use_ptys(chrome_sandbox_t) +') @@ -11374,7 +11381,7 @@ index 5a07a43..096bc60 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..7652d34 100644 +index 0757523..a14fd0f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; 
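Review bot: `fs_exec_fusefs_files(chrome_sandbox_t)` is the only non-read grant in the new `use_fusefs_home_dirs` block, and like its three siblings it covers every file on every FUSE mount rather than home directories specifically, so with the boolean on the setuid sandbox helper may execute user-writable FUSE content. If exec is there because the browser binary itself can live under a FUSE-backed home, a why-comment would keep the next reviewer from trimming it: `# exec: the chrome binary may itself reside under a FUSE-backed home dir`. If not, the search/read/symlink rules alone match the boolean's stated purpose. chrome.te is a new file whose remainder lies outside this hunk.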
@@ -11465,7 +11472,7 @@ index 0757523..7652d34 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -112,7 +137,7 @@ network_port(hddtemp, tcp,7634,s0) +@@ -112,11 +137,12 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port @@ -11474,7 +11481,12 @@ index 0757523..7652d34 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -126,43 +151,59 @@ network_port(iscsi, tcp,3260,s0) + network_port(innd, tcp,119,s0) ++network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) + network_port(ipmi, udp,623,s0, udp,664,s0) + network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) + network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) +@@ -126,43 +152,59 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) 
@@ -11540,7 +11552,7 @@ index 0757523..7652d34 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,24 +218,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,25 +219,30 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -11570,11 +11582,13 @@ index 0757523..7652d34 100644 +network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0) type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) +-network_port(syslogd, udp,514,s0) +network_port(sype, tcp,9911,s0, udp,9911,s0) - network_port(syslogd, udp,514,s0) ++network_port(syslogd, udp,514,s0, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,20 +251,22 @@ network_port(transproxy, tcp,8081,s0) + network_port(tftp, udp,69,s0) +@@ -205,20 +252,22 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -11600,7 +11614,7 @@ index 0757523..7652d34 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -272,9 +320,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -272,9 +321,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -30323,10 +30337,10 @@ index 87b4531..db2d189 100644 + files_list_etc($1) ') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te -index c234b32..6620169 100644 +index c234b32..32f1b6d 100644 --- a/policy/modules/services/hddtemp.te 
+++ b/policy/modules/services/hddtemp.te -@@ -42,8 +42,8 @@ files_search_etc(hddtemp_t) +@@ -42,8 +42,12 @@ files_search_etc(hddtemp_t) files_read_usr_files(hddtemp_t) storage_raw_read_fixed_disk(hddtemp_t) @@ -30335,7 +30349,10 @@ index c234b32..6620169 100644 logging_send_syslog_msg(hddtemp_t) miscfiles_read_localization(hddtemp_t) -- + ++optional_policy(` ++ sysnet_dns_name_resolve(hddtemp_t) ++') diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if index ecab47a..40affd8 100644 --- a/policy/modules/services/icecast.if @@ -34776,6 +34793,19 @@ index 0a0d63c..91de41a 100644 ######################################## # # MySQL Manager Policy +diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc +index 1fc9905..e4dfb48 100644 +--- a/policy/modules/services/nagios.fc ++++ b/policy/modules/services/nagios.fc +@@ -34,6 +34,8 @@ ifdef(`distro_debian',` + # mail plugins + /usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) + ++/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++ + # system plugins + /usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if index 8581040..2367841 100644 --- a/policy/modules/services/nagios.if @@ -34868,18 +34898,34 @@ index 8581040..2367841 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..8a9789c 100644 +index bf64a4c..eecaf7c 100644 --- a/policy/modules/services/nagios.te 
+++ b/policy/modules/services/nagios.te -@@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) +@@ -27,6 +27,9 @@ files_pid_file(nagios_var_run_t) + type nagios_spool_t; + files_type(nagios_spool_t) ++type nagios_var_lib_t; ++files_type(nagios_var_lib_t) ++ + nagios_plugin_template(admin) + nagios_plugin_template(checkdisk) + nagios_plugin_template(mail) +@@ -77,8 +80,13 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) + manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) + files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) + ++manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) ++manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) ++files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir }) ++ kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) +kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) -@@ -107,13 +108,11 @@ files_read_etc_files(nagios_t) +@@ -107,13 +115,11 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) files_search_spool(nagios_t) @@ -34894,7 +34940,7 @@ index bf64a4c..8a9789c 100644 auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -124,10 +123,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) +@@ -124,10 +130,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) @@ -34907,7 +34953,7 @@ index bf64a4c..8a9789c 100644 netutils_kill_ping(nagios_t) ') -@@ -143,6 +142,7 @@ optional_policy(` +@@ -143,6 +149,7 @@ optional_policy(` # # Nagios CGI local policy # 
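Review bot: `files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })` declares a directory transition, but the two pattern rules above it (`manage_files_pattern`, `manage_fifo_files_pattern`) only give nagios_t rw_dir_perms on existing nagios_var_lib_t directories, not `create` for new ones, so the `dir` half of that transition can never succeed; add `manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)` beside them. Separately, the nagios.fc hunk earlier in this section labels `/usr/lib/pnp4nagios(/.*)?` with this writable type; if that tree holds the pnp4nagios scripts as well as its data, nagios_t gains write and unlink on code under /usr/lib, so labeling only the data subtree would be tighter (the package layout is not visible from here). The nagios_t local-policy block continues outside the hunk.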
@@ -34915,7 +34961,7 @@ index bf64a4c..8a9789c 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -180,11 +180,13 @@ optional_policy(` +@@ -180,11 +187,13 @@ optional_policy(` # allow nrpe_t self:capability { setuid setgid }; @@ -34930,7 +34976,7 @@ index bf64a4c..8a9789c 100644 domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) -@@ -201,7 +203,8 @@ corecmd_exec_shell(nrpe_t) +@@ -201,7 +210,8 @@ corecmd_exec_shell(nrpe_t) corenet_tcp_bind_generic_node(nrpe_t) corenet_tcp_bind_inetd_child_port(nrpe_t) @@ -34940,7 +34986,7 @@ index bf64a4c..8a9789c 100644 dev_read_sysfs(nrpe_t) dev_read_urand(nrpe_t) -@@ -211,6 +214,7 @@ domain_read_all_domains_state(nrpe_t) +@@ -211,6 +221,7 @@ domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) files_read_etc_files(nrpe_t) @@ -34948,7 +34994,7 @@ index bf64a4c..8a9789c 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -270,12 +274,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -270,12 +281,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -34961,7 +35007,7 @@ index bf64a4c..8a9789c 100644 kernel_read_kernel_sysctls(nagios_mail_plugin_t) corecmd_read_bin_files(nagios_mail_plugin_t) -@@ -299,7 +301,7 @@ optional_policy(` +@@ -299,7 +308,7 @@ optional_policy(` optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) @@ -34970,7 +35016,7 @@ index bf64a4c..8a9789c 100644 ') ###################################### -@@ -310,6 +312,9 @@ optional_policy(` +@@ -310,6 +319,9 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; 
@@ -34980,7 +35026,7 @@ index bf64a4c..8a9789c 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,7 +335,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; @@ -34988,7 +35034,7 @@ index bf64a4c..8a9789c 100644 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; -@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -340,6 +351,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -34997,7 +35043,7 @@ index bf64a4c..8a9789c 100644 ') optional_policy(` -@@ -363,7 +369,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -36107,7 +36153,7 @@ index 9d0a67b..9197ef0 100644 # interface(`openct_domtrans',` diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..e41ff47 100644 +index 8b550f4..37e15bb 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) 
@@ -36133,9 +36179,14 @@ index 8b550f4..e41ff47 100644 type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -43,12 +46,11 @@ files_pid_file(openvpn_var_run_t) - allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; - allow openvpn_t self:process { signal getsched }; +@@ -40,15 +43,14 @@ files_pid_file(openvpn_var_run_t) + # openvpn local policy + # + +-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; +-allow openvpn_t self:process { signal getsched }; ++allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; ++allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; - allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -41301,7 +41352,7 @@ index de37806..229a3c7 100644 + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te -index 93c896a..11e586f 100644 +index 93c896a..c1e73c6 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te @@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0) @@ -41374,7 +41425,7 @@ index 93c896a..11e586f 100644 can_exec(fenced_t, fenced_exec_t) -@@ -82,8 +95,12 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -82,8 +95,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) 
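Review bot: the new `allow openvpn_t self:capability { … sys_nice }` and `self:process { signal getsched setsched }` lines carry no why-comment, and the capability is broader than the commit's stated reason suggests: `setsched` is what setpriority() on the daemon's own process needs, while `sys_nice` only comes into play when the configured nice value would raise priority (as I read the kernel's nice checks; worth confirming against the AVC that prompted this with a positive nice value). A one-line comment above the capability rule, `# sys_nice/setsched: openvpn nice option; sys_nice is only hit when priority is raised`, records that so the capability is not silently kept if it turns out unused. The rest of the openvpn_t local policy continues past this hunk.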
@@ -41383,11 +41434,12 @@ index 93c896a..11e586f 100644 corecmd_exec_bin(fenced_t) +corecmd_exec_shell(fenced_t) ++corenet_udp_bind_ionixnetmon_port(fenced_t) +corenet_tcp_bind_zented_port(fenced_t) corenet_tcp_connect_http_port(fenced_t) dev_read_sysfs(fenced_t) -@@ -105,8 +122,24 @@ tunable_policy(`fenced_can_network_connect',` +@@ -105,8 +123,24 @@ tunable_policy(`fenced_can_network_connect',` ') optional_policy(` @@ -41413,7 +41465,7 @@ index 93c896a..11e586f 100644 ') optional_policy(` -@@ -114,13 +147,37 @@ optional_policy(` +@@ -114,13 +148,37 @@ optional_policy(` lvm_read_config(fenced_t) ') @@ -41452,7 +41504,7 @@ index 93c896a..11e586f 100644 allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -139,10 +196,6 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -139,10 +197,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -41463,7 +41515,7 @@ index 93c896a..11e586f 100644 lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -154,9 +207,10 @@ optional_policy(` +@@ -154,9 +208,10 @@ optional_policy(` allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -41475,7 +41527,7 @@ index 93c896a..11e586f 100644 dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) -@@ -168,8 +222,7 @@ init_rw_script_tmp_files(groupd_t) +@@ -168,8 +223,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # @@ -41485,7 +41537,7 @@ index 93c896a..11e586f 100644 allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -199,6 +252,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) +@@ -199,6 +253,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) files_dontaudit_getattr_all_pipes(qdiskd_t) files_read_etc_files(qdiskd_t) 
@@ -41494,7 +41546,7 @@ index 93c896a..11e586f 100644 storage_raw_read_removable_device(qdiskd_t) storage_raw_write_removable_device(qdiskd_t) storage_raw_read_fixed_disk(qdiskd_t) -@@ -207,10 +262,6 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -207,10 +263,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -41505,7 +41557,7 @@ index 93c896a..11e586f 100644 netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +274,28 @@ optional_policy(` +@@ -223,18 +275,28 @@ optional_policy(` # rhcs domains common policy # @@ -46271,13 +46323,30 @@ index 0000000..71d9784 + diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if new file mode 100644 -index 0000000..83336ab +index 0000000..7647279 --- /dev/null +++ b/policy/modules/services/vdagent.if -@@ -0,0 +1,93 @@ +@@ -0,0 +1,128 @@ + +## policy for vdagent + ++##################################### ++## ++## Getattr on vdagent executable. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vdagent_getattr_exec',` ++ gen_require(` ++ type vdagent_exec_t; ++ ') ++ ++ allow $1 vdagent_exec_t:file getattr; ++') + +######################################## +## @@ -46297,6 +46366,24 @@ index 0000000..83336ab + domtrans_pattern($1, vdagent_exec_t, vdagent_t) +') + ++####################################### ++## ++## Get the attributes of vdagent logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vdagent_getattr_log',` ++ gen_require(` ++ type vdagent_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 vdagent_log_t:file getattr_file_perms; ++') + +######################################## +## @@ -51700,10 +51787,18 @@ index ede3231..6cdbda3 100644 auth_rw_login_records(getty_t) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index c310775..80e513b 100644 +index c310775..67f4c3d 100644 --- a/policy/modules/system/hostname.te 
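Review bot: the parameter summary of the new `vdagent_getattr_exec` interface says "Domain allowed to transition.", copied from the domtrans interface below it; the interface only grants getattr on vdagent_exec_t, so it should read `## Domain allowed access.` as the new `vdagent_getattr_log` already does. The two interfaces also differ in idiom: `vdagent_getattr_exec` uses the bare `getattr` permission while `vdagent_getattr_log` uses `getattr_file_perms`; refpolicy convention is the permission-set macro in both, `allow $1 vdagent_exec_t:file getattr_file_perms;`. The rest of this new vdagent.if, including any stream-connect interface, lies outside the hunks shown.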
+++ b/policy/modules/system/hostname.te -@@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t) +@@ -21,6 +21,7 @@ allow hostname_t self:capability sys_admin; + allow hostname_t self:unix_stream_socket create_stream_socket_perms; + dontaudit hostname_t self:capability sys_tty_config; + ++kernel_read_network_state(hostname_t) + kernel_list_proc(hostname_t) + kernel_read_proc_symlinks(hostname_t) + +@@ -28,15 +29,18 @@ dev_read_sysfs(hostname_t) # Early devtmpfs, before udev relabel dev_dontaudit_rw_generic_chr_files(hostname_t) @@ -51722,7 +51817,7 @@ index c310775..80e513b 100644 fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -@@ -46,6 +49,7 @@ term_use_all_ptys(hostname_t) +@@ -46,6 +50,7 @@ term_use_all_ptys(hostname_t) init_use_fds(hostname_t) init_use_script_fds(hostname_t) init_use_script_ptys(hostname_t) @@ -54729,7 +54824,7 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..389ed25 100644 +index 9b5a9ed..9eb94a4 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -19,6 +19,11 @@ type auditd_log_t; @@ -54892,7 +54987,15 @@ index 9b5a9ed..389ed25 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -480,6 +528,10 @@ optional_policy(` +@@ -443,6 +491,7 @@ init_use_fds(syslogd_t) + + # cjp: this doesnt make sense + logging_send_syslog_msg(syslogd_t) ++logging_manage_all_logs(syslogd_t) + + miscfiles_read_localization(syslogd_t) + +@@ -480,6 +529,10 @@ optional_policy(` ') optional_policy(` @@ -54903,7 +55006,7 @@ index 9b5a9ed..389ed25 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +540,10 @@ optional_policy(` +@@ -488,6 +541,10 @@ optional_policy(` ') optional_policy(` @@ -56704,7 +56807,7 @@ index 170e2c7..e29a4eb 100644 +') +') 
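Review bot: `logging_manage_all_logs(syslogd_t)` widens syslogd_t from its own log types to everything carrying the logfile attribute, which in refpolicy includes auditd_log_t (declared with logging_log_file in this same logging.te; verify in this tree), so syslogd would be able to truncate or unlink the audit trail that is meant to stay independent of syslog. If the goal is rsyslog writing to other daemons' log files, consider gating the call behind a tunable or granting the specific log types that appeared in denials, and at least add a why-comment: `# rsyslog may be configured to write any /var/log file; note this also covers audit logs`. The syslogd_t block continues outside this hunk.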
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..df3c078 100644 +index 7ed9819..c1f4c70 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -56859,16 +56962,18 @@ index 7ed9819..df3c078 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -312,6 +337,8 @@ kernel_use_fds(restorecond_t) +@@ -312,6 +337,10 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) ++dev_relabel_all_dev_nodes(restorecond_t) ++ +files_dontaudit_read_all_symlinks(restorecond_t) + fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -335,6 +362,8 @@ miscfiles_read_localization(restorecond_t) +@@ -335,6 +364,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -56877,7 +56982,7 @@ index 7ed9819..df3c078 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -353,16 +382,19 @@ optional_policy(` +@@ -353,16 +384,19 @@ optional_policy(` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -56898,7 +57003,7 @@ index 7ed9819..df3c078 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -380,6 +412,8 @@ selinux_compute_create_context(run_init_t) +@@ -380,6 +414,8 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) 
@@ -56907,7 +57012,7 @@ index 7ed9819..df3c078 100644 auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_domtrans_upd_passwd(run_init_t) -@@ -388,6 +422,7 @@ auth_dontaudit_read_shadow(run_init_t) +@@ -388,6 +424,7 @@ auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) # for utmp init_rw_utmp(run_init_t) @@ -56915,7 +57020,7 @@ index 7ed9819..df3c078 100644 logging_send_syslog_msg(run_init_t) -@@ -405,6 +440,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -405,6 +442,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -56935,7 +57040,7 @@ index 7ed9819..df3c078 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +468,22 @@ optional_policy(` +@@ -420,61 +470,22 @@ optional_policy(` # semodule local policy # @@ -57005,7 +57110,7 @@ index 7ed9819..df3c078 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +496,72 @@ ifdef(`distro_debian',` +@@ -487,118 +498,72 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') @@ -59329,7 +59434,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..6b7f9c7 100644 +index 28b88de..dc49084 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -60394,7 +60499,7 @@ index 28b88de..6b7f9c7 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1185,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1185,89 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -60446,11 +60551,9 @@ index 28b88de..6b7f9c7 100644 + + tunable_policy(`user_setrlimit',` + allow $1_usertype self:process setrlimit; - ') - - optional_policy(` -- netutils_run_ping_cond($1_t,$1_r) -- netutils_run_traceroute_cond($1_t,$1_r) ++ ') ++ ++ optional_policy(` + cdrecord_role($1_r, $1_t) + ') + @@ -60480,35 +60583,42 @@ index 28b88de..6b7f9c7 100644 + + optional_policy(` + java_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t,$1_r) +- netutils_run_traceroute_cond($1_t,$1_r) + mono_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` ++ wine_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ postfix_run_postdrop($1_t, $1_r) ') -- # Run pppd in pppd_t by default for user + # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ wine_role_template($1, $1_r, $1_t) ++ ppp_run_cond($1_t, $1_r) ') optional_policy(` - setroubleshoot_stream_connect($1_t) -+ postfix_run_postdrop($1_t, $1_r) -+ ') -+ -+ # Run pppd in pppd_t by default for user -+ optional_policy(` -+ ppp_run_cond($1_t, $1_r) ++ vdagent_getattr_log($1_t) ++ vdagent_getattr_exec($1_t) ++ vdagent_stream_connect($1_t) ') ') -@@ -1039,7 +1297,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1303,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -60517,7 +60627,7 @@ index 28b88de..6b7f9c7 100644 ') ############################## -@@ -1066,6 +1324,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1330,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; 
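Review bot: `vdagent_stream_connect($1_t)` is called from the unprivileged user template, but the vdagent.if hunks in this commit only add `vdagent_getattr_exec` and `vdagent_getattr_log`; unless a stream-connect interface already exists in the part of vdagent.if outside the diff, every user template built from this will fail to expand, so it is worth confirming before merge. The three calls would also benefit from a short comment on why an unprivileged user needs them, e.g. `# SPICE guest agent: confined users talk to vdagentd over its socket`. The template continues past this hunk.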
@@ -60525,7 +60635,7 @@ index 28b88de..6b7f9c7 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1333,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1339,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -60535,7 +60645,7 @@ index 28b88de..6b7f9c7 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1350,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1356,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -60543,7 +60653,7 @@ index 28b88de..6b7f9c7 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1368,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1374,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -60557,7 +60667,7 @@ index 28b88de..6b7f9c7 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,15 +1385,19 @@ template(`userdom_admin_user_template',` +@@ -1119,15 +1391,19 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -60577,7 +60687,7 @@ index 28b88de..6b7f9c7 100644 term_use_all_terms($1_t) -@@ -1141,7 +1411,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1417,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) 
@@ -60589,7 +60699,7 @@ index 28b88de..6b7f9c7 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1483,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1489,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -60598,7 +60708,7 @@ index 28b88de..6b7f9c7 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1497,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1503,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -60606,7 +60716,7 @@ index 28b88de..6b7f9c7 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,8 +1513,15 @@ template(`userdom_security_admin_template',` +@@ -1237,8 +1519,15 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -60622,7 +60732,7 @@ index 28b88de..6b7f9c7 100644 optional_policy(` aide_run($1,$2) ') -@@ -1279,11 +1562,60 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1568,60 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -60683,7 +60793,7 @@ index 28b88de..6b7f9c7 100644 ubac_constrained($1) ') -@@ -1395,6 +1727,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1733,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -60691,14 +60801,13 @@ index 28b88de..6b7f9c7 100644 files_search_home($1) ') -@@ -1441,10 +1774,18 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,9 +1780,17 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) -') -######################################## --## + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') @@ -60709,11 +60818,10 @@ index 28b88de..6b7f9c7 100644 +') + +######################################## -+## + ## ## Do not audit attempts to list user home subdirectories. ## - ## -@@ -1456,9 +1797,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1803,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -60725,7 +60833,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -1515,6 +1858,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1864,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -60768,7 +60876,7 @@ index 28b88de..6b7f9c7 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +1968,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1974,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -60777,7 +60885,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -1603,10 +1984,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1990,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -60792,7 +60900,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -1649,6 +2032,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2038,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -60818,7 +60926,7 @@ index 28b88de..6b7f9c7 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2102,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2108,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -60851,7 +60959,7 @@ index 28b88de..6b7f9c7 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2138,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2144,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -60869,7 +60977,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -1779,6 +2204,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2210,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -60894,7 +61002,7 @@ index 28b88de..6b7f9c7 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2253,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2259,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -60904,7 +61012,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -1827,20 +2269,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2275,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -60929,7 +61037,7 @@ index 28b88de..6b7f9c7 100644 ######################################## ## -@@ -2008,7 +2444,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2450,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -60938,7 +61046,7 @@ index 28b88de..6b7f9c7 100644 files_search_home($1) ') -@@ -2182,7 +2618,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2624,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -60947,7 +61055,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -2435,13 +2871,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2877,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -60963,7 +61071,7 @@ index 28b88de..6b7f9c7 100644 ## ## ## -@@ -2462,26 +2899,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2905,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -60990,7 +61098,7 @@ index 28b88de..6b7f9c7 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2570,6 +2987,24 @@ interface(`userdom_use_user_ttys',` +@@ -2570,6 +2993,24 @@ interface(`userdom_use_user_ttys',` allow $1 user_tty_device_t:chr_file rw_term_perms; ') @@ -61015,7 +61123,7 @@ index 28b88de..6b7f9c7 100644 ######################################## ## ## Read and write a user domain pty. -@@ -2588,6 +3023,24 @@ interface(`userdom_use_user_ptys',` +@@ -2588,6 +3029,24 @@ interface(`userdom_use_user_ptys',` allow $1 user_devpts_t:chr_file rw_term_perms; ') @@ -61040,7 +61148,7 @@ index 28b88de..6b7f9c7 100644 ######################################## ## ## Read and write a user TTYs and PTYs. -@@ -2646,6 +3099,24 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2646,6 +3105,24 @@ interface(`userdom_dontaudit_use_user_terminals',` ######################################## ## 
@@ -61065,7 +61173,7 @@ index 28b88de..6b7f9c7 100644 ## Execute a shell in all user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2815,7 +3286,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3292,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -61074,7 +61182,7 @@ index 28b88de..6b7f9c7 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3302,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3308,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -61090,7 +61198,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -2917,7 +3390,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3396,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -61099,7 +61207,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -2972,7 +3445,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3451,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -61146,7 +61254,7 @@ index 28b88de..6b7f9c7 100644 ') ######################################## -@@ -3009,6 +3520,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3526,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -61154,7 +61262,7 @@ index 28b88de..6b7f9c7 100644 kernel_search_proc($1) ') -@@ -3087,6 +3599,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3605,24 @@ interface(`userdom_signal_all_users',` ######################################## ## 
@@ -61179,7 +61287,7 @@ index 28b88de..6b7f9c7 100644
 ## Send a SIGCHLD signal to all user domains. ## ##
-@@ -3139,3 +3669,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3675,1058 @@ interface(`userdom_dbus_send_all_users',`
 allow $1 userdomain:dbus send_msg;
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index df9f83b..9f5c531 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 37%{?dist}
+Release: 38%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,16 @@ exit 0
 %endif
 %changelog
+* Thu Aug 11 2011 Miroslav Grepl 3.9.16-38
+- Allow hostname read network state
+- Allow syslog to manage all log files
+- Add use_fusefs_home_dirs boolean for chrome
+- Make vdagent working with confined users
+- Fix syslog port definition
+- Allow openvpn to set its process priority when the nice parameter is used
+- Restorecond should be able to watch and relabel devices in /dev
+- Alow hddtemp to perform DNS name resolution
+
 * Fri Aug 5 2011 Miroslav Grepl 3.9.16-37
 - Fixes for zarafa, postfix policy
 - Backport collect policy