From 8fa97e617d652f64421d35b5e13fef18bcc5b1b2 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Sep 25 2014 15:23:08 +0000
Subject: * Thu Sep 25 2014 Lukas Vrabec 3.12.1-187
- Allow all domains to read fonts
- Add fixes for pki-tomcat scriptlet handling.
- setfscreate in pki.te is not capability class.
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 21f9083..44de1f4 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9024,7 +9024,7 @@ index 6a1e4d1..1b9b0b5 100644
 + dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..97237ca 100644
+index cf04cb5..a290c56 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9124,7 +9124,7 @@ index cf04cb5..97237ca 100644
  ifdef(`hide_broken_symptoms',`
  # This check is in the general socket
-@@ -121,8 +174,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +174,19 @@ tunable_policy(`global_ssp',`
  ')
  optional_policy(`
@@ -9140,10 +9140,11 @@ index cf04cb5..97237ca 100644
 +optional_policy(`
 + miscfiles_read_localization(domain)
 + miscfiles_read_man_pages(domain)
++ miscfiles_read_fonts(domain)
  ')
  optional_policy(`
-@@ -133,6 +196,9 @@ optional_policy(`
+@@ -133,6 +197,9 @@ optional_policy(`
  optional_policy(`
  xserver_dontaudit_use_xdm_fds(domain)
  xserver_dontaudit_rw_xdm_pipes(domain)
@@ -9153,7 +9154,7 @@ index cf04cb5..97237ca 100644
  ')
  ########################################
-@@ -147,12 +213,18 @@ optional_policy(`
+@@ -147,12 +214,18 @@ optional_policy(`
  # Use/sendto/connectto sockets created by any domain.
  allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
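Review bot: `miscfiles_read_fonts(domain)` grants every domain carrying the `domain` attribute read access to the system font types, and neither the line nor the changelog bullet says why this has to be attribute-wide instead of per domain. The grant is read-only as far as the interface name indicates, so the exposure is small, but it silently makes every per-domain `miscfiles_read_fonts(...)` call in the contrib modules redundant, and those should be pruned in a follow-up so the policy has one source of truth. A comment next to the rule would keep the rationale with it, e.g. `# fonts are granted on the attribute to replace the per-domain rules (BZ-PLACEHOLDER)`. The enclosing `optional_policy(` block opens and closes inside the hunk, so no other rule is affected.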
@@ -9173,7 +9174,7 @@ index cf04cb5..97237ca 100644
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,340 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +239,340 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
@@ -22977,15 +22978,16 @@ index 5fc0391..980e658 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..b79dbb4 100644
+index d1f64a0..696dd0e 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,35 @@
+@@ -2,13 +2,36 @@
  # HOME_DIR
  #
  HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
 +HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
  HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
 +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
  HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
  HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
@@ -23016,7 +23018,7 @@ index d1f64a0..b79dbb4 100644
  #
  # /dev
-@@ -22,13 +44,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
  /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
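Review bot: The new `HOME_DIR/\.local/share/fonts(/.*)?` entry only labels the directory when a relabel runs; its create-time counterpart is the `gnome_data_filetrans($1, user_fonts_t, dir, "fonts")` added to xserver.if later in this patch, and neither change is covered by the 3.12.1-187 changelog entry, which only says "Allow all domains to read fonts". Until a relabel, an existing `~/.local/share/fonts` keeps whatever label its parent carries (presumably the gnome data-home type; confirm against gnome.fc) and none of the user_fonts_t rules apply to it. A changelog bullet naming the new path would make that visible to anyone triaging denials after the update.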
@@ -23039,7 +23041,7 @@ index d1f64a0..b79dbb4 100644
  /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
@@ -23083,7 +23085,7 @@ index d1f64a0..b79dbb4 100644
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +130,51 @@ ifndef(`distro_debian',`
+@@ -92,25 +131,51 @@ ifndef(`distro_debian',`
  /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -23141,7 +23143,7 @@ index d1f64a0..b79dbb4 100644
 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..0d55916 100644
+index 6bf0ecc..30ca475 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -24125,7 +24127,7 @@ index 6bf0ecc..0d55916 100644
  ')
  ########################################
-@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,646 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  gen_require(`
@@ -24644,6 +24646,9 @@ index 6bf0ecc..0d55916 100644
 + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
 + userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
 + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++ optional_policy(`
++ gnome_data_filetrans($1, user_fonts_t, dir, "fonts")
++ ')
 + userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 + filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
 + files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index bd19ccb..35aa4a1 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -41017,7 +41017,7 @@ index 7bab8e5..36ced41 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..aea48db 100644
+index 4256a4c..9125f9f 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
@@ -41062,12 +41062,13 @@ index 4256a4c..aea48db 100644
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
-@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +102,14 @@ libs_read_lib_files(logwatch_t)
  logging_read_all_logs(logwatch_t)
  logging_send_syslog_msg(logwatch_t)
 -miscfiles_read_localization(logwatch_t)
--
++miscfiles_read_hwdata(logwatch_t)
+ 
  selinux_dontaudit_getattr_dir(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
@@ -41077,7 +41078,7 @@ index 4256a4c..aea48db 100644
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -137,6 +146,12 @@ optional_policy(`
+@@ -137,6 +148,12 @@ optional_policy(`
  ')
  optional_policy(`
@@ -41090,7 +41091,7 @@ index 4256a4c..aea48db 100644
  rpc_search_nfs_state_data(logwatch_t)
  ')
-@@ -145,6 +160,13 @@ optional_policy(`
+@@ -145,6 +162,13 @@ optional_policy(`
  samba_read_share_files(logwatch_t)
  ')
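Review bot: The `optional_policy(` wrapper around `gnome_data_filetrans($1, user_fonts_t, dir, "fonts")` is dropped into the middle of the flat `userdom_user_home_dir_filetrans` list, separating `.fonts` from `.fontconfig`; placing it after the last filetrans line keeps the plain list contiguous and the optional block visibly separate. It is also the only transition in the list whose resulting path is not obvious from the name, so a comment such as `# ~/.local/share/fonts, labelled user_fonts_t in xserver.fc` would help the next reader match it to the fc entry. The enclosing interface starts and ends outside the hunk.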
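Review bot: `miscfiles_read_hwdata(logwatch_t)` is added without a comment or a changelog bullet — the 3.12.1-187 entry does not mention logwatch at all — so nobody can later tell which report needs the hardware-id tables, and the rule is likely to be mistaken for noise. A one-line comment on the rule, `# reads hwdata_t for <report name> (BZ-PLACEHOLDER)`, or a bullet in the spec changelog would close that gap. The `-miscfiles_read_localization(logwatch_t)` line above it is pre-existing history; this commit only replaces the removed blank line, presumably because localization is now granted on the `domain` attribute.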
@@ -41104,7 +41105,7 @@ index 4256a4c..aea48db 100644
  ########################################
  #
  # Mail local policy
-@@ -164,6 +186,19 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t)
  logging_read_all_logs(logwatch_mail_t)
@@ -64127,10 +64128,10 @@ index 0000000..b975b85
 +')
 +
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..47fb375
+index 0000000..393d4be
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,292 @@
+@@ -0,0 +1,293 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -64205,9 +64206,9 @@ index 0000000..47fb375
 +# pki-tomcat local policy
 +#
 +
-+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid };
 +dontaudit pki_tomcat_t self:capability net_admin;
-+allow pki_tomcat_t self:process { signal setsched signull execmem };
++allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
 +
 +allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
 +allow pki_tomcat_t self:tcp_socket { accept listen };
@@ -64218,6 +64219,7 @@ index 0000000..47fb375
 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
 +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
 +manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms;
 +
 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
 +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8fdf541..46ab30e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
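Review bot: `setfscreate` now sits in the correct `self:process` class, but the permission deserves a comment because it lets pki_tomcat_t choose the label of every file it creates instead of relying on type transitions; the kernel still requires `create` on the chosen type, and this domain already has manage_* rules on several of its own types, so as far as the visible rules show it can create a file of any of those types in any directory it can write. If the scriptlets only need a fixed name to land in a fixed type, a named `filetrans_pattern(...)` (as used elsewhere in this patch for `"auto"`) gives the same result without the discretionary permission. At minimum add `# pki-tomcat scriptlets set the file-create context themselves (3.12.1-187)` on the line; the local-policy block continues outside the hunk.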
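Review bot: `allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms;` covers only the source side of a relabel; the destination type also needs `relabelto`, and no such rule appears in this hunk. If the matching relabelto already exists further down in pki.te (outside the hunk) this is fine, otherwise relabels will still be denied with a `relabelto` AVC; either way the pair should be documented, e.g. `# relabel pki_tomcat_etc_rw_t files to <target type>; relabelto is granted at <location>` with the real type filled in. Check too whether the intended target is one of the types this domain already manages (pki_tomcat_cert_t follows immediately), since relabelfrom combined with the new setfscreate gives pki_tomcat_t fairly broad latitude over the labels of its own files.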
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 186%{?dist}
+Release: 187%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,11 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Thu Sep 25 2014 Lukas Vrabec 3.12.1-187
+- Allow all domains to read fonts
+- Add fixes for pki-tomcat scriptlet handling.
+- setfscreate in pki.te is not capability class.
+
 * Mon Sep 22 2014 Lukas Vrabec 3.12.1-186
 - Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
 - Allow sensord read in /proc BZ(#1143799)