From 954ef8ad923c9c3a7c9e74a5f56ca48e0c589fd1 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 30 2010 11:39:40 +0000 Subject: - fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listem on lmtp and sieve ports - Allov ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell --- diff --git a/policy-F15.patch b/policy-F15.patch index 63c3a4c..f229f8c 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1985,10 +1985,10 @@ index 0000000..5ef90cd + diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..41a9493 +index 0000000..8dd672a --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,106 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -2035,6 +2035,19 @@ index 0000000..41a9493 + +corecmd_exec_bin(chrome_sandbox_t) + ++corenet_all_recvfrom_unlabeled(chrome_sandbox_t) ++corenet_all_recvfrom_netlabel(chrome_sandbox_t) ++corenet_tcp_connect_flash_port(chrome_sandbox_t) ++corenet_tcp_connect_streaming_port(chrome_sandbox_t) ++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) ++corenet_tcp_connect_http_port(chrome_sandbox_t) ++corenet_tcp_connect_http_cache_port(chrome_sandbox_t) ++corenet_tcp_connect_squid_port(chrome_sandbox_t) ++corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) ++corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) ++corenet_tcp_connect_ipp_port(chrome_sandbox_t) ++corenet_tcp_connect_speech_port(chrome_sandbox_t) ++ +domain_dontaudit_read_all_domains_state(chrome_sandbox_t) + +dev_read_urand(chrome_sandbox_t) @@ -2055,7 +2068,7 @@ index 0000000..41a9493 +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) + -+sysnet_dontaudit_read_config(chrome_sandbox_t) ++sysnet_dns_name_resolve(chrome_sandbox_t) + +optional_policy(` + execmem_exec(chrome_sandbox_t) 
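Review bot: The port set opened for chrome_sandbox_t in the second chrome.te hunk is wider than the "web ports" named in the commit message — ipp, speech, pulseaudio, flash and streaming ports are granted alongside http/http_cache/squid, and `corenet_all_recvfrom_unlabeled`/`corenet_all_recvfrom_netlabel` widen what the sandbox may receive. Nothing in the hunk records why a renderer sandbox needs printing or speech ports, so a one-line comment above the block, e.g. `# ipp/speech/pulseaudio: confirm the sandboxed renderer (not the browser) needs these`, would let a later reviewer tighten the list. The replacement of `sysnet_dontaudit_read_config` by `sysnet_dns_name_resolve` in the third hunk is consistent with the new connects and needs no change. The `optional_policy` block at the end of the third hunk continues outside the lines shown.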
@@ -18968,7 +18981,7 @@ index e182bf4..f80e725 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..72fe7a8 100644 +index 0d5711c..3874025 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -19002,7 +19015,7 @@ index 0d5711c..72fe7a8 100644 allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -88,14 +87,15 @@ template(`dbus_role_template',` +@@ -88,14 +87,16 @@ template(`dbus_role_template',` files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) @@ -19014,6 +19027,7 @@ index 0d5711c..72fe7a8 100644 # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) + corecmd_bin_domtrans($1_dbusd_t, $1_t) ++ corecmd_shell_domtrans($1_dbusd_t, $1_t) allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; @@ -19021,7 +19035,7 @@ index 0d5711c..72fe7a8 100644 kernel_read_system_state($1_dbusd_t) kernel_read_kernel_sysctls($1_dbusd_t) -@@ -116,7 +116,7 @@ template(`dbus_role_template',` +@@ -116,7 +117,7 @@ template(`dbus_role_template',` dev_read_urand($1_dbusd_t) @@ -19030,7 +19044,7 @@ index 0d5711c..72fe7a8 100644 domain_read_all_domains_state($1_dbusd_t) files_read_etc_files($1_dbusd_t) -@@ -149,17 +149,25 @@ template(`dbus_role_template',` +@@ -149,17 +150,25 @@ template(`dbus_role_template',` term_use_all_terms($1_dbusd_t) @@ -19058,7 +19072,7 @@ index 0d5711c..72fe7a8 100644 xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) ') -@@ -181,10 +189,12 @@ interface(`dbus_system_bus_client',` +@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; 
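Review bot: The new `corecmd_shell_domtrans($1_dbusd_t, $1_t)` transitions into `$1_t`, while the adjacent rules `allow $3 $1_dbusd_t:fd use;` and `allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;` are granted to `$3`; this only lines up when callers pass a `$3` equal to `$1_t`, which the template does not state. Either use one of the two consistently or document the assumption with `# $3 must be $1_t: bin/shell executed by the session bus transition back to it`. The added line also sits directly under the pre-existing `# cjp: this seems very broken` comment, which now heads an intended transition rather than a suspected bug, so that comment should be replaced by one explaining why the session bus returns to the user domain on exec (per the commit message, so helpers it launches do not run as the bus). The `dbus_role_template` body extends beyond this hunk on both sides.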
@@ -19071,7 +19085,7 @@ index 0d5711c..72fe7a8 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -431,14 +441,28 @@ interface(`dbus_system_domain',` +@@ -431,14 +442,28 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -19101,7 +19115,7 @@ index 0d5711c..72fe7a8 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -497,3 +521,22 @@ interface(`dbus_unconfined',` +@@ -497,3 +522,22 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -19207,7 +19221,7 @@ index 0a1a61b..da508f4 100644 allow $1 ddclient_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te -index 24ba98a..41559cf 100644 +index 24ba98a..b8d064a 100644 --- a/policy/modules/services/ddclient.te +++ b/policy/modules/services/ddclient.te @@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t) @@ -19239,7 +19253,15 @@ index 24ba98a..41559cf 100644 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) +@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t) + kernel_getattr_core_if(ddclient_t) + kernel_getattr_message_if(ddclient_t) + kernel_read_kernel_sysctls(ddclient_t) ++kernel_search_network_sysctl(ddclient_t) + + corecmd_exec_shell(ddclient_t) + corecmd_exec_bin(ddclient_t) +@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) corenet_udp_sendrecv_generic_node(ddclient_t) corenet_tcp_sendrecv_all_ports(ddclient_t) corenet_udp_sendrecv_all_ports(ddclient_t) 
@@ -19248,7 +19270,7 @@ index 24ba98a..41559cf 100644 corenet_tcp_connect_all_ports(ddclient_t) corenet_sendrecv_all_client_packets(ddclient_t) -@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t) +@@ -89,6 +100,8 @@ files_read_usr_files(ddclient_t) fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) @@ -19445,7 +19467,7 @@ index f706b99..c1ba3f2 100644 ') + diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..3aaa784 100644 +index f231f17..14921ca 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) @@ -19473,7 +19495,7 @@ index f231f17..3aaa784 100644 files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,25 +182,37 @@ optional_policy(` +@@ -178,25 +182,41 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -19503,6 +19525,10 @@ index f231f17..3aaa784 100644 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) ++manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) ++manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) ++files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir) ++ +kernel_read_fs_sysctls(devicekit_power_t) kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) @@ -19512,7 +19538,7 @@ index f231f17..3aaa784 100644 kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) -@@ -212,12 +228,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) +@@ -212,12 +232,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) 
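Review bot: `files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)` in the devicekit.te hunk only labels directories that devicekit_power_t creates directly in /var/run; a pid or socket file created directly there would keep the generic pid type even though `manage_files_pattern` on devicekit_var_run_t is added two lines above. The dnsmasq.te hunk later in this commit (the one adding `manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, ...)`) uses `{ dir file }` for the same situation; if devicekit-power writes its own pid file, `files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })` keeps the two consistent. If the daemon only creates a subdirectory, a comment such as `# devicekit-power only creates a directory under /var/run` would settle the question. I cannot tell from the hunk which of the two applies.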
@@ -19529,7 +19555,7 @@ index f231f17..3aaa784 100644 term_use_all_terms(devicekit_power_t) -@@ -225,8 +245,11 @@ auth_use_nsswitch(devicekit_power_t) +@@ -225,8 +249,11 @@ auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) @@ -19541,7 +19567,7 @@ index f231f17..3aaa784 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -261,6 +284,10 @@ optional_policy(` +@@ -261,6 +288,10 @@ optional_policy(` ') optional_policy(` @@ -19552,7 +19578,7 @@ index f231f17..3aaa784 100644 hal_domtrans_mac(devicekit_power_t) hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) -@@ -269,6 +296,10 @@ optional_policy(` +@@ -269,6 +300,10 @@ optional_policy(` ') optional_policy(` @@ -19563,7 +19589,7 @@ index f231f17..3aaa784 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +307,21 @@ optional_policy(` +@@ -276,9 +311,21 @@ optional_policy(` ') optional_policy(` @@ -20327,10 +20353,21 @@ index 9bd812b..c808b31 100644 ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..1f6f6f3 100644 +index fdaeeba..c516b94 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te -@@ -96,10 +96,18 @@ optional_policy(` +@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) + manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) + logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) + ++manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) + manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) +-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) ++files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(dnsmasq_t) + kernel_read_system_state(dnsmasq_t) +@@ -96,10 +97,18 @@ optional_policy(` ') optional_policy(` 
@@ -20349,6 +20386,12 @@ index fdaeeba..1f6f6f3 100644 seutil_sigchld_newrole(dnsmasq_t) ') +@@ -114,4 +123,5 @@ optional_policy(` + optional_policy(` + virt_manage_lib_files(dnsmasq_t) + virt_read_pid_files(dnsmasq_t) ++ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + ') diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc index bfc880b..9a1dcba 100644 --- a/policy/modules/services/dovecot.fc @@ -20431,7 +20474,7 @@ index e1d7dc5..ee51a19 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..e74c9fe 100644 +index cbe14e4..da1c6bf 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -20485,7 +20528,16 @@ index cbe14e4..e74c9fe 100644 kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -159,6 +164,11 @@ optional_policy(` +@@ -110,6 +115,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) + corenet_tcp_bind_generic_node(dovecot_t) + corenet_tcp_bind_mail_port(dovecot_t) + corenet_tcp_bind_pop_port(dovecot_t) ++corenet_tcp_bind_lmtp_port(dovecot_t) ++corenet_tcp_bind_sieve_port(dovecot_t) + corenet_tcp_connect_all_ports(dovecot_t) + corenet_tcp_connect_postgresql_port(dovecot_t) + corenet_sendrecv_pop_server_packets(dovecot_t) +@@ -159,6 +166,11 @@ optional_policy(` ') optional_policy(` @@ -20497,7 +20549,7 @@ index cbe14e4..e74c9fe 100644 postgresql_stream_connect(dovecot_t) ') -@@ -179,7 +189,7 @@ optional_policy(` +@@ -179,7 +191,7 @@ optional_policy(` # dovecot auth local policy # 
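Review bot: The two new bind rules, `corenet_tcp_bind_lmtp_port(dovecot_t)` and `corenet_tcp_bind_sieve_port(dovecot_t)`, are not paired with the `corenet_sendrecv_*_server_packets` interfaces that the existing pop rule has (`corenet_sendrecv_pop_server_packets(dovecot_t)` sits a few lines below in the same hunk). That only matters when SECMARK packet labeling is in use, but the file's existing style pairs bind and server-packet rules, so adding the lmtp and sieve server-packet interfaces next to the binds keeps the dovecot_t block consistent. Separately, the dnsmasq.te hunk at the top of this line now calls `virt_pid_filetrans`, an interface introduced by this same commit in virt.if, so dnsmasq will only build once that interface's gen_require is correct.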
@@ -20506,7 +20558,7 @@ index cbe14e4..e74c9fe 100644 allow dovecot_auth_t self:process { signal_perms getcap setcap }; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; -@@ -189,6 +199,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -189,6 +201,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -20515,7 +20567,7 @@ index cbe14e4..e74c9fe 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -242,6 +254,7 @@ optional_policy(` +@@ -242,6 +256,7 @@ optional_policy(` ') optional_policy(` @@ -20523,7 +20575,7 @@ index cbe14e4..e74c9fe 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +266,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; +@@ -253,19 +268,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; @@ -20559,7 +20611,7 @@ index cbe14e4..e74c9fe 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +329,5 @@ tunable_policy(`use_samba_home_dirs',` +@@ -302,4 +331,5 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` mta_manage_spool(dovecot_deliver_t) @@ -27493,10 +27545,10 @@ index 0000000..6403c17 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..6b69f38 +index 0000000..6716b5e --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,214 @@ +@@ -0,0 +1,219 @@ +policy_module(piranha, 1.0.0) + +######################################## 
@@ -27620,6 +27672,11 @@ index 0000000..6b69f38 + sasl_connect(piranha_web_t) +') + ++optional_policy(` ++ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t) ++ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t) ++') ++ +###################################### +# +# piranha-lvs local policy @@ -35874,7 +35931,7 @@ index 2124b6a..6546d6e 100644 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..dbdc0e0 100644 +index 7c5d8d8..2ac9e34 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -14,13 +14,14 @@ @@ -36005,7 +36062,44 @@ index 7c5d8d8..dbdc0e0 100644 ## Read virt PID files. ## ## -@@ -308,6 +316,24 @@ interface(`virt_read_lib_files',` +@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',` + + ######################################## + ## ++## Create objects in the pid directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++# ++interface(`virt_pid_filetrans',` ++ gen_require(` ++ type virt_vaar_run_t; ++ ') ++ ++ filetrans_pattern($1, virt_var_run_t, $2, $3) ++') ++ ++######################################## ++## + ## Search virt lib directories. + ## + ## +@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -36030,7 +36124,7 @@ index 7c5d8d8..dbdc0e0 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +378,9 @@ interface(`virt_read_log',` +@@ -352,9 +408,9 @@ interface(`virt_read_log',` ## virt log files. ## ## 
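Review bot: The new `virt_pid_filetrans` interface in the virt.if hunk requires `type virt_vaar_run_t;` but its `filetrans_pattern` call uses `virt_var_run_t`; the misspelled type is not declared anywhere, so any module calling the interface — dnsmasq.te in this same commit — will fail to build or link, and even if it did, `virt_var_run_t` would not be required. Change the gen_require line to `type virt_var_run_t;`. The summary of the third parameter also has a stray word (`for which this the transition will occur`) and could read `for which the transition will occur`. The piranha.te hunk at the start of this line is a plain dontaudit pair and needs nothing.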
@@ -36042,7 +36136,7 @@ index 7c5d8d8..dbdc0e0 100644 ## # interface(`virt_append_log',` -@@ -424,6 +450,24 @@ interface(`virt_read_images',` +@@ -424,6 +480,24 @@ interface(`virt_read_images',` ######################################## ## @@ -36067,7 +36161,7 @@ index 7c5d8d8..dbdc0e0 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +477,15 @@ interface(`virt_read_images',` +@@ -433,15 +507,15 @@ interface(`virt_read_images',` ## ## # @@ -36088,7 +36182,7 @@ index 7c5d8d8..dbdc0e0 100644 ') ######################################## -@@ -516,3 +560,51 @@ interface(`virt_admin',` +@@ -516,3 +590,51 @@ interface(`virt_admin',` virt_manage_log($1) ') @@ -40736,7 +40830,7 @@ index df3fa64..36da732 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..2981ece 100644 +index 8a105fd..334ddd0 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -40932,7 +41026,7 @@ index 8a105fd..2981ece 100644 + + # Permissions for systemd-tmpfiles, needs its own policy. + files_relabel_all_lock_dirs(init_t) -+ files_relabel_all_pid_files(init_t) ++ files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) + files_manage_all_pids(init_t) + files_manage_all_locks(init_t) @@ -42748,7 +42842,7 @@ index 58bc27f..b4f0663 100644 + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 86ef2da..7f649d5 100644 +index 86ef2da..f1fe005 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) 
@@ -42792,7 +42886,18 @@ index 86ef2da..7f649d5 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -210,12 +223,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) +@@ -190,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) + can_exec(lvm_t, lvm_exec_t) + + # Creating lock files ++manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) + manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) +-files_lock_filetrans(lvm_t, lvm_lock_t, file) ++files_lock_filetrans(lvm_t, lvm_lock_t, { file dir }) + + manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) + manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) +@@ -210,12 +224,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_search_mnt(lvm_t) @@ -42808,7 +42913,7 @@ index 86ef2da..7f649d5 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -242,6 +258,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -242,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -42816,7 +42921,7 @@ index 86ef2da..7f649d5 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -251,8 +268,9 @@ files_read_etc_files(lvm_t) +@@ -251,8 +269,9 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -42827,7 +42932,7 @@ index 86ef2da..7f649d5 100644 fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -262,6 +280,7 @@ fs_rw_anon_inodefs_files(lvm_t) +@@ -262,6 +281,7 @@ fs_rw_anon_inodefs_files(lvm_t) mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) 
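Review bot: The comment `# Creating lock files` above the new lvm.te lines now also heads `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` and a `{ file dir }` lock transition, so it no longer describes the block; `# Creating lock files and the lvm lock directory (per the commit, needed when /var/lock is a tmpfs)` would match the stated purpose. The rules themselves are in line with the dnsmasq and devicekit directory changes elsewhere in this commit.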
@@ -42835,7 +42940,7 @@ index 86ef2da..7f649d5 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -309,6 +328,11 @@ ifdef(`distro_redhat',` +@@ -309,6 +329,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -42847,7 +42952,7 @@ index 86ef2da..7f649d5 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -329,6 +353,10 @@ optional_policy(` +@@ -329,6 +354,10 @@ optional_policy(` ') optional_policy(` @@ -43298,7 +43403,7 @@ index 8b5c196..b195f9d 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6fe8471..be5821a 100644 +index 6fe8471..139e2c9 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -43348,7 +43453,7 @@ index 6fe8471..be5821a 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,8 +68,23 @@ can_exec(mount_t, mount_exec_t) +@@ -46,59 +68,96 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -43365,14 +43470,14 @@ index 6fe8471..be5821a 100644 kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) +-kernel_dontaudit_getattr_core_if(mount_t) +kernel_manage_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) +kernel_request_load_module(mount_t) - kernel_dontaudit_getattr_core_if(mount_t) kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) -@@ -55,46 +92,68 @@ kernel_dontaudit_write_proc_dirs(mount_t) + # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -43381,7 +43486,6 @@ index 6fe8471..be5821a 100644 dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) -+dev_read_sysfs(mount_t) dev_read_sysfs(mount_t) dev_dontaudit_write_sysfs_dirs(mount_t) dev_rw_lvm_control(mount_t) 
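Review bot: In the merged `@@ -46,59 +68,96 @@` inner hunk for mount.te, the line `+-kernel_dontaudit_getattr_core_if(mount_t)` makes the Fedora patch delete that rule from mount.te, whereas the old version of the patch kept it as context; unless it is re-added somewhere outside these lines, getattr attempts on the core kernel interfaces that were previously silenced will now appear as denials. If the intent is to permit the access, `kernel_getattr_core_if(mount_t)` is the matching interface; if the line was simply lost while merging the two inner hunks, it should be restored. Neither the hunk nor the commit message explains the removal, so a one-line comment either way would help. The merged inner hunk continues past the end of this line.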
@@ -43422,6 +43526,7 @@ index 6fe8471..be5821a 100644 # For reading cert files files_read_usr_files(mount_t) files_list_mnt(mount_t) ++files_write_all_dirs(mount_t) files_dontaudit_write_root_dirs(mount_t) -fs_getattr_xattr_fs(mount_t) @@ -43446,7 +43551,14 @@ index 6fe8471..be5821a 100644 +fs_manage_cgroup_files(mount_t) fs_dontaudit_write_tmpfs_dirs(mount_t) - mls_file_read_all_levels(mount_t) +-mls_file_read_all_levels(mount_t) +-mls_file_write_all_levels(mount_t) ++mls_file_read_to_clearance(mount_t) ++mls_file_write_to_clearance(mount_t) ++mls_process_write_to_clearance(mount_t) + + selinux_get_enforce_mode(mount_t) + @@ -106,6 +165,7 @@ storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) @@ -48808,19 +48920,20 @@ index 22ca011..df6b5de 100644 # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index f7380b3..cabc009 100644 +index f7380b3..51867f6 100644 --- a/policy/support/obj_perm_sets.spt 
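Review bot: `files_write_all_dirs(mount_t)` in the first hunk lets mount_t add and remove entries in every directory type on the system, which is far more than creating mount points under /var/run and /var/lock as the commit message describes. A grant limited to the directory types actually being mounted on, or a dontaudit if the denials are only noise, would keep mount_t from being able to place files in arbitrary directories; at minimum a comment naming the denial it fixes, e.g. `# needed to create mountpoints when /var/run and /var/lock are tmpfs — confirm which dir types are hit`, would let it be tightened later. The MLS change in the later hunk (`mls_file_read_all_levels`/`mls_file_write_all_levels` replaced by the `*_to_clearance` forms) is a tightening and reads fine.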
+++ b/policy/support/obj_perm_sets.spt -@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') +@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') +- +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') - # -@@ -105,7 +105,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }') + # Datagram socket classes. +@@ -105,7 +104,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }') # # Permissions for using sockets. # @@ -48829,7 +48942,7 @@ index f7380b3..cabc009 100644 # # Permissions for creating and using sockets. -@@ -199,12 +199,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') +@@ -199,12 +198,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') 
@@ -48846,7 +48959,7 @@ index f7380b3..cabc009 100644 define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') -@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') +@@ -225,7 +226,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') @@ -48855,7 +48968,7 @@ index f7380b3..cabc009 100644 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') +@@ -238,7 +239,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') @@ -48865,7 +48978,7 @@ index f7380b3..cabc009 100644 define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }') +@@ -254,7 +256,8 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') 
@@ -48875,7 +48988,7 @@ index f7380b3..cabc009 100644 define(`create_sock_file_perms',`{ getattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') -@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }') +@@ -271,7 +274,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') @@ -48885,7 +48998,7 @@ index f7380b3..cabc009 100644 define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') -@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }') +@@ -288,7 +292,8 @@ define(`setattr_chr_file_perms',`{ setattr }') define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') @@ -48895,7 +49008,7 @@ index f7380b3..cabc009 100644 define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') -@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') +@@ -305,7 +310,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # @@ -48905,7 +49018,7 @@ index f7380b3..cabc009 100644 # # Sockets -@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept +@@ -317,3 +323,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b039c72..bfac031 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.10 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Tue Nov 30 2010 Miroslav Grepl 3.9.10-3 +- fixes to allow /var/run and /var/lock as tmpfs +- Allow chrome sandbox to connect to web ports +- Allow dovecot to listem on lmtp and sieve ports +- Allov ddclient to search sysctl_net_t +- Transition back to original domain if you execute the shell + * Thu Nov 25 2010 Miroslav Grepl 3.9.10-2 - Remove duplicate declaration