From a78aa2578b88f02eea1bb215c5aa349dfd98296b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 04 2011 15:01:48 +0000 Subject: - Backport sandbox and seunshare policy from F15 - Allow rpm setfcap capability --- diff --git a/policy-F13.patch b/policy-F13.patch index 0e28057..4e0cf5d 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2333,7 +2333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.19/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2011-01-07 09:32:51.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2011-03-04 14:47:11.334413001 +0000 @@ -1,6 +1,8 @@ policy_module(rpm, 1.10.0) @@ -2378,7 +2378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te -allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod }; -allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; ++allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid setfcap sys_chroot sys_nice sys_tty_config mknod }; + +allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; 
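Review bot: The `setfcap` added to the `allow rpm_t self:capability { … }` line in the second rpm.te hunk is undocumented; setfcap lets a domain attach file capabilities to any executable it can write, and rpm_t already manages nearly all files, so a later audit will want to know this was intentional rather than accidental. Suggest a comment directly above the rule, e.g. `# setfcap: rpm applies file capabilities carried in package payloads`, matching the changelog entry in selinux-policy.spec. The insertion also lands between `setuid` and `sys_chroot`, breaking whatever ordering the existing list follows; keep one convention. The surrounding rpm_t block continues outside the hunk.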
@@ -2453,15 +2453,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +188,7 @@ +@@ -155,6 +188,8 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) +init_use_script_ptys(rpm_t) ++init_signull_script(rpm_t) libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,7 +208,19 @@ +@@ -174,7 +209,19 @@ ') optional_policy(` @@ -2482,7 +2483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -182,36 +228,19 @@ +@@ -182,36 +229,19 @@ ') optional_policy(` @@ -2523,7 +2524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +251,15 @@ +@@ -222,12 +252,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -2539,7 +2540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +271,9 @@ +@@ -239,6 +272,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -2549,7 +2550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te dev_list_sysfs(rpm_script_t) -@@ -254,7 +289,9 @@ +@@ -254,7 +290,9 @@ fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) 
@@ -2559,7 +2560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +309,19 @@ +@@ -272,14 +310,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -2579,7 +2580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,8 +333,10 @@ +@@ -291,8 +334,10 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) @@ -2590,7 +2591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -@@ -308,12 +352,15 @@ +@@ -308,12 +353,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -2606,7 +2607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ') -@@ -326,13 +373,26 @@ +@@ -326,13 +374,26 @@ ') optional_policy(` 
@@ -7672,13 +7673,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.19/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2011-01-18 15:44:18.000000000 +0000 -@@ -0,0 +1 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2011-03-04 14:38:18.886413002 +0000 +@@ -0,0 +1,2 @@ ++ +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2011-01-18 16:53:26.000000000 +0000 -@@ -0,0 +1,332 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2011-03-04 14:38:18.890413002 +0000 +@@ -0,0 +1,305 @@ + +## policy for sandbox + @@ -7701,9 +7703,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +interface(`sandbox_transition',` + gen_require(` + type sandbox_xserver_t; ++ type sandbox_file_t; + attribute sandbox_domain; + attribute sandbox_x_domain; -+ attribute sandbox_file_type; + attribute sandbox_tmpfs_type; + ') + 
@@ -7730,27 +7732,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; -+ dontaudit sandbox_x_domain $1:process signal; ++ dontaudit sandbox_x_domain $1:process { signal sigkill }; + + allow $1 sandbox_tmpfs_type:file manage_file_perms; + dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; + -+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ can_exec($1, sandbox_file_t) ++ allow $1 sandbox_file_t:filesystem getattr; ++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## +## +## Creates types 
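Review bot: `allow $1 sandbox_file_t:filesystem getattr;` in `sandbox_transition` is a `filesystem`-class rule on a file type; that permission is checked against the superblock label, so it only takes effect if some mount is given a `context=` of sandbox_file_t, which this patch does not show. If seunshare performs such a mount, say so next to the rule (`# sandbox tmp/home are mounted with context=sandbox_file_t`); otherwise the rule is dead and should be dropped. The same line is repeated for sandbox_domain and sandbox_x_domain in the sandbox.te hunks further down. Separately, `can_exec($1, sandbox_file_t)` lets the caller execute sandbox-writable content in its own domain rather than through a domain transition; that is presumably the setexec hand-off done by seunshare, and since the caller is the privileged seunshare domain it deserves a one-line comment.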
and rules for a basic -+## qemu process domain. ++## sandbox process domain. +## +## +## @@ -7762,24 +7766,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + gen_require(` + attribute sandbox_domain; -+ attribute sandbox_file_type; ++ type sandbox_file_t; ++ attribute sandbox_type; + ') ++ type $1_t, sandbox_domain, sandbox_type; + -+ type $1_t, sandbox_domain; + application_type($1_t) + + mls_rangetrans_target($1_t) + mcs_untrusted_proc($1_t) -+ -+ type $1_file_t, sandbox_file_type; -+ files_type($1_file_t) -+ -+ can_exec($1_t, $1_file_t) -+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) -+ manage_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) +') + +######################################## @@ -7799,7 +7794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + type sandbox_xserver_t; + type sandbox_exec_t; + attribute sandbox_domain, sandbox_x_domain; -+ attribute sandbox_file_type, sandbox_tmpfs_type; ++ attribute sandbox_tmpfs_type; + attribute sandbox_type; + ') + @@ -7807,16 +7802,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + application_type($1_t) + mcs_untrusted_proc($1_t) + -+ type $1_file_t, sandbox_file_type; -+ files_type($1_file_t) -+ -+ can_exec($1_t, $1_file_t) -+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) -+ manage_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) -+ + # window manager + miscfiles_setattr_fonts_cache_dirs($1_t) + allow $1_t self:capability setuid; 
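Review bot: In the rewritten `sandbox_domain_template` (first hunk on this line) `gen_require` now lists `type sandbox_file_t;`, but the template body no longer references it: the `can_exec`/`manage_*_pattern` rules on the per-template file type were removed and the equivalent rules now hang off the `sandbox_domain` attribute in sandbox.te. Drop the unused require unless a rule of the template outside this hunk still uses the type. The docstring change from `qemu process domain` to `sandbox process domain` is correct and overdue.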
@@ -7834,34 +7819,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) + # Pulseaudio tmpfs files with different MCS labels + dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; ++ dontaudit $1_t $1_client_tmpfs_t:file { read write }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; + + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + allow $1_t sandbox_xserver_t:process signal_perms; + -+ domtrans_pattern($1_t, $1_file_t, $1_client_t) -+ domain_entry_file($1_client_t, $1_file_t) ++ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) ++ domain_entry_file($1_client_t, sandbox_exec_t) + + # Random tmpfs_t that gets created when you run X. + fs_rw_tmpfs_files($1_t) + -+ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) -+ manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) -+ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) + allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; + allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; -+ -+ can_exec($1_client_t, $1_file_t) -+ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_files_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) +') + +######################################## 
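Review bot: On the new side `$1_client_t` keeps no explicit access to its sandbox content once the `can_exec`/`manage_*_pattern` block on `$1_file_t` is removed; it now depends on `$1_client_t` carrying the `sandbox_domain` or `sandbox_x_domain` attribute so the attribute-wide rules added in sandbox.te apply, and the `type $1_client_t, …` declaration that would confirm that is outside this hunk. Worth verifying before merging rather than waiting for denials. Entering `$1_client_t` through `sandbox_exec_t` instead of the sandbox-writable `$1_file_t` is the right direction, since the entry point is now a system-owned file; a comment above `domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)` saying so would spare the next reader the diff archaeology.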
@@ -7883,26 +7858,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; +') + -+####################################### ++######################################## +## -+## allow domain to read -+## sandbox tmpfs files ++## allow domain to read ++## sandbox tmpfs files +## +## -+## -+## Domain allowed access -+## ++## ++## Domain allowed access ++## +## +# +interface(`sandbox_read_tmpfs_files',` -+ gen_require(` -+ attribute sandbox_tmpfs_type; -+ ') ++ gen_require(` ++ attribute sandbox_tmpfs_type; ++ ') + -+ allow $1 sandbox_tmpfs_type:file read_file_perms; ++ allow $1 sandbox_tmpfs_type:file read_file_perms; +') + -+######################################### ++######################################## +## +## allow domain to manage +## sandbox tmpfs files @@ -7933,10 +7908,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +interface(`sandbox_delete_files',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ delete_files_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## @@ -7951,10 +7926,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +interface(`sandbox_delete_sock_files',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## 
@@ -7970,10 +7945,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +interface(`sandbox_setattr_dirs',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ allow $1 sandbox_file_type:dir setattr; ++ allow $1 sandbox_file_t:dir setattr; +') + +######################################## @@ -7988,10 +7963,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +interface(`sandbox_delete_dirs',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) ++ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## 
@@ -8006,28 +7981,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +interface(`sandbox_list',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ allow $1 sandbox_file_type:dir list_dir_perms; ++ allow $1 sandbox_file_t:dir list_dir_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-02-17 09:39:15.596796002 +0000 -@@ -0,0 +1,458 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-03-04 14:39:39.566413002 +0000 +@@ -0,0 +1,475 @@ +policy_module(sandbox,1.0.0) -+ +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; -+attribute sandbox_file_type; +attribute sandbox_web_type; ++attribute sandbox_file_type; +attribute sandbox_tmpfs_type; +attribute sandbox_type; + +type sandbox_exec_t; +files_type(sandbox_exec_t) + ++type sandbox_file_t, sandbox_file_type; ++files_type(sandbox_file_t) ++typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t }; ++ +######################################## +# +# Declarations 
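Review bot: With the per-flavour file types collapsed into the single `sandbox_file_t` (the `typealias … { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t }` keeps existing on-disk labels valid), type enforcement no longer separates one sandbox flavour's content from another's; together with the attribute-wide manage rules added on the next two lines, isolation between concurrent sandboxes rests on the MCS categories assigned via `mcs_untrusted_proc`. That is a legitimate design trade-off, but it should be stated above the type declaration, e.g. `# one shared content type; per-sandbox separation is by MCS category, not by type`. `policy_module(sandbox,1.0.0)` is also left unchanged although the module's interfaces changed their `gen_require` from the `sandbox_file_type` attribute to the type; seunshare.te bumps its version in the same commit, and sandbox should too.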
@@ -8059,6 +8037,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms; ++ +manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) @@ -8136,6 +8119,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +dev_rw_all_inherited_chr_files(sandbox_domain) +dev_rw_all_inherited_blk_files(sandbox_domain) + ++can_exec(sandbox_domain, sandbox_file_t) ++allow sandbox_domain sandbox_file_t:filesystem getattr; ++manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++ +gen_require(` + type usr_t, lib_t, locale_t; + type var_t, var_run_t, rpm_log_t, locale_t; 
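Review bot: The new `manage_*_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);` lines in the second hunk on this line end in a stray `;`, while the identical macros for `sandbox_xserver_t` in the first hunk do not; the pattern macros already expand to terminated `allow` rules, so the semicolon relies on the compiler tolerating an empty statement and should be dropped for consistency (the same form appears in `sandbox_transition` and in the sandbox_x_domain block on the next line). If every sandbox_x_domain type is also a sandbox_domain — the basic template on an earlier line declares `type $1_t, sandbox_domain, sandbox_type;`, the X template's declaration is not visible here — the duplicated block for sandbox_x_domain on the next line is redundant with this one and could go.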
@@ -8172,7 +8163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + -+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; ++allow sandbox_x_domain self:process { signal_perms getsched setsched setpgid execstack execmem }; +dontaudit sandbox_x_domain sandbox_x_domain:process signal; +dontaudit sandbox_x_domain sandbox_xserver_t:process signal; + @@ -8185,6 +8176,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; +term_create_pty(sandbox_x_domain,sandbox_devpts_t) + ++can_exec(sandbox_x_domain, sandbox_file_t) ++allow sandbox_x_domain sandbox_file_t:filesystem getattr; ++manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++ +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + +files_search_home(sandbox_x_domain) @@ -8209,8 +8208,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +fs_getattr_xattr_fs(sandbox_x_domain) +fs_list_inotifyfs(sandbox_x_domain) + -+storage_dontaudit_rw_fuse(sandbox_x_domain) -+ +auth_dontaudit_read_login_records(sandbox_x_domain) +auth_dontaudit_write_login_records(sandbox_x_domain) +auth_use_nsswitch(sandbox_x_domain) 
@@ -8222,6 +8219,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +miscfiles_read_localization(sandbox_x_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) + ++mta_dontaudit_read_spool_symlinks(sandbox_x_domain) ++ +selinux_get_fs_mount(sandbox_x_domain) +selinux_validate_context(sandbox_x_domain) +selinux_compute_access_vector(sandbox_x_domain) @@ -8242,6 +8241,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +miscfiles_read_fonts(sandbox_x_domain) + ++storage_dontaudit_rw_fuse(sandbox_x_domain) ++ +optional_policy(` + consolekit_dbus_chat(sandbox_x_domain) +') @@ -8275,6 +8276,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) + ++fs_search_auto_mountpoints(sandbox_x_domain) ++ +tunable_policy(`use_nfs_home_dirs',` + fs_search_auto_mountpoints(sandbox_x_domain) + fs_search_nfs(sandbox_xserver_t) @@ -8318,22 +8321,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +auth_use_nsswitch(sandbox_x_client_t) + -+selinux_get_fs_mount(sandbox_x_client_t) -+selinux_validate_context(sandbox_x_client_t) -+selinux_compute_access_vector(sandbox_x_client_t) -+selinux_compute_create_context(sandbox_x_client_t) -+selinux_compute_relabel_context(sandbox_x_client_t) -+selinux_compute_user_contexts(sandbox_x_client_t) -+seutil_read_default_contexts(sandbox_x_client_t) -+ +optional_policy(` + hal_dbus_chat(sandbox_x_client_t) +') + -+allow sandbox_web_t self:process setsched; -+ +optional_policy(` -+ nsplugin_read_rw_files(sandbox_web_t) ++ nsplugin_read_rw_files(sandbox_x_client_t) +') + +######################################## 
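Review bot: `fs_search_auto_mountpoints(sandbox_x_domain)` is added unconditionally (third hunk on this line) while the same call remains inside the `tunable_policy(`use_nfs_home_dirs',` block just below it, so the boolean no longer gates that access; keep one copy — remove the one inside the tunable, or remove the unconditional line if the boolean is meant to control it. The relocated `storage_dontaudit_rw_fuse` and the new `mta_dontaudit_read_spool_symlinks` are dontaudit-only and fine.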
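Review bot: `nsplugin_read_rw_files` moves from `sandbox_web_t` to `sandbox_x_client_t` in the last hunk on this line, which both changes who receives the access and removes it from the web sandbox; nothing in the `sandbox_web_type` rules on the next line restores it, so if the web sandbox still needs to read the nsplugin rw files this is a regression, and if it does not, the reason the plain X client now needs it deserves a comment. The dropped `selinux_*`/`seutil_read_default_contexts` rules for `sandbox_x_client_t` are presumably covered by the `sandbox_x_domain` attribute rules on an earlier line; worth confirming the client type carries that attribute, as its declaration is outside this hunk.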
@@ -8344,7 +8337,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +allow sandbox_web_type self:capability { setuid setgid }; +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; -+allow sandbox_web_type self:process setsched; +dontaudit sandbox_web_type self:process setrlimit; + +allow sandbox_web_type self:tcp_socket create_stream_socket_perms; @@ -8395,8 +8387,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +files_dontaudit_getattr_all_dirs(sandbox_web_type) +files_dontaudit_list_mnt(sandbox_web_type) + -+# the bug in pulseaudiot, needed by fedora13 ++# the bug in pulseaudio, needed by fedora13 +fs_rw_anon_inodefs_files(sandbox_web_type) ++#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) + +storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) @@ -8472,7 +8465,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.7.19/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/apps/screen.fc 2011-01-24 17:04:52.066455001 +0000 
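Review bot: The second hunk on this line leaves `#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)` as commented-out policy directly under the live `fs_rw_anon_inodefs_files(sandbox_web_type)`; inactive rules in a .te file tend to get toggled back in without review, so record the decision in the comment instead, e.g. `# pulseaudio on F13 needs rw on anon_inodefs; switch to fs_dontaudit_rw_anon_inodefs_files once that is fixed`. The typo fix `pulseaudiot` → `pulseaudio` is fine.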
@@ -8510,76 +8502,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i files_search_home($1_screen_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-05-28 07:42:00.000000000 +0000 -@@ -2,30 +2,12 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2011-03-04 14:38:26.802413002 +0000 +@@ -25,7 +25,7 @@ + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + ## +@@ -53,8 +53,14 @@ ######################################## ## --## Execute a domain transition to run seunshare. +-## Role access for seunshare +## The role template for the seunshare module. ## --## --## --## Domain allowed to transition. --## --## --# --interface(`seunshare_domtrans',` -- gen_require(` -- type seunshare_t, seunshare_exec_t; -- ') -- -- domtrans_pattern($1, seunshare_exec_t, seunshare_t) --') -- --######################################## --## --## Execute seunshare in the seunshare domain, and --## allow the specified role the seunshare domain. --## --## +## - ## --## Domain allowed access. ++## +## The prefix of the user role (e.g., user +## is the prefix for user_r). - ## - ## ++## ++## ## -@@ -33,48 +15,34 @@ - ## Role allowed access. - ## - ## --# --interface(`seunshare_run',` -- gen_require(` -- type seunshare_t; -- ') -- -- seunshare_domtrans($1) -- role $2 types seunshare_t; -- -- allow $1 seunshare_t:process signal_perms; -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit seunshare_t $1:tcp_socket rw_socket_perms; -- dontaudit seunshare_t $1:udp_socket rw_socket_perms; -- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; -- ') --') -- --######################################## --## --## Role access for seunshare --## --## --## --## Role allowed access. 
--## --## - ## ## - ## User domain for the role. + ## Role allowed access. +@@ -66,15 +72,31 @@ ## ## # @@ -8595,29 +8544,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + type $1_seunshare_t, seunshare_domain; + application_domain($1_seunshare_t, seunshare_exec_t) + role $2 types $1_seunshare_t; -+ -+ mls_process_set_level($1_seunshare_t) - seunshare_domtrans($1) -+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) -+ sandbox_transition($1_seunshare_t, $2) ++ mls_process_set_level($1_seunshare_t) - ps_process_pattern($2, seunshare_t) - allow $2 seunshare_t:process signal; ++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) ++ sandbox_transition($1_seunshare_t, $2) ++ + ps_process_pattern($3, $1_seunshare_t) + allow $3 $1_seunshare_t:process signal_perms; + + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; + ++ corecmd_bin_domtrans($1_seunshare_t, $1_t) ++ corecmd_shell_domtrans($1_seunshare_t, $1_t) ++ + ifdef(`hide_broken_symptoms', ` + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-08-25 14:06:59.000000000 +0000 -@@ -6,40 +6,45 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2011-03-04 14:39:51.781413002 +0000 +@@ -1,45 +1,52 @@ +- +-policy_module(seunshare, 1.0.1) ++policy_module(seunshare, 1.1.0) + + ######################################## + # # Declarations # 
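Review bot: In the rewritten role template (hunk starting on this line at `@@ -8595`) the two new automatic transitions `corecmd_bin_domtrans($1_seunshare_t, $1_t)` and `corecmd_shell_domtrans($1_seunshare_t, $1_t)` target `$1_t`, a name derived from the role prefix, while every other rule in the template uses the `$3` user-domain parameter (`ps_process_pattern($3, …)`, `allow $1_seunshare_t $3:process transition;`); a caller whose `$3` is not `$1_t` gets an explicit transition and an automatic one that disagree. Use `$3` in both domtrans calls. Since `$1_seunshare_t` holds setuid/setgid/sys_admin/dac_override (seunshare.te hunk below), an automatic domtrans on any bin_t or shell execution is also the point at which the helper's Linux capabilities must already have been dropped; a comment stating that the executable is the user's command run after seunshare has changed identity would make that reliance explicit.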
@@ -8631,43 +8589,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar # # seunshare local policy # -+allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice }; ++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched }; ++ ++allow seunshare_domain self:fifo_file rw_file_perms; ++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -allow seunshare_t self:process { setexec signal getcap setcap }; -+allow seunshare_domain self:fifo_file rw_file_perms; -+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; ++kernel_read_system_state(seunshare_domain) -allow seunshare_t self:fifo_file rw_file_perms; -allow seunshare_t self:unix_stream_socket create_stream_socket_perms; -+kernel_read_system_state(seunshare_domain) - --corecmd_exec_shell(seunshare_t) --corecmd_exec_bin(seunshare_t) +corecmd_exec_shell(seunshare_domain) +corecmd_exec_bin(seunshare_domain) --files_read_etc_files(seunshare_t) --files_mounton_all_poly_members(seunshare_t) +-corecmd_exec_shell(seunshare_t) +-corecmd_exec_bin(seunshare_t) +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) ++files_manage_generic_tmp_dirs(seunshare_domain) ++files_relabelfrom_tmp_dirs(seunshare_domain) --auth_use_nsswitch(seunshare_t) +-files_read_etc_files(seunshare_t) +-files_mounton_all_poly_members(seunshare_t) +fs_manage_cgroup_dirs(seunshare_domain) +fs_manage_cgroup_files(seunshare_domain) --logging_send_syslog_msg(seunshare_t) +-auth_use_nsswitch(seunshare_t) +auth_use_nsswitch(seunshare_domain) --miscfiles_read_localization(seunshare_t) +-logging_send_syslog_msg(seunshare_t) +logging_send_syslog_msg(seunshare_domain) 
--userdom_use_user_terminals(seunshare_t) +-miscfiles_read_localization(seunshare_t) +miscfiles_read_localization(seunshare_domain) -+ + +-userdom_use_user_terminals(seunshare_t) +userdom_use_user_terminals(seunshare_domain) ++userdom_list_user_home_content(seunshare_domain) ifdef(`hide_broken_symptoms', ` - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) @@ -10904,7 +10865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-01-24 18:04:53.791455000 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-03-04 14:14:25.595413001 +0000 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -11535,7 +11496,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3918,6 +4356,13 @@ +@@ -3757,6 +4195,24 @@ + rw_sock_files_pattern($1, tmp_t, tmp_t) + ') + ++####################################### ++## ++## Relabel a dir from the type used in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_tmp_dirs',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++') ++ + ######################################## + ## + ## Set the attributes of all tmp directories. +@@ -3918,6 +4374,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
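Review bot: The seunshare.te hunk that starts on the previous line adds `files_relabelfrom_tmp_dirs(seunshare_domain)` and `files_manage_generic_tmp_dirs(seunshare_domain)` on top of an already broad set (`sys_admin`, `dac_override`, `setuid`, now `setgid`, plus `files_mounton_all_poly_members` and `files_search_all`); a relabelfrom on tmp_t needs a matching relabelto somewhere, presumably the `relabel_dirs_pattern` on sandbox_file_t granted through `sandbox_transition`, and that pairing is nowhere stated. Add a comment above the two tmp rules naming the destination type, e.g. `# seunshare relabels the per-sandbox /tmp dir from tmp_t to sandbox_file_t before mounting over it`, and a short reason for the newly added `setgid`. The capability list is unordered (`fowner setgid setuid dac_override …`); pick one ordering.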
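Review bot: The new `files_relabelfrom_tmp_dirs` interface in the files.if hunk on this line appears to open with a `#` rule one character shorter than the 40-column rule of the neighbouring interfaces — the same nit this commit fixes in sandbox.if — and should match. Its description `Relabel a dir from the type used in /tmp.` could also note that `relabelfrom_dirs_pattern` grants only the source side and the caller still needs `relabelto` on the destination type.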
@@ -11549,7 +11535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4013,6 +4458,24 @@ +@@ -4013,6 +4476,24 @@ ######################################## ## @@ -11574,7 +11560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Delete generic files in /usr in the caller domain. ## ## -@@ -4026,7 +4489,7 @@ +@@ -4026,7 +4507,7 @@ type usr_t; ') @@ -11583,7 +11569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4107,6 +4570,24 @@ +@@ -4107,6 +4588,24 @@ ######################################## ## @@ -11608,7 +11594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5032,6 +5513,43 @@ +@@ -5032,6 +5531,43 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -11652,7 +11638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5091,6 +5609,24 @@ +@@ -5091,6 +5627,24 @@ ######################################## ## @@ -11677,7 +11663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5238,6 +5774,7 @@ +@@ -5238,6 +5792,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -11685,7 +11671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5306,6 +5843,24 @@ +@@ -5306,6 +5861,24 @@ ######################################## ## 
@@ -11710,7 +11696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5494,12 +6049,15 @@ +@@ -5494,12 +6067,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -11727,7 +11713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +6078,229 @@ +@@ -5520,3 +6096,229 @@ typeattribute $1 files_unconfined_type; ') @@ -19081,8 +19067,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-02-25 17:14:37.956974505 +0000 -@@ -0,0 +1,93 @@ ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-03-04 14:00:18.904413000 +0000 +@@ -0,0 +1,95 @@ +policy_module(certmonger,1.0.0) + +######################################## @@ -19125,7 +19111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } ) + -+domain_use_interactive_fds(certmonger_t) ++corecmd_exec_bin(certmonger_t) + +corenet_tcp_sendrecv_generic_if(certmonger_t) +corenet_tcp_sendrecv_generic_node(certmonger_t) 
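Review bot: `corecmd_exec_bin(certmonger_t)` in the certmonger.te hunk on this line (replacing `domain_use_interactive_fds`, which reappears on the next line) gives the daemon in-domain execution of every bin_t program, which is broader than whatever helper it presumably needs. If the intent is certmonger's enrollment helper scripts, a private exec type for that directory with a domtrans would keep those executions off certmonger_t's rule set; if generic bin_t execution really is required, say which programs, e.g. `# runs CA helper scripts (bin_t) in-domain`. The surrounding certmonger_t rules continue outside the hunk.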
@@ -19134,17 +19120,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + +dev_read_urand(certmonger_t) + ++domain_use_interactive_fds(certmonger_t) ++ +files_read_etc_files(certmonger_t) +files_read_usr_files(certmonger_t) +files_list_tmp(certmonger_t) + +auth_rw_cache(certmonger_t) + ++logging_send_syslog_msg(certmonger_t) ++ +miscfiles_read_localization(certmonger_t) +miscfiles_manage_cert_files(certmonger_t) + -+logging_send_syslog_msg(certmonger_t) -+ +sysnet_dns_name_resolve(certmonger_t) + +userdom_search_user_home_content(certmonger_t) @@ -44699,8 +44687,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.19/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-12-07 13:22:23.000000000 +0000 -@@ -28,10 +28,12 @@ ++++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2011-03-04 14:01:31.072413000 +0000 +@@ -28,15 +28,18 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) 
@@ -44713,7 +44701,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -98,4 +100,6 @@ + /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) +@@ -98,4 +101,6 @@ /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index c6534f9..d3b69cf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 97%{?dist} +Release: 98%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,10 @@ exit 0 %endif %changelog +* Fri Mar 4 2011 Miroslav Grepl 3.7.19-98 +- Backport sandbox and seunshare policy from F15 +- Allow rpm setfcap capability + * Fri Mar 4 2011 Miroslav Grepl 3.7.19-97 - Allow svirt to manage sock_file in ~/.libvirt directory - Allow sysamd to run udev in udev_t domain