From b89cea80209525c65bd908121813e573a7594d73 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 27 2014 13:27:55 +0000 Subject: * Wed Aug 27 2014 Lukas Vrabec 3.12.1-182 - Allow pppd to connect to http port. (#1128947) - Allow fail2ban to read audit logs - Dontaudit svirt_sandbox_domain doing access checks on /proc - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. - Allow domains to are allowed to mounton proc to mount on files as well as dirs - Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index fdd54a6..a03f04d 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -17370,7 +17370,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..847133d 100644 +index 649e458..d2a0da5 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -17560,7 +17560,7 @@ index 649e458..847133d 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1458,6 +1565,24 @@ interface(`kernel_list_all_proc',` +@@ -1458,6 +1565,25 @@ interface(`kernel_list_all_proc',` ######################################## ## @@ -17578,6 +17578,7 @@ index 649e458..847133d 100644 + ') + + allow $1 proc_type:dir mounton; ++ allow $1 proc_type:file mounton; +') + +######################################## @@ -17585,7 +17586,7 @@ index 649e458..847133d 100644 ## Do not audit attempts to list all proc directories. ## ## -@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1603,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## 
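Review bot: The added `allow $1 proc_type:file mounton;` widens this interface from proc directories to every file carrying a `proc_type` type, but nothing in the visible lines tells callers so. Any domain that already calls the interface silently gains the ability to mount over individual /proc files, which can hide or replace what other processes read there. The interface header and its summary comment lie outside the hunk; if the summary still describes directories only, it should be updated, and a why-comment such as `# containers bind-mount over single /proc files, not only dirs` (wording to be confirmed by the author) would help. Consider whether existing callers all need the file permission or whether it belongs in a separate interface.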
@@ -17610,7 +17611,7 @@ index 649e458..847133d 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1816,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -17619,7 +17620,7 @@ index 649e458..847133d 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1837,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -17628,7 +17629,7 @@ index 649e458..847133d 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1859,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -17636,7 +17637,7 @@ index 649e458..847133d 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -2085,9 +2227,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,9 +2228,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -17666,7 +17667,7 @@ index 649e458..847133d 100644 ######################################## ## ## Allow caller to read all sysctls. -@@ -2282,6 +2443,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2444,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -17692,7 +17693,7 @@ index 649e458..847133d 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2486,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2487,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## 
@@ -17701,7 +17702,7 @@ index 649e458..847133d 100644 ## ## # -@@ -2488,6 +2668,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2669,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -17726,7 +17727,7 @@ index 649e458..847133d 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2723,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2724,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -17751,7 +17752,7 @@ index 649e458..847133d 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2848,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2849,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -17760,7 +17761,7 @@ index 649e458..847133d 100644 ') ######################################## -@@ -2670,6 +2886,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2887,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -17785,7 +17786,7 @@ index 649e458..847133d 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2931,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2932,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -17811,7 +17812,7 @@ index 649e458..847133d 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +3059,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +3060,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') 
@@ -17845,7 +17846,7 @@ index 649e458..847133d 100644 ######################################## ## -@@ -2961,6 +3241,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3242,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -17870,7 +17871,7 @@ index 649e458..847133d 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3273,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3274,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -28308,7 +28309,7 @@ index 28ad538..ed25543 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..42803b7 100644 +index 3efd5b6..c6007d1 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -28330,7 +28331,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -53,10 +59,13 @@ interface(`auth_use_pam',` +@@ -53,13 +59,18 @@ interface(`auth_use_pam',` auth_read_login_records($1) auth_append_login_records($1) auth_rw_lastlog($1) @@ -28345,7 +28346,12 @@ index 3efd5b6..42803b7 100644 logging_send_audit_msgs($1) logging_send_syslog_msg($1) -@@ -78,8 +87,19 @@ interface(`auth_use_pam',` ++ userdom_search_user_tmp_dirs($1) ++ + optional_policy(` + dbus_system_bus_client($1) + +@@ -78,8 +89,19 @@ interface(`auth_use_pam',` ') optional_policy(` @@ -28365,7 +28371,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -95,48 +115,20 @@ interface(`auth_use_pam',` +@@ -95,48 +117,20 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; 
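Review bot: `userdom_search_user_tmp_dirs($1)` is added to `auth_use_pam` unconditionally, so every domain that uses PAM gains search on all `user_tmp_t` directories. The commit message motivates it with /tmp/.X11-unix, but the same commit labels `HOME_DIR/tmp` and `HOME_DIR/.tmp` as `user_tmp_t`, so the grant also reaches into home directories. A comment on the new line, for example `# PAM modules traverse user_tmp_t dirs such as /tmp/.X11-unix`, would record the intent. It is worth checking whether the affected login programs can be covered by a narrower grant. The body of `auth_use_pam` continues outside this hunk.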
@@ -28419,7 +28425,7 @@ index 3efd5b6..42803b7 100644 mls_file_read_all_levels($1) mls_file_write_all_levels($1) -@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',` +@@ -146,18 +140,43 @@ interface(`auth_login_pgm_domain',` mls_fd_share_all_levels($1) auth_use_pam($1) @@ -28471,7 +28477,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +250,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## @@ -28497,7 +28503,7 @@ index 3efd5b6..42803b7 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -322,6 +358,24 @@ interface(`auth_rw_cache',` +@@ -322,6 +360,24 @@ interface(`auth_rw_cache',` ######################################## ## @@ -28522,7 +28528,7 @@ index 3efd5b6..42803b7 100644 ## Manage authentication cache ## ## -@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -402,6 +458,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -28531,7 +28537,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',` +@@ -428,6 +486,24 @@ interface(`auth_domtrans_chkpwd',` ######################################## ## @@ -28556,7 +28562,7 @@ index 3efd5b6..42803b7 100644 ## Execute chkpwd programs in the chkpwd domain. ## ## -@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +524,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -28582,7 +28588,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) 
@@ -28590,7 +28596,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +758,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -28601,7 +28607,7 @@ index 3efd5b6..42803b7 100644 ') ####################################### -@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +861,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -28653,7 +28659,7 @@ index 3efd5b6..42803b7 100644 ') ####################################### -@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +965,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -28684,7 +28690,7 @@ index 3efd5b6..42803b7 100644 ## ## ## -@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +995,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -28715,7 +28721,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1030,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -28734,7 +28740,7 @@ index 3efd5b6..42803b7 100644 ## ## ## -@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1051,33 @@ interface(`auth_signal_pam',` ## ## # @@ -28772,7 +28778,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1155,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -28806,7 +28812,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1257,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; 
@@ -28817,7 +28823,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1397,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -28825,7 +28831,7 @@ index 3efd5b6..42803b7 100644 ') ####################################### -@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1798,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -28851,7 +28857,7 @@ index 3efd5b6..42803b7 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1967,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -28877,7 +28883,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -1767,11 +1989,17 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1991,17 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -28898,7 +28904,7 @@ index 3efd5b6..42803b7 100644 ') ######################################## -@@ -1805,3 +2033,262 @@ interface(`auth_unconfined',` +@@ -1805,3 +2035,262 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -43977,10 +43983,10 @@ index 0280b32..61f19e9 100644 -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..4ca3a28 100644 +index db75976..cb4a211 100644 --- a/policy/modules/system/userdomain.fc 
+++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,28 @@ +@@ -1,4 +1,30 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -44004,6 +44010,8 @@ index db75976..4ca3a28 100644 +HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) ++HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0) ++HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) + @@ -44011,7 +44019,7 @@ index db75976..4ca3a28 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..0eec4d9 100644 +index 3c5dba7..ff283b4 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -46942,7 +46950,7 @@ index 3c5dba7..0eec4d9 100644 ## Send a dbus message to all user domains. ## ## -@@ -3438,4 +4382,1661 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4382,1663 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -47092,7 +47100,7 @@ index 3c5dba7..0eec4d9 100644 + + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir list_dir_perms; - ') ++') + +######################################## +## @@ -48405,6 +48413,7 @@ index 3c5dba7..0eec4d9 100644 + type home_bin_t; + type audio_home_t; + type home_cert_t; ++ type user_tmp_t; + ') + + userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") 
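Review bot: The two new entries `HOME_DIR/\.tmp -d` and `HOME_DIR/tmp -d` label only the directory itself, so anything inside it still matches the existing `HOME_DIR/.+` entry and resolves to `user_home_t`. Files created at run time under a `user_tmp_t` directory would normally inherit `user_tmp_t`, so a later relabel of the home directory would presumably flip them back to `user_home_t` and change which domains can reach them. If the contents are meant to be `user_tmp_t`, the entries should read `HOME_DIR/tmp(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)` and likewise for `\.tmp`. If only the directory is meant to change, a comment saying so would prevent the next reader from treating it as an oversight.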
@@ -48413,6 +48422,8 @@ index 3c5dba7..0eec4d9 100644 + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") ++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp") ++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp") +') + +######################################## @@ -48602,10 +48613,9 @@ index 3c5dba7..0eec4d9 100644 + optional_policy(` + samhain_run($1, $2) + ') -+') -+ + ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..4027ca7 100644 +index e2b538b..37730c1 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) @@ -48694,7 +48704,7 @@ index e2b538b..4027ca7 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,388 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -48862,6 +48872,8 @@ index e2b538b..4027ca7 100644 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012") +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013") +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp") + +optional_policy(` + gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index c361d6e..8ed8f78 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -1660,7 +1660,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 4b28ab3..f781a7a 100644 +index 4b28ab3..a8e2f01 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; @@ -1671,12 +1671,13 @@ index 4b28ab3..f781a7a 100644 role aide_roles types aide_t; type aide_log_t; -@@ -23,22 +24,30 @@ files_type(aide_db_t) +@@ -23,22 +24,34 @@ files_type(aide_db_t) # Local policy # -allow aide_t self:capability { dac_override fowner }; +allow aide_t self:capability { dac_override fowner ipc_lock sys_admin }; ++allow aide_t self:process signal; manage_files_pattern(aide_t, aide_db_t, aide_db_t) +files_var_lib_filetrans(aide_t, aide_db_t, { dir file }) @@ -1687,6 +1688,9 @@ index 4b28ab3..f781a7a 100644 +manage_files_pattern(aide_t, aide_log_t, aide_log_t) logging_log_filetrans(aide_t, aide_log_t, file) ++dev_read_rand(aide_t) ++dev_read_urand(aide_t) ++ files_read_all_files(aide_t) files_read_all_symlinks(aide_t) +files_getattr_all_pipes(aide_t) @@ -26538,7 +26542,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..0cb0a7b 100644 +index 0872e50..37dfeb3 100644 --- a/fail2ban.te +++ b/fail2ban.te 
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -26566,9 +26570,11 @@ index 0872e50..0cb0a7b 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -91,23 +89,35 @@ auth_use_nsswitch(fail2ban_t) +@@ -90,24 +88,37 @@ fs_getattr_all_fs(fail2ban_t) + auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) ++logging_read_audit_log(fail2ban_t) logging_send_syslog_msg(fail2ban_t) +logging_dontaudit_search_audit_logs(fail2ban_t) @@ -26606,7 +26612,7 @@ index 0872e50..0cb0a7b 100644 iptables_domtrans(fail2ban_t) ') -@@ -116,6 +126,10 @@ optional_policy(` +@@ -116,6 +127,10 @@ optional_policy(` ') optional_policy(` @@ -26617,7 +26623,7 @@ index 0872e50..0cb0a7b 100644 shorewall_domtrans(fail2ban_t) ') -@@ -129,22 +143,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -129,22 +144,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -26644,7 +26650,7 @@ index 0872e50..0cb0a7b 100644 logging_search_all_logs(fail2ban_client_t) - -miscfiles_read_localization(fail2ban_client_t) -+logging_dontaudit_search_audit_logs(fail2ban_client_t) ++logging_read_audit_log(fail2ban_client_t) userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) @@ -68604,7 +68610,7 @@ index cd8b8b9..6c73980 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..9bc465c 100644 +index b2b5dba..0d1dd3c 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ 
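Review bot: In the fail2ban.te hunk around `logging_read_all_logs(fail2ban_t)`, the new `logging_read_audit_log(fail2ban_t)` sits two lines above the retained `logging_dontaudit_search_audit_logs(fail2ban_t)`. The policy now both allows audit log access and suppresses denials on the audit log directory for the same domain, so the dontaudit line should be dropped or explained. The later hunk also replaces `logging_dontaudit_search_audit_logs(fail2ban_client_t)` with `logging_read_audit_log(fail2ban_client_t)`, while the commit message only mentions fail2ban reading audit logs. Audit logs are sensitive, and the client domain is reachable from user terminals according to the surrounding `userdom_use_user_terminals(fail2ban_client_t)` line. Unless a denial was observed for the client, keeping it at dontaudit is the narrower choice.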
@@ -68766,11 +68772,12 @@ index b2b5dba..9bc465c 100644 corenet_all_recvfrom_netlabel(pppd_t) corenet_tcp_sendrecv_generic_if(pppd_t) corenet_raw_sendrecv_generic_if(pppd_t) -@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t) +@@ -135,9 +145,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) corenet_udp_sendrecv_generic_node(pppd_t) corenet_tcp_sendrecv_all_ports(pppd_t) corenet_udp_sendrecv_all_ports(pppd_t) - ++corenet_tcp_connect_http_port(pppd_t) +# Access /dev/ppp. corenet_rw_ppp_dev(pppd_t) @@ -68789,7 +68796,7 @@ index b2b5dba..9bc465c 100644 corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) -@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t) +@@ -147,36 +170,31 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) @@ -68835,7 +68842,7 @@ index b2b5dba..9bc465c 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -186,11 +203,13 @@ optional_policy(` +@@ -186,11 +204,13 @@ optional_policy(` l2tpd_dgram_send(pppd_t) l2tpd_rw_socket(pppd_t) l2tpd_stream_connect(pppd_t) @@ -68850,7 +68857,7 @@ index b2b5dba..9bc465c 100644 ') ') -@@ -218,16 +237,19 @@ optional_policy(` +@@ -218,16 +238,19 @@ optional_policy(` ######################################## # @@ -68873,7 +68880,7 @@ index b2b5dba..9bc465c 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +259,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -68930,7 +68937,7 @@ index b2b5dba..9bc465c 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +303,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) 
@@ -68945,7 +68952,7 @@ index b2b5dba..9bc465c 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +319,10 @@ optional_policy(` +@@ -299,6 +320,10 @@ optional_policy(` ') optional_policy(` @@ -87717,10 +87724,10 @@ index 0000000..03bdcef +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..330fea5 +index 0000000..a2883c9 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,502 @@ +@@ -0,0 +1,503 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -87875,6 +87882,7 @@ index 0000000..330fea5 +manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +dontaudit sandbox_x_domain sandbox_file_t:dir mounton; ++allow sandbox_x_domain sandbox_file_t:file execmod; + +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) @@ -91560,10 +91568,18 @@ index a8b1aaf..4689a59 100644 netutils_domtrans_ping(httpd_smokeping_cgi_script_t) diff --git a/smoltclient.te b/smoltclient.te -index 9c8f9a5..f074b4d 100644 +index 9c8f9a5..d8d4623 100644 --- a/smoltclient.te +++ b/smoltclient.te -@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) +@@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t) + + corenet_sendrecv_http_client_packets(smoltclient_t) + corenet_tcp_connect_http_port(smoltclient_t) ++corenet_tcp_connect_http_cache_port(smoltclient_t) + corenet_tcp_sendrecv_http_port(smoltclient_t) + + dev_read_sysfs(smoltclient_t) +@@ -51,14 +52,12 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_runtime_files(smoltclient_t) @@ -91578,7 +91594,7 @@ index 9c8f9a5..f074b4d 100644 optional_policy(` abrt_stream_connect(smoltclient_t) -@@ -77,6 +75,10 @@ optional_policy(` +@@ -77,6 +76,10 @@ optional_policy(` ') optional_policy(` @@ -103035,7 +103051,7 @@ index 9dec06c..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') 
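Review bot: `allow sandbox_x_domain sandbox_file_t:file execmod;` in sandboxX.te is not listed in the commit message or the spec changelog and carries no comment. It relaxes a memory-protection check for files that the sandboxed application itself manages: `sandbox_x_domain` has `manage_*_pattern` rules on `sandbox_file_t` in the neighbouring lines, so the domain may make modified mappings of its own writable files executable. Please add a why-comment naming the program that needs text relocation, or gate the rule behind a boolean, so that the weakening stays traceable. The same applies to `corenet_raw_bind_generic_node(sandbox_net_domain)` in virt.te and `corenet_tcp_connect_http_cache_port(smoltclient_t)` in smoltclient.te, which are also missing from the changelog.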
diff --git a/virt.te b/virt.te -index 1f22fba..b3121c0 100644 +index 1f22fba..34b36bc 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,224 @@ @@ -104498,7 +104514,7 @@ index 1f22fba..b3121c0 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1141,314 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1141,315 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -104669,6 +104685,7 @@ index 1f22fba..b3121c0 100644 +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++kernel_dontaudit_access_check_proc(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + @@ -104950,7 +104967,7 @@ index 1f22fba..b3121c0 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1461,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1462,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -104965,7 +104982,7 @@ index 1f22fba..b3121c0 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1479,8 @@ optional_policy(` +@@ -1183,9 +1480,8 @@ optional_policy(` ######################################## # @@ -104976,7 +104993,7 @@ index 1f22fba..b3121c0 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1493,218 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1494,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
@@ -105182,6 +105199,7 @@ index 1f22fba..b3121c0 100644 + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) ++corenet_raw_bind_generic_node(sandbox_net_domain) +corenet_tcp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_bind_all_ports(sandbox_net_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index b196087..521857e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 181%{?dist} +Release: 182%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Aug 27 2014 Lukas Vrabec 3.12.1-182 +- Allow pppd to connect to http port. (#1128947) +- Allow fail2ban to read audit logs +- Dontaudit svirt_sandbox_domain doing access checks on /proc +- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t +- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. +- Allow domains to are allowed to mounton proc to mount on files as well as dirs +- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) + * Wed Aug 20 2014 Lukas Vrabec 3.12.1-181 - Allow docker lots more access. - Added interface kernel_dontaudit_setsched