From c3f53c2a7ed7d639a25e5987d2552e8ad306882f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 12 2017 12:05:47 +0000 Subject: * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283 - Allow passwd_t domain mmap /etc/shadow and /etc/passwd - Allow pulseaudio_t domain to map user tmp files - Allow mozilla plugin to mmap mozilla tmpfs files --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 9d0d555..01fb911 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a257b3f..766abd1 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3189,7 +3189,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..6a7c8001a 100644 +index 1d732f1e7..7e03673be 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3395,7 +3395,7 @@ index 1d732f1e7..6a7c8001a 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t) +@@ -310,26 +341,34 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3406,7 +3406,9 @@ index 1d732f1e7..6a7c8001a 100644 auth_run_chk_passwd(passwd_t, passwd_roles) +auth_manage_passwd(passwd_t) ++auth_map_passwd(passwd_t) auth_manage_shadow(passwd_t) ++auth_map_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) -auth_use_nsswitch(passwd_t) @@ -3432,7 +3434,7 @@ index 1d732f1e7..6a7c8001a 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -338,12 +375,11 @@ init_use_fds(passwd_t) +@@ -338,12 +377,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -3446,7 +3448,7 @@ index 1d732f1e7..6a7c8001a 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +390,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3467,7 +3469,7 @@ index 1d732f1e7..6a7c8001a 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -362,7 +412,7 @@ optional_policy(` +@@ -362,7 +414,7 @@ optional_policy(` # Password admin local policy # @@ -3476,7 +3478,7 @@ index 1d732f1e7..6a7c8001a 100644 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; -@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +453,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3489,7 +3491,7 @@ index 1d732f1e7..6a7c8001a 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +469,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3497,7 +3499,7 @@ index 1d732f1e7..6a7c8001a 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +478,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3510,7 +3512,7 @@ index 1d732f1e7..6a7c8001a 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,8 +493,10 @@ optional_policy(` +@@ -446,8 +495,10 @@ optional_policy(` # Useradd local policy # @@ -3523,7 +3525,7 @@ index 1d732f1e7..6a7c8001a 100644 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; -@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +512,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3534,7 +3536,7 @@ index 1d732f1e7..6a7c8001a 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +523,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3574,7 +3576,7 @@ index 1d732f1e7..6a7c8001a 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t) +@@ -498,45 +552,50 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3636,7 +3638,7 @@ index 1d732f1e7..6a7c8001a 100644 ') optional_policy(` -@@ -545,14 +602,27 @@ optional_policy(` +@@ -545,14 +604,27 @@ optional_policy(` ') optional_policy(` @@ -3664,7 +3666,7 @@ index 1d732f1e7..6a7c8001a 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +632,12 @@ optional_policy(` +@@ -562,3 +634,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -33740,7 +33742,7 @@ index 247958765..890e1e293 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b669..3db526f84 100644 +index 3efd5b669..190c29841 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -34030,7 +34032,32 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',` +@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',` + + ######################################## + ## ++## Mmap the shadow passwords file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_map_shadow',` ++ gen_require(` ++ type shadow_t; ++ ') ++ ++ allow $1 shadow_t:file map; ++') ++ ++######################################## ++## + ## Read the shadow passwords file (/etc/shadow) + ## + ## +@@ -664,6 +777,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -34041,7 +34068,7 @@ index 3efd5b669..3db526f84 100644 ') ####################################### -@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +880,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -34093,7 +34120,7 @@ index 3efd5b669..3db526f84 100644 ') ####################################### -@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +984,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -34124,7 +34151,7 @@ index 3efd5b669..3db526f84 100644 ## ## ## -@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +1014,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -34155,7 +34182,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1049,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -34174,7 +34201,7 @@ index 3efd5b669..3db526f84 100644 ## ## ## -@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1070,33 @@ interface(`auth_signal_pam',` ## ## # @@ -34212,7 +34239,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1174,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -34246,7 +34273,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1276,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -34257,7 +34284,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1416,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -34265,7 +34292,7 @@ index 3efd5b669..3db526f84 100644 ') ####################################### -@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1817,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -34291,7 +34318,7 @@ index 3efd5b669..3db526f84 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1968,63 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1986,63 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -34359,7 +34386,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1767,11 +2048,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +2066,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -34376,7 +34403,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1805,3 +2088,280 @@ interface(`auth_unconfined',` +@@ -1805,3 +2106,298 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -34492,6 +34519,24 @@ index 3efd5b669..3db526f84 100644 + +######################################## +## ++## Mmap the passwd passwords file (/etc/passwd) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_map_passwd',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ allow $1 passwd_file_t:file map; ++') ++ ++######################################## ++## +## Do not audit attempts to read the passwd +## password file (/etc/passwd). +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 49936dd..8e51ee1 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..7d5d385a2 100644 +index 11ac8e4fc..3c24a12ef 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -53750,7 +53750,7 @@ index 11ac8e4fc..7d5d385a2 100644 ######################################## # # Local policy -@@ -75,27 +109,30 @@ optional_policy(` +@@ -75,104 +109,101 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; @@ -53794,10 +53794,10 @@ index 11ac8e4fc..7d5d385a2 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) + manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) - +- -allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; @@ -53805,7 +53805,8 @@ index 11ac8e4fc..7d5d385a2 100644 -stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) -- ++allow mozilla_plugin_t mozilla_tmpfs_t:file map; + kernel_read_kernel_sysctls(mozilla_t) kernel_read_network_state(mozilla_t) +# Access /proc, sysctl @@ -53902,7 +53903,7 @@ index 11ac8e4fc..7d5d385a2 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +211,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -54013,7 +54014,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -244,19 +291,12 @@ optional_policy(` +@@ -244,19 +292,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -54035,7 +54036,7 @@ index 11ac8e4fc..7d5d385a2 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +305,32 @@ optional_policy(` +@@ -265,33 +306,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -54083,7 +54084,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -300,259 +339,258 @@ optional_policy(` +@@ -300,259 +340,258 @@ optional_policy(` ######################################## # @@ -54488,7 +54489,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -560,7 +598,11 @@ optional_policy(` +@@ -560,7 +599,11 @@ optional_policy(` ') optional_policy(` @@ -54501,7 +54502,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -568,108 +610,144 @@ optional_policy(` +@@ -568,108 +611,144 @@ optional_policy(` ') optional_policy(` @@ -80891,10 +80892,10 @@ index 45843b55c..4d1adace5 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index 6643b49c2..dd0c3d371 100644 +index 6643b49c2..22214f676 100644 --- a/pulseaudio.te +++ b/pulseaudio.te -@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0) +@@ -8,61 +8,50 @@ policy_module(pulseaudio, 1.6.0) attribute pulseaudio_client; attribute pulseaudio_tmpfsfile; @@ -80970,10 +80971,11 @@ index 6643b49c2..dd0c3d371 100644 +# ~/.esd_auth - maybe we should label this pulseaudio_home_t? +userdom_read_user_home_content_files(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) ++userdom_map_tmp_files(pulseaudio_t) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) +@@ -72,10 +61,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) @@ -80985,7 +80987,7 @@ index 6643b49c2..dd0c3d371 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,62 +70,58 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -85,62 +71,58 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) @@ -81067,7 +81069,7 @@ index 6643b49c2..dd0c3d371 100644 ') optional_policy(` -@@ -153,8 +134,9 @@ optional_policy(` +@@ -153,8 +135,9 @@ optional_policy(` optional_policy(` dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) @@ -81079,7 +81081,7 @@ index 6643b49c2..dd0c3d371 100644 optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -174,29 +156,49 @@ optional_policy(` +@@ -174,29 +157,49 @@ optional_policy(` ') optional_policy(` @@ -81131,7 +81133,7 @@ index 6643b49c2..dd0c3d371 100644 # # Client local policy # -@@ -210,8 +212,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi +@@ -210,8 +213,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi fs_getattr_tmpfs(pulseaudio_client) @@ -81140,7 +81142,7 @@ index 6643b49c2..dd0c3d371 100644 corenet_tcp_sendrecv_generic_if(pulseaudio_client) corenet_tcp_sendrecv_generic_node(pulseaudio_client) -@@ -220,38 +220,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +@@ -220,38 +221,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) pulseaudio_stream_connect(pulseaudio_client) diff --git a/selinux-policy.spec b/selinux-policy.spec index 8636194..ee81507 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 282%{?dist} +Release: 283%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,11 @@ exit 0 %endif %changelog +* Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283 +- Allow passwd_t domain mmap /etc/shadow and /etc/passwd +- Allow pulseaudio_t domain to map user tmp files +- Allow mozilla plugin to mmap mozilla tmpfs files + * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282 - Add new bunch of map rules - Merge pull request #25 from NetworkManager/nm-ovs