From e01b4650f34a5d33920c25f310e2ceaeb827462e Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 06 2012 10:51:05 +0000 Subject: * Mon Aug 6 2012 Miroslav Grepl 3.10.0-144 - Allow sendmail to read/write postfix_delivery_t - Update sanlock policy to solve all AVC's - Change virt interface so confined users can optionally manage virt content - setroubleshoot was trying to getattr on sysctl and proc stuff - Need to allow svirt_t ability to getattr on nfs_t file system - Allow staff users to run svirt_t processes - Add new booleans to allow staff user and unprivuser to use boxes --- diff --git a/policy-F16.patch b/policy-F16.patch index a633395..fa8fb12 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -87291,14 +87291,21 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..93323c7 100644 +index 2be17d2..3bcca19 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,57 @@ policy_module(staff, 2.2.0) +@@ -8,12 +8,64 @@ policy_module(staff, 2.2.0) role staff_r; userdom_unpriv_user_template(staff) +fs_exec_noxattr(staff_t) ++ ++## ++##

++## allow staff user to create and transition to svirt domains. ++##

++##
++gen_tunable(staff_use_svirt, false) ######################################## # @@ -87352,7 +87359,7 @@ index 2be17d2..93323c7 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,23 +68,122 @@ optional_policy(` +@@ -23,23 +75,122 @@ optional_policy(` ') optional_policy(` @@ -87477,7 +87484,7 @@ index 2be17d2..93323c7 100644 ') optional_policy(` -@@ -48,10 +192,59 @@ optional_policy(` +@@ -48,10 +199,59 @@ optional_policy(` ') optional_policy(` @@ -87537,7 +87544,7 @@ index 2be17d2..93323c7 100644 xserver_role(staff_r, staff_t) ') -@@ -61,10 +254,6 @@ ifndef(`distro_redhat',` +@@ -61,10 +261,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -87548,7 +87555,7 @@ index 2be17d2..93323c7 100644 cdrecord_role(staff_r, staff_t) ') -@@ -89,18 +278,10 @@ ifndef(`distro_redhat',` +@@ -89,18 +285,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -87567,7 +87574,7 @@ index 2be17d2..93323c7 100644 java_role(staff_r, staff_t) ') -@@ -121,10 +302,6 @@ ifndef(`distro_redhat',` +@@ -121,10 +309,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -87578,7 +87585,7 @@ index 2be17d2..93323c7 100644 pyzor_role(staff_r, staff_t) ') -@@ -137,10 +314,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +321,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -87589,7 +87596,7 @@ index 2be17d2..93323c7 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +345,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +352,15 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -87597,6 +87604,14 @@ index 2be17d2..93323c7 100644 +tunable_policy(`allow_execmod',` + userdom_execmod_user_home_files(staff_t) +') ++ ++virt_transition_svirt(staff_t, staff_r) ++virt_filetrans_home_content(staff_t) ++tunable_policy(`staff_use_svirt',` ++ allow staff_t self:fifo_file relabelfrom; ++ dev_rw_kvm(staff_t) ++ virt_manage_images(staff_t) ++') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if index ff92430..36740ea 100644 --- a/policy/modules/roles/sysadm.if 
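Review bot: In the last hunk of the staff.te section (`@@ -87597,6 +87604,14 @@`), `virt_transition_svirt(staff_t, staff_r)` and `virt_filetrans_home_content(staff_t)` are placed outside the `tunable_policy(`staff_use_svirt',` block, so the transition into svirt domains is granted unconditionally while the new boolean's description ("allow staff user to create and transition to svirt domains") says the boolean gates exactly that. Either move the two calls inside the tunable block or reword the description to say the boolean only enables kvm device access and image management. The unprivuser.te section (`@@ -89361,11 +89389,16 @@`) has the same mismatch with `unprivuser_use_svirt`, and its description also misspells "unprivledged". The bare `allow staff_t self:fifo_file relabelfrom;` inside the block would benefit from a comment naming which svirt operation needs it, since it is the only raw rule among interface calls.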
@@ -89207,10 +89222,23 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..7e0ea58 100644 +index e5bfdd4..e6f6011 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,105 @@ role user_r; +@@ -1,5 +1,12 @@ + policy_module(unprivuser, 2.2.0) + ++## ++##

++## Allow unprivledged user to create and transition to svirt domains. ++##

++##
++gen_tunable(unprivuser_use_svirt, false) ++ + # this module should be named user, but that is + # a compile error since user is a keyword. + +@@ -12,15 +19,105 @@ role user_r; userdom_unpriv_user_template(user) @@ -89316,7 +89344,7 @@ index e5bfdd4..7e0ea58 100644 vlock_run(user_t, user_r) ') -@@ -62,19 +152,11 @@ ifndef(`distro_redhat',` +@@ -62,19 +159,11 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -89337,7 +89365,7 @@ index e5bfdd4..7e0ea58 100644 ') optional_policy(` -@@ -98,10 +180,6 @@ ifndef(`distro_redhat',` +@@ -98,10 +187,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -89348,7 +89376,7 @@ index e5bfdd4..7e0ea58 100644 postgresql_role(user_r, user_t) ') -@@ -118,11 +196,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +203,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -89361,11 +89389,16 @@ index e5bfdd4..7e0ea58 100644 ') optional_policy(` -@@ -157,3 +231,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +238,9 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') + ++virt_transition_svirt(user_t, user_r) ++virt_filetrans_home_content(user_t) ++tunable_policy(`unprivuser_use_svirt',` ++ virt_manage_images(user_t) ++') diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te index 0ecc786..0143f70 100644 --- a/policy/modules/roles/webadm.te @@ -116377,7 +116410,7 @@ index 256166a..a8fe27a 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..c3643f0 100644 +index 343cee3..74a5b1a 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,6 +37,7 @@ interface(`mta_stub',` 
@@ -116531,7 +116564,7 @@ index 343cee3..c3643f0 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,10 +257,15 @@ interface(`mta_mailserver_sender',` +@@ -306,10 +257,16 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -116544,11 +116577,12 @@ index 343cee3..c3643f0 100644 + + optional_policy(` + mta_rw_delivery_tcp_sockets($1) ++ mta_rw_delivery_pipe($1) + ') ') ####################################### -@@ -362,6 +318,8 @@ interface(`mta_send_mail',` +@@ -362,6 +319,8 @@ interface(`mta_send_mail',` allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file rw_fifo_file_perms; @@ -116557,7 +116591,7 @@ index 343cee3..c3643f0 100644 ') ######################################## -@@ -391,12 +349,19 @@ interface(`mta_send_mail',` +@@ -391,12 +350,19 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -116579,7 +116613,7 @@ index 343cee3..c3643f0 100644 ') ######################################## -@@ -409,7 +374,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +375,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -116587,7 +116621,7 @@ index 343cee3..c3643f0 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +384,60 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +385,60 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -116648,7 +116682,7 @@ index 343cee3..c3643f0 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +456,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +457,26 @@ interface(`mta_sendmail_exec',` ######################################## ## 
@@ -116675,7 +116709,7 @@ index 343cee3..c3643f0 100644 ## Read mail server configuration. ## ## -@@ -494,6 +532,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +533,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -116683,7 +116717,7 @@ index 343cee3..c3643f0 100644 ') ######################################## -@@ -532,7 +571,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +572,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -116692,7 +116726,7 @@ index 343cee3..c3643f0 100644 ') ######################################## -@@ -552,7 +591,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +592,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -116701,7 +116735,7 @@ index 343cee3..c3643f0 100644 ') ####################################### -@@ -574,6 +613,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` +@@ -574,6 +614,44 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') @@ -116724,10 +116758,29 @@ index 343cee3..c3643f0 100644 + allow $1 mailserver_delivery:tcp_socket { read write }; +') + ++##################################### ++## ++## Allow attempts to read and write fifo ++## file of mail delivery domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mta_rw_delivery_pipe',` ++ gen_require(` ++ attribute mailserver_delivery; ++ ') ++ ++ allow $1 mailserver_delivery:fifo_file rw_inherited_fifo_file_perms; ++') ++ ####################################### ## ## Connect to all mail servers over TCP. (Deprecated) -@@ -646,8 +704,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +724,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; 
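Review bot: The new `mta_rw_delivery_pipe` interface (hunk `@@ -116701,10 +116735,29 @@`) is an allow interface, but its parameter description reads `## Domain to not audit.`, copied from the dontaudit interface above it; it should be `## Domain allowed access.`. The summary could also spell out the permission scope, e.g. `## Read and write inherited fifo files of mail delivery domains.`, so callers see that `rw_inherited_fifo_file_perms` rather than full fifo access is granted. The caller added in `@@ -116531,7 +116564,7 @@` wraps this same-module call in `optional_policy`, which appears to follow the existing `mta_rw_delivery_tcp_sockets($1)` line; a short comment on why the wrapper is needed there would help.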
@@ -116738,7 +116791,7 @@ index 343cee3..c3643f0 100644 ') ####################################### -@@ -677,7 +735,26 @@ interface(`mta_spool_filetrans',` +@@ -677,7 +755,26 @@ interface(`mta_spool_filetrans',` ') files_search_spool($1) @@ -116766,7 +116819,7 @@ index 343cee3..c3643f0 100644 ') ######################################## -@@ -697,8 +774,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +794,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -116777,7 +116830,7 @@ index 343cee3..c3643f0 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +915,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +935,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -116786,7 +116839,7 @@ index 343cee3..c3643f0 100644 ') ######################################## -@@ -864,6 +941,36 @@ interface(`mta_manage_queue',` +@@ -864,6 +961,36 @@ interface(`mta_manage_queue',` ####################################### ## @@ -116823,7 +116876,7 @@ index 343cee3..c3643f0 100644 ## Read sendmail binary. ## ## -@@ -899,3 +1006,170 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +1026,170 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -132827,7 +132880,7 @@ index 0000000..3eb745d +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..e9c2efe +index 0000000..a535b8c --- /dev/null +++ b/policy/modules/services/sanlock.te @@ -0,0 +1,103 @@ 
@@ -132877,8 +132930,8 @@ index 0000000..e9c2efe +# +# sanlock local policy +# -+allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice }; -+allow sanlock_t self:process { setsched signull signal sigkill }; ++allow sanlock_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice sys_resource }; ++allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; + +allow sanlock_t self:fifo_file rw_fifo_file_perms; +allow sanlock_t self:unix_stream_socket create_stream_socket_perms; @@ -133530,7 +133583,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..4e69f51 100644 +index 086cd5f..50880aa 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -133553,7 +133606,7 @@ index 086cd5f..4e69f51 100644 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,17 +52,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble +@@ -49,17 +52,22 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file @@ -133568,6 +133621,7 @@ index 086cd5f..4e69f51 100644 kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) ++kernel_read_irq_sysctls(setroubleshootd_t) +kernel_read_unlabeled_state(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) 
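Review bot: The widened `allow sanlock_t self:capability` line now grants `setuid` and `sys_resource`, and the process line adds `setrlimit`, with nothing recording which sanlock operation triggered them; the changelog only says the update resolves AVCs. A comment above the two rules, such as `# setuid, sys_resource, setrlimit: seen in sanlock daemon startup AVCs — TODO confirm which limit is raised`, would let a later reviewer tell whether each capability is still required rather than carried forward. `sys_resource` lets the daemon override resource limits, so the note should state which limit sanlock adjusts.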
@@ -133576,7 +133630,15 @@ index 086cd5f..4e69f51 100644 corenet_all_recvfrom_unlabeled(setroubleshootd_t) corenet_all_recvfrom_netlabel(setroubleshootd_t) -@@ -85,6 +92,7 @@ files_getattr_all_files(setroubleshootd_t) +@@ -74,6 +82,7 @@ dev_read_urand(setroubleshootd_t) + dev_read_sysfs(setroubleshootd_t) + dev_getattr_all_blk_files(setroubleshootd_t) + dev_getattr_all_chr_files(setroubleshootd_t) ++dev_getattr_mtrr_dev(setroubleshootd_t) + + domain_dontaudit_search_all_domains_state(setroubleshootd_t) + domain_signull_all_domains(setroubleshootd_t) +@@ -85,6 +94,7 @@ files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) files_getattr_all_sockets(setroubleshootd_t) files_read_all_symlinks(setroubleshootd_t) @@ -133584,7 +133646,7 @@ index 086cd5f..4e69f51 100644 fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) -@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) +@@ -95,6 +105,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) @@ -133592,7 +133654,7 @@ index 086cd5f..4e69f51 100644 term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) -@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t) +@@ -104,6 +115,8 @@ auth_use_nsswitch(setroubleshootd_t) init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) @@ -133601,7 +133663,7 @@ index 086cd5f..4e69f51 100644 miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) -@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t) +@@ -112,8 +125,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) 
@@ -133610,7 +133672,7 @@ index 086cd5f..4e69f51 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,10 +132,23 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -133634,7 +133696,7 @@ index 086cd5f..4e69f51 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,7 +173,12 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -151,7 +175,12 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -133647,7 +133709,7 @@ index 086cd5f..4e69f51 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +191,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +193,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -139274,7 +139336,7 @@ index 2124b6a..5072bd7 100644 +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..85b7d8b 100644 +index 7c5d8d8..6fc6ad4 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -13,39 +13,45 @@ 
@@ -139679,15 +139741,27 @@ index 7c5d8d8..85b7d8b 100644 ') ######################################## -@@ -466,6 +642,7 @@ interface(`virt_manage_images',` +@@ -466,18 +642,7 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_read_nfs_symlinks($1) +- ') +- +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) +- ') + rw_chr_files_pattern($1, virt_image_type, virt_image_type) + ') - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) -@@ -500,10 +677,19 @@ interface(`virt_manage_images',` + ######################################## +@@ -500,10 +665,19 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -139708,7 +139782,7 @@ index 7c5d8d8..85b7d8b 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -515,4 +701,248 @@ interface(`virt_admin',` +@@ -515,4 +689,248 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -139958,7 +140032,7 @@ index 7c5d8d8..85b7d8b 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..caef8cf 100644 +index 3eca020..4ca7290 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -1,60 +1,91 @@ @@ -140028,15 +140102,15 @@ index 3eca020..caef8cf 100644 +gen_tunable(virt_use_sanlock, false) + +## -+##

+ ##

+-## Allow virt to use usb devices +## Allow confined virtual guests to interact with the xserver +##

+##
+gen_tunable(virt_use_xserver, false) + +## - ##

--## Allow virt to use usb devices ++##

+## Allow confined virtual guests to use usb devices ##

##
@@ -140181,12 +140255,13 @@ index 3eca020..caef8cf 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +228,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +228,17 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) + fs_manage_nfs_named_sockets(svirt_t) + fs_read_nfs_symlinks(svirt_t) ++ fs_getattr_nfs(svirt_t) ') tunable_policy(`virt_use_samba',` @@ -140194,10 +140269,11 @@ index 3eca020..caef8cf 100644 fs_manage_cifs_files(svirt_t) + fs_manage_cifs_named_sockets(svirt_t) + fs_read_cifs_symlinks(virtd_t) ++ fs_getattr_cifs(svirt_t) ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +245,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +247,28 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -140226,7 +140302,7 @@ index 3eca020..caef8cf 100644 xen_rw_image_files(svirt_t) ') -@@ -173,22 +275,41 @@ optional_policy(` +@@ -173,22 +277,41 @@ optional_policy(` # virtd local policy # @@ -140275,7 +140351,7 @@ index 3eca020..caef8cf 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -199,9 +320,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -199,9 +322,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -140296,7 +140372,7 @@ index 3eca020..caef8cf 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +347,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +349,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
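Review bot: In the `virt_use_samba` block for svirt_t (hunk `@@ -140194,10 +140269,11 @@`), the added `fs_getattr_cifs(svirt_t)` sits directly under `fs_read_cifs_symlinks(virtd_t)`, which names virtd_t inside a block otherwise scoped to svirt_t. That line is pre-existing patch content rather than part of this change, but it looks like a typo for `fs_read_cifs_symlinks(svirt_t)`: as written, guests gated by the boolean cannot follow CIFS symlinks while virtd_t gains that access whenever the boolean is on. The nfs block above already uses `fs_read_nfs_symlinks(svirt_t)`, so fixing it here would make the two tunables symmetric.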
@@ -140312,7 +140388,7 @@ index 3eca020..caef8cf 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +375,32 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +377,32 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -140346,7 +140422,7 @@ index 3eca020..caef8cf 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +410,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -140365,7 +140441,7 @@ index 3eca020..caef8cf 100644 mcs_process_set_categories(virtd_t) -@@ -276,6 +434,8 @@ term_use_ptmx(virtd_t) +@@ -276,6 +436,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -140374,14 +140450,14 @@ index 3eca020..caef8cf 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -285,16 +445,32 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +447,32 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -140407,7 +140483,7 @@ index 3eca020..caef8cf 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +489,10 @@ optional_policy(` +@@ -313,6 +491,10 @@ optional_policy(` ') optional_policy(` @@ -140418,7 +140494,7 @@ index 3eca020..caef8cf 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -326,19 +506,30 @@ optional_policy(` +@@ -326,19 +508,30 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') 
@@ -140450,7 +140526,7 @@ index 3eca020..caef8cf 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -353,6 +544,12 @@ optional_policy(` +@@ -353,6 +546,12 @@ optional_policy(` ') optional_policy(` @@ -140463,7 +140539,7 @@ index 3eca020..caef8cf 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -360,11 +557,11 @@ optional_policy(` +@@ -360,11 +559,11 @@ optional_policy(` ') optional_policy(` @@ -140480,7 +140556,7 @@ index 3eca020..caef8cf 100644 ') optional_policy(` -@@ -375,6 +572,7 @@ optional_policy(` +@@ -375,6 +574,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -140488,7 +140564,7 @@ index 3eca020..caef8cf 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -394,20 +592,36 @@ optional_policy(` +@@ -394,20 +594,36 @@ optional_policy(` # virtual domains common policy # @@ -140528,7 +140604,7 @@ index 3eca020..caef8cf 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +634,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -140542,7 +140618,7 @@ index 3eca020..caef8cf 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +645,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +647,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -140555,7 +140631,7 @@ index 3eca020..caef8cf 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +658,430 @@ files_search_all(virt_domain) +@@ -440,25 +660,435 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -140681,6 +140757,18 @@ index 3eca020..caef8cf 100644 + ') +') + ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(virsh_t) ++ fs_manage_nfs_files(virsh_t) ++ fs_read_nfs_symlinks(virsh_t) ++') ++ ++tunable_policy(`virt_use_samba',` ++ fs_manage_cifs_files(virsh_t) ++ fs_manage_cifs_files(virsh_t) ++ fs_read_cifs_symlinks(virsh_t) ++') ++ +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) @@ -140688,13 +140776,6 @@ index 3eca020..caef8cf 100644 +') + +optional_policy(` -+ virt_domtrans(virsh_t) -+ virt_manage_images(virsh_t) -+ virt_manage_config(virsh_t) -+ virt_stream_connect(virsh_t) -+') -+ -+optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9ef8a5a..258a48d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 143%{?dist} +Release: 144%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
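Review bot: In the new `tunable_policy(`virt_use_samba',` block for virsh_t (hunk `@@ -140681,6 +140757,18 @@`), `fs_manage_cifs_files(virsh_t)` appears twice and there is no dirs rule, while the nfs block right above it has `fs_manage_nfs_dirs`, `fs_manage_nfs_files` and `fs_read_nfs_symlinks`; the second line was presumably meant to be `fs_manage_cifs_dirs(virsh_t)`. The same duplicate exists in the block this commit removes from `virt_manage_images` in virt.if (`@@ -139679,15 +139741,27 @@`), so it seems to have been carried over rather than noticed. The following hunk (`@@ -140688,13 +140776,6 @@`) drops the optional_policy block that gave virsh_t `virt_manage_images`, `virt_domtrans`, `virt_manage_config` and `virt_stream_connect`; if those rules were not re-added elsewhere in the section, virsh_t loses image management in the same change that adds its nfs/cifs tunables, which reads as a regression rather than an intended narrowing.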
@@ -479,6 +479,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Aug 6 2012 Miroslav Grepl 3.10.0-144 +- Allow sendmail to read/write postfix_delivery_t +- Update sanlock policy to solve all AVC's +- Change virt interface so confined users can optionally manage virt content +- setroubleshoot was trying to getattr on sysctl and proc stuff +- Need to allow svirt_t ability to getattr on nfs_t file system +- Allow staff users to run svirt_t processes +- Add new booleans to allow staff user and unprivuser to use boxes + * Thu Aug 2 2012 Miroslav Grepl 3.10.0-143 - Alias firstboot_tmp_t to tmp_t - Add support for sqlgre