From e8917d11519379fb601be308230dfd314954c851 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 24 2014 22:47:45 +0000 Subject: * Fri Apr 25 2014 Lukas Vrabec 3.12.1-157 - Added fprintd dontaudit tmp dirs rule - Add interface to allow tools to check the processes state of bind/named - ALlow rhsmcertd-worker connect to tcp/8080 - Allow locate to getattr any files in mock_var_lib - Fix label on sensor logs - Add cockpit policy - Allow locate to getattr any files in mock_var_lib - Allow docker to start systemd service - Allow mock-build to write all inherited ttys and ptys - Fix mock_read_lib_files() interface - Allow sys_ptrace for mock-build - Additional access required for gear management of openshift directories - Allow tgtd to read /proc/net/psched - Add glance_use_fusefs() boolean - Allow ifconfig to manage lnk files - Allow ipsec_mgmt_t to read state of the bind process - If you use ldap you should be able to read certs - Dontaudit access to this leaked fifo_file - Remove dup sysnet_manage_ifconfig_run() interface - systemd calling needs to be optional --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 0e82369..764520e 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -2406,10 +2406,10 @@ index 0960199..aa51ab2 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..fc6d1d3 100644 +index d9fce57..612503a 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,100 @@ attribute sudodomain; +@@ -7,3 +7,105 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -2441,6 +2441,7 @@ index d9fce57..fc6d1d3 100644 +allow sudodomain self:unix_dgram_socket sendto; +allow sudodomain self:unix_stream_socket connectto; +allow sudodomain self:key manage_key_perms; ++allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms; + +kernel_getattr_core_if(sudodomain) +kernel_link_key(sudodomain) 
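Review bot: The new rule `allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;` in sudo.te carries no comment saying which sudo or PAM code path opens a kernel uevent socket, and none of the changelog entries at the top of this mail mention it. A uevent socket is an unusual need for a privilege-elevation helper, and because the rule is written against the sudodomain attribute it applies to every domain carrying that attribute rather than to one binary. A one-line why-comment above the rule naming the component that needs the socket would let a later reviewer judge whether the grant still belongs.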
@@ -2503,6 +2504,10 @@ index d9fce57..fc6d1d3 100644 +userdom_search_admin_dir(sudodomain) +userdom_manage_all_users_keys(sudodomain) + ++tunable_policy(`authlogin_yubikey',` ++ auth_manage_home_content(sudodomain) ++') ++ +optional_policy(` + dbus_system_bus_client(sudodomain) +') @@ -8923,7 +8928,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..64d9761 100644 +index cf04cb5..2df18b9 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8964,7 +8969,7 @@ index cf04cb5..64d9761 100644 # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +110,48 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -9007,13 +9012,14 @@ index cf04cb5..64d9761 100644 +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + ++ +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) +') ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +170,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -9032,7 +9038,7 @@ index cf04cb5..64d9761 100644 ') optional_policy(` -@@ -133,6 +191,9 @@ optional_policy(` +@@ -133,6 +192,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) 
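Review bot: `auth_manage_home_content(sudodomain)` under the authlogin_yubikey tunable grants create, write, rename and delete on every auth_home_t object, and the authlogin.fc hunks later in this mail label the `.google_authenticator` files with that same type, so enabling a boolean described as yubikey login also lets any sudodomain rewrite or remove Google Authenticator secrets. If yubikey challenge-response only needs to update state under `.yubico`, a separate type for that directory, or a narrower write interface, would keep the two mechanisms apart. Otherwise the boolean description in authlogin.te should state that it opens all authentication home content for writing, not just yubikey data.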
@@ -9042,7 +9048,7 @@ index cf04cb5..64d9761 100644 ') ######################################## -@@ -147,12 +208,18 @@ optional_policy(` +@@ -147,12 +209,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -9062,7 +9068,7 @@ index cf04cb5..64d9761 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +233,338 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +234,339 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9262,6 +9268,7 @@ index cf04cb5..64d9761 100644 + systemd_filetrans_named_content(named_filetrans_domain) + systemd_filetrans_named_hostname(named_filetrans_domain) + systemd_filetrans_home_content(named_filetrans_domain) ++ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain) +') + +optional_policy(` @@ -27944,14 +27951,14 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..36fbb93 100644 +index 28ad538..a1a917c 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ -+HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) ++HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) ++/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) 
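Review bot: `systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)` is inserted into an optional_policy block whose other calls all act on named_filetrans_domain, and it silences fifo_file write denials for every domain rather than only the one that inherits the leaked descriptor. Since the changelog describes this as covering a leaked fifo_file, a comment naming the leaking component and a tracking reference would keep the dontaudit from quietly becoming permanent, and moving the call into its own optional_policy block or scoping it to the affected domain keeps the named_filetrans_domain block single-purpose. The opening of the enclosing optional_policy block is outside the hunk.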
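Review bot: The `/root/\.yubico(/.*)?` entry is narrowed to `/root/\.yubico/(.*)`, which matches the directory's contents but no longer the `/root/.yubico` directory itself, while the `HOME_DIR/\.yubico(/.*)?` entry two lines earlier still labels the user directory auth_home_t. The root directory will then keep whatever label the surrounding home-directory rules give it, so a domain that is granted manage rights on auth_home_t can create files under a user's `.yubico` but not under root's without extra access to the parent's type, and the root and user cases diverge. If labelling only the contents is intended, a comment explaining why root differs would help; otherwise restoring `(/.*)?` keeps both entries consistent.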
@@ -28038,7 +28045,7 @@ index 28ad538..36fbb93 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..c74d0d5 100644 +index 3efd5b6..42803b7 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -28628,7 +28635,7 @@ index 3efd5b6..c74d0d5 100644 ') ######################################## -@@ -1805,3 +2033,242 @@ interface(`auth_unconfined',` +@@ -1805,3 +2033,262 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -28831,6 +28838,26 @@ index 3efd5b6..c74d0d5 100644 + read_files_pattern($1, auth_home_t, auth_home_t) +') + ++######################################## ++## ++## Read the authorization data in the user home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_home_content',` ++ ++ gen_require(` ++ type auth_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, auth_home_t, auth_home_t) ++ manage_dirs_pattern($1, auth_home_t, auth_home_t) ++') + +######################################## +## @@ -28872,7 +28899,7 @@ index 3efd5b6..c74d0d5 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..9b993c6 100644 +index 104037e..cc09db4 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -28888,7 +28915,7 @@ index 104037e..9b993c6 100644 + +## +##
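Review bot: The new `auth_manage_home_content` interface reuses the summary of the read interface above it, `Read the authorization data in the user home directory`, although its body calls `manage_files_pattern` and `manage_dirs_pattern`, which grant create, write, rename and delete as well. The summary should read `Create, read, write, and delete the authorization data in the user home directory` so that callers see the write rights they are handing out. The parameter description and the gen_require block are otherwise consistent with the neighbouring interfaces.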

-+## Allow users to login using a yubikey server ++## Allow users to login using a yubikey OTP server or challenge response mode +##

+##
+gen_tunable(authlogin_yubikey, false) @@ -33068,7 +33095,7 @@ index 0d4c8d3..3a3ec52 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..4917c6e 100644 +index 9e54bf9..5338f4d 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -33265,7 +33292,7 @@ index 9e54bf9..4917c6e 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -33289,11 +33316,12 @@ index 9e54bf9..4917c6e 100644 +optional_policy(` + bind_read_dnssec_keys(ipsec_mgmt_t) + bind_read_config(ipsec_mgmt_t) ++ bind_read_state(ipsec_mgmt_t) +') optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +364,10 @@ optional_policy(` +@@ -322,6 +365,10 @@ optional_policy(` ') optional_policy(` @@ -33304,7 +33332,7 @@ index 9e54bf9..4917c6e 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +381,7 @@ optional_policy(` +@@ -335,7 +382,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -33313,7 +33341,7 @@ index 9e54bf9..4917c6e 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) 
@@ -33333,7 +33361,7 @@ index 9e54bf9..4917c6e 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -33346,7 +33374,7 @@ index 9e54bf9..4917c6e 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -39247,7 +39275,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..98ac8bf 100644 +index 6944526..07fa942 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39543,17 +39571,19 @@ index 6944526..98ac8bf 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +904,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +904,11 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) + + # LDAP Configuration using encrypted requires + dev_read_urand($1) ++ ++ ldap_read_certs($1) ') ######################################## -@@ -754,7 +928,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +930,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) 
@@ -39561,7 +39591,7 @@ index 6944526..98ac8bf 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +939,114 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +941,114 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -39677,7 +39707,7 @@ index 6944526..98ac8bf 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..28f16ce 100644 +index b7686d5..3c77852 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -39905,7 +39935,7 @@ index b7686d5..28f16ce 100644 vmware_append_log(dhcpc_t) ') -@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -39922,6 +39952,7 @@ index b7686d5..28f16ce 100644 +can_exec(ifconfig_t, ifconfig_exec_t) + +manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) ++manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) +allow ifconfig_t ifconfig_var_run_t:file mounton; @@ -39929,7 +39960,7 @@ index b7686d5..28f16ce 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +333,31 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) 
@@ -39946,7 +39977,8 @@ index b7686d5..28f16ce 100644 +dev_unmount_sysfs_fs(ifconfig_t) domain_use_interactive_fds(ifconfig_t) - ++domain_read_all_domains_state(ifconfig_t) ++ +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +files_dontaudit_rw_inherited_pipes(ifconfig_t) @@ -39954,14 +39986,14 @@ index b7686d5..28f16ce 100644 +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) +files_dontaudit_rw_var_files(ifconfig_t) -+ + files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +370,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,31 +372,50 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -39988,8 +40020,13 @@ index b7686d5..28f16ce 100644 +userdom_use_inherited_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) ++optional_policy(` ++ hostname_exec(ifconfig_t) ++') ++ ifdef(`distro_ubuntu',` -@@ -318,7 +394,22 @@ ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(ifconfig_t) ') ') @@ -40012,7 +40049,7 @@ index b7686d5..28f16ce 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +420,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +426,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -40026,7 +40063,7 @@ index b7686d5..28f16ce 100644 ') optional_policy(` -@@ -339,7 +433,15 @@ optional_policy(` +@@ -339,7 +439,15 @@ optional_policy(` ') optional_policy(` @@ -40043,7 +40080,7 @@ index b7686d5..28f16ce 100644 ') optional_policy(` -@@ -360,3 +462,13 @@ optional_policy(` +@@ -360,3 +468,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -40112,10 +40149,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> 
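Review bot: `domain_read_all_domains_state(ifconfig_t)` lets ifconfig_t read the process state of every domain on the system, a broad grant for a network-configuration tool, and the hunk carries no comment on which denial motivated it. If the need is to read one specific process, a per-module read-state interface such as the `bind_read_state` one added elsewhere in this mail is the narrower form; if the broad access is really required, a why-comment on the line recording which tool needs it and why would make the decision reviewable. The ifconfig_t policy continues on both sides of this hunk.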
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..8bca1d7 +index 0000000..24b2af3 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1440 @@ +@@ -0,0 +1,1458 @@ +## SELinux policy for systemd components + +###################################### @@ -40487,6 +40524,24 @@ index 0000000..8bca1d7 + +###################################### +## ++## Dontaudit attempts to write inherited logind sessions pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',` ++ gen_require(` ++ type systemd_logind_sessions_t; ++ ') ++ ++ dontaudit $1 systemd_logind_sessions_t:fifo_file write; ++') ++ ++###################################### ++## +## Write systemd inhibit pipes. +## +## diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index e06bda9..66de755 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -8762,7 +8762,7 @@ index 2b9a3a1..f755e6b 100644 +/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +') diff --git a/bind.if b/bind.if -index 866a1e2..6c2dbe4 100644 +index 866a1e2..43b445c 100644 --- a/bind.if +++ b/bind.if @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` @@ -8857,7 +8857,33 @@ index 866a1e2..6c2dbe4 100644 ## Create, read, write, and delete ## bind zone files. ##
-@@ -362,12 +426,20 @@ interface(`bind_udp_chat_named',` +@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',` + + ######################################## + ## ++## Allow the domain to read bind state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_read_state',` ++ gen_require(` ++ type named_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, named_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an bind environment. + ## +@@ -362,12 +445,20 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; @@ -8867,22 +8893,22 @@ index 866a1e2..6c2dbe4 100644 + type named_zone_t, named_initrc_exec_t; + type dnssec_t, ndc_t, named_keytab_t; + type named_unit_file_t; - ') - -- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { named_t ndc_t }) ++ ') ++ + allow $1 named_t:process signal_perms; + ps_process_pattern($1, named_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 named_t:process ptrace; -+ ') -+ + ') + +- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { named_t ndc_t }) + bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) domain_system_change_exemption($1) -@@ -383,11 +455,15 @@ interface(`bind_admin',` +@@ -383,11 +474,15 @@ interface(`bind_admin',` files_list_etc($1) admin_pattern($1, named_conf_t) 
@@ -13097,6 +13123,312 @@ index 2a71346..3a38b11 100644 + tftp_manage_config(cobblerd_t) tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ') +diff --git a/cockpit.fc b/cockpit.fc +new file mode 100644 +index 0000000..ee6e817 +--- /dev/null ++++ b/cockpit.fc +@@ -0,0 +1,9 @@ ++/usr/lib/systemd/system/cockpit.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++ ++/usr/lib/systemd/system/cockpit.socket -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++ ++/usr/lib/systemd/system/cockpitd.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++ ++/usr/libexec/cockpitd -- gen_context(system_u:object_r:cockpit_exec_t,s0) ++ ++/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) +diff --git a/cockpit.if b/cockpit.if +new file mode 100644 +index 0000000..25e3237 +--- /dev/null ++++ b/cockpit.if +@@ -0,0 +1,186 @@ ++ ++## policy for cockpit ++ ++######################################## ++## ++## Execute TEMPLATE in the cockpit domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cockpit_domtrans',` ++ gen_require(` ++ type cockpit_t, cockpit_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, cockpit_exec_t, cockpit_t) ++') ++ ++######################################## ++## ++## Search cockpit lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_search_lib',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ allow $1 cockpit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read cockpit lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_read_lib_files',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) ++') ++ ++######################################## ++## ++## Manage cockpit lib files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_manage_lib_files',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) ++') ++ ++######################################## ++## ++## Manage cockpit lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_manage_lib_dirs',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) ++') ++ ++######################################## ++## ++## Execute cockpit server in the cockpit domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cockpit_systemctl',` ++ gen_require(` ++ type cockpit_t; ++ type cockpit_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 cockpit_unit_file_t:file read_file_perms; ++ allow $1 cockpit_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, cockpit_t) ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## cockpit over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_dbus_chat',` ++ gen_require(` ++ type cockpit_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 cockpit_t:dbus send_msg; ++ allow cockpit_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an cockpit environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`cockpit_admin',` ++ gen_require(` ++ type cockpit_t; ++ type cockpit_var_lib_t; ++ type cockpit_unit_file_t; ++ ') ++ ++ allow $1 cockpit_t:process { signal_perms }; ++ ps_process_pattern($1, cockpit_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cockpit_t:process ptrace; ++ ') ++ ++ files_search_var_lib($1) ++ admin_pattern($1, cockpit_var_lib_t) ++ ++ cockpit_systemctl($1) ++ admin_pattern($1, cockpit_unit_file_t) ++ allow $1 cockpit_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/cockpit.te b/cockpit.te +new file mode 100644 +index 0000000..ede96a7 +--- /dev/null ++++ b/cockpit.te +@@ -0,0 +1,93 @@ ++policy_module(cockpit, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type cockpit_t; ++type cockpit_exec_t; ++init_daemon_domain(cockpit_t, cockpit_exec_t) ++ ++type cockpit_var_lib_t; ++files_type(cockpit_var_lib_t) ++ ++type cockpit_unit_file_t; ++systemd_unit_file(cockpit_unit_file_t) ++ ++######################################## ++# ++# cockpit local policy ++# ++allow cockpit_t self:capability net_admin; ++allow cockpit_t self:fifo_file rw_fifo_file_perms; ++allow cockpit_t self:unix_stream_socket create_stream_socket_perms; ++allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow cockpit_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) ++files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file }) ++ ++kernel_read_system_state(cockpit_t) ++kernel_read_network_state(cockpit_t) ++ ++corecmd_exec_bin(cockpit_t) ++corecmd_exec_shell(cockpit_t) ++ ++dev_read_sysfs(cockpit_t) ++ ++domain_use_interactive_fds(cockpit_t) 
++domain_read_all_domains_state(cockpit_t) ++ ++files_read_etc_files(cockpit_t) ++files_list_tmp(cockpit_t) ++ ++fs_read_tmpfs_symlinks(cockpit_t) ++fs_list_cgroup_dirs(cockpit_t) ++fs_read_cgroup_files(cockpit_t) ++fs_getattr_all_fs(cockpit_t) ++ ++auth_use_nsswitch(cockpit_t) ++ ++init_dbus_chat(cockpit_t) ++init_status(cockpit_t) ++init_read_state(cockpit_t) ++init_list_pid_dirs(cockpit_t) ++ ++logging_send_syslog_msg(cockpit_t) ++ ++miscfiles_read_localization(cockpit_t) ++ ++systemd_status_all_unit_files(cockpit_t) ++systemd_read_logind_sessions_files(cockpit_t) ++ ++udev_read_pid_files(cockpit_t) ++ ++optional_policy(` ++ dbus_system_bus_client(cockpit_t) ++ dbus_connect_system_bus(cockpit_t) ++ ++ optional_policy(` ++ accountsd_dbus_chat(cockpit_t) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat_disk(cockpit_t) ++ devicekit_dbus_chat_power(cockpit_t) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(cockpit_t) ++ networkmanager_stream_connect(cockpit_t) ++ ') ++ ++ optional_policy(` ++ realmd_dbus_chat(cockpit_t) ++ ') ++') ++ ++optional_policy(` ++ docker_stream_connect(cockpit_t) ++') diff --git a/collectd.fc b/collectd.fc index 79a3abe..2e7d7ed 100644 --- a/collectd.fc @@ -23532,10 +23864,10 @@ index 0000000..66fe66d +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..f6fe2c3 +index 0000000..fcf810d --- /dev/null +++ b/docker.te -@@ -0,0 +1,271 @@ +@@ -0,0 +1,272 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23760,6 +24092,7 @@ index 0000000..f6fe2c3 +modutils_domtrans_insmod(docker_t) + +systemd_status_all_unit_files(docker_t) ++systemd_start_systemd_services(docker_t) + +userdom_stream_connect(docker_t) +userdom_search_user_home_content(docker_t) @@ -26552,7 +26885,7 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..ed04b9e 100644 +index c81b6e8..72b7712 100644 --- a/fprintd.te +++ b/fprintd.te 
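Review bot: The `cockpit_domtrans` summary in the new cockpit.if still reads `Execute TEMPLATE in the cockpit domin.`, a leftover from the interface template with a typo, and should read `Execute cockpit in the cockpit domain.`; the `cockpit_admin` summary `an cockpit environment` repeats the article error of the bind.if text it mirrors. In cockpit.te, `allow cockpit_t self:capability net_admin;` and `corecmd_exec_shell(cockpit_t)` have no comment saying what the daemon does with them, and a short why-comment above each would make the grants reviewable later. The new files are complete within the hunk.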
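Review bot: `systemd_start_systemd_services(docker_t)` grants the docker daemon, going by the interface name, start permission on systemd services in general, and there is no comment stating which unit it actually needs to start. If the requirement is a single unit, a dedicated unit-file type with a systemctl-style interface, as the new cockpit.if does with `cockpit_unit_file_t` and `manage_service_perms`, limits docker_t to that service; if the broad grant is intended, a why-comment above the line should say so. The docker_t block continues on both sides of this hunk.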
@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t) @@ -26564,7 +26897,7 @@ index c81b6e8..ed04b9e 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t) +@@ -28,15 +30,16 @@ kernel_read_system_state(fprintd_t) dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) @@ -26572,7 +26905,8 @@ index c81b6e8..ed04b9e 100644 dev_rw_generic_usb_dev(fprintd_t) -files_read_usr_files(fprintd_t) -- ++files_dontaudit_list_tmp(fprintd_t) + fs_getattr_all_fs(fprintd_t) auth_use_nsswitch(fprintd_t) @@ -26582,7 +26916,7 @@ index c81b6e8..ed04b9e 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +55,17 @@ optional_policy(` +@@ -54,8 +57,17 @@ optional_policy(` ') ') @@ -27705,10 +28039,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..e6a1c7c +index 0000000..7f1639a --- /dev/null +++ b/gear.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,105 @@ +policy_module(gear, 1.0.0) + +######################################## @@ -27736,7 +28070,7 @@ index 0000000..e6a1c7c +# +# gear local policy +# -+allow gear_t self:capability chown; ++allow gear_t self:capability { chown net_admin fowner dac_override }; +allow gear_t self:capability2 block_suspend; +allow gear_t self:process { getattr signal_perms }; +allow gear_t self:fifo_file rw_fifo_file_perms; @@ -27810,6 +28144,10 @@ index 0000000..e6a1c7c +optional_policy(` + docker_stream_connect(gear_t) +') ++ ++optional_policy(` ++ openshift_manage_lib_files(gear_t) ++') diff --git a/gift.te b/gift.te index 395238e..af76abb 100644 --- a/gift.te @@ -28086,11 +28424,20 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..6838221 100644 +index e0a4f46..2d17fe6 100644 
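Review bot: The gear_t capability set grows from `chown` to `{ chown net_admin fowner dac_override }` in one line, and the changelog only says the access was needed for managing openshift directories. `dac_override` bypasses all discretionary file permission checks and is often requested when the real gap is a search or ownership problem; if the denial that motivated it only involved reading or traversing directories, the narrower `dac_read_search` capability covers that, and `net_admin` has no obvious connection to directory management at all. A short comment per capability, or moving the unrelated `net_admin` grant to its own line with its reason, would make each one reviewable. The gear_t policy continues past this hunk.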
--- a/glance.te +++ b/glance.te -@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) +@@ -5,10 +5,16 @@ policy_module(glance, 1.0.2) + # Declarations + # ++## ++##

++## Allow glance domain to manage fuse files ++##

++##
++gen_tunable(glance_use_fusefs, false) ++ attribute glance_domain; -type glance_registry_t, glance_domain; @@ -28099,7 +28446,7 @@ index e0a4f46..6838221 100644 init_daemon_domain(glance_registry_t, glance_registry_exec_t) type glance_registry_initrc_exec_t; -@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t) +@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t) type glance_registry_tmp_t; files_tmp_file(glance_registry_tmp_t) @@ -28112,7 +28459,7 @@ index e0a4f46..6838221 100644 init_daemon_domain(glance_api_t, glance_api_exec_t) type glance_api_initrc_exec_t; -@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t) +@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t) # Common local policy # @@ -28120,7 +28467,7 @@ index e0a4f46..6838221 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -28151,6 +28498,15 @@ index e0a4f46..6838221 100644 - sysnet_dns_name_resolve(glance_domain) ++tunable_policy(`glance_use_fusefs',` ++ fs_manage_fusefs_dirs(glance_domain) ++ fs_manage_fusefs_files(glance_domain) ++ fs_read_fusefs_symlinks(glance_domain) ++ fs_getattr_fusefs(glance_domain) ++') ++ ++ ++ +optional_policy(` + mysql_read_db_lnk_files(glance_domain) +') 
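Review bot: The new glance_use_fusefs tunable_policy block is followed by three blank lines before the mysql optional_policy block, where the rest of glance.te separates blocks with one. Collapsing them keeps the file consistent; the rules themselves (manage dirs and files, read symlinks, getattr on fusefs) match the boolean description `Allow glance domain to manage fuse files`, so no change to the grants is suggested.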
@@ -28158,7 +28514,7 @@ index e0a4f46..6838221 100644 ######################################## # # Registry local policy -@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -28173,7 +28529,7 @@ index e0a4f46..6838221 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -42659,10 +43015,10 @@ index 0000000..8d0e473 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/mock.if b/mock.if new file mode 100644 -index 0000000..6568bfe +index 0000000..f5b98e6 --- /dev/null +++ b/mock.if -@@ -0,0 +1,310 @@ +@@ -0,0 +1,311 @@ +## policy for mock + +######################################## @@ -42718,6 +43074,7 @@ index 0000000..6568bfe + ') + + files_search_var_lib($1) ++ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) + read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + @@ -42975,10 +43332,10 @@ index 0000000..6568bfe +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..fc64201 +index 0000000..1bf717f --- /dev/null +++ b/mock.te -@@ -0,0 +1,276 @@ +@@ -0,0 +1,277 @@ +policy_module(mock,1.0.0) + +## 
@@ -43173,7 +43530,7 @@ index 0000000..fc64201 +# +# mock_build local policy +# -+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace }; +dontaudit mock_build_t self:capability audit_write; +allow mock_build_t self:process { fork setsched setpgid signal_perms }; +allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; @@ -43250,6 +43607,7 @@ index 0000000..fc64201 + +libs_exec_ldconfig(mock_build_t) + ++term_use_all_inherited_terms(mock_build_t) +userdom_use_inherited_user_ptys(mock_build_t) + +tunable_policy(`mock_enable_homedirs',` @@ -79157,7 +79515,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..d193f7a 100644 +index 1cedd70..87038e7 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -79178,13 +79536,14 @@ index 1cedd70..d193f7a 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -51,22 +50,47 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -51,22 +50,48 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +kernel_read_sysctl(rhsmcertd_t) + +corenet_tcp_connect_http_port(rhsmcertd_t) ++corenet_tcp_connect_http_cache_port(rhsmcertd_t) +corenet_tcp_connect_squid_port(rhsmcertd_t) corecmd_exec_bin(rhsmcertd_t) @@ -88334,7 +88693,7 @@ index 5f35d78..50651d2 100644 + uucp_domtrans_uux(sendmail_t) ') diff --git a/sensord.fc b/sensord.fc -index 8185d5a..97926d2 100644 +index 8185d5a..9be989a 100644 --- a/sensord.fc +++ b/sensord.fc @@ -1,5 +1,9 @@ 
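Review bot: `sys_ptrace` is added unconditionally to the mock_build_t capability set, whereas the admin interfaces elsewhere in this mail (`bind_admin`, `cockpit_admin`) gate ptrace behind the deny_ptrace tunable. If mock-build only needs ptrace for debugging during builds, wrapping `allow mock_build_t self:capability sys_ptrace;` in the same deny_ptrace tunable_policy block lets administrators who set that boolean keep it off; if it is required for normal operation, a comment saying what in the build process needs it would settle the question. The mock_build_t block continues beyond the hunk.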
@@ -88344,7 +88703,7 @@ index 8185d5a..97926d2 100644 /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) -+/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) ++/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0) + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/sensord.if b/sensord.if @@ -89538,7 +89897,7 @@ index 7880d1f..8804935 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index ba26427..8417705 100644 +index ba26427..669d253 100644 --- a/slocate.te +++ b/slocate.te @@ -18,7 +18,7 @@ files_type(locate_var_lib_t) @@ -89558,6 +89917,15 @@ index ba26427..8417705 100644 ifdef(`enable_mls',` files_dontaudit_getattr_all_dirs(locate_t) +@@ -62,3 +61,8 @@ ifdef(`enable_mls',` + optional_policy(` + cron_system_entry(locate_t, locate_exec_t) + ') ++ ++optional_policy(` ++ mock_getattr_lib(locate_t) ++') ++ diff --git a/slpd.if b/slpd.if index ca32e89..98278dd 100644 --- a/slpd.if @@ -90308,10 +90676,10 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..660fcd2 +index 0000000..d1d72f2 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,10 @@ +HOME_DIR/\.snapshots -d gen_context(system_u:object_r:snapperd_home_t,s0) + +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) @@ -90320,6 +90688,8 @@ index 0000000..660fcd2 +/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) + +/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) ++ ++/mnt/(.*/)?.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) diff --git a/snapper.if b/snapper.if new file mode 100644 index 0000000..94105ee @@ -96087,7 +96457,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index c93c973..60f4ce9 100644 +index c93c973..704a0e2 100644 --- a/tgtd.te 
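Review bot: The new sensord.fc pattern `/var/log/sensor.*` has no type column and nothing anchoring the name after `sensor`, so it labels every file and directory under /var/log whose name merely begins with `sensor` as sensord_log_t, not just sensord's own logs. The entry it replaces was `/var/log/sensord\.rrd --`; unless the log names really dropped the trailing `d`, something like `/var/log/sensord.* -- gen_context(system_u:object_r:sensord_log_t,s0)` keeps the match to sensord's files. If a log directory is also expected, add it as a separate `-d` entry rather than widening the glob.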
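Review bot: In the new snapper.fc entry `/mnt/(.*/)?.snapshots(/.*)?` the dot before `snapshots` is an unescaped regex metacharacter, so the pattern also matches `/mnt/foo/Xsnapshots` for any character X, unlike the `HOME_DIR/\.snapshots` entry earlier in the same file. It should read `/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)`. Note too that the entry relabels everything below any `.snapshots` directory anywhere under /mnt to snapperd_data_t, which will also capture unrelated filesystems mounted there that happen to carry such a directory; if that is the intended scope, a one-line comment saying so would help the next reader.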
+++ b/tgtd.te @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) @@ -96099,8 +96469,11 @@ index c93c973..60f4ce9 100644 allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t) +@@ -56,29 +56,30 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) + + kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) ++kernel_read_network_state(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) -corenet_all_recvfrom_unlabeled(tgtd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 32d10d7..97c4076 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 156%{?dist} +Release: 157%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,28 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 25 2014 Lukas Vrabec 3.12.1-157 +- Added fprintd dontaudit tmp dirs rule +- Add interface to allow tools to check the processes state of bind/named +- ALlow rhsmcertd-worker connect to tcp/8080 +- Allow locate to getattr any files in mock_var_lib +- Fix label on sensor logs +- Add cockpit policy +- Allow locate to getattr any files in mock_var_lib +- Allow docker to start systemd service +- Allow mock-build to write all inherited ttys and ptys +- Fix mock_read_lib_files() interface +- Allow sys_ptrace for mock-build +- Additional access required for gear management of openshift directories +- Allow tgtd to read /proc/net/psched +- Add glance_use_fusefs() boolean +- Allow ifconfig to manage lnk files +- Allow ipsec_mgmt_t to read state of the bind process +- If you use ldap you should be able to read certs +- Dontaudit access to this leaked fifo_file +- Remove dup sysnet_manage_ifconfig_run() interface +- systemd calling needs to be optional + * Fri Apr 18 2014 Lukas Vrabec 3.12.1-156 - Allow init_t to setattr/relabelfrom dhcp state files - Dontaudit antivirus domains read access on all security files by default