diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 8e3e35a..3c28671 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -8921,7 +8921,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..c431f61 100644 +index cf04cb5..64d9761 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -9060,7 +9060,7 @@ index cf04cb5..c431f61 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +233,334 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +233,338 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9276,6 +9276,10 @@ index cf04cb5..c431f61 100644 +') + +optional_policy(` ++ userdom_filetrans_named_user_tmp_files(named_filetrans_domain) ++') ++ ++optional_policy(` + virt_filetrans_named_content(named_filetrans_domain) +') + @@ -9396,7 +9400,7 @@ index cf04cb5..c431f61 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..2f8648d 100644 +index c2c6e05..7996499 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9530,7 +9534,7 @@ index c2c6e05..2f8648d 100644 # # /selinux # -@@ -178,25 +191,29 @@ ifdef(`distro_debian',` +@@ -178,13 +191,14 @@ ifdef(`distro_debian',` # # /srv # 
@@ -9547,11 +9551,7 @@ index c2c6e05..2f8648d 100644 /tmp/.* <> /tmp/\.journal <> - /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /tmp/lost\+found/.* <> -+/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) -+/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) - +@@ -194,9 +208,10 @@ ifdef(`distro_debian',` # # /usr # @@ -9563,7 +9563,7 @@ index c2c6e05..2f8648d 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +221,9 @@ ifdef(`distro_debian',` +@@ -204,15 +219,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9580,7 +9580,7 @@ index c2c6e05..2f8648d 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +231,6 @@ ifdef(`distro_debian',` +@@ -220,8 +229,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9589,7 +9589,7 @@ index c2c6e05..2f8648d 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +238,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9598,7 +9598,7 @@ index c2c6e05..2f8648d 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +246,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +244,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9625,7 +9625,7 @@ index c2c6e05..2f8648d 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +279,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> 
@@ -9640,14 +9640,14 @@ index c2c6e05..2f8648d 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +295,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +293,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..d2cb90d 100644 +index 64ff4d7..2dd815a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -15138,7 +15138,7 @@ index 64ff4d7..d2cb90d 100644 ## ## ## -@@ -6368,132 +8382,207 @@ interface(`files_search_spool',` +@@ -6368,132 +8382,206 @@ interface(`files_search_spool',` ## ## # @@ -15264,7 +15264,6 @@ index 64ff4d7..d2cb90d 100644 + files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") -+ files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") + files_var_filetrans($1, var_run_t, dir, "run") @@ -15397,7 +15396,7 @@ index 64ff4d7..d2cb90d 100644 ## ## ## -@@ -6501,53 +8590,17 @@ interface(`files_spool_filetrans',` +@@ -6501,53 +8589,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -15455,7 +15454,7 @@ index 64ff4d7..d2cb90d 100644 ## ## ## -@@ -6555,10 +8608,10 @@ interface(`files_polyinstantiate_all',` +@@ -6555,10 +8607,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -26311,7 +26310,7 @@ index 6bf0ecc..0d55916 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..8834d25 100644 +index 2696452..5be1645 100644 --- a/policy/modules/services/xserver.te 
+++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -26949,7 +26948,7 @@ index 2696452..8834d25 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -26972,12 +26971,14 @@ index 2696452..8834d25 100644 + fs_manage_nfs_dirs(xdm_t) + fs_manage_nfs_files(xdm_t) + fs_manage_nfs_symlinks(xdm_t) ++ fs_append_nfs_files(xdm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(xdm_t) + fs_manage_cifs_files(xdm_t) + fs_manage_cifs_symlinks(xdm_t) ++ fs_append_cifs_files(xdm_t) +') + +tunable_policy(`use_fusefs_home_dirs',` @@ -27105,7 +27106,7 @@ index 2696452..8834d25 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -27132,7 +27133,7 @@ index 2696452..8834d25 100644 ') optional_policy(` -@@ -514,12 +872,57 @@ optional_policy(` +@@ -514,12 +874,57 @@ optional_policy(` ') optional_policy(` @@ -27190,7 +27191,7 @@ index 2696452..8834d25 100644 hostname_exec(xdm_t) ') -@@ -537,28 +940,78 @@ optional_policy(` +@@ -537,28 +942,78 @@ optional_policy(` ') optional_policy(` @@ -27278,7 +27279,7 @@ index 2696452..8834d25 100644 ') optional_policy(` -@@ -570,6 +1023,14 @@ optional_policy(` +@@ -570,6 +1025,14 @@ optional_policy(` ') optional_policy(` 
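Review bot: `fs_append_nfs_files(xdm_t)` and `fs_append_cifs_files(xdm_t)` are added inside tunable blocks that already call `fs_manage_nfs_files(xdm_t)` / `fs_manage_cifs_files(xdm_t)`, and in reference policy manage_file_perms already contains append, so the new lines look redundant unless this tree's manage interfaces are narrower than upstream's. If lightdm's append to .xsession-errors was really denied, the denial was presumably on something other than nfs_t/cifs_t:file append (the file carrying a different type, or search on the parent), and this hunk would not address it; the actual AVC is worth checking before keeping it. If the intent is instead a narrower O_APPEND-only grant for the log file, the manage calls are the ones to drop rather than add to.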
@@ -27293,7 +27294,7 @@ index 2696452..8834d25 100644 xfs_stream_connect(xdm_t) ') -@@ -584,7 +1045,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -584,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -27302,7 +27303,7 @@ index 2696452..8834d25 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -594,8 +1055,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -27315,7 +27316,7 @@ index 2696452..8834d25 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1072,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -27331,7 +27332,7 @@ index 2696452..8834d25 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1088,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -27342,7 +27343,7 @@ index 2696452..8834d25 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1103,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -27364,7 +27365,7 @@ index 2696452..8834d25 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1123,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -27378,7 +27379,7 @@ index 2696452..8834d25 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1149,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -27410,7 +27411,7 @@ index 2696452..8834d25 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1181,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -27428,7 +27429,7 @@ index 2696452..8834d25 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1204,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1206,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -27452,7 +27453,7 @@ index 2696452..8834d25 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1223,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -27461,7 +27462,7 @@ index 2696452..8834d25 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1267,44 @@ optional_policy(` +@@ -775,16 +1269,44 @@ optional_policy(` ') optional_policy(` @@ -27507,7 +27508,7 @@ index 2696452..8834d25 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1313,10 @@ optional_policy(` +@@ -793,6 +1315,10 @@ optional_policy(` ') optional_policy(` @@ -27518,7 +27519,7 @@ index 2696452..8834d25 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1332,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -27532,7 +27533,7 @@ index 2696452..8834d25 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1343,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -27541,7 +27542,7 @@ index 2696452..8834d25 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1356,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1358,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -27576,7 +27577,7 @@ index 2696452..8834d25 100644 ') optional_policy(` -@@ -902,7 +1421,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -27585,7 +27586,7 @@ index 2696452..8834d25 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1475,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -27617,7 +27618,7 @@ index 2696452..8834d25 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1521,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -35057,7 +35058,7 @@ index 4e94884..b144ffe 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..80f47a6 100644 +index 39ea221..553ae21 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) 
@@ -35248,7 +35249,7 @@ index 39ea221..80f47a6 100644 # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid }; ++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog @@ -35259,15 +35260,18 @@ index 39ea221..80f47a6 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,6 +409,7 @@ allow syslogd_t self:udp_socket create_socket_perms; +@@ -367,8 +407,10 @@ allow syslogd_t self:unix_dgram_socket sendto; + allow syslogd_t self:fifo_file rw_fifo_file_perms; + allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; ++allow syslogd_t self:rawip_socket create_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -377,6 +418,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -377,6 +419,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) 
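Review bot: `net_raw` plus `rawip_socket create_socket_perms` are granted to syslogd_t unconditionally, which lets any rsyslog configuration open raw IP sockets and build packets with arbitrary headers, far more than the consumer it is presumably for (a source-spoofing UDP output, going by the "low-level network access" changelog line) needs on most hosts. Consider gating both lines behind a boolean that defaults to off, or at least a comment naming the consumer, e.g. `# raw sockets: rsyslog UDP output with spoofed source address — keep behind a tunable`. If rsyslog actually sends on that socket it will also need the netif/node raw permissions (`corenet_raw_sendrecv_generic_if`, `corenet_raw_sendrecv_generic_node`, `corenet_raw_bind_generic_node`), which this hunk does not add; confirm against the audit log. Since the line is being rewritten anyway, `setgid setuid` appears twice in the set: `allow syslogd_t self:capability { chown dac_override fsetid ipc_lock net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };` is the deduplicated form.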
@@ -35275,7 +35279,7 @@ index 39ea221..80f47a6 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,28 +428,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,28 +429,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -35320,7 +35324,7 @@ index 39ea221..80f47a6 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -417,6 +472,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -417,6 +473,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -35329,7 +35333,7 @@ index 39ea221..80f47a6 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -427,9 +484,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +485,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -35357,7 +35361,7 @@ index 39ea221..80f47a6 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +516,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +517,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -35377,7 +35381,7 @@ index 39ea221..80f47a6 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +540,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +541,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) 
@@ -35392,7 +35396,7 @@ index 39ea221..80f47a6 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -492,6 +571,8 @@ optional_policy(` +@@ -492,6 +572,8 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -35401,7 +35405,7 @@ index 39ea221..80f47a6 100644 ') optional_policy(` -@@ -502,15 +583,40 @@ optional_policy(` +@@ -502,15 +584,40 @@ optional_policy(` ') optional_policy(` @@ -35442,7 +35446,7 @@ index 39ea221..80f47a6 100644 ') optional_policy(` -@@ -521,3 +627,26 @@ optional_policy(` +@@ -521,3 +628,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -43517,10 +43521,10 @@ index 0280b32..61f19e9 100644 -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..e4eb903 100644 +index db75976..4ca3a28 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,24 @@ +@@ -1,4 +1,28 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -43546,8 +43550,12 @@ index db75976..e4eb903 100644 +HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) ++ ++/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) ++/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) ++ diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..1aa193b 100644 +index 3c5dba7..333f640 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -45777,7 +45785,34 @@ index 3c5dba7..1aa193b 100644 ') ######################################## -@@ -2664,6 +3312,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2541,6 +3189,26 @@ interface(`userdom_manage_user_tmp_files',` + ######################################## + ## + ## Create, read, write, and delete user ++## temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_filetrans_named_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user + ## temporary symbolic links. + ## + ## +@@ -2664,6 +3332,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -45803,7 +45838,7 @@ index 3c5dba7..1aa193b 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3347,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3367,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -45819,7 +45854,7 @@ index 3c5dba7..1aa193b 100644 ## ## ## -@@ -2707,7 +3375,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3395,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -45828,7 +45863,7 @@ index 3c5dba7..1aa193b 100644 ## ## ## -@@ -2715,14 +3383,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3403,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -45863,7 +45898,7 @@ index 3c5dba7..1aa193b 100644 ') ######################################## -@@ -2817,6 +3501,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3521,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
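Review bot: The description on the new `userdom_filetrans_named_user_tmp_files` interface is copied from the manage interface that follows it ("Create, read, write, and delete user temporary files") and does not describe what the body does, which is a single named file transition for the `hsperfdata_root` directory plus search on generic tmp. Suggest `## Transition to user_tmp_t when creating the hsperfdata_root directory (JVM perf data) in generic tmp directories.` The generic name also hides that the interface hard-codes one filename; if more names are expected later, say so in the summary, otherwise a name mentioning hsperfdata would be clearer. A short comment on the `files_tmp_filetrans` line naming the root-run JVM as the creator would also explain why a kernel-layer attribute (named_filetrans_domain, wired in domain.te earlier in this patch) is being pointed at a userdom type.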
@@ -45888,7 +45923,7 @@ index 3c5dba7..1aa193b 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3537,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3557,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -45931,7 +45966,7 @@ index 3c5dba7..1aa193b 100644 ## ## ## -@@ -2859,14 +3573,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3593,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -45969,7 +46004,7 @@ index 3c5dba7..1aa193b 100644 ') ######################################## -@@ -2885,8 +3618,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3638,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -45999,7 +46034,7 @@ index 3c5dba7..1aa193b 100644 ') ######################################## -@@ -2958,69 +3710,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3730,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -46100,7 +46135,7 @@ index 3c5dba7..1aa193b 100644 ## ## ## -@@ -3028,12 +3779,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3799,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46115,7 +46150,7 @@ index 3c5dba7..1aa193b 100644 ') ######################################## -@@ -3097,7 +3848,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3868,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46124,7 +46159,7 @@ index 3c5dba7..1aa193b 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3864,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3884,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -46158,7 +46193,7 @@ index 3c5dba7..1aa193b 100644 ') ######################################## -@@ -3217,7 +3952,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3972,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -46185,106 +46220,37 @@ index 3c5dba7..1aa193b 100644 ') ######################################## -@@ -3272,12 +4025,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +4045,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to use user ttys. -+## Do not audit attempts to write users -+## temporary files. - ## - ## - ## -@@ -3285,44 +4039,120 @@ interface(`userdom_write_user_tmp_files',` - ## - ## - # --interface(`userdom_dontaudit_use_user_ttys',` -+interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmp_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tmp_t:file write; - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Do not audit attempts to delete users -+## temporary files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_delete_user_tmp_files',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; - ') - -- read_files_pattern($1, userdomain, userdomain) -- kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:file delete_file_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Do not audit attempts to read/write users -+## temporary fifo files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Do not audit attempts to write users ++## temporary files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file write; +') + +######################################## +## -+## Do not audit attempts to use user ttys. ++## Do not audit attempts to delete users ++## temporary files. +## +## +## 
@@ -46292,37 +46258,37 @@ index 3c5dba7..1aa193b 100644 +## +## +# -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` -+ type user_tty_device_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++ dontaudit $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## -+## Read the process state of all user domains. ++## Do not audit attempts to read/write users ++## temporary fifo files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) -+ kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Get the attributes of all user domains. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## 
@@ -46330,11 +46296,33 @@ index 3c5dba7..1aa193b 100644 +## +## +# -+interface(`userdom_getattr_all_users',` - gen_require(` - attribute userdomain; ++interface(`userdom_rw_inherited_user_pipes',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -3290,7 +4139,7 @@ interface(`userdom_dontaudit_use_user_ttys',` + type user_tty_device_t; ') -@@ -3385,6 +4215,42 @@ interface(`userdom_signal_all_users',` + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## +@@ -3309,6 +4158,7 @@ interface(`userdom_read_all_users_state',` + ') + + read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) + ') + +@@ -3385,6 +4235,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -46377,7 +46365,7 @@ index 3c5dba7..1aa193b 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4271,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4291,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46402,7 +46390,7 @@ index 3c5dba7..1aa193b 100644 ## Create keys for all user domains. ## ## -@@ -3423,6 +4307,24 @@ interface(`userdom_create_all_users_keys',` +@@ -3423,6 +4327,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## @@ -46427,7 +46415,7 @@ index 3c5dba7..1aa193b 100644 ## Send a dbus message to all user domains. ## ## -@@ -3438,4 +4340,1661 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4360,1661 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 560a4d1..19dd80d 100644 
--- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -53466,7 +53466,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index a3e56f0..2c5b389 100644 +index a3e56f0..c37998e 100644 --- a/nslcd.te +++ b/nslcd.te @@ -1,4 +1,4 @@ @@ -53486,7 +53486,7 @@ index a3e56f0..2c5b389 100644 -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; -+allow nslcd_t self:capability { dac_override setgid setuid sys_nice }; ++allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice }; +allow nslcd_t self:process { setsched signal signull }; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index ac56074..7173126 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 151%{?dist} +Release: 152%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Apr 8 2014 Miroslav Grepl 3.12.1-152 +- Change hsperfdata_root to have as user_tmp_t +- Allow rsyslog low-level network access +- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm +- nslcd wants chown capability + * Fri Apr 4 2014 Lukas Vrabec 3.12.1-151 - Fix Multiple same specifications for /var/named/chroot/dev/zero - Add labels for /var/named/chroot_sdb/dev devices
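Review bot: `chown` is added to nslcd_t's capability set with no indication of which file it is for; the changelog only says the daemon "wants" it. chown is not scoped to a type, it lets the domain change ownership of anything it can already write, so the originating AVC should be recorded next to the grant, e.g. `# chown: nslcd re-owns its nslcd_var_run_t socket/pid files — confirm against AVC` (hedged, since the target is not visible here). If the target is only its own run directory, consider whether creating it with the right ownership from the unit file or tmpfiles.d avoids the capability entirely.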