[selinux-policy: 3158/3172] Allow sudo to send signals to any domains the user could have transitioned to. Passwd in single user

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:40:53 UTC 2010


commit b45aaab97cd0560613863a2616d271f739fbf2e0
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Oct 1 11:58:15 2010 -0400

    Allow sudo to send signals to any domains the user could have transitioned to.
    Passwd in single user mode needs to talk to console_device_t
    Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
    locate tried to read a symbolic link, will dontaudit
    New labels for telepathy-sunshine content in homedir
    Google is storing other binaries under /opt/google/talkplugin
    bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
    Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
    modemmanager and bluetooth send dbus messages to devicekit_power
    Samba needs to getquota on filesystems labeled samba_share_t

 policy/modules/admin/sudo.if            |    2 ++
 policy/modules/admin/usermanage.te      |    4 +---
 policy/modules/apps/mozilla.te          |   15 ++++++++++++++-
 policy/modules/apps/slocate.te          |    1 +
 policy/modules/apps/telepathy.fc        |    3 ++-
 policy/modules/apps/telepathy.te        |    9 ++++++++-
 policy/modules/kernel/corecommands.fc   |    2 +-
 policy/modules/kernel/files.if          |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.if         |   18 ++++++++++++++++++
 policy/modules/roles/unconfineduser.te  |   30 ++++++++++++++++++++++--------
 policy/modules/services/accountsd.if    |    2 +-
 policy/modules/services/bluetooth.te    |    8 ++++++++
 policy/modules/services/consolekit.if   |   18 ++++++++++++++++++
 policy/modules/services/devicekit.te    |    4 ++++
 policy/modules/services/modemmanager.te |    4 ++++
 policy/modules/services/samba.te        |    2 +-
 policy/modules/services/xserver.te      |    1 +
 policy/modules/system/authlogin.if      |   19 +++++++++++++++++++
 policy/modules/system/userdomain.if     |    2 ++
 19 files changed, 145 insertions(+), 17 deletions(-)
---
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 2993130..bb95e79 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -124,6 +124,8 @@ template(`sudo_role_template',`
 	auth_manage_pam_pid($1_sudo_t)
 	auth_use_nsswitch($1_sudo_t)
 
+	application_signal($1_sudo_t)
+
 	init_rw_utmp($1_sudo_t)
 
 	logging_send_audit_msgs($1_sudo_t)
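Review bot: The added `application_signal($1_sudo_t)` in sudo_role_template looks broader than the commit message's "domains the user could have transitioned to". Judging by its name it covers every application domain rather than only those reachable from the calling role, so confirm this against the interface definition. If that breadth is intended, say so next to the call, for example `# sudo must be able to signal the command it started, whatever domain it ended up in`. The template body starts and ends outside the hunk.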
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 961424f..b1a841a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -291,9 +291,7 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
-term_use_all_ttys(passwd_t)
-term_use_all_ptys(passwd_t)
-term_use_generic_ptys(passwd_t)
+term_use_all_terms(passwd_t)
 
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 3ecd99b..70d899d 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -328,8 +328,18 @@ kernel_request_load_module(mozilla_plugin_t)
 corecmd_exec_bin(mozilla_plugin_t)
 corecmd_exec_shell(mozilla_plugin_t)
 
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+
 dev_read_urand(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
 dev_read_sound(mozilla_plugin_t)
 dev_write_sound(mozilla_plugin_t)
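Review bot: The eight `corenet_tcp_connect_*_port` lines are granted unconditionally and go beyond the "web ports" named in the commit message: `ipp_port`, `speech_port` and `pulseaudio_port` are not web ports. Together with `dev_write_video_dev`, they widen what a compromised plugin process can reach. Since mozilla_plugin_t is the domain that contains plugin content, each non-HTTP grant deserves a one-line comment recording what required it, in the form `# needed by <plugin>: <denial or bug reference>`. That lets a later reviewer drop grants that are no longer needed.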
@@ -365,6 +375,7 @@ userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 
 optional_policy(`
 	alsa_read_rw_config(mozilla_plugin_t)
+	alsa_read_home_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
@@ -387,8 +398,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	pulseaudio_exec(mozilla_plugin_t)
+	pulseaudio_stream_connect(mozilla_plugin_t)
 	pulseaudio_setattr_home_dir(mozilla_plugin_t)
-	pulseaudio_rw_home_files(mozilla_plugin_t)
+	pulseaudio_manage_home_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index e9134f0..3d2ef30 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -38,6 +38,7 @@ dev_getattr_all_blk_files(locate_t)
 dev_getattr_all_chr_files(locate_t)
 
 files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
 files_getattr_all_files(locate_t)
 files_getattr_all_pipes(locate_t)
 files_getattr_all_sockets(locate_t)
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
index 1e47b96..809bb65 100644
--- a/policy/modules/apps/telepathy.fc
+++ b/policy/modules/apps/telepathy.fc
@@ -1,6 +1,7 @@
 HOME_DIR/\.mission-control(/.*)?				gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
 HOME_DIR/\.cache/\.mc_connections		--		gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)?			gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)?				gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/.telepathy-sunshine(/.*)?			gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
 
 /usr/libexec/mission-control-5			--		gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
 
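Review bot: The new `HOME_DIR/.telepathy-sunshine(/.*)?` entry leaves the dot unescaped, unlike `\.mission-control` and `\.cache` on the lines above it. The regex therefore matches any character in that position and can label unintended paths `telepathy_sunshine_home_t`. It should read `HOME_DIR/\.telepathy-sunshine(/.*)?`. The gabble line in this hunk changes whitespace only.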
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index c4fe796..34a2b48 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -31,6 +31,9 @@ userdom_user_home_content(telepathy_mission_control_home_t)
 type telepathy_mission_control_cache_home_t;
 userdom_user_home_content(telepathy_mission_control_cache_home_t)
 
+type telepathy_sunshine_home_t;
+userdom_user_home_content(telepathy_sunshine_home_t)
+
 telepathy_domain_template(msn)
 telepathy_domain_template(salut)
 telepathy_domain_template(sofiasip)
@@ -251,12 +254,16 @@ sysnet_read_config(telepathy_sofiasip_t)
 #
 # Telepathy Sunshine local policy.
 #
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_sunshine_t)
 
 manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
 exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
 files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
 
-corecmd_list_bin(telepathy_sunshine_t)
+corecmd_exec_bin(telepathy_sunshine_t)
 
 dev_read_urand(telepathy_sunshine_t)
 
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 38d675c..46af2a4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -157,7 +157,7 @@ ifdef(`distro_gentoo',`
 
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/opt/google/talkplugin/cron(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 000c53a..a738502 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6250,6 +6250,24 @@ interface(`files_dontaudit_getattr_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Allow read write all tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_rw_tmpfs_files',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	allow $1 tmpfsfile:file { read write };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read security files 
 ## </summary>
 ## <param name="domain">
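Review bot: The parameter description of the new `files_rw_tmpfs_files` says `Domain to not audit.`, but the body is an `allow` rule, so it should read `Domain allowed access.`. The summary could also follow its neighbours' wording, `Read and write all tmpfs files.`. Because the rule targets the `tmpfsfile` attribute, the caller added in xserver.te gets read/write on tmpfs files of every type carrying that attribute, which the commit message does not mention. A comment at that call site explaining the need (presumably shared memory handed over by X clients, to be confirmed) would help.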
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 46e9859..10c14fe 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2420,6 +2420,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 
 ########################################
 ## <summary>
+##	Read and write unlabeled sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_socket',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index a09ca52..0e47a85 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -8,13 +8,27 @@ attribute unconfined_login_domain;
 
 ## <desc>
 ## <p>
-## Transition to confined nsplugin domains from unconfined user
+## Transition unconfined user to the nsplugin domains when running nspluginviewer
 ## </p>
 ## </desc>
 gen_tunable(allow_unconfined_nsplugin_transition, false)
 
 ## <desc>
 ## <p>
+## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container.
+## </p>
+## </desc>
+gen_tunable(unconfined_mozilla_plugin_transition, false)
+
+## <desc>
+## <p>
+## Transition unconfined user to telepathy confined domains.
+## </p>
+## </desc>
+gen_tunable(unconfined_telepathy_transition, false)
+
+## <desc>
+## <p>
 ## Allow vidio playing tools to tun unconfined
 ## </p>
 ## </desc>
@@ -160,10 +174,6 @@ optional_policy(`
 	')
 
 	optional_policy(`
-		iptables_run(unconfined_usertype, unconfined_r)
-	')
-
-	optional_policy(`
 		networkmanager_dbus_chat(unconfined_usertype)
 	')
 
@@ -329,8 +339,11 @@ optional_policy(`
 	role system_r types unconfined_mono_t;
 ')
 
+
 optional_policy(`
-	mozilla_run_plugin(unconfined_usertype, unconfined_r)
+	tunable_policy(`unconfined_mozilla_plugin_transition', `
+			mozilla_run_plugin(unconfined_usertype, unconfined_r)
+	')
 ')
 
 optional_policy(`
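Review bot: Wrapping `mozilla_run_plugin(unconfined_usertype, unconfined_r)` in `tunable_policy` may not compile, or may not do what is intended. Conditional blocks accept only type-enforcement rules, and an interface that takes a role argument usually contains a `role ... types ...` statement, which is not allowed there. The interface body is not visible here, so verify it; if it does contain one, keep the role association outside the tunable and put only the domain-transition rules inside. The same applies to `telepathy_dbus_session_role(unconfined_r, unconfined_t)` in the next hunk. Both wrapped calls are also indented inconsistently (three tabs here, a tab plus spaces there).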
@@ -391,7 +404,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	telepathy_dbus_session_role(unconfined_r, unconfined_t)
+	tunable_policy(`unconfined_telepathy_transition', `
+		   telepathy_dbus_session_role(unconfined_r, unconfined_t)
+	')
 ')
 
 optional_policy(`
@@ -475,4 +490,3 @@ domain_ptrace_all_domains(unconfined_notrans_t)
 #
 
 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index fe060aa..d639ae0 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 08afbb9..67818fe 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -100,6 +100,10 @@ kernel_request_load_module(bluetooth_t)
 #search debugfs - redhat bug 548206
 kernel_search_debugfs(bluetooth_t)
 
+ifdef(`hide_broken_symptoms', `
+	kernel_rw_unlabeled_socket(bluetooth_t)
+')
+
 corenet_all_recvfrom_unlabeled(bluetooth_t)
 corenet_all_recvfrom_netlabel(bluetooth_t)
 corenet_tcp_sendrecv_generic_if(bluetooth_t)
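Review bot: The new hide_broken_symptoms block gives bluetooth_t read/write on `unlabeled_t` sockets as a temporary workaround, but nothing in the file says so. Only the commit message records that it should go away once the kernel is fixed. A comment in the style of the debugfs line above would keep that visible, for example `# kernel creates an unlabeled_t socket for bluetooth; remove once fixed - <bug reference>`. Without it the grant is likely to outlive the bug.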
@@ -148,6 +152,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 
 optional_policy(`
+	devicekit_dbus_chat_power(bluetooth_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
 
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index 53b10e3..ac43a92 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -41,6 +41,24 @@ interface(`consolekit_dbus_chat',`
 
 ########################################
 ## <summary>
+##	Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read consolekit log files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 58416a0..184b4b5 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -292,6 +292,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
 	policykit_dbus_chat(devicekit_power_t)
 	policykit_domtrans_auth(devicekit_power_t)
 	policykit_read_lib(devicekit_power_t)
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index 3dd940c..7f18c33 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -39,6 +39,10 @@ logging_send_syslog_msg(modemmanager_t)
 networkmanager_dbus_chat(modemmanager_t)
 
 optional_policy(`
+	devicekit_dbus_chat_power(modemmanager_t)
+')
+
+optional_policy(`
 	policykit_dbus_chat(modemmanager_t)
 ')
 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 85203da..e4334a6 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -260,7 +260,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
 manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
-allow smbd_t samba_share_t:filesystem getattr;
+allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 69093aa..f37e8ae 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -969,6 +969,7 @@ domain_signal_all_domains(xserver_t)
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
 files_read_usr_files(xserver_t)
+files_rw_tmpfs_files(xserver_t)
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index c411b5e..149e383 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1432,6 +1432,25 @@ interface(`auth_read_login_records',`
 
 ########################################
 ## <summary>
+##	Read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read login records
 ##	files (/var/log/wtmp).
 ## </summary>
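Review bot: The documentation of the new `auth_dontaudit_read_login_records` appears to be copied from the allow variant. The summary says `Read login records files (/var/log/wtmp).` and the parameter says `Domain allowed access.`, while the body is a `dontaudit` rule. They should read `Do not audit attempts to read login records files (/var/log/wtmp).` and `Domain to not audit.`, and `<rolecap/>` probably does not belong on a dontaudit interface. The doc block that follows the hunk already carries that same summary, so check whether an equivalent interface exists before adding a second one; its name is outside the hunk.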
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b4d758b..54365f8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1006,6 +1006,7 @@ template(`userdom_restricted_xwindows_user_template',`
 
 	auth_role($1_r, $1_t)
 	auth_search_pam_console_data($1_usertype)
+	auth_dontaudit_read_login_records($1_usertype)
 
 	dev_read_sound($1_usertype)
 	dev_write_sound($1_usertype)
@@ -1057,6 +1058,7 @@ template(`userdom_restricted_xwindows_user_template',`
 		')
 
 		optional_policy(`
+			consolekit_dontaudit_read_log($1_usertype)
 			consolekit_dbus_chat($1_usertype)
 		')
 

