[selinux-policy] - Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add mi

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 28 19:55:48 UTC 2010


commit 7a208696f9f4b236db73579a73f0c606723b5b17
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 28 15:55:48 2010 -0400

    - Dontaudit sandbox sending sigkill to all user domains
    - Add policy for rssh_chroot_helper
    - Add missing flask definitions
    - Allow udev to relabelto removable_t
    - Fix label on /var/log/wicd.log
    - Transition to initrc_t from init when executing bin_t
    - Add audit_access permissions to file
    - Make removable_t a device_node
    - Fix label on /lib/systemd/*

 .gitignore          |    1 +
 policy-F14.patch    |  405 +++++++++++++++++++++++++++++++++++++++-----------
 selinux-policy.spec |   13 ++-
 sources             |    1 +
 4 files changed, 330 insertions(+), 90 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index c87b0e2..6fce5d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -227,3 +227,4 @@ serefpolicy*
 /serefpolicy-3.9.4.tgz
 /serefpolicy-3.9.5.tgz
 /serefpolicy-3.9.6.tgz
+/config.tgz
diff --git a/policy-F14.patch b/policy-F14.patch
index 00cfae2..4a79637 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -148,6 +148,42 @@ index 0000000..e9c43b1
 +This manual page was written by Dominick Grift <domg472 at gmail.com>.
 +.SH "SEE ALSO"
 +selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
+diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
+index 6760c95..34edd2a 100644
+--- a/policy/flask/access_vectors
++++ b/policy/flask/access_vectors
+@@ -27,6 +27,8 @@ common file
+ 	swapon
+ 	quotaon
+ 	mounton
++	audit_access
++	execmod
+ }
+ 
+ 
+@@ -160,19 +162,20 @@ inherits file
+ {
+ 	execute_no_trans
+ 	entrypoint
+-	execmod
+ 	open
+ }
+ 
+ class lnk_file
+ inherits file
++{
++	open
++}
+ 
+ class chr_file
+ inherits file
+ {
+ 	execute_no_trans
+ 	entrypoint
+-	execmod
+ 	open
+ }
+ 
 diff --git a/policy/global_tunables b/policy/global_tunables
 index 3316f6e..6e82b1e 100644
 --- a/policy/global_tunables
@@ -479,7 +515,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..b845467 100644
+index 75ce30f..f3347aa 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
 @@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
@@ -502,14 +538,13 @@ index 75ce30f..b845467 100644
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -92,8 +98,16 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +98,20 @@ sysnet_dns_name_resolve(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
--
--mta_send_mail(logwatch_t)
 +userdom_dontaudit_list_admin_dir(logwatch_t)
-+
+ 
+-mta_send_mail(logwatch_t)
 +#mta_send_mail(logwatch_t)
 +mta_base_mail_template(logwatch)
 +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
@@ -521,6 +556,10 @@ index 75ce30f..b845467 100644
  
  ifdef(`distro_redhat',`
  	files_search_all(logwatch_t)
++	files_getattr_all_files(logwatch_t)
+ 	files_getattr_all_file_type_fs(logwatch_t)
+ ')
+ 
 diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
 index 0e19d80..9d58abe 100644
 --- a/policy/modules/admin/mrtg.te
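Review bot: `files_getattr_all_files(logwatch_t)` in the `distro_redhat` block of logwatch.te gives logwatch getattr on every file type, with no comment saying which logwatch script needs it. A one-line comment above the call, e.g. `# <script name> stats arbitrary paths while scanning`, would let a later reviewer judge whether a narrower interface is enough. The `ifdef` block opens just above the added line and only its tail is visible in this hunk.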
@@ -5439,10 +5478,21 @@ index c1d5f50..989f88c 100644
 +
 +
 diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index a3225d4..7551020 100644
+index a3225d4..9cd8b55 100644
 --- a/policy/modules/apps/qemu.te
 +++ b/policy/modules/apps/qemu.te
-@@ -102,6 +102,10 @@ optional_policy(`
+@@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',`
+ ')
+ 
+ optional_policy(`
+-	samba_domtrans_smbd(qemu_t)
++	tunable_policy(`qemu_use_cifs',`
++		samba_domtrans_smbd(qemu_t)
++	')
+ ')
+ 
+ optional_policy(`
+@@ -102,6 +104,10 @@ optional_policy(`
  	xen_rw_image_files(qemu_t)
  ')
  
@@ -5453,7 +5503,7 @@ index a3225d4..7551020 100644
  ########################################
  #
  # Unconfined qemu local policy
-@@ -112,6 +116,8 @@ optional_policy(`
+@@ -112,6 +118,8 @@ optional_policy(`
  	typealias unconfined_qemu_t alias qemu_unconfined_t;
  	application_type(unconfined_qemu_t)
  	unconfined_domain(unconfined_qemu_t)
@@ -5462,6 +5512,83 @@ index a3225d4..7551020 100644
  
  	allow unconfined_qemu_t self:process { execstack execmem };
  	allow unconfined_qemu_t qemu_exec_t:file execmod;
+diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc
+index 4c091ca..a58f123 100644
+--- a/policy/modules/apps/rssh.fc
++++ b/policy/modules/apps/rssh.fc
+@@ -1 +1,3 @@
+ /usr/bin/rssh	--	gen_context(system_u:object_r:rssh_exec_t,s0)
++
++/usr/libexec/rssh_chroot_helper		--	gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
+diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
+index 7cdac1e..6f9f6e6 100644
+--- a/policy/modules/apps/rssh.if
++++ b/policy/modules/apps/rssh.if
+@@ -64,3 +64,21 @@ interface(`rssh_read_ro_content',`
+ 	read_files_pattern($1, rssh_ro_t, rssh_ro_t)
+ 	read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
+ ')
++
++########################################
++## <summary>
++##	Execute a domain transition to run rssh_chroot_helper.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rssh_domtrans_chroot_helper',`
++	gen_require(`
++		type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
++	')
++
++	domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
++')
+diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
+index c605046..15c17a0 100644
+--- a/policy/modules/apps/rssh.te
++++ b/policy/modules/apps/rssh.te
+@@ -31,6 +31,12 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+ typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+ userdom_user_home_content(rssh_rw_t)
+ 
++type rssh_chroot_helper_t;
++type rssh_chroot_helper_exec_t;
++init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
++
++permissive rssh_chroot_helper_t;
++
+ ##############################
+ #
+ # Local policy
+@@ -78,3 +84,25 @@ ssh_rw_stream_sockets(rssh_t)
+ optional_policy(`
+ 	nis_use_ypbind(rssh_t)
+ ')
++
++########################################
++#
++# rssh_chroot_helper local policy
++#
++rssh_domtrans_chroot_helper(rssh_t)
++
++allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
++
++allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
++allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(rssh_chroot_helper_t)
++
++files_read_etc_files(rssh_chroot_helper_t)
++
++auth_use_nsswitch(rssh_chroot_helper_t)
++
++logging_send_syslog_msg(rssh_chroot_helper_t)
++
++miscfiles_read_localization(rssh_chroot_helper_t)
++
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
 index 9ec1478..26bb71c 100644
 --- a/policy/modules/apps/sambagui.te
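Review bot: `permissive rssh_chroot_helper_t;` in rssh.te means none of the allow rules added for this domain are enforced, yet `rssh_domtrans_chroot_helper(rssh_t)` lets the restricted-shell domain transition into it and the helper is given `sys_chroot` and `setuid`. Until that line is removed, a process that reaches rssh_chroot_helper_t is logged but not confined, so the statement should carry a removal condition, e.g. `# TODO: drop permissive once AVCs from rssh_chroot_helper have been reviewed`. Separately, `init_system_domain` declares the helper as something init starts, while the only transition added here is from rssh_t; if init never runs it, `application_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)` looks like the closer fit.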
@@ -5503,7 +5630,7 @@ index 0000000..15778fd
 +# No types are sandbox_exec_t
 diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
 new file mode 100644
-index 0000000..587c440
+index 0000000..9783c8f
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.if
 @@ -0,0 +1,339 @@
@@ -5558,7 +5685,7 @@ index 0000000..587c440
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
-+	dontaudit sandbox_x_domain $1:process signal;
++	dontaudit sandbox_x_domain $1:process { signal sigkill };
 +	
 +	allow $1 sandbox_tmpfs_type:file manage_file_perms;
 +	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
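Review bot: Adding `sigkill` to the `dontaudit sandbox_x_domain $1:process` rule in sandbox.if silences the denial record for a sandboxed process that tries to kill a user process, which is the event a responder would want to see when a sandbox misbehaves. The same choice is repeated by `application_dontaudit_sigkill(sandbox_x_domain)` in sandbox.te and by the new `application_dontaudit_sigkill` interface in application.if. If the noise comes from a known benign caller, a comment naming it above the rule would justify the suppression; otherwise these denials are only visible after rebuilding the policy with dontaudit rules disabled (`semodule -DB`). The enclosing interface starts and ends outside this hunk.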
@@ -5848,10 +5975,10 @@ index 0000000..587c440
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..10b7c23
+index 0000000..c575b31
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,427 @@
+@@ -0,0 +1,428 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -6053,6 +6180,7 @@ index 0000000..10b7c23
 +term_use_ptmx(sandbox_x_domain)
 +
 +application_dontaudit_signal(sandbox_x_domain)
++application_dontaudit_sigkill(sandbox_x_domain)
 +
 +logging_send_syslog_msg(sandbox_x_domain)
 +logging_dontaudit_search_logs(sandbox_x_domain)
@@ -8404,7 +8532,7 @@ index 3517db2..bd4c23d 100644
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..06efed6 100644
+index 5302dac..2e30bb2 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8837,7 +8965,35 @@ index 5302dac..06efed6 100644
  ')
  
  ########################################
-@@ -5317,6 +5624,43 @@ interface(`files_search_pids',`
+@@ -5189,6 +5496,27 @@ interface(`files_delete_all_locks',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_relabel_all_lock_dirs',`
++	gen_require(`
++		attribute lockfile;
++		type var_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
+ ##	Read all lock files.
+ ## </summary>
+ ## <param name="domain">
+@@ -5317,6 +5645,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
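Review bot: The summary for `files_relabel_all_lock_dirs` says "Relabel all lock files." but the body calls `relabel_dirs_pattern($1, lockfile, lockfile)`, so it grants relabel on lock directories only; the summary should read `##	Relabel all lock directories.`. The same mismatch is in authlogin.if, where `auth_relabel_var_auth_dirs` is summarised as "Relabel all var auth files." The `<rolecap/>` tag on the files.if interface may be copied from a neighbouring interface and is worth confirming.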
@@ -8881,7 +9037,7 @@ index 5302dac..06efed6 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5524,6 +5868,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5889,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -8944,7 +9100,7 @@ index 5302dac..06efed6 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5541,6 +5941,44 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5962,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -8989,7 +9145,7 @@ index 5302dac..06efed6 100644
  ')
  
  ########################################
-@@ -5826,3 +6264,247 @@ interface(`files_unconfined',`
+@@ -5826,3 +6285,247 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -9695,7 +9851,7 @@ index 437a42a..54a884b 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 0dff98e..a09ab47 100644
+index 0dff98e..7f1a558 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -9763,11 +9919,12 @@ index 0dff98e..a09ab47 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -247,6 +266,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
 +files_type(removable_t)
++dev_node(removable_t)
  files_mountpoint(removable_t)
  
  #
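Review bot: `dev_node(removable_t)` is added next to `files_type(removable_t)` and `files_mountpoint(removable_t)` with no comment, so removable_t now counts as a device node type as well as a generic file type and a mount point. Any rule written against the whole device-node attribute will presumably start covering removable media too, which is a wider change than the single line suggests. A comment such as `# udev relabels removable device nodes to removable_t` (if that is the reason the commit message hints at) would record why all three declarations are needed.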
@@ -18497,7 +18654,7 @@ index e182bf4..f80e725 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..ea74262 100644
+index 0d5711c..27a2b36 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -18512,7 +18669,17 @@ index 0d5711c..ea74262 100644
  	')
  
  	##############################
-@@ -76,7 +76,7 @@ template(`dbus_role_template',`
+@@ -52,8 +52,7 @@ template(`dbus_role_template',`
+ 	#
+ 
+ 	type $1_dbusd_t, session_bus_type;
+-	domain_type($1_dbusd_t)
+-	domain_entry_file($1_dbusd_t, dbusd_exec_t)
++	application_domain($1_dbusd_t, dbusd_exec_t)
+ 	ubac_constrained($1_dbusd_t)
+ 	role $2 types $1_dbusd_t;
+ 
+@@ -76,7 +75,7 @@ template(`dbus_role_template',`
  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
  
  	# SE-DBus specific permissions
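Review bot: Replacing `domain_type`/`domain_entry_file` with `application_domain($1_dbusd_t, dbusd_exec_t)` in `dbus_role_template` also appears to make every per-role session bus a member of the application domain attribute, and the template has no comment saying that this is wanted. Interfaces keyed on `application_domain_type`, including the `application_dontaudit_sigkill` added elsewhere in this commit, would then apply to the session dbusd. If that is intended, say so above the call, e.g. `# session bus is treated as a user application`. The template body continues outside this hunk.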
@@ -18521,7 +18688,7 @@ index 0d5711c..ea74262 100644
  	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
  
  	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-@@ -88,14 +88,15 @@ template(`dbus_role_template',`
+@@ -88,14 +87,15 @@ template(`dbus_role_template',`
  	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
  
  	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
@@ -18540,7 +18707,7 @@ index 0d5711c..ea74262 100644
  
  	kernel_read_system_state($1_dbusd_t)
  	kernel_read_kernel_sysctls($1_dbusd_t)
-@@ -116,7 +117,7 @@ template(`dbus_role_template',`
+@@ -116,7 +116,7 @@ template(`dbus_role_template',`
  
  	dev_read_urand($1_dbusd_t)
  
@@ -18549,7 +18716,7 @@ index 0d5711c..ea74262 100644
  	domain_read_all_domains_state($1_dbusd_t)
  
  	files_read_etc_files($1_dbusd_t)
-@@ -149,17 +150,25 @@ template(`dbus_role_template',`
+@@ -149,17 +149,25 @@ template(`dbus_role_template',`
  
  	term_use_all_terms($1_dbusd_t)
  
@@ -18577,7 +18744,7 @@ index 0d5711c..ea74262 100644
  		xserver_use_xdm_fds($1_dbusd_t)
  		xserver_rw_xdm_pipes($1_dbusd_t)
  	')
-@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,10 +189,12 @@ interface(`dbus_system_bus_client',`
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -18590,7 +18757,7 @@ index 0d5711c..ea74262 100644
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -431,14 +442,27 @@ interface(`dbus_system_domain',`
+@@ -431,14 +441,27 @@ interface(`dbus_system_domain',`
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -18619,7 +18786,7 @@ index 0d5711c..ea74262 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +520,22 @@ interface(`dbus_unconfined',`
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -24435,7 +24602,7 @@ index da5b33d..b9ab551 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..e0aab89 100644
+index 386543b..ee7bed8 100644
 --- a/policy/modules/services/networkmanager.fc
 +++ b/policy/modules/services/networkmanager.fc
 @@ -1,7 +1,13 @@
@@ -24452,6 +24619,16 @@ index 386543b..e0aab89 100644
  /usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
  /sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+@@ -16,7 +22,8 @@
+ /var/lib/wicd(/.*)?			gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+ /var/lib/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+ 
+-/var/log/wicd(/.*)? 			gen_context(system_u:object_r:NetworkManager_log_t,s0)
++/var/log/wicd.*
++
+ /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
+ 
+ /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
 index 2324d9e..8069487 100644
 --- a/policy/modules/services/networkmanager.if
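Review bot: The replacement entry `/var/log/wicd.*` in networkmanager.fc has a path regex but no `gen_context(...)`, so it assigns no label, whereas the removed line labelled the path NetworkManager_log_t. As written the entry is presumably either rejected when the file contexts are built or leaves the wicd logs with the generic log type, and neither matches "Fix label on /var/log/wicd.log". The line probably should be `/var/log/wicd.*		gen_context(system_u:object_r:NetworkManager_log_t,s0)`, in the same form as the wpa_supplicant entry below it.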
@@ -38179,10 +38356,10 @@ index f9a06d2..3d407c6 100644
  
  files_read_etc_files(zos_remote_t)
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index ac50333..a5678f1 100644
+index ac50333..9017b02 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
-@@ -130,3 +130,57 @@ interface(`application_signull',`
+@@ -130,3 +130,75 @@ interface(`application_signull',`
  
  	allow $1 application_domain_type:process signull;
  ')
@@ -38225,6 +38402,24 @@ index ac50333..a5678f1 100644
 +
 +########################################
 +## <summary>
++##	Dontaudit kill signal sent to all application domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`application_dontaudit_sigkill',`
++	gen_require(`
++		attribute application_domain_type;
++	')
++
++	dontaudit $1 application_domain_type:process sigkill;
++')
++
++########################################
++## <summary>
 +##	Send signal to all application domains.
 +## </summary>
 +## <param name="domain">
@@ -38288,7 +38483,7 @@ index 1c4b1e7..2997dd7 100644
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..ce67a96 100644
+index bea0ade..a1069bf 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -38481,7 +38676,34 @@ index bea0ade..ce67a96 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -1500,6 +1587,8 @@ interface(`auth_manage_login_records',`
+@@ -896,6 +983,26 @@ interface(`auth_manage_var_auth',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel all var auth files. Used by various other applications
++##	and pam applets etc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_relabel_var_auth_dirs',`
++	gen_require(`
++		type var_auth_t;
++	')
++
++	files_search_var($1)
++	relabel_dirs_pattern($1, var_auth_t, var_auth_t)
++')
++
++########################################
++## <summary>
+ ##	Read PAM PID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1500,6 +1607,8 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -38490,7 +38712,7 @@ index bea0ade..ce67a96 100644
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1620,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1640,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -38854,7 +39076,7 @@ index 15e02e4..7c6933f 100644
  files_read_kernel_modules(hotplug_t)
  
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 9775375..51bde2a 100644
+index 9775375..36cc87d 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
 @@ -24,7 +24,19 @@ ifdef(`distro_gentoo',`
@@ -38867,7 +39089,7 @@ index 9775375..51bde2a 100644
 +#
 +# systemd init scripts
 +#
-+/lib/systemd/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
++/lib/systemd/[^/]*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 +
 +#
 +# /sbin
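Review bot: The pattern `/lib/systemd/[^/]*` now labels every regular file directly under /lib/systemd as initrc_exec_t, so each helper there runs in initrc_t, one of the broadest domains in the policy, and the entry has no comment saying this is temporary. If it is a stopgap, record that next to the entry, e.g. `# TODO: give systemd helpers their own types instead of initrc_exec_t`. Whether any binary that should keep init_exec_t lives under this path is not visible in the hunk and should be checked.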
@@ -39278,7 +39500,7 @@ index df3fa64..73dc579 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..aa33f57 100644
+index 8a105fd..fc65044 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -39326,15 +39548,16 @@ index 8a105fd..aa33f57 100644
  type init_exec_t;
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
-@@ -63,6 +85,7 @@ role system_r types initrc_t;
+@@ -63,6 +85,8 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
 +corecmd_bin_entry_type(initrc_t)
++corecmd_bin_domtrans(init_t, initrc_t)
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -87,7 +110,7 @@ ifdef(`enable_mls',`
+@@ -87,7 +111,7 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
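Review bot: `corecmd_bin_domtrans(init_t, initrc_t)`, together with the `corecmd_bin_entry_type(initrc_t)` line above it, makes every bin_t executable that init runs an entry into initrc_t, and nothing in init.te explains or limits that. bin_t is the default label for most programs, so this is a much wider transition than the shell-only one; a comment such as `# systemd execs unit commands directly, without a shell` would record the reason. Consider whether it belongs under the same tunable that guards `corecmd_shell_domtrans(init_t, initrc_t)` further down the file.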
@@ -39343,7 +39566,7 @@ index 8a105fd..aa33f57 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -100,7 +123,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,7 +124,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  # Re-exec itself
  can_exec(init_t, init_exec_t)
  
@@ -39354,7 +39577,7 @@ index 8a105fd..aa33f57 100644
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -114,11 +139,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,11 +140,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -39368,7 +39591,7 @@ index 8a105fd..aa33f57 100644
  # Early devtmpfs
  dev_rw_generic_chr_files(init_t)
  
-@@ -127,9 +154,13 @@ domain_kill_all_domains(init_t)
+@@ -127,9 +155,13 @@ domain_kill_all_domains(init_t)
  domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
@@ -39382,7 +39605,7 @@ index 8a105fd..aa33f57 100644
  files_rw_generic_pids(init_t)
  files_dontaudit_search_isid_type_dirs(init_t)
  files_manage_etc_runtime_files(init_t)
-@@ -162,12 +193,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +194,15 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -39398,7 +39621,7 @@ index 8a105fd..aa33f57 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +212,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +213,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -39407,7 +39630,7 @@ index 8a105fd..aa33f57 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +220,96 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +221,99 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -39469,16 +39692,19 @@ index 8a105fd..aa33f57 100644
 +
 +	seutil_read_file_contexts(init_t)
 +	
++
 +	# Permissions for systemd-tmpfiles, needs its own policy.
-+	files_relabel_all_pid_files(init_t)
-+	files_relabel_all_pid_files(init_t)
-+	files_manage_all_pids(init_t)
-+	files_manage_all_locks(init_t)
-+	files_manage_generic_tmp_dirs(init_t)
-+	files_manage_generic_tmp_files(init_t)
-+	files_relabelfrom_tmp_files(init_t)
++	files_relabel_all_lock_dirs(initrc_t)
++	files_relabel_all_pid_files(initrc_t)
++	files_relabel_all_pid_files(initrc_t)
++	files_manage_all_pids(initrc_t)
++	files_manage_all_locks(initrc_t)
++	files_manage_generic_tmp_files(initrc_t)
++	files_manage_generic_tmp_dirs(initrc_t)
++	files_relabelfrom_tmp_files(initrc_t)
 +
-+	auth_manage_var_auth(init_t)
++	auth_manage_var_auth(initrc_t)
++	auth_relabel_var_auth_dirs(initrc_t)
 +')
 +
  optional_policy(`
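Review bot: `files_relabel_all_pid_files(initrc_t)` appears twice in a row in the systemd-tmpfiles block; the duplicate was carried over from the init_t version and is either redundant or a typo for a different interface (possibly a pid-directory variant). Drop the second line or replace it with the call that was meant. The block's own comment says systemd-tmpfiles "needs its own policy", and moving these relabel and manage grants onto initrc_t widens an already broad domain, so the comment should become an explicit `# TODO` for that follow-up. The enclosing block starts outside this hunk.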
@@ -39504,7 +39730,7 @@ index 8a105fd..aa33f57 100644
  ')
  
  optional_policy(`
-@@ -199,10 +317,23 @@ optional_policy(`
+@@ -199,10 +321,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39528,7 +39754,7 @@ index 8a105fd..aa33f57 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +343,7 @@ optional_policy(`
+@@ -212,7 +347,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -39537,7 +39763,7 @@ index 8a105fd..aa33f57 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,6 +372,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +376,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39545,7 +39771,7 @@ index 8a105fd..aa33f57 100644
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +390,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -39569,7 +39795,7 @@ index 8a105fd..aa33f57 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -291,6 +435,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +439,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -39577,7 +39803,7 @@ index 8a105fd..aa33f57 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +443,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +447,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -39593,7 +39819,7 @@ index 8a105fd..aa33f57 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +468,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +472,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -39605,7 +39831,7 @@ index 8a105fd..aa33f57 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +487,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +491,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -39619,7 +39845,7 @@ index 8a105fd..aa33f57 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +502,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +506,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -39628,7 +39854,7 @@ index 8a105fd..aa33f57 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +516,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +520,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -39636,7 +39862,7 @@ index 8a105fd..aa33f57 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -380,6 +534,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +538,7 @@ auth_read_pam_pid(initrc_t)
  auth_delete_pam_pid(initrc_t)
  auth_delete_pam_console_data(initrc_t)
  auth_use_nsswitch(initrc_t)
@@ -39644,7 +39870,7 @@ index 8a105fd..aa33f57 100644
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
-@@ -394,13 +549,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +553,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -39660,7 +39886,7 @@ index 8a105fd..aa33f57 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +629,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +633,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -39669,7 +39895,7 @@ index 8a105fd..aa33f57 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +675,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +679,19 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -39689,7 +39915,7 @@ index 8a105fd..aa33f57 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +695,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +699,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -39707,7 +39933,7 @@ index 8a105fd..aa33f57 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +720,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +724,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -39743,7 +39969,7 @@ index 8a105fd..aa33f57 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +761,8 @@ optional_policy(`
+@@ -556,6 +765,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -39752,7 +39978,7 @@ index 8a105fd..aa33f57 100644
  ')
  
  optional_policy(`
-@@ -572,6 +779,7 @@ optional_policy(`
+@@ -572,6 +783,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -39760,7 +39986,7 @@ index 8a105fd..aa33f57 100644
  ')
  
  optional_policy(`
-@@ -584,6 +792,11 @@ optional_policy(`
+@@ -584,6 +796,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39772,7 +39998,7 @@ index 8a105fd..aa33f57 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,6 +813,9 @@ optional_policy(`
+@@ -600,6 +817,9 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -39782,7 +40008,7 @@ index 8a105fd..aa33f57 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +917,13 @@ optional_policy(`
+@@ -701,7 +921,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39796,7 +40022,7 @@ index 8a105fd..aa33f57 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +946,10 @@ optional_policy(`
+@@ -724,6 +950,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39807,7 +40033,7 @@ index 8a105fd..aa33f57 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -745,6 +971,10 @@ optional_policy(`
+@@ -745,6 +975,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39818,7 +40044,7 @@ index 8a105fd..aa33f57 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +996,6 @@ optional_policy(`
+@@ -766,8 +1000,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39827,7 +40053,7 @@ index 8a105fd..aa33f57 100644
  ')
  
  optional_policy(`
-@@ -776,14 +1004,21 @@ optional_policy(`
+@@ -776,14 +1008,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39849,7 +40075,7 @@ index 8a105fd..aa33f57 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1040,19 @@ optional_policy(`
+@@ -805,11 +1044,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39870,14 +40096,13 @@ index 8a105fd..aa33f57 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1062,25 @@ optional_policy(`
+@@ -819,6 +1066,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
 +
 +	# Allow SELinux aware applications to request rpm_script_t execution
 +	rpm_transition_script(initrc_t)
-+
 +	
 +	optional_policy(`
 +		gen_require(`
@@ -39892,11 +40117,12 @@ index 8a105fd..aa33f57 100644
 +')
 +
 +optional_policy(`
++	rpm_read_db(initrc_t)
 +	rpm_delete_db(initrc_t)
  ')
  
  optional_policy(`
-@@ -844,3 +1106,59 @@ optional_policy(`
+@@ -844,3 +1110,59 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -43774,7 +44000,7 @@ index 025348a..5b277ea 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..4867243 100644
+index a054cf5..f24ab6b 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -43785,16 +44011,17 @@ index a054cf5..4867243 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -72,7 +73,7 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+@@ -72,7 +73,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
  manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 -files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 +files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
++allow udev_t udev_var_run_t:file mounton;
  
  kernel_read_system_state(udev_t)
  kernel_request_load_module(udev_t)
-@@ -111,15 +112,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -111,15 +113,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
  
  files_read_usr_files(udev_t)
  files_read_etc_runtime_files(udev_t)
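Review bot: `allow udev_t udev_var_run_t:file mounton;` is added without a comment, and mounting on top of a regular file in udev's own runtime directory is unusual enough to need one. The commit message does not mention this rule. A line such as `# <reason udev mounts over a file in its run directory>` above the rule would let a later audit tell an intended grant from a leftover.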
@@ -43816,7 +44043,7 @@ index a054cf5..4867243 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -186,6 +192,7 @@ ifdef(`distro_redhat',`
+@@ -186,6 +193,7 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -43824,7 +44051,7 @@ index a054cf5..4867243 100644
  
  	term_search_ptys(udev_t)
  
-@@ -216,11 +223,16 @@ optional_policy(`
+@@ -216,11 +224,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43841,7 +44068,7 @@ index a054cf5..4867243 100644
  ')
  
  optional_policy(`
-@@ -233,6 +245,10 @@ optional_policy(`
+@@ -233,6 +246,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43852,7 +44079,7 @@ index a054cf5..4867243 100644
  	lvm_domtrans(udev_t)
  ')
  
-@@ -259,6 +275,10 @@ optional_policy(`
+@@ -259,6 +276,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43863,7 +44090,7 @@ index a054cf5..4867243 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +293,11 @@ optional_policy(`
+@@ -273,6 +294,11 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d0fa46a..b3e6413 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,17 @@ exit 0
 %endif
 
 %changelog
+* Thu Oct 28 2010 Dan Walsh <dwalsh at redhat.com> 3.9.7-7
+- Dontaudit sandbox sending sigkill to all user domains
+- Add policy for rssh_chroot_helper
+- Add missing flask definitions
+- Allow udev to relabelto removable_t
+- Fix label on /var/log/wicd.log
+- Transition to initrc_t from init when executing bin_t
+- Add audit_access permissions to file
+- Make removable_t a device_node 
+- Fix label on /lib/systemd/*
+
 * Fri Oct 22 2010 Dan Walsh <dwalsh at redhat.com> 3.9.7-6
 - Fixes for systemd to manage /var/run
 - Dontaudit leaks by firstboot
diff --git a/sources b/sources
index 6d66d22..5a31809 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 04730b4c56ff60274b246bcf4576355c  serefpolicy-3.9.7.tgz
+409b40c8102b1617681ba17c31032e66  config.tgz

