[selinux-policy/f16] - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nf
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jan 16 13:11:24 UTC 2012
commit c1c5a5613810cb493a7b2be3e397a06111336b93
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Jan 16 14:11:10 2012 +0100
- Allow deltacloudd dac_override, setuid, setgid caps
- Allow aisexec to execute shell
- Add use_nfs_home_dirs boolean for ssh-keygen
- Allow xguest execmod on execmem_exec_t
- Dontaudit X domains trying to access dri device in a sandbox
policy-F16.patch | 102 +++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 9 ++++-
2 files changed, 70 insertions(+), 41 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 2475a02..ad6b068 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4771,10 +4771,10 @@ index 0000000..5901e21
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
new file mode 100644
-index 0000000..1553356
+index 0000000..a03aec4
--- /dev/null
+++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,137 @@
+
+## <summary>policy for chrome</summary>
+
@@ -4889,6 +4889,10 @@ index 0000000..1553356
+interface(`chrome_role',`
+ chrome_role_notrans($1, $2)
+ chrome_domtrans_sandbox($2)
++
++ optional_policy(`
++ execmem_execmod($2)
++ ')
+')
+
+########################################
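Review bot: The `execmem_execmod($2)` call added to `chrome_role` applies to every domain passed as `$2`, while the commit description only mentions xguest. execmod permits making a modified private file mapping executable, so the scope of the grant is worth stating explicitly. If the wider grant is intended, a comment above the `optional_policy` block would record it, e.g. `# chrome needs execmod on execmem_exec_t; applies to every role using chrome_role`. If only xguest needs it, the call presumably belongs in the xguest role policy, which is not visible here.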
@@ -10658,10 +10662,10 @@ index 0000000..809784d
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..5e75113
+index 0000000..a53f663
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,488 @@
+@@ -0,0 +1,489 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -10871,6 +10875,7 @@ index 0000000..5e75113
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
++dev_dontaudit_rw_dri(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
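Review bot: `dev_dontaudit_rw_dri(sandbox_x_domain)` suppresses the AVC record rather than changing the decision, so attempts by sandboxed X clients to open the dri device will no longer appear in the audit log. A short comment would record why that loss of visibility is acceptable, e.g. `# X clients probe the dri device at startup; access stays denied, only the log noise is dropped`, assuming that is the reason. The surrounding rule list starts and ends outside the hunk.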
@@ -14751,7 +14756,7 @@ index 6cf8784..fa24001 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..d29862e 100644
+index f820f3b..a0e6bde 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15257,7 +15262,15 @@ index f820f3b..d29862e 100644
## Search the sysfs directories.
## </summary>
## <param name="domain">
-@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',`
+ type sysfs_t;
+ ')
+
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+@@ -3902,25 +4177,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
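Review bot: The `read_lnk_files_pattern($1, sysfs_t, sysfs_t)` line added to `dev_list_sysfs` is not mentioned in the commit description or the spec changelog, and it extends every caller of a list-only interface to reading sysfs symlinks. The interface's `<summary>` should be updated to say that it now also reads symlinks, or the symlink access should be offered through a separate interface for the domains that need it. The interface header and its doc block lie outside the hunk, so neither the current wording nor the callers can be checked from here.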
@@ -15283,7 +15296,7 @@ index f820f3b..d29862e 100644
## Read hardware state information.
## </summary>
## <desc>
-@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4228,42 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -15326,7 +15339,7 @@ index f820f3b..d29862e 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4361,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
@@ -15352,7 +15365,7 @@ index f820f3b..d29862e 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
-@@ -4103,6 +4413,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4414,24 @@ interface(`dev_setattr_generic_usb_dev',`
setattr_chr_files_pattern($1, device_t, usb_device_t)
')
@@ -15377,7 +15390,7 @@ index f820f3b..d29862e 100644
########################################
## <summary>
## Read generic the USB devices.
-@@ -4495,6 +4823,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4824,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@@ -15402,7 +15415,7 @@ index f820f3b..d29862e 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4695,6 +5041,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5042,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@@ -15429,7 +15442,7 @@ index f820f3b..d29862e 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4784,3 +5150,822 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5151,822 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -24612,10 +24625,18 @@ index 0370dba..af5d229 100644
#
interface(`aisexec_domtrans',`
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
-index 64953f7..99a750b 100644
+index 64953f7..244259f 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
-@@ -89,6 +89,10 @@ optional_policy(`
+@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+ kernel_read_system_state(aisexec_t)
+
+ corecmd_exec_bin(aisexec_t)
++corecmd_exec_shell(aisexec_t)
+
+ corenet_udp_bind_netsupport_port(aisexec_t)
+ corenet_tcp_bind_reserved_port(aisexec_t)
+@@ -89,6 +90,10 @@ optional_policy(`
')
optional_policy(`
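Review bot: `corecmd_exec_shell(aisexec_t)` lets the daemon run a shell without a domain transition, so anything that shell starts keeps the permissions of `aisexec_t`, which in the visible context also binds UDP and reserved TCP ports. The line carries no comment saying what needs the shell. Something like `# aisexec runs <script name> through the shell` above it would let a later reviewer check whether a transition to a narrower domain would do instead. The rest of the aisexec_t rules are outside the hunk.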
@@ -30046,10 +30067,10 @@ index 0000000..6451167
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..e1974d3
+index 0000000..f772371
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,225 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -30122,6 +30143,8 @@ index 0000000..e1974d3
+# deltacloudd local policy
+#
+
++allow deltacloudd_t self:capability { dac_override setuid setgid };
++
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
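Review bot: `dac_override` in the new `allow deltacloudd_t self:capability { dac_override setuid setgid };` lets the daemon bypass file ownership and mode checks, and a need for it often points at mis-owned files that could be fixed instead. The later dhcp.te hunk adds the same capability to `dhcpd_t`, and that change is not listed in the commit description or the spec changelog. Each rule would benefit from a comment naming what triggered the denial, e.g. `# dac_override: writes <path> owned by <user>`, so the capability can be dropped once ownership is corrected.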
@@ -35042,7 +35065,7 @@ index 5e2cea8..7a18800 100644
+ dhcpd_systemctl($1)
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
-index d4424ad..f90959a 100644
+index d4424ad..5d01064 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -35060,7 +35083,7 @@ index d4424ad..f90959a 100644
#
-allow dhcpd_t self:capability { net_raw sys_resource };
-+allow dhcpd_t self:capability { sys_chroot net_raw setgid setuid sys_resource };
++allow dhcpd_t self:capability { dac_override sys_chroot net_raw setgid setuid sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
-allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:process { getcap setcap signal_perms };
@@ -43284,10 +43307,10 @@ index 0000000..0d771fd
+')
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
new file mode 100644
-index 0000000..215407c
+index 0000000..ea433bd
--- /dev/null
+++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,97 @@
+policy_module(matahari,1.0.0)
+
+########################################
@@ -43318,8 +43341,6 @@ index 0000000..215407c
+
+allow matahari_hostd_t self:capability sys_ptrace;
+
-+kernel_read_network_state(matahari_hostd_t)
-+
+dev_read_sysfs(matahari_hostd_t)
+dev_rw_mtrr(matahari_hostd_t)
+
@@ -43345,16 +43366,13 @@ index 0000000..215407c
+#
+# matahari_serviced local policy
+#
-+allow matahari_serviced_t self:process setpgid;
+
-+kernel_read_network_state(matahari_serviced_t)
++allow matahari_serviced_t self:process setpgid;
+
+dev_read_sysfs(matahari_serviced_t)
+
+domain_use_interactive_fds(matahari_serviced_t)
+
-+files_read_etc_runtime_files(matahari_serviced_t)
-+
+init_domtrans_script(matahari_serviced_t)
+
+systemd_config_all_services(matahari_serviced_t)
@@ -43376,12 +43394,14 @@ index 0000000..215407c
+allow matahari_domain self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(matahari_domain)
++kernel_read_network_state(matahari_domain)
+
+corenet_tcp_connect_matahari_port(matahari_domain)
+
+dev_read_urand(matahari_domain)
+
+files_read_etc_files(matahari_domain)
++files_read_etc_runtime_files(matahari_domain)
+
+logging_send_syslog_msg(matahari_domain)
+
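Review bot: Moving `files_read_etc_runtime_files` to `matahari_domain` widens the grant: in the visible lines only `matahari_serviced_t` had it, whereas `kernel_read_network_state` was removed from both `matahari_hostd_t` and `matahari_serviced_t`. Every type carrying the attribute can now read etc_runtime files, and the commit description does not mention this. If only serviced needs it, keep `files_read_etc_runtime_files(matahari_serviced_t)` in the serviced section. The other members of the attribute are declared outside these hunks and cannot be checked here.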
@@ -60012,7 +60032,7 @@ index 22adaca..9001bca 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..02e70c9 100644
+index 2dad3c8..e411df0 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -60350,10 +60370,6 @@ index 2dad3c8..02e70c9 100644
-
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, userdomain)
-- ')
--',`
-- optional_policy(`
-- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
@@ -60374,6 +60390,10 @@ index 2dad3c8..02e70c9 100644
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
')
+-',`
+- optional_policy(`
+- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+- ')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
@@ -60411,22 +60431,25 @@ index 2dad3c8..02e70c9 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +422,91 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +422,11 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_use_user_terminals(ssh_keygen_t)
- optional_policy(`
+-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-+ seutil_sigchld_newrole(ssh_keygen_t)
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(ssh_keygen_t)
++ fs_manage_nfs_dirs(ssh_keygen_t)
')
optional_policy(`
-- seutil_sigchld_newrole(ssh_keygen_t)
-+ udev_read_db(ssh_keygen_t)
+@@ -363,3 +436,82 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ssh_keygen_t)
')
-
++
+####################################
+#
+# ssh_dyntransition domain local policy
@@ -60436,8 +60459,7 @@ index 2dad3c8..02e70c9 100644
+
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
+
- optional_policy(`
-- udev_read_db(ssh_keygen_t)
++optional_policy(`
+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
+ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
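Review bot: The new `use_nfs_home_dirs` block gives `ssh_keygen_t` both `fs_manage_nfs_files` and `fs_manage_nfs_dirs`, which means create, write and delete on everything labelled nfs_t rather than only a user's key directory. That breadth probably follows from NFS mounts carrying a single label, but it deserves a comment such as `# home dirs on NFS: ssh-keygen must create key files under ~/.ssh`. For consistency, a matching `use_samba_home_dirs` block with `fs_manage_cifs_files` and `fs_manage_cifs_dirs` may be wanted as well, unless one already exists in a part of ssh.te that is not visible here.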
@@ -60505,7 +60527,7 @@ index 2dad3c8..02e70c9 100644
+
+optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
- ')
++')
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..ce8c972 100644
--- a/policy/modules/services/sssd.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5eff3e4..c49e147 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 71%{?dist}
+Release: 72%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jan 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-72
+- Allow deltacloudd dac_override, setuid, setgid caps
+- Allow aisexec to execute shell
+- Add use_nfs_home_dirs boolean for ssh-keygen
+- Allow xguest execmod on execmem_exec_t
+- Dontaudit X domains trying to access dri device in a sandbox
+
* Wed Jan 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-71
- New fix for seunshare, requires seunshare_domains to be able to mounton /