[selinux-policy] - Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices -

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jun 20 14:58:56 UTC 2013


commit 82acdf307907b0849752d4f8e882040e46dea154
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jun 20 16:58:38 2013 +0200

    - Don't audit access checks by sandbox xserver on xdb var_lib
    - Allow ntop to read usbmon devices
    - Add labeling for new policykit authorizer
    - Dontaudit access checks from fail2ban_client
    - Don't audit access checks by sandbox xserver on xdb var_lib
    - Allow apps that connect to xdm stream to connect to xdm_dbusd_t stream
    - Fix labeling for all /usr/bin/razor-lightdm-* binaries
    - Add filename trans for /dev/md126p1

 policy-rawhide-base.patch    |  327 ++++++++++++++++++++++++++++--------------
 policy-rawhide-contrib.patch |  144 ++++++++++++++++--
 selinux-policy.spec          |   12 ++-
 3 files changed, 361 insertions(+), 122 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index deb0e92..9edad61 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15142,7 +15142,7 @@ index 54f1827..cc2de1a 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..f8f6456 100644
+index 1700ef2..38b597e 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -15181,7 +15181,15 @@ index 1700ef2..f8f6456 100644
  	typeattribute $1 fixed_disk_raw_read;
  ')
  
-@@ -205,6 +227,7 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
+ interface(`storage_raw_rw_fixed_disk',`
+ 	storage_raw_read_fixed_disk($1)
+ 	storage_raw_write_fixed_disk($1)
++	dev_rw_generic_blk_files($1)
+ ')
+ 
+ ########################################
+@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',`
  
  	allow $1 self:capability mknod;
  	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
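Review bot: The added `dev_rw_generic_blk_files($1)` inside `storage_raw_rw_fixed_disk` extends every existing caller of that interface from fixed-disk nodes to read/write on generically labelled block device nodes, and nothing in the hunk or the changelog says why. If the intent is to cover nodes that have not yet received their final label (the same commit adds a filename transition for md126p1, which suggests it), a comment above the line would make that reviewable, for example `# nodes created before relabeling still carry the generic device label`. Granting it only in the `.te` of the one domain that hit the denial would keep the shared interface at its documented scope.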
@@ -15189,7 +15197,7 @@ index 1700ef2..f8f6456 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -269,6 +292,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
  	dev_filetrans($1, fixed_disk_device_t, blk_file)
  ')
  
@@ -15238,7 +15246,7 @@ index 1700ef2..f8f6456 100644
  ########################################
  ## <summary>
  ##	Create block devices in on a tmpfs filesystem with the
-@@ -711,6 +776,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
  	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
  ')
  
@@ -15263,7 +15271,7 @@ index 1700ef2..f8f6456 100644
  ########################################
  ## <summary>
  ##	Allow the caller to directly read
-@@ -808,3 +891,400 @@ interface(`storage_unconfined',`
+@@ -808,3 +892,401 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -15374,6 +15382,7 @@ index 1700ef2..f8f6456 100644
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
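Review bot: The new `dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")` entry covers exactly one node name, because named file transitions match the literal file name. Other partitions of the same array (md126p2 and up) and other auto-numbered arrays will still be created with the generic label, so the denial this was added for is likely to come back under a different name. A comment such as `# named transitions are exact-match; extend when new md partition names show up` would at least record that the list is known to be incomplete. The enclosing interface starts and ends outside this hunk.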
@@ -20595,7 +20604,7 @@ index 5fc0391..994eec2 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..97140ee 100644
+index d1f64a0..156a29f 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -20685,7 +20694,7 @@ index d1f64a0..97140ee 100644
 +
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
-+/usr/bin/razor-lightdm-greeter  --  gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/razor-lightdm-*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
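Review bot: The replacement pattern `/usr/bin/razor-lightdm-*` is written as a shell glob, but file-context specifications are regular expressions matched against the whole path, so `-*` means zero or more hyphens. As written it no longer matches `/usr/bin/razor-lightdm-greeter`, which the removed line labelled xdm_exec_t, and that binary would fall back to whatever the generic /usr/bin rule assigns. The line should read `/usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)`. Running `matchpathcon /usr/bin/razor-lightdm-greeter` against the built policy would confirm the label.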
@@ -20752,7 +20761,7 @@ index d1f64a0..97140ee 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..18223e7 100644
+index 6bf0ecc..9388756 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -21224,18 +21233,19 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +904,92 @@ interface(`xserver_manage_xdm_spool_files',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
 -		type xdm_t, xdm_tmp_t;
 +		type xdm_t, xdm_tmp_t, xdm_var_run_t;
++		type xdm_dbusd_t;
  	')
  
  	files_search_tmp($1)
 -	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
 +	files_search_pids($1)
-+	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } )
 +')
 +
 +########################################
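Review bot: Adding `xdm_dbusd_t` to the target set of `stream_connect_pattern` in `xserver_stream_connect_xdm` grants connectto on the xdm session bus daemon to every domain that already calls this interface, not only to the applications the changelog entry has in mind. The `gen_require` also now demands `xdm_dbusd_t` unconditionally; if that type is only declared when the dbus policy is present (its declaration is not visible here), the interface becomes unusable without it. A separate interface for the dbus case, or an `optional_policy` wrapper inside the caller, would keep the original grant unchanged. There is also a stray space before the closing parenthesis, `{ xdm_t xdm_dbusd_t } )`.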
@@ -21318,7 +21328,7 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +1013,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -21344,7 +21354,7 @@ index 6bf0ecc..18223e7 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1045,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -21371,7 +21381,7 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1103,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -21399,7 +21409,7 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1145,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -21424,7 +21434,7 @@ index 6bf0ecc..18223e7 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1232,26 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -21452,7 +21462,7 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1270,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -21461,66 +21471,167 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,7 +1317,7 @@ interface(`xserver_read_xkb_libs',`
+ 
+ ########################################
+ ## <summary>
+-##	Read xdm temporary files.
++##	dontaudit access checks X keyboard extension libraries.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1012,56 +1325,57 @@ interface(`xserver_read_xkb_libs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_read_xdm_tmp_files',`
++interface(`xserver_dontaudit_xkb_libs_access',`
+ 	gen_require(`
+-		type xdm_tmp_t;
++		type xkb_var_lib_t;
+ 	')
+ 
+- 	files_search_tmp($1)
+-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++	dontaudit $1 xkb_var_lib_t:dir audit_access;
++	dontaudit $1 xkb_var_lib_t:file audit_access;
+ ')
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to read xdm temporary files.
 +##	Read xdm config files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain to not audit
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_read_xdm_tmp_files',`
 +interface(`xserver_read_xdm_etc_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_tmp_t;
 +		type xdm_etc_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+-	dontaudit $1 xdm_tmp_t:file read_file_perms;
 +	files_search_etc($1)
 +	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
 +	read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read write xdm temporary files.
++##	Manage xdm config files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_rw_xdm_tmp_files',`
++interface(`xserver_manage_xdm_etc_files',`
+ 	gen_require(`
+-		type xdm_tmp_t;
++		type xdm_etc_t;
+ 	')
+ 
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
+-	allow $1 xdm_tmp_t:file rw_file_perms;
++	files_search_etc($1)
++	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete xdm temporary files.
++##	Read xdm temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1069,18 +1383,18 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_manage_xdm_tmp_files',`
++interface(`xserver_read_xdm_tmp_files',`
+ 	gen_require(`
+ 		type xdm_tmp_t;
+ 	')
+ 
+-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++	files_search_tmp($1)
++	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	xdm temporary named sockets.
++##	Do not audit attempts to read xdm temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1088,12 +1402,105 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
++interface(`xserver_dontaudit_read_xdm_tmp_files',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
++	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
++	dontaudit $1 xdm_tmp_t:file read_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Manage xdm config files.
++##	Read write xdm temporary files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`xserver_manage_xdm_etc_files',`
++interface(`xserver_rw_xdm_tmp_files',`
 +	gen_require(`
-+		type xdm_etc_t;
++		type xdm_tmp_t;
 +	')
 +
-+	files_search_etc($1)
-+	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
++	allow $1 xdm_tmp_t:dir search_dir_perms;
++	allow $1 xdm_tmp_t:file rw_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Read xdm temporary files.
- ## </summary>
- ## <param name="domain">
-@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',`
++##	Create, read, write, and delete xdm temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_manage_xdm_tmp_files',`
+ 	gen_require(`
  		type xdm_tmp_t;
  	')
  
-- 	files_search_tmp($1)
-+	files_search_tmp($1)
- 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
- ')
- 
-@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',`
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes of
+-	dontaudit $1 xdm_tmp_t:sock_file getattr;
++	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete xdm temporary dirs.
 +## </summary>
 +## <param name="domain">
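Review bot: The parameter description `Domain to not audit` on `xserver_read_xdm_etc_files` and on `xserver_manage_xdm_etc_files` is wrong, since both interfaces grant access (`read_files_pattern` and `manage_files_pattern` on xdm_etc_t) rather than suppress auditing. Both should say `##	Domain allowed access.` so that a reviewer scanning the interface docs does not mistake an allow rule for a dontaudit. The summary of the new `xserver_dontaudit_xkb_libs_access` would read better as `##	Do not audit access checks on X keyboard extension libraries.`. The reordering of the xdm_tmp interfaces makes this hunk hard to read, but these doc lines are on the new side.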
@@ -21558,19 +21669,24 @@ index 6bf0ecc..18223e7 100644
 +########################################
 +## <summary>
 +##	Do not audit attempts to get the attributes of
- ##	xdm temporary named sockets.
- ## </summary>
- ## <param name="domain">
-@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
- 		type xdm_tmp_t;
- 	')
- 
--	dontaudit $1 xdm_tmp_t:sock_file getattr;
++##	xdm temporary named sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
 +	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
  ')
  
  ########################################
-@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1518,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -21582,7 +21698,7 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1619,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -21608,7 +21724,7 @@ index 6bf0ecc..18223e7 100644
  ##	Connect to the X server over a unix domain
  ##	stream socket.
  ## </summary>
-@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1654,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -21635,7 +21751,7 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1699,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -21644,7 +21760,7 @@ index 6bf0ecc..18223e7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1709,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -21669,7 +21785,7 @@ index 6bf0ecc..18223e7 100644
  ')
  
  ########################################
-@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1742,604 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -23864,7 +23980,7 @@ index 28ad538..ebe81bf 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..c7f52c2 100644
+index 3efd5b6..2f6ba05 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -24054,16 +24170,7 @@ index 3efd5b6..c7f52c2 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -395,6 +432,8 @@ interface(`auth_domtrans_chk_passwd',`
- 	')
- 
- 	optional_policy(`
-+		pcscd_manage_pub_files($1)
-+		pcscd_manage_pub_pipes($1)
- 		pcscd_read_pid_files($1)
- 		pcscd_stream_connect($1)
- 	')
-@@ -402,6 +441,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +439,8 @@ interface(`auth_domtrans_chk_passwd',`
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -24072,7 +24179,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -448,6 +489,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -24098,7 +24205,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -467,7 +527,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -24106,7 +24213,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -664,6 +723,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -24117,7 +24224,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  #######################################
-@@ -763,7 +826,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -24169,7 +24276,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  #######################################
-@@ -824,9 +930,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',`
  	allow $1 lastlog_t:file { rw_file_perms lock setattr };
  ')
  
@@ -24200,7 +24307,7 @@ index 3efd5b6..c7f52c2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -834,12 +960,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',`
  ##	</summary>
  ## </param>
  #
@@ -24231,7 +24338,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -854,15 +995,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',`
  #
  interface(`auth_signal_pam',`
  	gen_require(`
@@ -24250,7 +24357,7 @@ index 3efd5b6..c7f52c2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -875,13 +1016,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',`
  ##	</summary>
  ## </param>
  #
@@ -24288,7 +24395,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -959,9 +1120,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -24322,7 +24429,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -1040,6 +1222,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -24333,7 +24440,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -1176,6 +1362,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1360,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -24341,7 +24448,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  #######################################
-@@ -1576,6 +1763,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1761,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -24367,7 +24474,7 @@ index 3efd5b6..c7f52c2 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1726,24 +1932,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1930,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -24393,7 +24500,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -1767,11 +1956,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1954,13 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -24410,7 +24517,7 @@ index 3efd5b6..c7f52c2 100644
  ')
  
  ########################################
-@@ -1805,3 +1996,219 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1994,219 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -28821,7 +28928,7 @@ index 5dfa44b..2502d06 100644
  
  optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..dc79c6f 100644
+index 73bb3c0..6e848de 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -28983,7 +29090,7 @@ index 73bb3c0..dc79c6f 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +310,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -29141,6 +29248,8 @@ index 73bb3c0..dc79c6f 100644
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/chrome/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/talkplugin/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/[^/]*/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
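Review bot: The second added entry, `/opt/google/[^/]*/.*\.so`, labels every `.so` under any product directory in /opt/google as textrel_shlib_t, which is the type used for libraries that need text relocations. That is a much wider grant than the per-product lines, and it makes the `talkplugin` line added just above it, and the existing `chrome` line, redundant. Either keep the explicit per-product entries and drop the catch-all, or keep the catch-all, drop the redundant lines, and add a comment such as `# all Google-shipped plugins under /opt/google are built with text relocations`. Neither pattern matches versioned names like `libfoo.so.1`, because the expression has to match the full path.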
@@ -30183,7 +30292,7 @@ index 4e94884..5481f47 100644
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..4dd92d4 100644
+index 39ea221..7094526 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -30371,7 +30480,7 @@ index 39ea221..4dd92d4 100644
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
  dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 { syslog block_suspend };
  # setpgid for metalog
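Review bot: The new capability set for syslogd_t lists `setgid` and `setuid` twice, once after `net_admin` and again at the end, so this change adds nothing over the previous line. Unless a different capability was meant to be added here, the line should stay as `allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };`. The set is already broad for a log daemon, so a short comment on what needs `setuid`/`setgid` and `sys_ptrace`, in the style of the existing `# setpgid for metalog` note, would help later audits.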
@@ -36903,10 +37012,10 @@ index 0f64692..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..1749342 100644
+index a5ec88b..e7663f3 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
+@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
  type udev_etc_t alias etc_udev_t;
  files_config_file(udev_etc_t)
  
@@ -36921,8 +37030,13 @@ index a5ec88b..1749342 100644
 +typealias udev_var_run_t alias udev_tbl_t;
  init_daemon_run_dir(udev_var_run_t, "udev")
  
++type udev_tmp_t;
++files_tmp_file(udev_tmp_t)
++
  ifdef(`enable_mcs',`
-@@ -37,9 +35,11 @@ ifdef(`enable_mcs',`
+ 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+ 	init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
  # Local policy
  #
  
@@ -36936,7 +37050,7 @@ index a5ec88b..1749342 100644
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
  allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -53,6 +53,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
@@ -36944,14 +37058,17 @@ index a5ec88b..1749342 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t)
  # read udev config
  allow udev_t udev_etc_t:file read_file_perms;
  
 -# create udev database in /dev/.udevdb
 -allow udev_t udev_tbl_t:file manage_file_perms;
 -dev_filetrans(udev_t, udev_tbl_t, file)
--
++allow udev_t udev_tmp_t:dir manage_dir_perms;
++allow udev_t udev_tmp_t:file manage_file_perms;
++files_tmp_filetrans(udev_t, udev_tmp_t, { file dir })
+ 
  list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
 -read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 +manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
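Review bot: The two new udev_tmp_t rules are written as raw `allow` statements while the lines directly below use the pattern macros. For consistency they could be `manage_dirs_pattern(udev_t, udev_tmp_t, udev_tmp_t)` and `manage_files_pattern(udev_t, udev_tmp_t, udev_tmp_t)`, followed by the existing `files_tmp_filetrans` line. The type itself is declared in the earlier udev.te hunk (`type udev_tmp_t;` / `files_tmp_file(udev_tmp_t)`), and neither hunk says which udev helper writes to /tmp. A comment such as `# temporary files created by udev helper programs` above the rules would record the reason for the new type.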
@@ -36988,7 +37105,7 @@ index a5ec88b..1749342 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
  
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
@@ -36996,7 +37113,7 @@ index a5ec88b..1749342 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -37032,7 +37149,7 @@ index a5ec88b..1749342 100644
  
  mls_file_read_all_levels(udev_t)
  mls_file_write_all_levels(udev_t)
-@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -37054,7 +37171,7 @@ index a5ec88b..1749342 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -170,6 +188,9 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +195,9 @@ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
  sysnet_etc_filetrans_config(udev_t)
  
@@ -37064,7 +37181,7 @@ index a5ec88b..1749342 100644
  userdom_dontaudit_search_user_home_content(udev_t)
  
  ifdef(`distro_gentoo',`
-@@ -179,16 +200,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +207,9 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -37083,7 +37200,7 @@ index a5ec88b..1749342 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -226,19 +240,34 @@ optional_policy(`
+@@ -226,19 +247,34 @@ optional_policy(`
  
  optional_policy(`
  	cups_domtrans_config(udev_t)
@@ -37118,7 +37235,7 @@ index a5ec88b..1749342 100644
  ')
  
  optional_policy(`
-@@ -264,6 +293,10 @@ optional_policy(`
+@@ -264,6 +300,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37129,7 +37246,7 @@ index a5ec88b..1749342 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -278,6 +311,15 @@ optional_policy(`
+@@ -278,6 +318,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37145,7 +37262,7 @@ index a5ec88b..1749342 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -290,6 +332,7 @@ optional_policy(`
+@@ -290,6 +339,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 41328d9..2e38254 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -10904,7 +10904,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..770ae51 100644
+index 914ee2d..1544e9b 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -10934,10 +10934,12 @@ index 914ee2d..770ae51 100644
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
++domain_dontaudit_getsession_all_domains(chronyd_t)
++
 +dev_read_rand(chronyd_t)
 +dev_read_urand(chronyd_t)
 +
@@ -23011,7 +23013,7 @@ index 50d0084..6565422 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..5d49b4f 100644
+index 0872e50..d336d7f 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
@@ -23056,7 +23058,15 @@ index 0872e50..5d49b4f 100644
  	iptables_domtrans(fail2ban_t)
  ')
  
-@@ -137,14 +137,12 @@ corecmd_exec_bin(fail2ban_client_t)
+@@ -129,6 +129,7 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+ 
+ domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+ 
++dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+ stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+ 
+ kernel_read_system_state(fail2ban_client_t)
+@@ -137,14 +138,12 @@ corecmd_exec_bin(fail2ban_client_t)
  
  domain_use_interactive_fds(fail2ban_client_t)
  
@@ -27140,7 +27150,7 @@ index d03fd43..26023f7 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..6af4e62 100644
+index 20f726b..8e905be 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -27368,7 +27378,7 @@ index 20f726b..6af4e62 100644
 +')
 +
 +optional_policy(`
-+ 	gnome_read_home_config(gnomesystemmm_t)
++ 	gnome_manage_home_config(gnomesystemmm_t)
 +')
 +
 +optional_policy(`
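Review bot: Switching `gnome_read_home_config(gnomesystemmm_t)` to `gnome_manage_home_config(gnomesystemmm_t)` raises this domain from read-only to create/write/delete on users' GNOME configuration, and the changelog does not list or explain the change. If only a specific file needs to be written, a narrower interface or a dedicated type for that file would avoid giving a system helper write access to the whole per-user config tree. At minimum add a comment above the call naming what the daemon writes, for example `# <component> stores <file> under the user's gnome config dir`, with the placeholders filled in from the denial that prompted this.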
@@ -37396,11 +37406,104 @@ index 0000000..67b8b3d
 +tunable_policy(`mock_enable_homedirs',`
 +	userdom_read_user_home_content_files(mock_build_t)
 +')
+diff --git a/modemmanager.fc b/modemmanager.fc
+index a83894c..481dca3 100644
+--- a/modemmanager.fc
++++ b/modemmanager.fc
+@@ -1 +1,4 @@
+ /usr/sbin/modem-manager	--	gen_context(system_u:object_r:modemmanager_exec_t,s0)
++/usr/sbin/ModemManager	--	gen_context(system_u:object_r:modemmanager_exec_t,s0)
++
++/usr/lib/systemd/system/ModemManager.service		--	gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
+diff --git a/modemmanager.if b/modemmanager.if
+index b1ac8b5..90ca430 100644
+--- a/modemmanager.if
++++ b/modemmanager.if
+@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute modemmanager server in the modemmanager domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`modemmanager_systemctl',`
++	gen_require(`
++		type modemmanager_t;
++		type modemmanager_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++	allow $1 modemmanager_unit_file_t:file read_file_perms;
++	allow $1 modemmanager_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, modemmanager_t)
++')
++
++########################################
++## <summary>
+ ##	Send and receive messages from
+ ##	modemmanager over dbus.
+ ## </summary>
+@@ -39,3 +63,38 @@ interface(`modemmanager_dbus_chat',`
+ 	allow $1 modemmanager_t:dbus send_msg;
+ 	allow modemmanager_t $1:dbus send_msg;
+ ')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an modemmanager environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`modemmanager_admin',`
++	gen_require(`
++		type modemmanager_t;
++		type modemmanager_unit_file_t;
++	')
++
++	allow $1 modemmanager_t:process { ptrace signal_perms };
++	ps_process_pattern($1, modemmanager_t)
++
++	modemmanager_systemctl($1)
++	admin_pattern($1, modemmanager_unit_file_t)
++	allow $1 modemmanager_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
 diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..d744144 100644
+index cb4c13d..ab6fb25 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
-@@ -27,12 +27,12 @@ kernel_read_system_state(modemmanager_t)
+@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
+ typealias modemmanager_t alias ModemManager_t;
+ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ 
++type modemmanager_unit_file_t;
++systemd_unit_file(modemmanager_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
  dev_read_sysfs(modemmanager_t)
  dev_rw_modem(modemmanager_t)
  
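Review bot: `modemmanager_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `modemmanager_admin` further down calls `systemd_read_fifo_file_passwd_run($1)`; the two spellings differ and presumably only one is defined by the systemd module. An m4 name that does not resolve is left as literal text, so the mismatch would likely surface only when some caller expands the interface. Assuming the `passwd` spelling is the defined one, the first call should read `systemd_read_fifo_file_passwd_run($1)`, indented with a tab like its neighbours. The `<summary>` of `modemmanager_systemctl` also appears to be copied from the domtrans interface; something like `Execute systemctl to manage the modemmanager unit file.` would describe what the interface actually grants.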
@@ -47550,7 +47653,7 @@ index 0000000..7d839fe
 +	pulseaudio_setattr_home_dir(nsplugin_t)
 +')
 diff --git a/ntop.te b/ntop.te
-index 52757d8..638c3d2 100644
+index 52757d8..6ce5c69 100644
 --- a/ntop.te
 +++ b/ntop.te
 @@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t)
@@ -47561,7 +47664,12 @@ index 52757d8..638c3d2 100644
  corenet_all_recvfrom_netlabel(ntop_t)
  corenet_tcp_sendrecv_generic_if(ntop_t)
  corenet_raw_sendrecv_generic_if(ntop_t)
-@@ -81,7 +80,6 @@ dev_rw_generic_usb_dev(ntop_t)
+@@ -78,10 +77,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
+ 
+ dev_read_sysfs(ntop_t)
+ dev_rw_generic_usb_dev(ntop_t)
++dev_read_usbmon_dev(ntop_t)
++dev_write_usbmon_dev(ntop_t)
  
  domain_use_interactive_fds(ntop_t)
  
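Review bot: `dev_write_usbmon_dev(ntop_t)` grants write access that the commit message does not cover; it says only "Allow ntop to read usbmon devices". If the denial that prompted the change was a read, keeping just `dev_read_usbmon_dev(ntop_t)` is the narrower fix. If ntop really opens the device read-write, the changelog should say so, so the grant is not later mistaken for a paste error. ntop_t already has `dev_rw_generic_usb_dev(ntop_t)` on the line above, so it is worth confirming what the usbmon write adds.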
@@ -49990,10 +50098,10 @@ index 0000000..bddd4b3
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..877c71a
+index 0000000..35f9df0
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,546 @@
+@@ -0,0 +1,547 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -50041,6 +50149,7 @@ index 0000000..877c71a
 +files_pid_file(openshift_var_run_t)
 +
 +type openshift_var_lib_t, openshift_file_type;
++userdom_user_home_content(openshift_var_lib_t)
 +files_poly(openshift_var_lib_t)
 +files_poly_parent(openshift_var_lib_t)
 +files_mountpoint(openshift_var_lib_t)
@@ -54227,10 +54336,10 @@ index a14b3bc..b196183 100644
  
  userdom_signal_unpriv_users(podsleuth_t)
 diff --git a/policykit.fc b/policykit.fc
-index 1d76c72..4718a93 100644
+index 1d76c72..eeb33d9 100644
 --- a/policykit.fc
 +++ b/policykit.fc
-@@ -1,23 +1,20 @@
+@@ -1,23 +1,21 @@
 -/usr/lib/polkit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
 -/usr/lib/polkit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -
@@ -54241,6 +54350,7 @@ index 1d76c72..4718a93 100644
 -/usr/lib/policykit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -/usr/lib/policykit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
++/usr/bin/pkla-check-authorization 	   --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 +/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 +/usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
@@ -74663,10 +74773,10 @@ index 0000000..5da5bff
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..81198c3
+index 0000000..cb720ee
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,463 @@
+@@ -0,0 +1,465 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -74774,6 +74884,8 @@ index 0000000..81198c3
 +userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
 +userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
 +
++xserver_read_xkb_libs(sandbox_xserver_t)
++xserver_dontaudit_xkb_libs_access(sandbox_xserver_t)
 +xserver_entry_type(sandbox_xserver_t)
 +
 +optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a2c9477..116a81e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 53%{?dist}
+Release: 54%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -535,6 +535,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jun 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-54
+- Don't audit access checks by sandbox xserver on xdb var_lib
+- Allow ntop to read usbmon devices
+- Add labeling for new polcykit authorizor
+- Dontaudit access checks from fail2ban_client
+- Don't audit access checks by sandbox xserver on xdb var_lib
+- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
+- Fix labeling for all /usr/bim/razor-lightdm-* binaries
+- Add filename trans for /dev/md126p1
+
 * Tue Jun 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-53
 - Make vdagent able to request loading kernel module
 - Add support for cloud-init make it as unconfined domain

