[selinux-policy/f20] - Modify xdm_write_home to allow create files/links in /root with xdm_home_ - Allow virt domains to

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 7 09:47:28 UTC 2014


commit 8e0046a456ce73131f96afe9a7188e15451f93ce
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 7 10:47:11 2014 +0100

    - Modify xdm_write_home to allow creating files/links in /root with xdm_home_t
    - Allow virt domains to read network state

 policy-f20-base.patch    |   49 +++++++++++++++++++++++----------------------
 policy-f20-contrib.patch |   25 ++++++++++++-----------
 selinux-policy.spec      |    4 +++
 3 files changed, 42 insertions(+), 36 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index d9ee08e..5a37828 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -26223,7 +26223,7 @@ index 6bf0ecc..0d55916 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..a2c6981 100644
+index 2696452..e71983d 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -26860,7 +26860,7 @@ index 2696452..a2c6981 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +688,145 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -26873,6 +26873,7 @@ index 2696452..a2c6981 100644
 +#userdom_home_manager(xdm_t)
 +tunable_policy(`xdm_write_home',`
 +    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
++    userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
 +',`
 +    userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
 +')
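Review bot: The new `userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })` line widens what xdm_t may do in the admin home directory whenever `xdm_write_home` is on, and nothing in the hunk records why a display manager needs to create files under /root. If this interface is built on `filetrans_pattern`, as the user-home variant on the line above presumably is, it also grants xdm_t write permission on the admin_home_t directory itself, not just the type transition — worth confirming and stating. The `<desc>` text of the `xdm_write_home` tunable, which is outside this hunk, should say the boolean now covers /root as well as user home directories so an administrator toggling it knows its scope. A one-line comment on the new rule would help the next reader, e.g. `# with xdm_write_home on, files/symlinks xdm_t creates in /root get xdm_home_t`. The tunable_policy block is fully inside the hunk, but the xdm_t section it belongs to continues outside it.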
@@ -27011,7 +27012,7 @@ index 2696452..a2c6981 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +840,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -27038,7 +27039,7 @@ index 2696452..a2c6981 100644
  ')
  
  optional_policy(`
-@@ -514,12 +866,57 @@ optional_policy(`
+@@ -514,12 +867,57 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27096,7 +27097,7 @@ index 2696452..a2c6981 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +934,78 @@ optional_policy(`
+@@ -537,28 +935,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27184,7 +27185,7 @@ index 2696452..a2c6981 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1017,14 @@ optional_policy(`
+@@ -570,6 +1018,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27199,7 +27200,7 @@ index 2696452..a2c6981 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -584,7 +1039,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -584,7 +1040,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -27208,7 +27209,7 @@ index 2696452..a2c6981 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -27221,7 +27222,7 @@ index 2696452..a2c6981 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -27237,7 +27238,7 @@ index 2696452..a2c6981 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -27248,7 +27249,7 @@ index 2696452..a2c6981 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -27270,7 +27271,7 @@ index 2696452..a2c6981 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -27284,7 +27285,7 @@ index 2696452..a2c6981 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -27316,7 +27317,7 @@ index 2696452..a2c6981 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -27334,7 +27335,7 @@ index 2696452..a2c6981 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1198,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1199,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -27358,7 +27359,7 @@ index 2696452..a2c6981 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -27367,7 +27368,7 @@ index 2696452..a2c6981 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1261,44 @@ optional_policy(`
+@@ -775,16 +1262,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27413,7 +27414,7 @@ index 2696452..a2c6981 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1307,10 @@ optional_policy(`
+@@ -793,6 +1308,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27424,7 +27425,7 @@ index 2696452..a2c6981 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -27438,7 +27439,7 @@ index 2696452..a2c6981 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -27447,7 +27448,7 @@ index 2696452..a2c6981 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1350,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1351,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27482,7 +27483,7 @@ index 2696452..a2c6981 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27491,7 +27492,7 @@ index 2696452..a2c6981 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -27523,7 +27524,7 @@ index 2696452..a2c6981 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 348ca46..2d08b5b 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -99937,7 +99937,7 @@ index 9dec06c..fddb027 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..f48af33 100644
+index 1f22fba..2dba7ec 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,147 +1,194 @@
@@ -100858,7 +100858,7 @@ index 1f22fba..f48af33 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +619,276 @@ optional_policy(`
+@@ -737,44 +619,277 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -100902,6 +100902,7 @@ index 1f22fba..f48af33 100644
 -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +kernel_read_net_sysctls(virt_domain)
++kernel_read_network_state(virt_domain)
  
 -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
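Review bot: `kernel_read_network_state(virt_domain)` is applied to the whole virt_domain attribute, so every domain carrying it gains read access to the kernel's network state (typically the /proc/net files), and neither the hunk nor the commit message says which guest or helper actually needs it. virt_domain appears to be the attribute shared by the confined guest domains in this file, so this is broader exposure than the per-type rules nearby, such as `kernel_read_network_state(virsh_t)` seen in context a few hunks down; if a single domain drove the request, scoping the rule to that type would be tighter. At minimum a comment above the new line should record the motivation, e.g. `# guests need to read network state (reason: <TODO fill in bug or use case>)`. The block this line sits in starts and ends outside the hunk.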
@@ -101158,7 +101159,7 @@ index 1f22fba..f48af33 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +899,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +900,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -101185,7 +101186,7 @@ index 1f22fba..f48af33 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +919,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +920,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -101219,7 +101220,7 @@ index 1f22fba..f48af33 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +956,20 @@ optional_policy(`
+@@ -847,14 +957,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -101241,7 +101242,7 @@ index 1f22fba..f48af33 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +994,65 @@ optional_policy(`
+@@ -879,49 +995,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -101325,7 +101326,7 @@ index 1f22fba..f48af33 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1064,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1065,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -101345,7 +101346,7 @@ index 1f22fba..f48af33 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1085,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1086,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -101369,7 +101370,7 @@ index 1f22fba..f48af33 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1110,272 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1111,272 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -101780,7 +101781,7 @@ index 1f22fba..f48af33 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1388,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1389,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -101795,7 +101796,7 @@ index 1f22fba..f48af33 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1406,8 @@ optional_policy(`
+@@ -1183,9 +1407,8 @@ optional_policy(`
  
  ########################################
  #
@@ -101806,7 +101807,7 @@ index 1f22fba..f48af33 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1420,206 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1421,206 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 208f93c..24ce689 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -579,6 +579,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Mar 7 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-132
+- Modify xdm_write_home to allow create files/links in /root with xdm_home_
+- Allow virt domains to read network state
+
 * Thu Mar 6 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-131
 - Added pcp rules
 - dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6

