From c676ba31c152aa2b07356547fc074dbf1290e639 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 29 2010 17:33:15 +0000 Subject: - Fixups for xguest policy - Fixes for running sandbox firefox Resolves: #587263 --- diff --git a/policy-F13.patch b/policy-F13.patch index f1a0bd1..c6a2cbc 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -50,8 +50,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls --- nsaserefpolicy/policy/mls 2010-03-08 14:49:44.000000000 -0500 -+++ serefpolicy-3.7.19/policy/mls 2010-04-14 10:48:18.000000000 -0400 -@@ -214,6 +214,7 @@ ++++ serefpolicy-3.7.19/policy/mls 2010-04-29 13:30:49.000000000 -0400 +@@ -208,12 +208,14 @@ + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ++ ( t2 == mlstrustedobject ) or + ( t1 == mlsnetwrite )); + + mlsconstrain unix_dgram_socket sendto (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or @@ -5421,7 +5428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-03-29 15:04:22.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-27 10:22:12.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-29 10:59:16.000000000 -0400 @@ -186,6 +186,25 @@ ######################################## 
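Review bot: The new `( t2 == mlstrustedobject ) or` disjunct in the policy/mls hunk exempts every object typed mlstrustedobject from this MLS write constraint, and because the constraint's `mlsconstrain` head is above the hunk the affected class and permission are not visible here; the position just before `mlsconstrain unix_dgram_socket sendto` suggests the stream-socket counterpart, but that should be confirmed. Nothing in the commit message says why the level check is bypassed for trusted objects; presumably the sockets the sandbox X server or pulseaudio share with clients carry a different range. A comment above the constraint such as `# mlstrustedobject sockets are shared across levels (sandbox); exempt them from the level check` would record the rationale, and the set of types that carry mlstrustedobject is worth reviewing since each of them now becomes a cross-level write path.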
@@ -5726,8 +5733,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-04-27 09:54:37.000000000 -0400 -@@ -0,0 +1,287 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-04-29 12:27:51.000000000 -0400 +@@ -0,0 +1,292 @@ + +## policy for sandbox + @@ -5758,7 +5765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + allow $1 sandbox_domain:process transition; + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + role $2 types sandbox_domain; -+ allow sandbox_domain $1:process sigchld; ++ allow sandbox_domain $1:process { sigchld signull }; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + + allow $1 sandbox_x_domain:process { signal_perms transition }; @@ -5772,7 +5779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; + allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; + -+ allow sandbox_x_domain $1:process { sigchld signal }; ++ allow sandbox_x_domain $1:process { sigchld signal signull }; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file { read write }; 
@@ -5787,6 +5794,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); + relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## @@ -5876,6 +5886,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) + fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) ++ # Pulseaudio tmpfs files with different MCS labels ++ dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; + + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) @@ -6017,8 +6029,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,368 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-04-29 12:22:20.000000000 -0400 +@@ -0,0 +1,382 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
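Review bot: The `dontaudit $1_client_t $1_client_tmpfs_t:file { read write };` added in the second hunk sits directly under `manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)`, which already allows those permissions, so a reader may take the dontaudit for a contradiction. The comment above it should say what is being silenced, e.g. `# TE access is granted above; silence the MCS-constraint denials seen when pulseaudio's tmpfs files carry a different category set`. The template containing these lines starts and ends outside the hunk.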
@@ -6181,7 +6193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) -+dev_list_sysfs(sandbox_x_domain) ++dev_read_sysfs(sandbox_x_domain) + +files_entrypoint_all_files(sandbox_x_domain) +files_read_etc_files(sandbox_x_domain) @@ -6273,6 +6285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_web_client_t self:capability { setuid setgid }; +allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay; +allow sandbox_web_client_t self:process setsched; ++dontaudit sandbox_web_client_t self:process setrlimit; + +allow sandbox_web_client_t self:tcp_socket create_socket_perms; +allow sandbox_web_client_t self:udp_socket create_socket_perms; @@ -6331,12 +6344,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +userdom_rw_user_tmpfs_files(sandbox_web_client_t) + +optional_policy(` ++ hal_dbus_chat(sandbox_web_client_t) ++') ++ ++optional_policy(` + nsplugin_read_rw_files(sandbox_web_client_t) + nsplugin_rw_exec(sandbox_web_client_t) +') + +optional_policy(` -+ hal_dbus_chat(sandbox_web_client_t) ++ pulseaudio_stream_connect(sandbox_web_client_t) ++ allow sandbox_web_client_t self:netlink_kobject_uevent_socket create_socket_perms; ++') ++ ++optional_policy(` ++ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_client_t) ++') ++ ++optional_policy(` ++ networkmanager_dontaudit_dbus_chat(sandbox_web_client_t) +') + +######################################## 
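Review bot: Replacing `dev_list_sysfs(sandbox_x_domain)` with `dev_read_sysfs(sandbox_x_domain)` lets every sandbox X domain read the contents of sysfs rather than only list its directories, which exposes hardware and kernel configuration details to all sandboxed applications, not just the firefox case the commit names. If only `sandbox_web_client_t` needs it, scoping the call to that domain keeps the other sandbox_x domains at the previous level; if all of them do, a comment naming the consumer would justify the attribute-wide grant. Whether this came from a specific denial is not visible here.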
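Review bot: `allow sandbox_web_client_t self:netlink_kobject_uevent_socket create_socket_perms;` is placed inside the optional_policy block that also calls `pulseaudio_stream_connect`, so a self rule that does not itself depend on the pulseaudio module is present or absent with that module. If the uevent socket is needed by the pulseaudio client code (presumably to watch for device events) a comment saying so would make the coupling deliberate, e.g. `# pulseaudio client code watches for device hotplug over a uevent netlink socket`; otherwise the rule belongs with the other `self:` rules earlier in the file.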
@@ -7143,7 +7169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 14:43:42.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-21 12:35:46.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-29 12:54:00.000000000 -0400 @@ -25,6 +25,7 @@ # type tun_tap_device_t; @@ -7265,7 +7291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) network_port(syslogd, udp,514,s0) -@@ -201,7 +220,7 @@ +@@ -201,13 +220,13 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -7274,6 +7300,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) + network_port(xen, tcp,8002,s0) + network_port(xfs, tcp,7100,s0) +-network_port(xserver, tcp,6000-6020,s0) ++network_port(xserver, tcp,6000-6150,s0) + network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) + network_port(zope, tcp,8021,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-04-14 10:48:18.000000000 -0400 
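Review bot: Widening `network_port(xserver, tcp,6000-6150,s0)` from 6000-6020 relabels 130 more TCP ports as xserver_port_t, so any domain that reached ports in 6021-6150 through the generic or unreserved port types loses that access, and any existing portcon inside that range would now overlap and should be checked. The motivation is not stated; presumably the nested X servers started for sandboxes need display numbers above :20. A comment on the line, `# sandbox X servers use display numbers well above :20`, would record that.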
@@ -9083,8 +9116,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-27 09:14:39.000000000 -0400 -@@ -1959,7 +1959,7 @@ ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-29 10:22:42.000000000 -0400 +@@ -534,6 +534,37 @@ + + ######################################## + ## ++## Dontaudit caller request the kernel to load a module ++## ++## ++##

++## Allow the specified domain to request that the kernel ++## load a kernel module. An example of this is the ++## auto-loading of network drivers when doing an ++## ioctl() on a network interface. ++##

++##

++## In the specific case of a module loading request ++## on a network interface, the domain will also ++## need the net_admin capability. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dontaudit_request_load_module',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:system module_request; ++') ++ ++######################################## ++## + ## Get information on all System V IPC objects. + ## + ## +@@ -1959,7 +1990,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -9093,7 +9164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -2046,6 +2046,24 @@ +@@ -2046,6 +2077,24 @@ allow $1 unlabeled_t:filesystem mount; ') @@ -9118,7 +9189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## ## -@@ -2195,6 +2213,24 @@ +@@ -2195,6 +2244,24 @@ ######################################## ## @@ -9143,7 +9214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Do not audit attempts by caller to get the ## attributes of an unlabeled file. ## -@@ -2792,6 +2828,24 @@ +@@ -2792,6 +2859,24 @@ ######################################## ## @@ -9168,7 +9239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2807,3 +2861,23 @@ +@@ -2807,3 +2892,23 @@ typeattribute $1 kern_unconfined; ') 
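Review bot: The description paragraphs of the new `kernel_dontaudit_request_load_module` interface are copied from the allow interface — `Allow the specified domain to request that the kernel load a kernel module` and the note about needing net_admin — although the body is only `dontaudit $1 kernel_t:system module_request;`. Replace them with a description of what is silenced, e.g. `Do not audit attempts by the specified domain to request that the kernel load a module (for example the driver auto-load triggered by an ioctl() on a network interface).`, and change the parameter summary to the dontaudit convention `Domain to not audit.` The remaining kernel.if hunks on this line only renumber existing inner hunks.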
@@ -10718,8 +10789,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-04-21 11:40:24.000000000 -0400 -@@ -0,0 +1,433 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-04-29 07:45:09.000000000 -0400 +@@ -0,0 +1,434 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10756,7 +10827,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -+userdom_execmod_user_home_files(unconfined_t) +userdom_unpriv_usertype(unconfined, unconfined_t) + +type unconfined_exec_t; @@ -10828,6 +10898,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + allow unconfined_t self:process execstack; +') + ++tunable_policy(`allow_execmod',` ++ userdom_execmod_user_home_files(unconfined_usertype) ++') ++ +tunable_policy(`unconfined_login',` + corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) + allow unconfined_t unconfined_login_domain:fd use; @@ -10848,8 +10922,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + ') + -+ userdom_execmod_user_home_files(unconfined_usertype) -+ + optional_policy(` + abrt_dbus_chat(unconfined_usertype) + abrt_run_helper(unconfined_usertype, unconfined_r) 
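Review bot: Moving `userdom_execmod_user_home_files(unconfined_usertype)` into a new allow_execmod tunable block means unconfined users lose execmod on home files whenever that boolean is off, a behaviour change the changelog entries in this commit do not mention. A one-line comment above the block, `# execmod on user home files follows the allow_execmod boolean`, would make the gating intentional for the next reader. The removed unconditional `userdom_execmod_user_home_files(unconfined_t)` is covered only if unconfined_t carries the unconfined_usertype attribute, which the `userdom_unpriv_usertype(unconfined, unconfined_t)` call visible in the first hunk presumably arranges — worth confirming.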
@@ -11211,7 +11283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-03-10 15:28:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-04-29 10:23:43.000000000 -0400 @@ -15,7 +15,7 @@ ## @@ -11235,7 +11307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) -@@ -49,6 +49,14 @@ +@@ -49,12 +49,21 @@ storage_raw_read_removable_device(xguest_t) ') ') @@ -11243,6 +11315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. +mount_dontaudit_exec_fusermount(xguest_t) + +allow xguest_t self:process execmem; ++kernel_dontaudit_request_load_module(xguest_t) + +tunable_policy(`allow_execstack',` + allow xguest_t self:process execstack; @@ -11250,7 +11323,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. # Allow mounting of file systems optional_policy(` -@@ -63,10 +71,9 @@ + tunable_policy(`xguest_mount_media',` + kernel_read_fs_sysctls(xguest_t) +- ++ kernel_request_load_module(xguest_t) + files_dontaudit_getattr_boot_dirs(xguest_t) + files_search_mnt(xguest_t) + +@@ -63,10 +72,9 @@ fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) 
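Review bot: `kernel_request_load_module(xguest_t)`, added inside the xguest_mount_media tunable block, lets the guest-login domain ask the kernel to auto-load modules, which enlarges the kernel surface reachable from the least-trusted user role; the optional_policy opener of that block is above the hunk. If the need is filesystem-type auto-loading when removable media is mounted, a comment stating that, `# mounting removable media makes the kernel auto-load the filesystem module`, ties the grant to the tunable's purpose. The unconditional `kernel_dontaudit_request_load_module(xguest_t)` in the previous hunk then covers the boolean-off case, which is the usual pairing.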
@@ -11262,20 +11342,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ') ') -@@ -81,19 +88,66 @@ +@@ -81,19 +89,66 @@ ') optional_policy(` - java_role(xguest_r, xguest_t) + apache_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ java_role_template(xguest, xguest_r, xguest_t) ') optional_policy(` - mozilla_role(xguest_r, xguest_t) -+ java_role_template(xguest, xguest_r, xguest_t) -+') -+ -+optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) +') + @@ -11320,19 +11400,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) -+ ') -+') -+ + ') + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) +optional_policy(` + gen_require(` + type mozilla_t; - ') ++ ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; - ') - --#gen_user(xguest_u,, xguest_r, s0, s0) ++') ++ +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 
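Review bot: The new mozilla block pulls `type mozilla_t;` in through a raw gen_require and writes `allow xguest_t mozilla_t:process transition;` and `role xguest_r types mozilla_t;` directly in xguest.te, whereas the removed `mozilla_role(xguest_r, xguest_t)` went through the mozilla module's interface. Referencing another module's type from a .te file bypasses the interface layer refpolicy uses to keep modules decoupled; if mozilla_role grants more than xguest should have, a narrower interface in mozilla.if that only permits the transition and role association would keep the dependency explicit. A comment saying where the matching domain transition is set up would also help, since only the raw `process transition` permission is visible here.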
@@ -19844,8 +19924,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.19/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-04-14 10:48:18.000000000 -0400 -@@ -118,6 +118,24 @@ ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-04-29 12:21:46.000000000 -0400 +@@ -100,6 +100,27 @@ + + ######################################## + ## ++## Send and receive messages from ++## NetworkManager over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_dontaudit_dbus_chat',` ++ gen_require(` ++ type NetworkManager_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 NetworkManager_t:dbus send_msg; ++ dontaudit NetworkManager_t $1:dbus send_msg; ++') ++ ++######################################## ++## + ## Send a generic signal to NetworkManager + ## + ## +@@ -118,6 +139,24 @@ ######################################## ## @@ -19870,7 +19978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ## Read NetworkManager PID files. ## ## -@@ -134,3 +152,71 @@ +@@ -134,3 +173,71 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') 
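Review bot: The summary of the new `networkmanager_dontaudit_dbus_chat` interface reads `Send and receive messages from NetworkManager over dbus.`, which describes the allow interface it was copied from, while the body holds only two dontaudit rules. It should read `Do not audit send and receive messages from NetworkManager over dbus.`, matching the wording this same commit uses for rtkit_daemon_dontaudit_dbus_chat, and the parameter summary should be `Domain to not audit.` rather than `Domain allowed access.` The following networkmanager.if hunks on this line only renumber.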
@@ -24378,6 +24486,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +') + auth_can_read_shadow_passwords(rsync_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.19/policy/modules/services/rtkit.if +--- nsaserefpolicy/policy/modules/services/rtkit.if 2010-03-23 10:55:15.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/rtkit.if 2010-04-29 12:22:59.000000000 -0400 +@@ -41,6 +41,27 @@ + + ######################################## + ## ++## Do not audit send and receive messages from ++## rtkit_daemon over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rtkit_daemon_dontaudit_dbus_chat',` ++ gen_require(` ++ type rtkit_daemon_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 rtkit_daemon_t:dbus send_msg; ++ dontaudit rtkit_daemon_t $1:dbus send_msg; ++') ++ ++######################################## ++## + ## Allow rtkit to control scheduling for your process + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-04-14 10:48:18.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 9217055..02c4c1b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -468,6 +468,11 @@ exit 0 %endif %changelog +* Thu Apr 29 2010 Dan Walsh 3.7.19-9 +- Fixups for xguest policy +- Fixes for running sandbox firefox +Resolves: #587263 + * Wed Apr 28 2010 Dan Walsh 3.7.19-8 - Allow ksmtuned to use terminals Resolves: #586663
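Review bot: In the new `rtkit_daemon_dontaudit_dbus_chat` interface the parameter summary says `Domain allowed access.` although the body only adds dontaudit rules; the refpolicy wording for dontaudit interfaces is `Domain to not audit.` The two dontaudit lines are symmetric, which matches what the corresponding chat interface would grant, so the rest of the interface reads correctly.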