Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2013-12-19 12:36:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2013-08-12 15:52:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2013-12-19 12:37:22.000000000 +0100 @@ -1,0 +2,20 @@ +Mon Dec 9 13:57:18 UTC 2013 - [email protected] + +- enable build of mls and targeted policies +- fixes to the minimum policy: +- label /var/run/rsyslog correctly + * label_var_run_rsyslog.patch +- allow systemd-tmpfiles to create devices + * systemd-tmpfiles.patch +- add rules for sysconfig + * correctly label /dev/.sysconfig/network + * added sysconfig_network_scripts.patch +- run restorecon and fixfiles only if if selinux is enabled +- fix console login + * allow-local_login_t-read-shadow.patch +- allow rsyslog to write to xconsole + * xconsole.patch +- useradd needs to call selinux_check_access (via pam_rootok) + * useradd-netlink_selinux_socket.patch + +------------------------------------------------------------------- New: ---- allow-local_login_t-read-shadow.patch label_var_run_rsyslog.patch sysconfig_network_scripts.patch systemd-tmpfiles.patch useradd-netlink_selinux_socket.patch xconsole.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.5fqKUk/_old 2013-12-19 12:37:23.000000000 +0100 +++ /var/tmp/diff_new_pack.5fqKUk/_new 2013-12-19 12:37:23.000000000 +0100 
@@ -23,20 +23,20 @@ %define polyinstatiate n %define monolithic n %if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} -%define BUILD_DOC 0 +%define BUILD_DOC 1 %endif %if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} %define BUILD_TARGETED 1 %endif %if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} -%define BUILD_MINIMUM 0 +%define BUILD_MINIMUM 1 %endif %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %define BUILD_MLS 1 %endif %define POLICYVER 29 %define POLICYCOREUTILSVER 2.1.14 -%define CHECKPOLICYVER 2.1.12 +%define CHECKPOLICYVER 2.2 Summary: SELinux policy configuration License: GPL-2.0+ Group: System/Management @@ -50,6 +50,12 @@ Patch10: type_transition_file_class.patch Patch11: type_transition_contrib.patch Patch12: label_sysconfig.selinux-policy.patch +Patch13: sysconfig_network_scripts.patch +Patch14: allow-local_login_t-read-shadow.patch +Patch15: xconsole.patch +Patch16: useradd-netlink_selinux_socket.patch +Patch17: systemd-tmpfiles.patch +Patch18: label_var_run_rsyslog.patch Source1: modules-targeted-base.conf Source31: modules-targeted-contrib.conf @@ -111,12 +117,9 @@ %defattr(-,root,root,-) %doc COPYING %dir %{_usr}/share/selinux -#%dir %{_usr}/share/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config -%dir %{_localstatedir}/adm/fillup-templates %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} -#%ghost %{_sysconfdir}/sysconfig/selinux %{_usr}/lib/tmpfiles.d/selinux-policy.conf %package devel @@ -132,13 +135,10 @@ %files devel %defattr(-,root,root,-) -#%{_mandir}/man*/* %{_mandir}/ru/*/* %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include %{_usr}/share/selinux/devel/include/* -#%dir %{_usr}/share/selinux/devel/html -#%{_usr}/share/selinux/devel/html/*html %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/example.* 
@@ -148,15 +148,6 @@ Requires(pre): selinux-policy = %{version}-%{release} Requires: /usr/bin/xdg-open -%description doc -SELinux policy documentation package - -%files doc -%defattr(-,root,root,-) -%doc %{_usr}/share/doc/%{name}-%{version} -%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp -%{_usr}/share/selinux/devel/policy.* - %define makeCmds() \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ @@ -206,7 +197,8 @@ /usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \ /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ -rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern +rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \ +ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ %nil %define fileList() \ @@ -273,13 +265,14 @@ %define relabel() \ . %{_sysconfdir}/sysconfig/selinux-policy; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ -/usr/sbin/selinuxenabled; \ +if selinuxenabled; then \ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \ +fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ 
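Review bot: The kept `rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \` line uses `%{_sysconfigdir}`, which is not an RPM macro, while the `ln -sf` line added directly below it uses the real `%{_sysconfdir}`; rpm leaves an undefined macro unexpanded (newer versions warn), so the rm addresses a literal path and removes nothing. It only appears to work because `ln -sf` overwrites the target regardless, which hides the typo. Change it to `rm -f %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \` so both lines name the same file. A one-line comment saying why policy.kern becomes a symlink into /etc/selinux/%1/policy (to avoid shipping the kernel policy twice, presumably) would also help the next packager.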
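Review bot: Inside the new `if selinuxenabled; then` body the inner test `[ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]` is now vacuous: `$?` at that point is the status of the `if` condition, which is always 0 on that branch, so the check no longer tests anything. Reduce it to `if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \`. The call also changed from `/usr/sbin/selinuxenabled` to a bare `selinuxenabled`, so the scriptlet now depends on PATH at %post time; keep the absolute path unless a Requires(post) on policycoreutils already guarantees the binary (not visible here). The preInstall macro that follows continues past the end of the hunk.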
@@ -334,6 +327,15 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ fi; +%description doc +SELinux policy documentation package + +%files doc +%defattr(-,root,root,-) +%doc %{_usr}/share/doc/%{name}-%{version} +%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp +%{_usr}/share/selinux/devel/policy.* + %description SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 @@ -350,6 +352,12 @@ %patch -p1 %patch10 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p0 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib @@ -362,9 +370,6 @@ # Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux -#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig -#touch %{buildroot}%{_sysconfdir}/selinux/config -#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ @@ -426,8 +431,6 @@ %clean -#TODO: add minimum to the policies list in /etc/selinux/config once the package is built -# minimum - Modification of targeted policy. Only selected processes are protected. %post %{fillup_only} if [ ! -s /etc/selinux/config ]; then ++++++ allow-local_login_t-read-shadow.patch ++++++ Index: serefpolicy-3.12.1/policy/modules/system/locallogin.te =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/locallogin.te 2013-10-23 11:44:16.815098321 +0200 +++ serefpolicy-3.12.1/policy/modules/system/locallogin.te 2013-10-23 11:44:16.848098676 +0200 
@@ -126,6 +126,7 @@ term_setattr_unallocated_ttys(local_logi term_relabel_all_ptys(local_login_t) term_setattr_generic_ptys(local_login_t) +auth_read_shadow(local_login_t) auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) auth_manage_pam_console_data(local_login_t) ++++++ label_sysconfig.selinux-policy.patch ++++++ --- /var/tmp/diff_new_pack.5fqKUk/_old 2013-12-19 12:37:23.000000000 +0100 +++ /var/tmp/diff_new_pack.5fqKUk/_new 2013-12-19 12:37:23.000000000 +0100 @@ -1,7 +1,7 @@ Index: serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc =================================================================== ---- serefpolicy-3.12.1.orig/policy/modules/system/selinuxutil.fc 2013-03-29 13:54:24.693412923 +0100 -+++ serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc 2013-03-29 14:02:18.187588333 +0100 +--- serefpolicy-3.12.1.orig/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.817098343 +0200 ++++ serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.836098547 +0200 @@ -4,6 +4,7 @@ # /etc # ++++++ label_var_run_rsyslog.patch ++++++ Index: serefpolicy-3.12.1/policy/modules/system/logging.fc =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/logging.fc 2013-11-12 10:31:33.161234336 +0100 +++ serefpolicy-3.12.1/policy/modules/system/logging.fc 2013-11-13 15:31:41.233552569 +0100 
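Review bot: `auth_read_shadow(local_login_t)` gives the login domain direct read access to the shadow database, which the reference policy otherwise keeps behind the unix_chkpwd helper domain so that a compromised login process cannot harvest password hashes; the hunk does not record which denial prompted it. If the need comes from a PAM module that verifies passwords in-process rather than via the helper (openSUSE's pam_unix2, presumably — verify), say so above the rule, e.g. `# pam_unix2 verifies passwords in-process instead of via unix_chkpwd, so login itself must read shadow`, and consider whether the helper path can be used instead so the grant can go away. The rest of the local_login_t policy lies outside the hunk.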
@@ -83,6 +83,7 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) Index: serefpolicy-3.12.1/policy/modules/system/init.te =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/init.te 2013-11-12 10:31:33.161234336 +0100 +++ serefpolicy-3.12.1/policy/modules/system/init.te 2013-11-18 12:50:40.828965515 +0100 @@ -1577,3 +1577,8 @@ ifdef(`direct_sysadm_daemon',` allow daemon direct_run_init:process sigchld; allow direct_run_init direct_init_entry:file { getattr open read execute }; ') + + +# relabel /var/run/rsyslog +filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog") + ++++++ policy-rawhide-base.patch ++++++ ++++ 18297 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/selinux-policy/policy-rawhide-base.patch ++++ and /work/SRC/openSUSE:Factory/.selinux-policy.new/policy-rawhide-base.patch ++++++ policy-rawhide-contrib.patch ++++++ ++++ 34647 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/selinux-policy/policy-rawhide-contrib.patch ++++ and /work/SRC/openSUSE:Factory/.selinux-policy.new/policy-rawhide-contrib.patch ++++++ selinux-policy.sysconfig ++++++ --- /var/tmp/diff_new_pack.5fqKUk/_old 2013-12-19 12:37:23.000000000 +0100 +++ /var/tmp/diff_new_pack.5fqKUk/_new 2013-12-19 12:37:23.000000000 +0100 
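Review bot: The comment `# relabel /var/run/rsyslog` above `filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog")` misdescribes the rule: filetrans_pattern is a create-time type transition, so it labels a directory named rsyslog only when init_t creates it under var_run_t and relabels nothing that already exists (that is what the new logging.fc entry plus restorecon are for). Reword it to something like `# systemd (init_t) creates /run/rsyslog on the daemon's behalf; label it at creation time`, hedged as appropriate, since the hunk does not show which process creates the directory. The rule also references `syslogd_var_run_t` directly from init.te instead of through an interface in logging.if with a gen_require, which is how refpolicy keeps the init and logging modules independent; a `logging_*` filetrans interface taking the directory name would be the conventional shape. The rule is appended after the direct_sysadm_daemon block at the end of the file.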
@@ -7,4 +7,5 @@ # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. -SELINUXTYPE=targeted +# minimum - Modification of targeted policy. Only selected processes are protected. +SELINUXTYPE=minimum ++++++ sysconfig_network_scripts.patch ++++++ Index: serefpolicy-3.12.1/policy/modules/system/sysnetwork.fc =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/sysnetwork.fc 2013-11-12 10:31:33.113233800 +0100 +++ serefpolicy-3.12.1/policy/modules/system/sysnetwork.fc 2013-11-20 15:33:05.611791575 +0100 @@ -11,6 +11,15 @@ ifdef(`distro_debian',` /dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') +# SUSE +# sysconfig network files are stored in /dev/.sysconfig +/dev/.sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +# label netconfig files in /var/adm and /var/lib and /var/run +/var/adm/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0) + + # # /etc # @@ -36,6 +45,10 @@ ifdef(`distro_redhat',` /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') +/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0) + # # /sbin # Index: serefpolicy-3.12.1/policy/modules/system/sysnetwork.te =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/sysnetwork.te 2013-11-12 10:31:33.113233800 +0100 +++ serefpolicy-3.12.1/policy/modules/system/sysnetwork.te 2013-11-12 10:31:33.132234012 +0100 
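Review bot: The header `# SELINUXTYPE= can take one of these two values:` is now followed by three values, so the comment contradicts the list it introduces; change it to `# SELINUXTYPE= can take one of these three values:`. Switching the shipped default from targeted to minimum changes what a fresh install confines — only the processes selected in the minimum module set — which the new comment states but nothing warns about the consequence of later changing the value; a line such as `# Changing SELINUXTYPE on an installed system requires a full filesystem relabel` would spare an admin a boot into a mislabelled system (assuming %post does not relabel automatically, which is not visible here). Existing installations keep their current value through fillup, so only new installs are affected by the new default.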
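Review bot: In the second sysnetwork.fc hunk, `/etc/sysconfig/network/scripts/.*` labels the scripts' contents bin_t, but the scripts directory itself matches `/etc/sysconfig/network(/.*)?` and so gets net_conf_t, a type that dhcpc_t manages via `sysnet_manage_config` (visible in the sysnetwork.te context of this same patch). A domain that can write into that directory can drop a file which the next restorecon turns into bin_t, i.e. executable content for every domain with corecmd_exec_bin, and the DHCP client is network-facing, so this is a wider path than the labelling intends. Label the directory together with its contents, `/etc/sysconfig/network/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)`, and for symmetry `/etc/sysconfig/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)`, so that only domains allowed to manage bin_t can write there. The `/var/lib/ntp/var(/.*)?` net_conf_t entry in the first hunk also deserves a comment naming which netconfig output lives under it.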
@@ -56,7 +56,8 @@ files_config_file(net_conf_t) # # DHCP client local policy # -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +# need sys_admin to set hostname/domainname +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin }; dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; @@ -91,6 +92,12 @@ allow dhcpc_t net_conf_t:file relabel_fi sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) +# allow relabel of /dev/.sysconfig +dev_associate(net_conf_t) + +# allow mv /etc/resolv.conf.netconfig +allow dhcpc_t etc_runtime_t:file unlink; + # create temp files manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) Index: serefpolicy-3.12.1/policy/modules/kernel/devices.fc =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.fc 2013-11-12 10:31:33.096233609 +0100 +++ serefpolicy-3.12.1/policy/modules/kernel/devices.fc 2013-11-12 10:31:33.132234012 +0100 
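Review bot: Adding `sys_admin` to dhcpc_t's self capabilities is a far larger grant than the comment `# need sys_admin to set hostname/domainname` conveys: CAP_SYS_ADMIN is the catch-all capability (mounts, namespaces, a long list of privileged ioctls), and dhcpc_t is the domain that parses untrusted packets off the wire. If only sethostname()/setdomainname() are needed, the cleaner fix is to have the hostname written by the hook script dhcpcd/netconfig already runs, in its own domain, so the client itself stays without the capability. If the rule must stay, make the trade-off explicit, e.g. `# sethostname()/setdomainname() require CAP_SYS_ADMIN and no narrower capability exists; accepted for the network-facing client`. The remainder of the dhcpc_t local policy continues outside the hunk.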
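Review bot: `allow dhcpc_t etc_runtime_t:file unlink;` grants much more than the comment `# allow mv /etc/resolv.conf.netconfig` describes: etc_runtime_t covers every runtime-generated file under /etc, so dhcpc_t may now delete any of them, not just resolv.conf.netconfig. The hunk's own context shows dhcpc_t already has `sysnet_manage_config` and `files_etc_filetrans(dhcpc_t, net_conf_t, file)`, so a resolv.conf.netconfig created by dhcpc_t would be net_conf_t; if another domain creates it as etc_runtime_t, fix that domain's transition or add a file context for the name (refpolicy's `/etc/resolv\.conf.*` pattern may already cover it in this tree — verify) rather than widening unlink. If the raw rule must stay, document which process creates the file and why it ends up etc_runtime_t.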
@@ -2,6 +2,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) /dev/.* gen_context(system_u:object_r:device_t,s0) +/dev/.sysconfig(/.*)? -d gen_context(system_u:object_r:net_conf_t,s0) /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++++++ systemd-tmpfiles.patch ++++++ Index: serefpolicy-3.12.1/policy/modules/kernel/devices.if =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.if 2013-11-21 11:53:52.857807940 +0100 +++ serefpolicy-3.12.1/policy/modules/kernel/devices.if 2013-11-21 11:53:52.923808669 +0100 @@ -6506,3 +6506,25 @@ interface(`dev_filetrans_xserver_named_d filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") ') + + +######################################## +## <summary> +## Allow full relabeling (to and from) of all device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dev_create_all_dev_nodes',` + gen_require(` + attribute device_node; + type device_t; + ') + + allow $1 device_node {create}; +') + Index: serefpolicy-3.12.1/policy/modules/kernel/devices.te =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.te 2013-11-21 11:53:52.857807940 +0100 +++ serefpolicy-3.12.1/policy/modules/kernel/devices.te 2013-11-21 11:53:52.923808669 +0100 
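Review bot: The new `dev_create_all_dev_nodes` interface cannot be used as written: `allow $1 device_node {create};` names no object class, so the first caller would hit a checkpolicy syntax error, and nothing in this commit calls it (systemd.te uses `dev_manage_all_dev_nodes`), which is why the build still passes — m4 never expands an unused interface. Its summary `Allow full relabeling (to and from) of all device nodes.` is copied from dev_relabel_all_dev_nodes and describes a different permission, and the `type device_t;` in gen_require is unused. Either drop the interface or finish it: summary `## Allow creating device nodes of any device type.`, body `allow $1 device_node:{ blk_file chr_file } create;`, and remove the unused require; keep the `<rolecap/>` tag only if roles are really meant to receive this.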
@@ -334,3 +334,4 @@ files_associate_tmp(device_node) allow devices_unconfined_type self:capability sys_rawio; allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; + Index: serefpolicy-3.12.1/policy/modules/system/systemd.te =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/systemd.te 2013-11-21 11:53:52.874808128 +0100 +++ serefpolicy-3.12.1/policy/modules/system/systemd.te 2013-11-21 11:55:29.271873271 +0100 @@ -274,6 +274,11 @@ dev_read_cpu_online(systemd_tmpfiles_t) dev_manage_all_dev_nodes(systemd_tmpfiles_t) dev_relabel_all_dev_nodes(systemd_tmpfiles_t) +# allow tmpfiles to create files/dirs in /dev +systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t) +dev_getattr_autofs_dev(systemd_tmpfiles_t); +dev_getattr_lvm_control(systemd_tmpfiles_t); +dev_create_generic_dirs(systemd_tmpfiles_t); domain_obj_id_change_exemption(systemd_tmpfiles_t) # systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev @@ -606,7 +611,7 @@ optional_policy(` # # systemd_sysctl domains local policy # -allow systemd_sysctl_t self:capability net_admin; +allow systemd_sysctl_t self:capability { net_admin sys_admin }; allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; kernel_dgram_send(systemd_sysctl_t) Index: serefpolicy-3.12.1/policy/modules/system/systemd.if =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/systemd.if 2013-11-21 11:53:52.874808128 +0100 +++ serefpolicy-3.12.1/policy/modules/system/systemd.if 2013-11-21 11:53:52.923808669 +0100 
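Review bot: The three new calls `dev_getattr_autofs_dev(systemd_tmpfiles_t);`, `dev_getattr_lvm_control(systemd_tmpfiles_t);` and `dev_create_generic_dirs(systemd_tmpfiles_t);` end in semicolons, unlike every other interface call in the hunk; checkpolicy tolerates an empty `;` statement so it builds, but refpolicy style omits them and the mix reads like lines pasted from audit2allow. Drop the three semicolons. The comment `# allow tmpfiles to create files/dirs in /dev` covers `dev_create_generic_dirs` but not the two getattr grants, which presumably come from tmpfiles stat()ing /dev/autofs and /dev/mapper/control while applying tmpfiles.d entries — say so, since a getattr on the LVM control node is otherwise surprising in a tmpfiles domain.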
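Review bot: `allow systemd_sysctl_t self:capability { net_admin sys_admin };` adds CAP_SYS_ADMIN with no comment, while the dhcpc_t change elsewhere in this commit at least states a reason. A few sysctls check CAP_SYS_ADMIN on write (those using the sysadmin-checked handlers), which is presumably the trigger, but the hunk does not show the denial; record which sysctl needs it, e.g. `# writing <sysctl name> checks CAP_SYS_ADMIN; net.* only need net_admin`. If the only sysctls written turn out to be under net.*, the grant is unnecessary and should be reverted.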
@@ -1398,3 +1398,22 @@ interface(`systemd_dontaudit_dbus_chat', dontaudit $1 systemd_domain:dbus send_msg; ') + +######################################## +## <summary> +## Allow systemd-tmpfiles to create xconsole_device_t +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`systemd_tmpfiles_xconsole_create',` + gen_require(` + type device_t, xconsole_device_t; + ') + + create_fifo_files_pattern($1, device_t, xconsole_device_t); +') + ++++++ type_transition_file_class.patch ++++++ --- /var/tmp/diff_new_pack.5fqKUk/_old 2013-12-19 12:37:23.000000000 +0100 +++ /var/tmp/diff_new_pack.5fqKUk/_new 2013-12-19 12:37:23.000000000 +0100 
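Review bot: `systemd_tmpfiles_xconsole_create` grants `create_fifo_files_pattern($1, device_t, xconsole_device_t)` but no named type transition, so a FIFO that tmpfiles creates under device_t inherits the directory's default label, device_t, rather than xconsole_device_t, and the create permission on xconsole_device_t is never exercised; unless something relabels it afterwards (dev_relabel_all_dev_nodes covers device_node types, and xconsole_device_t is declared as a files_type, as I read the refpolicy interfaces), syslogd is denied on /dev/xconsole until the next restorecon. Add `filetrans_pattern($1, device_t, xconsole_device_t, fifo_file, "xconsole")` next to the create rule. The parameter summary `Domain to not audit.` is copied from a dontaudit interface and should read `Domain allowed access.`, the trailing semicolon is not refpolicy style, and since the type now lives in logging.te the interface belongs in logging.if under a logging_ prefix rather than here.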
@@ -1,22 +1,24 @@ Index: serefpolicy-3.12.1/policy/modules/system/miscfiles.if =================================================================== ---- serefpolicy-3.12.1.orig/policy/modules/system/miscfiles.if 2013-02-18 17:05:53.027143604 +0100 -+++ serefpolicy-3.12.1/policy/modules/system/miscfiles.if 2013-02-27 15:23:39.743957136 +0100 -@@ -836,7 +836,7 @@ interface(`miscfiles_etc_filetrans_local +--- serefpolicy-3.12.1.orig/policy/modules/system/miscfiles.if 2013-11-21 11:53:52.871808095 +0100 ++++ serefpolicy-3.12.1/policy/modules/system/miscfiles.if 2013-12-11 16:25:41.304059941 +0100 +@@ -875,7 +875,8 @@ interface(`miscfiles_etc_filetrans_local ') files_etc_filetrans($1, locale_t, lnk_file) - files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" ) + files_etc_filetrans($1, locale_t, file, "localtime" ) ++ files_etc_filetrans($1, locale_t, lnk_file, "localtime" ) files_etc_filetrans($1, locale_t, file, "locale.conf" ) files_etc_filetrans($1, locale_t, file, "timezone" ) files_etc_filetrans($1, locale_t, file, "vconsole.conf" ) -@@ -878,7 +878,7 @@ interface(`miscfiles_filetrans_locale_na +@@ -917,7 +918,8 @@ interface(`miscfiles_filetrans_locale_na type locale_t; ') - files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime") + files_etc_filetrans($1, locale_t, file, "localtime") ++ files_etc_filetrans($1, locale_t, lnk_file, "localtime") files_etc_filetrans($1, locale_t, file, "locale.conf") + files_etc_filetrans($1, locale_t, file, "vconsole.conf") files_etc_filetrans($1, locale_t, file, "locale.conf.new") - files_etc_filetrans($1, locale_t, file, "timezone") ++++++ useradd-netlink_selinux_socket.patch ++++++ Index: serefpolicy-3.12.1/policy/modules/admin/usermanage.te =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/admin/usermanage.te 2013-10-23 11:44:16.797098128 +0200 +++ serefpolicy-3.12.1/policy/modules/admin/usermanage.te 2013-10-23 11:44:16.894099171 +0200 
@@ -503,6 +503,7 @@ allow useradd_t self:unix_dgram_socket c allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; +allow useradd_t self:netlink_selinux_socket create_socket_perms; manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) ++++++ xconsole.patch ++++++ Basically, /dev/xconsole is a FIFO written to by syslog, and often is present even when there is no X. Therefore, this should go into the logging policy. Patch attached. best regards, Erich Schubert -- erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_ Nothing prevents happiness like the memory of happiness. --- A. Gide //\ Die einzige Hoffnung auf Freude liegt in den menschlichen V_/_ Beziehungen. --- Antoine de Saint-Exupéry ["xconsole" (xconsole)] Index: policy/modules/services/xserver.te =================================================================== --- policy/modules/services/xserver.te.orig 2013-10-23 11:44:16.810098267 +0200 +++ policy/modules/services/xserver.te 2013-10-23 11:44:16.887099095 +0200 @@ -189,12 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; userdom_user_tmp_file(xauth_tmp_t) -# this is not actually a device, its a pipe -type xconsole_device_t; -files_type(xconsole_device_t) -fs_associate_tmpfs(xconsole_device_t) -files_associate_tmp(xconsole_device_t) - type xdm_unconfined_exec_t; application_executable_file(xdm_unconfined_exec_t) @@ -438,7 +432,6 @@ allow xdm_t self:dbus { send_msg acquire allow xdm_t xauth_home_t:file manage_file_perms; -allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) 
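Review bot: `allow useradd_t self:netlink_selinux_socket create_socket_perms;` carries no comment, so the next reader has to dig through the changelog to learn that pam_rootok's `selinux_check_access()` opens the AVC netlink socket for policy-change notifications. Put the reason next to the rule: `# pam_rootok calls selinux_check_access(); its userspace AVC opens a netlink_selinux_socket`. If this tree's selinux.if already has an interface granting this, calling it would keep the raw self rule out of usermanage.te.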
@@ -669,6 +662,10 @@ libs_exec_lib_files(xdm_t) libs_exec_ldconfig(xdm_t) logging_read_generic_logs(xdm_t) +logging_setattr_xconsole_pipes(xdm_t) + +# allow relabel of /dev/xconsole +dev_associate(xconsole_device_t) miscfiles_search_man_pages(xdm_t) miscfiles_read_fonts(xdm_t) Index: policy/modules/services/xserver.fc =================================================================== --- policy/modules/services/xserver.fc.orig 2013-10-23 11:44:16.809098257 +0200 +++ policy/modules/services/xserver.fc 2013-10-23 11:44:16.887099095 +0200 @@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) # -# /dev -# -/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0) - -# # /etc # /etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) Index: policy/modules/system/logging.te =================================================================== --- policy/modules/system/logging.te.orig 2013-10-23 11:44:16.815098321 +0200 +++ policy/modules/system/logging.te 2013-10-23 11:44:16.888099106 +0200 @@ -107,6 +107,12 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) ') +# this is not actually a device, its a pipe +type xconsole_device_t; +files_type(xconsole_device_t) +fs_associate_tmpfs(xconsole_device_t) +files_associate_tmp(xconsole_device_t) + ######################################## # # Auditctl local policy @@ -167,6 +173,9 @@ manage_files_pattern(auditd_t, auditd_va manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) +# log to xconsole +allow syslogd_t xconsole_device_t:fifo_file rw_file_perms; + kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app 
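Review bot: `dev_associate(xconsole_device_t)` is placed in xserver.te among xdm_t's rules, but this same commit moves the declaration of xconsole_device_t into logging.te, so xserver.te now references a type it no longer declares and that no gen_require in this hunk brings in; whether that links depends on both modules being in the base policy, and it undoes the module separation the move was meant to achieve. The rule describes the type, not xdm_t, so it belongs in logging.te next to the new `fs_associate_tmpfs(xconsole_device_t)` and `files_associate_tmp(xconsole_device_t)` lines. The comment `# allow relabel of /dev/xconsole` is also imprecise: dev_associate lets files of this type live on the device filesystem, which restorecon needs to succeed, while relabel permission itself is a separate grant. Move the two lines and reword the comment to `# /dev/xconsole lives on the /dev filesystem, so the type must associate with device_t`.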
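Review bot: The new `allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;` sits between `files_pid_filetrans(auditd_t, …)` and `kernel_read_kernel_sysctls(auditd_t)`, i.e. inside the auditd local policy section, although it governs syslogd_t; its natural home is the syslogd section, where the old `xserver_rw_console(syslogd_t)` optional block is removed later in this patch. It also uses `rw_file_perms`, the file-class set, on a fifo_file object where refpolicy (and the removed interface) use `rw_fifo_file_perms`. Move the rule and write it as `allow syslogd_t xconsole_device_t:fifo_file rw_fifo_file_perms;`, keeping the `# log to xconsole` comment with it.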
@@ -619,11 +628,6 @@ optional_policy(` udev_read_db(syslogd_t) ') -optional_policy(` - # log to the xconsole - xserver_rw_console(syslogd_t) -') - ##################################################### # # syslog client rules Index: policy/modules/system/logging.if =================================================================== --- policy/modules/system/logging.if.orig 2013-10-23 11:44:16.815098321 +0200 +++ policy/modules/system/logging.if 2013-10-23 11:44:16.888099106 +0200 @@ -1355,3 +1355,40 @@ interface(`logging_filetrans_named_conte logging_log_filetrans($1, var_log_t, dir, "anaconda") ') + +######################################## +## <summary> +## Set the attributes of the xconsole named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_setattr_xconsole_pipes',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file setattr; +') + +######################################## +## <summary> +## Read the xconsole named pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_r_xconsole',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file { getattr read }; +') + Index: policy/modules/system/init.te =================================================================== --- policy/modules/system/init.te.orig 2013-10-23 11:44:16.813098300 +0200 +++ policy/modules/system/init.te 2013-10-23 11:44:16.888099106 +0200 @@ -731,6 +731,7 @@ logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) +logging_setattr_xconsole_pipes(initrc_t) # slapd needs to read cert files from its initscript miscfiles_manage_generic_cert_files(initrc_t) 
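Review bot: `logging_setattr_xconsole_pipes` grants bare `setattr`, whereas the `xserver_setattr_console_pipes` it replaces (removed in xserver.if further down) granted `setattr_fifo_file_perms`, which also includes getattr; initrc_t and xdm_t, now switched to the new interface, may lose getattr on /dev/xconsole and fail a stat()/chmod sequence that used to work. Use `allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;` to keep parity. `logging_r_xconsole` is not called anywhere in this commit, its name does not follow the `logging_<perm>_<object>` convention of the surrounding interfaces, and it hand-lists `{ getattr read }` instead of the permission set macro; either drop it or rename it to `logging_read_xconsole_pipes` with `allow $1 xconsole_device_t:fifo_file read_fifo_file_perms;`.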
@@ -1376,9 +1377,6 @@ optional_policy(` ') optional_policy(` - # Set device ownerships/modes. - xserver_setattr_console_pipes(initrc_t) - # init script wants to check if it needs to update windowmanagerlist xserver_read_xdm_rw_config(initrc_t) ') Index: policy/modules/system/logging.fc =================================================================== --- policy/modules/system/logging.fc.orig 2013-10-23 11:44:16.815098321 +0200 +++ policy/modules/system/logging.fc 2013-10-23 11:44:16.888099106 +0200 @@ -1,4 +1,5 @@ /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0) /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) Index: policy/modules/services/xserver.if =================================================================== --- policy/modules/services/xserver.if.orig 2013-10-23 11:44:16.810098267 +0200 +++ policy/modules/services/xserver.if 2013-10-23 11:44:16.888099106 +0200 
@@ -636,42 +636,6 @@ interface(`xserver_manage_user_xauth',` ######################################## ## <summary> -## Set the attributes of the X windows console named pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xserver_setattr_console_pipes',` - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; -') - -######################################## -## <summary> -## Read and write the X windows console named pipe. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`xserver_rw_console',` - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> ## Read XDM state files. ## </summary> ## <param name="domain"> -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
