SE Linux policy update
I'd like to include a new version of the SE Linux policy in the Squeeze point
release. I've pasted in the changelog from the new version I just uploaded to
Unstable, which is the same as the one I'd like to get into Squeeze.
The user friendly change list is that this makes USB flash storage devices
usable by default on the desktop, Iceweasel works correctly, upowerd is run
correctly in the devicekit_power_t domain, KDE mysqld access works, fetchmail
works as a daemon, Xen starts DomUs on boot, and NetworkManager and similar
programs (such as wicd) give more functionality.
These are all serious updates; for some users the problems they fix can be
considered "a truly critical functionality problem".
I've attached a full diff between the version in Squeeze and my proposed
update.
Please let me know what else I have to do to get this included.
refpolicy (2:0.2.20100524-8) unstable; urgency=low
.
* Add tunable user_manage_dos_files which defaults to true
* Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
* Allow mozilla to create directories under /tmp
* Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on
installation if libgconf2-4 is installed
* Use correct label for /usr/lib/upower/upowerd
* Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK)
* Allow user domains to execute mysqld_exec_t, for KDE
* Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
* Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to
search /var/lib and manage fetchmail_uidl_cache_t dirs
* Allow xm_t to read kernel image files, needed for DomU startup on boot
* Allow gpg_agent_t to read etc_t files and sysctl_crypto_t.
* Allow network manager to run wpa_cli_exec_t programs.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
diff -ru /tmp/t/refpolicy//debian/changelog ./debian/changelog
--- /tmp/t/refpolicy//debian/changelog 2011-03-11 23:19:40.337436375 +1100
+++ ./debian/changelog 2011-03-11 14:29:09.565411812 +1100
@@ -1,3 +1,22 @@
+refpolicy (2:0.2.20100524-8) unstable; urgency=low
+
+ * Add tunable user_manage_dos_files which defaults to true
+ * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
+ * Allow mozilla to create directories under /tmp
+ * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on
+ installation if libgconf2-4 is installed
+ * Use correct label for /usr/lib/upower/upowerd
+ * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK)
+ * Allow user domains to execute mysqld_exec_t, for KDE
+ * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
+ * Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to
+ search /var/lib and manage fetchmail_uidl_cache_t dirs
+ * Allow xm_t to read kernel image files, needed for DomU startup on boot
+ * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t.
+ * Allow network manager to run wpa_cli_exec_t programs.
+
+ -- Russell Coker <russell@coker.com.au> Fri, 11 Mar 2011 14:28:58 +1100
+
refpolicy (2:0.2.20100524-7) unstable; urgency=low
* Allow crontab_t to create a directory of type crontab_tmp_t, necessary to
diff -ru /tmp/t/refpolicy//debian/postinst.policy ./debian/postinst.policy
--- /tmp/t/refpolicy//debian/postinst.policy 2011-03-11 23:19:40.337436375 +1100
+++ ./debian/postinst.policy 2011-01-17 14:42:35.052961684 +1100
@@ -90,6 +90,7 @@
'finger' => [ 'finger', '*fingerd' ],
'ftp' => [ 'ftp', '*ftpd' ],
'gitosis' => [ 'gitosis' ],
+ 'gnome' => [ 'libgconf2-4' ],
'gpg' => [ 'gnupg' ],
'hddtemp' => [ 'hddtemp' ],
'hwclock' => [ 'util-linux' ],
diff -ru /tmp/t/refpolicy//policy/global_tunables ./policy/global_tunables
--- /tmp/t/refpolicy//policy/global_tunables 2009-07-23 04:15:30.000000000 +1000
+++ ./policy/global_tunables 2011-01-17 13:04:07.996933057 +1100
@@ -104,3 +104,10 @@
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to manage files on dosfs_t devices, usually removable media
+## </p>
+## </desc>
+gen_tunable(user_manage_dos_files,true)
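Review bot: The new tunable defaults to true, so every domain that receives the matching tunable_policy block can manage dosfs_t content out of the box, and the `<desc>` understates its scope: dosfs_t is, as far as I recall, the type refpolicy assigns to all FAT/NTFS-family mounts via genfscon, not only removable media, so an EFI system partition or any other vfat mount is covered too. The description should say so and state the default, e.g. `## Allow user domains to manage files on dosfs_t filesystems (FAT/NTFS mounts, usually removable media). Defaults to true; set to false to withhold that access from user domains.` Administrators with vfat mounts that are not removable media can then be pointed at `setsebool -P user_manage_dos_files false`.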
diff -ru /tmp/t/refpolicy//policy/modules/apps/gnome.fc ./policy/modules/apps/gnome.fc
--- /tmp/t/refpolicy//policy/modules/apps/gnome.fc 2010-03-05 03:51:48.000000000 +1100
+++ ./policy/modules/apps/gnome.fc 2011-01-17 14:41:34.352998066 +1100
@@ -5,4 +5,8 @@
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+ifdef(`distro_debian', `
+/usr/lib/libgconf2-4/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+', `
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+')
diff -ru /tmp/t/refpolicy//policy/modules/apps/gpg.te ./policy/modules/apps/gpg.te
--- /tmp/t/refpolicy//policy/modules/apps/gpg.te 2010-05-25 05:31:36.000000000 +1000
+++ ./policy/modules/apps/gpg.te 2011-02-27 15:38:35.813449687 +1100
@@ -223,6 +223,8 @@
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+files_read_etc_files(gpg_agent_t)
+kernel_read_crypto_sysctls(gpg_agent_t)
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
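Review bot: The two added rules carry no comment saying what gpg-agent actually reads, unlike the `# allow gpg to connect to the gpg agent` line just below them, and the changelog only repeats the rule names. Suggest `# gpg-agent reads /etc config and /proc/sys/crypto (presumably libgcrypt's FIPS-mode check) -- confirm against the AVC denials that prompted this` above files_read_etc_files, so the next reader can judge whether the sysctl access is still needed when the policy is revised.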
diff -ru /tmp/t/refpolicy//policy/modules/apps/mozilla.fc ./policy/modules/apps/mozilla.fc
--- /tmp/t/refpolicy//policy/modules/apps/mozilla.fc 2011-03-11 23:19:40.429412252 +1100
+++ ./policy/modules/apps/mozilla.fc 2011-01-17 14:22:52.088932730 +1100
@@ -32,3 +32,4 @@
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/chromium-browser/chromium-browser-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
/usr/lib/chromium-browser/chromium-browser -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
+/usr/lib/xulrunner-1.9.1/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0)
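Review bot: The new file context is pinned to `xulrunner-1.9.1`, so the label is silently lost on the next xulrunner upload and the stub falls back to the generic /usr/lib label, outside the mozilla_t domain. The neighbouring entries in this file already use a version-agnostic pattern (`/usr/lib64/[^/]*firefox[^/]*/firefox`), and the same form works here: `/usr/lib/xulrunner-[^/]*/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0)`.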
diff -ru /tmp/t/refpolicy//policy/modules/apps/mozilla.te ./policy/modules/apps/mozilla.te
--- /tmp/t/refpolicy//policy/modules/apps/mozilla.te 2011-03-11 23:19:40.429412252 +1100
+++ ./policy/modules/apps/mozilla.te 2011-01-17 14:25:11.360932873 +1100
@@ -48,8 +48,9 @@
type mozilla_tmp_t;
files_tmp_file(mozilla_tmp_t)
ubac_constrained(mozilla_tmp_t)
-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, file)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
allow mozilla_t mozilla_tmp_t:file manage_file_perms;
+allow mozilla_t mozilla_tmp_t:dir manage_dir_perms;
allow mozilla_t self:unix_dgram_socket sendto;
allow mozilla_t chrome_browser_exec_t:file execute_no_trans;
# for V8
diff -ru /tmp/t/refpolicy//policy/modules/kernel/files.fc ./policy/modules/kernel/files.fc
--- /tmp/t/refpolicy//policy/modules/kernel/files.fc 2011-03-11 23:19:40.372420590 +1100
+++ ./policy/modules/kernel/files.fc 2011-02-10 13:04:15.583492220 +1100
@@ -119,7 +119,7 @@
#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
-/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
+/media/[^/]* -l gen_context(system_u:object_r:mnt_t,s0)
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
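Review bot: The rewritten symlink pattern `/media/[^/]*` matches exactly the same paths as the old `/media(/[^/]*)` (the group had no `?`, so it was mandatory), and the change is not mentioned in the changelog, so it reads as an unexplained no-op in a point-release update. If it is intended as cleanup, a one-line changelog entry would save the release team from wondering whether semantics changed; if some setfiles version mishandled the group, a short comment on the line saying so would be better still.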
diff -ru /tmp/t/refpolicy//policy/modules/services/bind.te ./policy/modules/services/bind.te
--- /tmp/t/refpolicy//policy/modules/services/bind.te 2011-03-11 23:19:40.353409447 +1100
+++ ./policy/modules/services/bind.te 2011-01-21 17:21:08.888931056 +1100
@@ -70,6 +70,9 @@
allow named_t self:tcp_socket create_stream_socket_perms;
allow named_t self:udp_socket create_socket_perms;
+# because lwresd calls access(".", W_OK)
+files_dontaudit_rw_root_dir(named_t)
+
allow named_t dnssec_t:file read_file_perms;
# read configuration
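Review bot: `files_dontaudit_rw_root_dir` silences both read and write denials on the root directory for named_t, while the stated cause, lwresd's `access(".", W_OK)`, only triggers the write check; any genuine read or search denial on / from named would now be invisible in the audit log. If a write-only dontaudit interface for root_t exists in this tree it would be the narrower choice; otherwise the comment should mention the broader scope so nobody later relies on audit.log for that case, e.g. `# because lwresd calls access(".", W_OK); note this also hides read denials on /`.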
diff -ru /tmp/t/refpolicy//policy/modules/services/dbus.if ./policy/modules/services/dbus.if
--- /tmp/t/refpolicy//policy/modules/services/dbus.if 2011-03-11 23:19:40.349412023 +1100
+++ ./policy/modules/services/dbus.if 2011-02-19 13:06:32.484410674 +1100
@@ -163,6 +163,10 @@
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
+
+ optional_policy(`
+ gnome_role($2, $1_dbusd_t)
+ ')
')
#######################################
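Review bot: `gnome_role($2, $1_dbusd_t)` grants the per-user dbusd domain the whole gnome role (as far as I recall this includes management of gconf/gnome home content as well as the gconfd domain transition), which is wider than the changelog's "execute gconfd_exec_t in user_gconfd_t". If only the transition is needed, `gnome_domtrans_gconfd($1_dbusd_t)` plus the role rule would be the narrower grant, assuming that interface exists in this tree. The template this block lives in starts outside the hunk, and every role built from it, not only unprivileged users, receives the new access.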
diff -ru /tmp/t/refpolicy//policy/modules/services/devicekit.fc ./policy/modules/services/devicekit.fc
--- /tmp/t/refpolicy//policy/modules/services/devicekit.fc 2011-03-11 23:19:40.353409447 +1100
+++ ./policy/modules/services/devicekit.fc 2011-01-19 12:43:37.677955981 +1100
@@ -4,7 +4,11 @@
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+', `
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+')
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
diff -ru /tmp/t/refpolicy//policy/modules/services/fetchmail.fc ./policy/modules/services/fetchmail.fc
--- /tmp/t/refpolicy//policy/modules/services/fetchmail.fc 2010-03-05 03:51:49.000000000 +1100
+++ ./policy/modules/services/fetchmail.fc 2011-02-25 17:42:57.637458245 +1100
@@ -17,3 +17,4 @@
/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
diff -ru /tmp/t/refpolicy//policy/modules/services/fetchmail.te ./policy/modules/services/fetchmail.te
--- /tmp/t/refpolicy//policy/modules/services/fetchmail.te 2011-03-11 23:19:40.349412023 +1100
+++ ./policy/modules/services/fetchmail.te 2011-02-25 18:14:25.889459277 +1100
@@ -41,11 +41,13 @@
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
files_read_usr_files(fetchmail_t)
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file)
+files_search_var_lib(fetchmail_t)
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
diff -ru /tmp/t/refpolicy//policy/modules/services/mysql.if ./policy/modules/services/mysql.if
--- /tmp/t/refpolicy//policy/modules/services/mysql.if 2010-03-17 02:32:05.000000000 +1100
+++ ./policy/modules/services/mysql.if 2011-01-21 17:36:43.761933064 +1100
@@ -353,3 +353,23 @@
admin_pattern($1, mysqld_tmp_t)
')
+
+########################################
+## <summary>
+## Execute mysqld in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysqld_exec',`
+ gen_require(`
+ type mysqld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mysqld_exec_t)
+')
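Review bot: The interface summary says what the interface does but not why mysqld is executed without a transition to mysqld_t, which is the unusual part and the reason a reviewer would question it. Suggest `## Execute mysqld in the caller domain, without a transition to mysqld_t (for desktop sessions that start a private mysqld instance as the user, e.g. KDE).` so the intent survives once the changelog is out of sight.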
diff -ru /tmp/t/refpolicy//policy/modules/services/mysql.te ./policy/modules/services/mysql.te
--- /tmp/t/refpolicy//policy/modules/services/mysql.te 2011-03-11 23:19:40.360430274 +1100
+++ ./policy/modules/services/mysql.te 2011-02-09 10:18:33.395481018 +1100
@@ -242,3 +242,4 @@
miscfiles_read_localization(mysqlmanagerd_t)
userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+
diff -ru /tmp/t/refpolicy//policy/modules/services/networkmanager.te ./policy/modules/services/networkmanager.te
--- /tmp/t/refpolicy//policy/modules/services/networkmanager.te 2010-05-25 05:31:36.000000000 +1000
+++ ./policy/modules/services/networkmanager.te 2011-03-04 23:53:14.824419976 +1100
@@ -271,6 +271,7 @@
# wpa_cli local policy
#
+domain_auto_trans(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)
allow wpa_cli_t self:capability dac_override;
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
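Review bot: The new transition uses the legacy `domain_auto_trans` macro, while the rest of refpolicy expresses this as `domtrans_pattern(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)`, which additionally grants the fd/fifo/sigchld permissions a spawned child needs and so avoids a second round of denials. It is also placed under the `# wpa_cli local policy` header although it is a NetworkManager_t rule; the NetworkManager local policy section above would be the conventional spot. Since this is a domain transition rather than a plain exec, the changelog wording "run wpa_cli_exec_t programs" could say that wpa_cli now runs in wpa_cli_t.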
diff -ru /tmp/t/refpolicy//policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if
--- /tmp/t/refpolicy//policy/modules/system/userdomain.if 2011-03-11 23:19:40.380409920 +1100
+++ ./policy/modules/system/userdomain.if 2011-01-21 17:38:15.220964097 +1100
@@ -118,6 +118,11 @@
allow $1_t self:process execstack;
')
+ tunable_policy(`user_manage_dos_files',`
+ fs_manage_dos_dirs($1_t)
+ fs_manage_dos_files($1_t)
+ ')
+
ifdef(`distro_debian', `
# allow reading /var/lib/apt/lists
apt_read_db($1_t)
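Review bot: The tunable block sits in a template whose header is outside the hunk; if this is the base user template, every domain derived from it (including any staff or admin derivatives) inherits manage rights on dosfs_t whenever the boolean is on, and global_tunables turns it on by default. That may be the right desktop default, but a comment above the block stating the scope would help, e.g. `# default true: user domains may write to FAT/NTFS mounts, usually removable media`.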
@@ -1018,6 +1023,10 @@
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
+
+ optional_policy(`
+ mysqld_exec($1_t)
+ ')
')
#######################################
diff -ru /tmp/t/refpolicy//policy/modules/system/xen.te ./policy/modules/system/xen.te
--- /tmp/t/refpolicy//policy/modules/system/xen.te 2011-03-11 23:19:40.420411117 +1100
+++ ./policy/modules/system/xen.te 2011-02-25 17:45:53.676411874 +1100
@@ -404,6 +404,7 @@
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
files_search_var_lib(xm_t)
+files_read_kernel_img(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file read_file_perms;