
SE Linux policy update



I'd like to include a new version of the SE Linux policy in the Squeeze point 
release.  I've pasted in the changelog from the new version I just uploaded to 
Unstable which is the same as the one I'd like to get in Squeeze.

The user friendly change list is that this makes USB flash storage devices 
usable by default on the desktop, Iceweasel works correctly, upowerd is run 
correctly in the devicekit_power_t domain, KDE mysqld access works, fetchmail 
works as a daemon, Xen starts DomUs on boot, and NetworkManager and similar 
programs (such as wicd) give more functionality.

These are all serious updates that can be considered as "a truly critical 
functionality problem" for some users.

I've attached a full diff between the version in Squeeze and my proposed 
update.

Please let me know what else I have to do to get this included.

 refpolicy (2:0.2.20100524-8) unstable; urgency=low
 .
   * Add tunable user_manage_dos_files which defaults to true
   * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
   * Allow mozilla to create directories under /tmp
   * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on
     installation if libgconf2-4 is installed
   * Use correct label for /usr/lib/upower/upowerd
   * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK)
   * Allow user domains to execute mysqld_exec_t, for KDE
   * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
   * Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to
     search /var/lib and manage fetchmail_uidl_cache_t dirs
   * Allow xm_t to read kernel image files, needed for DomU startup on boot
   * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t.
   * Allow network manager to run wpa_cli_exec_t programs.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
diff -ru /tmp/t/refpolicy//debian/changelog ./debian/changelog
--- /tmp/t/refpolicy//debian/changelog	2011-03-11 23:19:40.337436375 +1100
+++ ./debian/changelog	2011-03-11 14:29:09.565411812 +1100
@@ -1,3 +1,22 @@
+refpolicy (2:0.2.20100524-8) unstable; urgency=low
+
+  * Add tunable user_manage_dos_files which defaults to true
+  * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
+  * Allow mozilla to create directories under /tmp
+  * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on
+    installation if libgconf2-4 is installed
+  * Use correct label for /usr/lib/upower/upowerd
+  * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK)
+  * Allow user domains to execute mysqld_exec_t, for KDE
+  * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
+  * Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to
+    search /var/lib and manage fetchmail_uidl_cache_t dirs
+  * Allow xm_t to read kernel image files, needed for DomU startup on boot
+  * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t.
+  * Allow network manager to run wpa_cli_exec_t programs.
+
+ -- Russell Coker <russell@coker.com.au>  Fri, 11 Mar 2011 14:28:58 +1100
+
 refpolicy (2:0.2.20100524-7) unstable; urgency=low
 
   * Allow crontab_t to create a directory of type crontab_tmp_t, necessary to
diff -ru /tmp/t/refpolicy//debian/postinst.policy ./debian/postinst.policy
--- /tmp/t/refpolicy//debian/postinst.policy	2011-03-11 23:19:40.337436375 +1100
+++ ./debian/postinst.policy	2011-01-17 14:42:35.052961684 +1100
@@ -90,6 +90,7 @@
            'finger'          => [ 'finger', '*fingerd' ],
            'ftp'             => [ 'ftp', '*ftpd' ],
            'gitosis'         => [ 'gitosis' ],
+           'gnome'           => [ 'libgconf2-4' ],
            'gpg'             => [ 'gnupg' ],
            'hddtemp'         => [ 'hddtemp' ],
            'hwclock'         => [ 'util-linux' ],
diff -ru /tmp/t/refpolicy//policy/global_tunables ./policy/global_tunables
--- /tmp/t/refpolicy//policy/global_tunables	2009-07-23 04:15:30.000000000 +1000
+++ ./policy/global_tunables	2011-01-17 13:04:07.996933057 +1100
@@ -104,3 +104,10 @@
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to manage files on dosfs_t devices, usually removable media
+## </p>
+## </desc>
+gen_tunable(user_manage_dos_files,true)
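Review bot: The description on L93 calls dosfs_t "usually removable media", but as far as I can tell dosfs_t is the type of every vfat/msdos filesystem, which on a Squeeze box can include non-removable mounts such as an EFI system partition, and the tunable defaults to true, so every user domain gains manage access to those as well. The desc should say what a true default actually grants, e.g. `## Allow user domains to manage files on any dosfs_t (vfat/msdos) filesystem; this covers removable media but also non-removable vfat mounts. Enabled by default.` If only removable media is intended, defaulting to false and letting the desktop configuration enable it would be the more conservative choice.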
diff -ru /tmp/t/refpolicy//policy/modules/apps/gnome.fc ./policy/modules/apps/gnome.fc
--- /tmp/t/refpolicy//policy/modules/apps/gnome.fc	2010-03-05 03:51:48.000000000 +1100
+++ ./policy/modules/apps/gnome.fc	2011-01-17 14:41:34.352998066 +1100
@@ -5,4 +5,8 @@
 
 /tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:gconf_tmp_t,s0)
 
+ifdef(`distro_debian', `
+/usr/lib/libgconf2-4/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+', `
 /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+')
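Review bot: The new Debian entry on L105 separates the path, file-type flag and context with single spaces while the neighbouring line L107 and the rest of the .fc files use tab-aligned columns, and the `ifdef` quoting here (`ifdef(`distro_debian', `` with a space before the second quote) differs from the devicekit.fc hunk (`ifdef(`distro_debian',``). Laying out L105 with the same tab columns as L107 and picking one `ifdef` spelling for both files keeps the two Debian overrides visually consistent with the entries around them.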
diff -ru /tmp/t/refpolicy//policy/modules/apps/gpg.te ./policy/modules/apps/gpg.te
--- /tmp/t/refpolicy//policy/modules/apps/gpg.te	2010-05-25 05:31:36.000000000 +1000
+++ ./policy/modules/apps/gpg.te	2011-02-27 15:38:35.813449687 +1100
@@ -223,6 +223,8 @@
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+files_read_etc_files(gpg_agent_t)
+kernel_read_crypto_sysctls(gpg_agent_t)
 
 # allow gpg to connect to the gpg agent
 stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
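Review bot: The two added calls on L116-L117 carry no explanation of why gpg-agent needs /etc files and the crypto sysctls, whereas the rule right below them (L119) documents its purpose. A short why-comment above L116 would do, e.g. `# gpg-agent reads its /etc configuration and /proc/sys/crypto (presumably the fips_enabled flag — confirm from the denial that prompted this)`.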
diff -ru /tmp/t/refpolicy//policy/modules/apps/mozilla.fc ./policy/modules/apps/mozilla.fc
--- /tmp/t/refpolicy//policy/modules/apps/mozilla.fc	2011-03-11 23:19:40.429412252 +1100
+++ ./policy/modules/apps/mozilla.fc	2011-01-17 14:22:52.088932730 +1100
@@ -32,3 +32,4 @@
 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/chromium-browser/chromium-browser-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 /usr/lib/chromium-browser/chromium-browser -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
+/usr/lib/xulrunner-1.9.1/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0)
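Review bot: The path on L128 hard-codes the xulrunner 1.9.1 directory, so the label silently disappears as soon as a point release ships a different xulrunner version, and if the stub is the browser's entry point that means Iceweasel would then run in the user's own domain instead of mozilla_t. The firefox entry three lines up already uses a `[^/]*` pattern to survive version changes; the same applies here: `/usr/lib/xulrunner-[^/]*/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0)`.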
diff -ru /tmp/t/refpolicy//policy/modules/apps/mozilla.te ./policy/modules/apps/mozilla.te
--- /tmp/t/refpolicy//policy/modules/apps/mozilla.te	2011-03-11 23:19:40.429412252 +1100
+++ ./policy/modules/apps/mozilla.te	2011-01-17 14:25:11.360932873 +1100
@@ -48,8 +48,9 @@
 type mozilla_tmp_t;
 files_tmp_file(mozilla_tmp_t)
 ubac_constrained(mozilla_tmp_t)
-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, file)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
 allow mozilla_t mozilla_tmp_t:file manage_file_perms;
+allow mozilla_t mozilla_tmp_t:dir manage_dir_perms;
 allow mozilla_t self:unix_dgram_socket sendto;
 allow mozilla_t chrome_browser_exec_t:file execute_no_trans;
 # for V8
diff -ru /tmp/t/refpolicy//policy/modules/kernel/files.fc ./policy/modules/kernel/files.fc
--- /tmp/t/refpolicy//policy/modules/kernel/files.fc	2011-03-11 23:19:40.372420590 +1100
+++ ./policy/modules/kernel/files.fc	2011-02-10 13:04:15.583492220 +1100
@@ -119,7 +119,7 @@
 #
 # Mount points; do not relabel subdirectories, since
 # we don't want to change any removable media by default.
-/media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
+/media/[^/]*		-l	gen_context(system_u:object_r:mnt_t,s0)
 /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /media/[^/]*/.*			<<none>>
 /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
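Review bot: This change to the /media symlink entry is not mentioned anywhere in the changelog (L50-L67), and its effect is not obvious from the hunk: the old pattern `/media(/[^/]*)` also matched a symlink at `/media` itself, while the new `/media/[^/]*` matches only symlinks directly under /media, so the reason (a /media symlink that should not be relabelled, or a pattern that never matched as intended) should be stated. Suggest a changelog bullet plus a comment above L151 such as `# symlinks directly under /media (e.g. the hal mount-point links below) are mnt_t; /media itself is handled by the -d entry`, with the actual reason filled in from whatever prompted the change.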
diff -ru /tmp/t/refpolicy//policy/modules/services/bind.te ./policy/modules/services/bind.te
--- /tmp/t/refpolicy//policy/modules/services/bind.te	2011-03-11 23:19:40.353409447 +1100
+++ ./policy/modules/services/bind.te	2011-01-21 17:21:08.888931056 +1100
@@ -70,6 +70,9 @@
 allow named_t self:tcp_socket create_stream_socket_perms;
 allow named_t self:udp_socket create_socket_perms;
 
+# because lwresd calls access(".", W_OK)
+files_dontaudit_rw_root_dir(named_t)
+
 allow named_t dnssec_t:file read_file_perms;
 
 # read configuration
diff -ru /tmp/t/refpolicy//policy/modules/services/dbus.if ./policy/modules/services/dbus.if
--- /tmp/t/refpolicy//policy/modules/services/dbus.if	2011-03-11 23:19:40.349412023 +1100
+++ ./policy/modules/services/dbus.if	2011-02-19 13:06:32.484410674 +1100
@@ -163,6 +163,10 @@
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
 	')
+
+	optional_policy(`
+		gnome_role($2, $1_dbusd_t)
+	')
 ')
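Review bot: The changelog (L60) describes this as allowing $1_dbusd_t to execute gconfd_exec_t, but gnome_role($2, $1_dbusd_t) is a role interface and, judging by its name, grants the session bus domain the whole gnome role set rather than just a gconfd transition; if gnome.if offers a narrower gconfd domtrans interface that would be the tighter fit. Either way a one-line comment inside the optional_policy block would record the intent, e.g. `# the session bus activates gconfd on behalf of the user`. The enclosing dbus role template starts outside this hunk, so I cannot confirm that $2 is its role parameter.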
 
 #######################################
diff -ru /tmp/t/refpolicy//policy/modules/services/devicekit.fc ./policy/modules/services/devicekit.fc
--- /tmp/t/refpolicy//policy/modules/services/devicekit.fc	2011-03-11 23:19:40.353409447 +1100
+++ ./policy/modules/services/devicekit.fc	2011-01-19 12:43:37.677955981 +1100
@@ -4,7 +4,11 @@
 /usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 /usr/lib/udisks/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/upower/upowerd		--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+', `
 /usr/libexec/upowerd		--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+')
 
 /var/lib/DeviceKit-.*			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
 /var/lib/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
diff -ru /tmp/t/refpolicy//policy/modules/services/fetchmail.fc ./policy/modules/services/fetchmail.fc
--- /tmp/t/refpolicy//policy/modules/services/fetchmail.fc	2010-03-05 03:51:49.000000000 +1100
+++ ./policy/modules/services/fetchmail.fc	2011-02-25 17:42:57.637458245 +1100
@@ -17,3 +17,4 @@
 
 /var/run/fetchmail/.*		--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
 /var/mail/\.fetchmail-UIDL-cache --	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+/var/lib/fetchmail(/.*)?		gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
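Review bot: Labelling the whole /var/lib/fetchmail tree as fetchmail_uidl_cache_t reuses the type that also labels the UIDL cache file created in the mail spool via mta_spool_filetrans (fetchmail.te L214), which is why the fetchmail.te hunk has to widen that type with dir manage permissions on L212, and afterwards the spool file and the /var/lib directory are indistinguishable in policy. The convention visible elsewhere in this same patch (devicekit_var_lib_t on L195-L196, xend_var_lib_t on L298-L299) is a dedicated `fetchmail_var_lib_t` declared with files_type and managed by its own rules, which leaves the spool-file rule as narrow as it was. If the cache file really just moves under /var/lib with the same content, a comment in fetchmail.fc saying so would justify sharing the type.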
diff -ru /tmp/t/refpolicy//policy/modules/services/fetchmail.te ./policy/modules/services/fetchmail.te
--- /tmp/t/refpolicy//policy/modules/services/fetchmail.te	2011-03-11 23:19:40.349412023 +1100
+++ ./policy/modules/services/fetchmail.te	2011-02-25 18:14:25.889459277 +1100
@@ -41,11 +41,13 @@
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
 files_read_usr_files(fetchmail_t)
 
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
 manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
 files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file)
+files_search_var_lib(fetchmail_t)
 
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
diff -ru /tmp/t/refpolicy//policy/modules/services/mysql.if ./policy/modules/services/mysql.if
--- /tmp/t/refpolicy//policy/modules/services/mysql.if	2010-03-17 02:32:05.000000000 +1100
+++ ./policy/modules/services/mysql.if	2011-01-21 17:36:43.761933064 +1100
@@ -353,3 +353,23 @@
 
 	admin_pattern($1, mysqld_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Execute mysqld in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysqld_exec',`
+	gen_require(`
+		type mysqld_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, mysqld_exec_t)
+')
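Review bot: The summary on L232 should state that no domain transition takes place, because can_exec() on L247 leaves mysqld running in the caller's domain with the caller's full privileges, and that is the security-relevant consequence a policy author needs before calling this interface; e.g. `##	Execute mysqld in the caller domain (no domain transition; the server runs with the caller's privileges).` Separately, the closing `</summary>` on L237 is indented with a space before the tab, unlike the other `##` lines in this block.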
diff -ru /tmp/t/refpolicy//policy/modules/services/mysql.te ./policy/modules/services/mysql.te
--- /tmp/t/refpolicy//policy/modules/services/mysql.te	2011-03-11 23:19:40.360430274 +1100
+++ ./policy/modules/services/mysql.te	2011-02-09 10:18:33.395481018 +1100
@@ -242,3 +242,4 @@
 miscfiles_read_localization(mysqlmanagerd_t)
 
 userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+
diff -ru /tmp/t/refpolicy//policy/modules/services/networkmanager.te ./policy/modules/services/networkmanager.te
--- /tmp/t/refpolicy//policy/modules/services/networkmanager.te	2010-05-25 05:31:36.000000000 +1000
+++ ./policy/modules/services/networkmanager.te	2011-03-04 23:53:14.824419976 +1100
@@ -271,6 +271,7 @@
 # wpa_cli local policy
 #
 
+domain_auto_trans(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)
 allow wpa_cli_t self:capability dac_override;
 allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
 
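Review bot: The transition added on L264 is a rule about NetworkManager_t but sits under the `# wpa_cli local policy` header, and it uses the old bare `domain_auto_trans` macro where current refpolicy modules spell this as `domtrans_pattern(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)`, which as far as I recall also grants the fd/fifo/sigchld rules a child process normally needs — verify against misc_patterns.spt. Moving it into the NetworkManager local policy section of the same file (outside this hunk) with a comment such as `# run wpa_cli in its own domain for wpa_supplicant control` would match the file's layout.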
diff -ru /tmp/t/refpolicy//policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if
--- /tmp/t/refpolicy//policy/modules/system/userdomain.if	2011-03-11 23:19:40.380409920 +1100
+++ ./policy/modules/system/userdomain.if	2011-01-21 17:38:15.220964097 +1100
@@ -118,6 +118,11 @@
 		allow $1_t self:process execstack;
 	')
 
+	tunable_policy(`user_manage_dos_files',`
+		fs_manage_dos_dirs($1_t)
+		fs_manage_dos_files($1_t)
+	')
+
 	ifdef(`distro_debian', `
 		# allow reading /var/lib/apt/lists
 		apt_read_db($1_t)
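Review bot: The tunable_policy block on L275-L278 sits next to the execstack rule, i.e. in what appears to be the base user template, so every domain derived from it (including restricted ones) gets dosfs_t manage access while the tunable is on; if the aim is desktop users handling removable media, the unprivileged/common user template would be the narrower home — the template header is outside this hunk, so I cannot confirm which template this is. A why-comment would help either way, e.g. `# let users write to vfat removable media (user_manage_dos_files, default true)`. The mysqld_exec($1_t) block in the second hunk (L288-L290) likewise has no comment; `# KDE starts a per-user mysqld in the user domain` would record the reason given in the changelog.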
@@ -1018,6 +1023,10 @@
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		mysqld_exec($1_t)
+	')
 ')
 
 #######################################
diff -ru /tmp/t/refpolicy//policy/modules/system/xen.te ./policy/modules/system/xen.te
--- /tmp/t/refpolicy//policy/modules/system/xen.te	2011-03-11 23:19:40.420411117 +1100
+++ ./policy/modules/system/xen.te	2011-02-25 17:45:53.676411874 +1100
@@ -404,6 +404,7 @@
 manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 files_search_var_lib(xm_t)
+files_read_kernel_img(xm_t)
 
 allow xm_t xen_image_t:dir rw_dir_perms;
 allow xm_t xen_image_t:file read_file_perms;
