2015-03-25 02:24:41

by Jason Zaman

Subject: [refpolicy] [PATCH 1/6] rpcbind: typo fix

---
rpcbind.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpcbind.if b/rpcbind.if
index 1a1cb99..f78fef0 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -21,7 +21,7 @@ interface(`rpcbind_domtrans',`

########################################
## <summary>
-## Connect to rpcbindd with a
+## Connect to rpcbind with a
## unix domain stream socket.
## </summary>
## <param name="domain">
--
2.0.5


2015-03-25 02:24:42

by Jason Zaman

Subject: [refpolicy] [PATCH 2/6] git: make inetd interface optional

git-daemon can be run without inetd; this patch makes the
interface optional so that git.pp can be loaded without inetd.
---
git.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/git.te b/git.te
index 084ac9d..a93c976 100644
--- a/git.te
+++ b/git.te
@@ -86,7 +86,6 @@ apache_content_template(git)

type git_system_t, git_daemon;
type gitd_exec_t;
-inetd_service_domain(git_system_t, gitd_exec_t)
init_daemon_domain(git_system_t, gitd_exec_t)

type git_session_t, git_daemon;
@@ -122,6 +121,10 @@ auth_use_nsswitch(git_session_t)

userdom_use_user_terminals(git_session_t)

+optional_policy(`
+ inetd_service_domain(git_system_t, gitd_exec_t)
+')
+
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(git_session_t)
corenet_tcp_bind_all_unreserved_ports(git_session_t)
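Review bot: the optional_policy block for git_system_t lands in the middle of the git_session_t rules (between userdom_use_user_terminals(git_session_t) and the git_session_bind_all_unreserved_ports tunable); move it to the git_system_t local policy section so each domain's rules stay together. It is also worth stating in the commit message that init_daemon_domain(git_system_t, gitd_exec_t) in the first hunk stays unconditional, so gitd_exec_t keeps its entry point and init can still start git_system_t when the inetd module is not loaded.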
--
2.0.5

2015-03-25 02:24:43

by Jason Zaman

Subject: [refpolicy] [PATCH 3/6] rpc: introduce allow_gssd_write_tmp boolean

gssd needs to be able to write the user's Kerberos token
into the ticket cache, which is stored in /tmp.

type=AVC msg=audit(1427206305.314:9914): avc: granted { read write
open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000"
dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file
---
rpc.te | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/rpc.te b/rpc.te
index 1a6dcc0..e2ea2eb 100644
--- a/rpc.te
+++ b/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)

## <desc>
## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
## Determine whether nfs can modify
## public files used for public file
## transfer services. Directories/Files must
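Review bot: the description leaves out the relationship to allow_gssd_read_tmp: enabling this tunable grants read as well as write on user temporary files, so the read tunable is not needed for file access once this one is on. Say so in the <p> text, and name the Kerberos credential cache as the intended use, so an administrator understands the grant covers every user's tmp files and not only krb5cc_*.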
@@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
userdom_read_user_tmp_symlinks(gssd_t)
')

+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
optional_policy(`
automount_signal(gssd_t)
')
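Review bot: the write branch grants userdom_rw_user_tmp_files but not userdom_read_user_tmp_symlinks, which the read branch directly above includes; if the credential cache path is reached through a symlink in /tmp, this tunable alone will not be enough and allow_gssd_read_tmp has to be enabled as well. Either add the symlink interface here or document the dependency. The rw-only scope (no create) matches the quoted AVC, which shows { read write open } on an existing /tmp/krb5cc_1000, but it still reaches every user_tmp_t file on the system; a dedicated type for the ccache would be tighter.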
--
2.0.5

2015-03-25 02:24:44

by Jason Zaman

Subject: [refpolicy] [PATCH 4/6] rpc: allow setgid capability

rpc.gssd needs to be able to setgid; otherwise using a kerberized NFS
mount fails with permission denied.

errors:
rpc.gssd[22887]: WARNING: unable to drop supplimentary groups!
rpc.gssd[22887]: WARNING: failed to change identity: Operation not permitted

denials:
type=AVC msg=audit(1427206637.030:9956): avc: denied { setgid } for
pid=22887 comm="rpc.gssd" capability=6
scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t
tclass=capability permissive=0
type=SYSCALL msg=audit(1427206637.030:9956): arch=c000003e syscall=116
success=no exit=-1 a0=0 a1=0 a2=5111a30e20 a3=31fc5672090 items=0
ppid=22763 pid=22887 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
subj=system_u:system_r:gssd_t key=(null)
---
rpc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpc.te b/rpc.te
index e2ea2eb..de897fd 100644
--- a/rpc.te
+++ b/rpc.te
@@ -278,7 +278,7 @@ optional_policy(`
# GSSD local policy
#

-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
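Review bot: keep the capability set sorted: `{ dac_override dac_read_search setgid setuid sys_nice }` rather than inserting setgid after setuid. The grant itself is supported by the quoted denial: capability=6 is CAP_SETGID, and syscall=116 on arch=c000003e is setgroups, which matches the "unable to drop supplimentary groups" warning in the commit message.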

--
2.0.5

2015-03-25 02:24:45

by Jason Zaman

Subject: [refpolicy] [PATCH 5/6] virt: add virt_tmpfs_t type and permissions

virtd_t writes the SPICE shm file in tmpfs, so this allows access.

type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name }
for pid=24933 comm="qemu-system-x86" name="spice.24933"
scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for
pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
ino=638614 scontext=system_u:system_r:virtd_t
tcontext=system_u:object_r:tmpfs_t tclass=file
---
virt.te | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/virt.te b/virt.te
index cb868d5..b20eb1c 100644
--- a/virt.te
+++ b/virt.te
@@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
type virt_tmp_t;
files_tmp_file(virt_tmp_t)

+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
type virt_var_run_t;
files_pid_file(virt_var_run_t)
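Review bot: the quoted AVCs show comm="qemu-system-x86" with scontext virtd_t, i.e. the qemu process had not transitioned out of virtd_t when it touched /dev/shm. Confirm that is the intended configuration, and say so in the commit message, before adding a type whose only consumer is virtd_t; if qemu is supposed to run in its own domain, the tmpfs access belongs to that domain and this type would be mislabelled.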

@@ -480,6 +483,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })

+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+
# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
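Review bot: the AVCs justify creating and writing a file directly under /dev/shm (add_name on the tmpfs_t directory, which fs_tmpfs_filetrans covers, plus write on the file), but nothing in them shows virtd_t creating subdirectories, so manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) and the `dir` class in fs_tmpfs_filetrans are not backed by the evidence; restrict this hunk to files unless a directory denial is also known.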
--
2.0.5

2015-03-25 02:24:46

by Jason Zaman

Subject: [refpolicy] [PATCH 6/6] introduce virt_leaseshelper_t

---
dnsmasq.te | 1 +
virt.fc | 1 +
virt.if | 20 ++++++++++++++++++++
virt.te | 23 +++++++++++++++++++++++
4 files changed, 45 insertions(+)

diff --git a/dnsmasq.te b/dnsmasq.te
index fbfe09f..eb3c7f8 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -127,4 +127,5 @@ optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ virt_domtrans_leaseshelper(dnsmasq_t)
')
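Review bot: this is the only transition into virt_leaseshelper_t, and the patch has no commit message; it should state that the helper is executed by dnsmasq (hence the domtrans from dnsmasq_t rather than from virtd_t), since that determines which domain's descriptors and pipes the helper inherits and therefore which fd/fifo rules the new domain needs in virt.te.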
diff --git a/virt.fc b/virt.fc
index a4f20bc..b38007b 100644
--- a/virt.fc
+++ b/virt.fc
@@ -18,6 +18,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t

/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)

/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
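Review bot: keep the /usr/libexec entries sorted; /usr/libexec/libvirt_leaseshelper belongs between libvirt_lxc and qemu-bridge-helper, not after qemu-bridge-helper. While touching this block, note that the existing qemu-bridge-helper line has no `--` file-type field although both libvirt_* entries do; not introduced here, but worth aligning.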
diff --git a/virt.if b/virt.if
index facdee8..fd087b9 100644
--- a/virt.if
+++ b/virt.if
@@ -188,6 +188,26 @@ interface(`virt_domtrans_bridgehelper',`

########################################
## <summary>
+## Execute a domain transition to
+## run virt bridgehelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_leaseshelper',`
+ gen_require(`
+ type virt_leaseshelper_t, virt_leaseshelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t)
+')
+
+########################################
+## <summary>
## Execute bridgehelper in the bridgehelper
## domain, and allow the specified role
## the bridgehelper domain.
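Review bot: the summary for virt_domtrans_leaseshelper reads "run virt bridgehelper", copied from the interface above it; it should read "run virt leaseshelper". The body is right (corecmd_search_bin plus domtrans_pattern onto virt_leaseshelper_exec_t / virt_leaseshelper_t).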
diff --git a/virt.te b/virt.te
index b20eb1c..c1662f5 100644
--- a/virt.te
+++ b/virt.te
@@ -166,6 +166,12 @@ domain_type(virt_bridgehelper_t)
domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
role virt_bridgehelper_roles types virt_bridgehelper_t;

+type virt_leaseshelper_t;
+type virt_leaseshelper_exec_t;
+domain_type(virt_leaseshelper_t)
+domain_entry_file(virt_leaseshelper_t, virt_leaseshelper_exec_t)
+role system_r types virt_leaseshelper_t;
+
type virtd_lxc_t;
type virtd_lxc_exec_t;
init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
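Review bot: unlike virt_bridgehelper_t just above, which is tied to the virt_bridgehelper_roles attribute, this domain is hard-wired to system_r with `role system_r types virt_leaseshelper_t;`. That is consistent with the only caller being dnsmasq_t, but say so in the commit message: any future caller from a user role would need a role statement and a role-aware interface, and the virt.if interface added here takes no role parameter.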
@@ -1216,3 +1222,20 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t)

userdom_search_user_home_dirs(virt_bridgehelper_t)
userdom_use_user_ptys(virt_bridgehelper_t)
+
+########################################
+#
+# Leaseshelper local policy
+#
+
+allow virt_leaseshelper_t virtd_t:fd use;
+allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })
+
+manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+
+kernel_dontaudit_read_system_state(virt_leaseshelper_t)
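Review bot: the fd and fifo rules target virtd_t (`allow virt_leaseshelper_t virtd_t:fd use;` and `virtd_t:fifo_file write_fifo_file_perms`), yet the only transition into this domain is from dnsmasq_t in the dnsmasq.te hunk. Descriptors created by virtd_t can reach the helper through dnsmasq, so those rules may be right, but anything dnsmasq_t opens itself carries a dnsmasq_t label; check whether a dnsmasq_t:fd use rule (or a dontaudit) is also needed, and record the reasoning in the commit message. Separately, manage_dirs/manage_files on virt_var_lib_t covers all of /var/lib/libvirt, which is broader than the lease data the helper writes; a narrower type would follow least privilege.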
--
2.0.5

2015-03-25 12:27:43

by cpebenito

Subject: [refpolicy] [PATCH 1/6] rpcbind: typo fix

On 3/24/2015 10:24 PM, Jason Zaman wrote:
> ---
> rpcbind.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/rpcbind.if b/rpcbind.if
> index 1a1cb99..f78fef0 100644
> --- a/rpcbind.if
> +++ b/rpcbind.if
> @@ -21,7 +21,7 @@ interface(`rpcbind_domtrans',`
>
> ########################################
> ## <summary>
> -## Connect to rpcbindd with a
> +## Connect to rpcbind with a
> ## unix domain stream socket.
> ## </summary>
> ## <param name="domain">

This set is merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-03-25 12:50:37

by Dac Override

Subject: [refpolicy] [PATCH 5/6] virt: add virt_tmpfs_t type and permissions

On Wed, Mar 25, 2015 at 10:24:45AM +0800, Jason Zaman wrote:
> virtd_t writes the spice shm file in tmpfs so this allows access.

Cool, so why are you also adding an extra rule allowing it to maintain tmpfs dirs?

>
> type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name }
> for pid=24933 comm="qemu-system-x86" name="spice.24933"
> scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
> tclass=dir
> type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for
> pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
> ino=638614 scontext=system_u:system_r:virtd_t
> tcontext=system_u:object_r:tmpfs_t tclass=file
> ---
> virt.te | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/virt.te b/virt.te
> index cb868d5..b20eb1c 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
> type virt_tmp_t;
> files_tmp_file(virt_tmp_t)
>
> +type virt_tmpfs_t;
> +files_tmpfs_file(virt_tmpfs_t)
> +
> type virt_var_run_t;
> files_pid_file(virt_var_run_t)
>
> @@ -480,6 +483,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
>
> +manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
> +
> # This needs a file context specification
> manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
> manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
> --
> 2.0.5
>

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift