Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
---
policy/mcs | 3 +++
policy/mls | 8 ++++++++
policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
policy/modules/kernel/mls.te | 3 +++
4 files changed, 55 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain key { create link read search setattr view write }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
#
# MCS policy for SELinux-enabled databases
#
diff --git a/policy/mls b/policy/mls
index 69ca7263..2dadd205 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
# { ipc sem msgq shm } associate
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+ (( l1 eq l2 ) or
+ (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlskeywrite ));
#
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3929ffc4..b09c0a5a 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
########################################
## <summary>
+## Make specified domain MLS trusted
+## for writing to keys up to
+## its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_to_clearance',`
+ gen_require(`
+ attribute mlskeywritetoclr;
+ ')
+
+ typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to keys at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_all_levels',`
+ gen_require(`
+ attribute mlskeywrite;
+ ')
+
+ typeattribute $1 mlskeywrite;
+')
+
+########################################
+## <summary>
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 15e50a36..e879ddd3 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
--
2.13.6
Mostly taken from the fedora rawhide policy
---
policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
policy/modules/services/ssh.if | 1 +
policy/modules/services/ssh.te | 1 +
policy/modules/services/xserver.if | 18 +++++++++
policy/modules/services/xserver.te | 1 +
policy/modules/system/authlogin.te | 2 +
policy/modules/system/locallogin.te | 1 +
policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
8 files changed, 133 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 25467d0a..843b26e3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
########################################
## <summary>
+## Allow view the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
+## dontaudit view the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
## Allows caller to read the ring buffer.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index aa906680..4f20137a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -338,6 +338,7 @@ template(`ssh_role_template',`
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5b939d0c..eaabdcd7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key manage_key_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e0c5be82..e70046db 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Manage keys for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key { read write setattr };
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 758292be..ef56563c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
+kernel_view_key(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 11a8ec1c..0f4ee19f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,6 +419,8 @@ optional_policy(`
# nsswitch_domain local policy
#
+allow nsswitch_domain self:key manage_key_perms;
+
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5a0c508f..269a61e0 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
+ xserver_rw_xdm_keys(local_login_t)
')
#################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 750bc722..efb31d0a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
+ allow $1_t self:key manage_key_perms;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
+## Read keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key read;
+')
+
+########################################
+## <summary>
+## Write keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key write;
+')
+
+########################################
+## <summary>
+## Read and write keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key { read view write };
+')
+
+########################################
+## <summary>
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
########################################
## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
--
2.13.6
kernel AVC:
* Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
* start-stop-daemon: failed to start `gssproxy'
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
---
policy/modules/kernel/kernel.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 0fc74648..22d1ebaf 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
+ optional_policy(`
+ gssproxy_stream_connect(kernel_t)
+ ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 93c9ee5f..d25dd34b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -455,6 +455,10 @@ optional_policy(`
')
optional_policy(`
+ gssproxy_admin(sysadm_t)
+')
+
+optional_policy(`
hadoop_role(sysadm_r, sysadm_t)
')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index efb31d0a..49eff3a6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
')
optional_policy(`
+ gssproxy_stream_connect($1_t)
+ ')
+
+ optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')
--
2.13.6
On 11/02/2017 01:30 PM, Jason Zaman wrote:
> Taken from fedoras policy
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
> ---
> policy/mcs | 3 +++
> policy/mls | 8 ++++++++
> policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/mls.te | 3 +++
> 4 files changed, 55 insertions(+)
>
> diff --git a/policy/mcs b/policy/mcs
> index 4d030112..94319570 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -123,6 +123,9 @@ mlsconstrain process { signal }
> mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>
> +mlsconstrain key { create link read search setattr view write }
> + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
> #
> # MCS policy for SELinux-enabled databases
> #
> diff --git a/policy/mls b/policy/mls
> index 69ca7263..2dadd205 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -281,6 +281,14 @@ mlsconstrain msg send
> # { ipc sem msgq shm } associate
>
>
> +#
> +# MLS policy for the key class
> +#
> +
> +mlsconstrain key { create link read search setattr view write }
> + (( l1 eq l2 ) or
> + (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> + ( t1 == mlskeywrite ));
>
>
> #
> diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
> index 3929ffc4..b09c0a5a 100644
> --- a/policy/modules/kernel/mls.if
> +++ b/policy/modules/kernel/mls.if
> @@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
>
> ########################################
> ## <summary>
> +## Make specified domain MLS trusted
> +## for writing to keys up to
> +## its clearance.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_key_write_to_clearance',`
> + gen_require(`
> + attribute mlskeywritetoclr;
> + ')
> +
> + typeattribute $1 mlskeywritetoclr;
> +')
> +
> +########################################
> +## <summary>
> +## Make specified domain MLS trusted
> +## for writing to keys at all levels.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_key_write_all_levels',`
> + gen_require(`
> + attribute mlskeywrite;
> + ')
> +
> + typeattribute $1 mlskeywrite;
> +')
> +
> +########################################
> +## <summary>
> ## Allow the specified domain to do a MLS
> ## range transition that changes
> ## the current level.
> diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
> index 15e50a36..e879ddd3 100644
> --- a/policy/modules/kernel/mls.te
> +++ b/policy/modules/kernel/mls.te
> @@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
> attribute mlsipcwrite;
> attribute mlsipcwritetoclr;
>
> +attribute mlskeywrite;
> +attribute mlskeywritetoclr;
> +
> attribute mlsprocread;
> attribute mlsprocreadtoclr;
> attribute mlsprocwrite;
Merged.
--
Chris PeBenito
On 11/02/2017 01:30 PM, Jason Zaman wrote:
> Mostly taken from the fedora rawhide policy
> ---
> policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
> policy/modules/services/ssh.if | 1 +
> policy/modules/services/ssh.te | 1 +
> policy/modules/services/xserver.if | 18 +++++++++
> policy/modules/services/xserver.te | 1 +
> policy/modules/system/authlogin.te | 2 +
> policy/modules/system/locallogin.te | 1 +
> policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
> 8 files changed, 133 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 25467d0a..843b26e3 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
>
> ########################################
> ## <summary>
> +## Allow view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_view_key',`
> + gen_require(`
> + type kernel_t;
> + ')
> +
> + allow $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
> +## dontaudit view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_view_key',`
> + gen_require(`
> + type kernel_t;
> + ')
> +
> + dontaudit $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
> ## Allows caller to read the ring buffer.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index aa906680..4f20137a 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -338,6 +338,7 @@ template(`ssh_role_template',`
> # for rsync
> allow ssh_t $3:unix_stream_socket rw_socket_perms;
> allow ssh_t $3:unix_stream_socket connectto;
> + allow ssh_t $3:key manage_key_perms;
>
> # user can manage the keys and config
> manage_files_pattern($3, ssh_home_t, ssh_home_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 5b939d0c..eaabdcd7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
> allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow ssh_t self:fd use;
> allow ssh_t self:fifo_file rw_fifo_file_perms;
> +allow ssh_t self:key manage_key_perms;
> allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
> allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow ssh_t self:shm create_shm_perms;
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e0c5be82..e70046db 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Manage keys for xdm.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_rw_xdm_keys',`
> + gen_require(`
> + type xdm_t;
> + ')
> +
> + allow $1 xdm_t:key { read write setattr };
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 758292be..ef56563c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
> kernel_read_kernel_sysctls(xdm_t)
> kernel_read_net_sysctls(xdm_t)
> kernel_read_network_state(xdm_t)
> +kernel_view_key(xdm_t)
>
> corecmd_exec_shell(xdm_t)
> corecmd_exec_bin(xdm_t)
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 11a8ec1c..0f4ee19f 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -419,6 +419,8 @@ optional_policy(`
> # nsswitch_domain local policy
> #
>
> +allow nsswitch_domain self:key manage_key_perms;
> +
> files_list_var_lib(nsswitch_domain)
>
> # read /etc/nsswitch.conf
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 5a0c508f..269a61e0 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -209,6 +209,7 @@ optional_policy(`
> optional_policy(`
> xserver_read_xdm_tmp_files(local_login_t)
> xserver_rw_xdm_tmp_files(local_login_t)
> + xserver_rw_xdm_keys(local_login_t)
> ')
>
> #################################
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 750bc722..efb31d0a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
>
> allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
> allow $1_t self:fd use;
> + allow $1_t self:key manage_key_perms;
> allow $1_t self:fifo_file rw_fifo_file_perms;
> allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
> allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
>
> ########################################
> ## <summary>
> +## Read keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_read_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key read;
> +')
> +
> +########################################
> +## <summary>
> +## Write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_write_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key write;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_rw_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key { read view write };
> +')
> +
> +########################################
> +## <summary>
> ## Create keys for all user domains.
> ## </summary>
> ## <param name="domain">
> @@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
>
> ########################################
> ## <summary>
> +## Manage keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_manage_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key manage_key_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Send a dbus message to all user domains.
> ## </summary>
> ## <param name="domain">
Merged.
--
Chris PeBenito
On 11/02/2017 01:30 PM, Jason Zaman wrote:
> kernel AVC:
> * Starting gssproxy ...
> Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
> * start-stop-daemon: failed to start `gssproxy'
>
> type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
> ---
> policy/modules/kernel/kernel.te | 4 ++++
> policy/modules/roles/sysadm.te | 4 ++++
> policy/modules/system/userdomain.if | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 0fc74648..22d1ebaf 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -423,6 +423,10 @@ optional_policy(`
> rpc_tcp_rw_nfs_sockets(kernel_t)
> rpc_udp_rw_nfs_sockets(kernel_t)
>
> + optional_policy(`
> + gssproxy_stream_connect(kernel_t)
> + ')
> +
> tunable_policy(`nfs_export_all_ro',`
> fs_getattr_noxattr_fs(kernel_t)
> fs_list_noxattr_fs(kernel_t)
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 93c9ee5f..d25dd34b 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -455,6 +455,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gssproxy_admin(sysadm_t)
> +')
> +
> +optional_policy(`
> hadoop_role(sysadm_r, sysadm_t)
> ')
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index efb31d0a..49eff3a6 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
> ')
>
> optional_policy(`
> + gssproxy_stream_connect($1_t)
> + ')
> +
> + optional_policy(`
> hwloc_exec_dhwd($1_t)
> hwloc_read_runtime_files($1_t)
> ')
Merged.
--
Chris PeBenito