2014-11-22 21:16:33

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/8] Some simple core policy updates

This is a small set of policy updates that have been in the Gentoo policy for a while and are ready for upstreaming.

Added the auth_pid_filetrans_pam_var_run as Nicolas Iooss correctly found; shame that I missed it, I checked it against the wrong repository :(

Sven Vermeulen (8):
Run grub(2)-mkconfig in bootloader domain
Add auth_pid_filetrans_pam_var_run
New sudo manages timestamp directory in /var/run/sudo
xfce4-notifyd is an executable
Mark f2fs as a SELinux capable file system
Add in LightDM contexts
Add gdisk and efibootmgr as fsadm_exec_t
Add /var/lib/racoon as runtime directory for ipsec

policy/modules/admin/bootloader.fc | 1 +
policy/modules/admin/sudo.if | 3 ++-
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/kernel/filesystem.te | 1 +
policy/modules/services/xserver.fc | 7 +++++++
policy/modules/system/authlogin.if | 31 +++++++++++++++++++++++++++++++
policy/modules/system/fstools.fc | 2 ++
policy/modules/system/ipsec.fc | 2 ++
8 files changed, 47 insertions(+), 1 deletion(-)

--
2.0.4


2014-11-22 21:16:34

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/8] Run grub(2)-mkconfig in bootloader domain

In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
---
policy/modules/admin/bootloader.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931..d908d56 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -9,4 +9,5 @@
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
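Review bot: the new `/usr/sbin/grub2?-mkconfig` pattern follows the `grub2?-` convention of the adjacent entries, so both grub-mkconfig and grub2-mkconfig get bootloader_exec_t; since grub-mkconfig is a shell script that in turn runs grub-probe (already bootloader_exec_t above) and the /etc/grub.d generators, please confirm bootloader.te already lets bootloader_t execute shell and bin_t files, otherwise the domain transition succeeds but the script fails on its first helper call.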
--
2.0.4

2014-11-22 21:16:35

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/8] Add auth_pid_filetrans_pam_var_run

---
policy/modules/system/authlogin.if | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..f05d7bf 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1004,6 +1004,37 @@ interface(`auth_dontaudit_read_pam_pid',`

########################################
## <summary>
+## Create specified objects in
+## pid directories with the pam var
+## run file type using a
+## file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_run',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ files_pid_filetrans($1, pam_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
## Delete pam PID files.
## </summary>
## <param name="domain">
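Review bot: the summary should say that this interface only installs the name-based type transition via files_pid_filetrans and grants no create permission on pam_var_run_t objects itself, so a caller must pair it with auth_manage_pam_pid (or equivalent), as patch 3/8 in this series does; the `name` parameter being optional matches the other *_filetrans interfaces, and the placement before "Delete pam PID files" keeps the interface grouping consistent.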
--
2.0.4

2014-11-22 21:16:36

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 3/8] New sudo manages timestamp directory in /var/run/sudo

Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
---
policy/modules/admin/sudo.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..2ee052b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
#

# Use capabilities.
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
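Review bot: `chown` is granted to every `$1_sudo_t` role domain unconditionally rather than only for the sudo 1.8.9_p5+ behaviour the commit message describes; since the domain already holds dac_override and fowner this is a small widening, but a one-line comment next to "# Use capabilities." saying that chown is for the /var/run/sudo timestamp directory would keep the reason discoverable later.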
@@ -117,6 +117,7 @@ template(`sudo_role_template',`
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
+ auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
auth_use_nsswitch($1_sudo_t)

init_rw_utmp($1_sudo_t)
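Review bot: the comment "# sudo stores a token in the pam_pid directory" now covers two calls; extend it to mention that the new `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` line labels a freshly created /var/run/sudo as pam_var_run_t, and confirm that authlogin.fc carries a matching `/var/run/sudo(/.*)?` pam_var_run_t context so that restorecon agrees with the runtime transition; this hunk also depends on patch 2/8 being applied first, which the series order satisfies.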
--
2.0.4

2014-11-22 21:16:37

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 4/8] xfce4-notifyd is an executable

---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index c860d81..958fad7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -239,6 +239,7 @@ ifdef(`distro_gentoo',`
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/session/balou-export-theme -- gen_context(system_u:object_r:bin_t,s0)
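Review bot: the entry is in alphabetical position and matches the form of the neighbouring xfce4 helper entries, but the hunk header shows it lands inside ifdef(`distro_gentoo'); if /usr/lib/xfce4/notifyd/xfce4-notifyd is where upstream xfce4-notifyd installs on other distributions as well, consider placing it outside the Gentoo block so the bin_t label applies everywhere.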
--
2.0.4

2014-11-22 21:16:38

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 5/8] Mark f2fs as a SELinux capable file system

Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb7..fd1e7fe 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -27,6 +27,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
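Review bot: the `fs_use_xattr f2fs` statement is correctly ordered between ext4dev and gfs, and it is unconditional, so on kernels older than the 3.11 security-xattr support cited in the commit message f2fs files would appear as unlabeled_t and setfiles/restorecon would fail on them; that is acceptable for a policy targeting current kernels, but it is worth a note in the commit message.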
--
2.0.4

2014-11-22 21:16:39

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 6/8] Add in LightDM contexts

---
policy/modules/services/xserver.fc | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 3fe4eef..71b307c 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -22,6 +22,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)

+/etc/lightdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
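Review bot: the `/etc/lightdm/Xsession` entry is inserted between the gdm and kde blocks, which breaks the alphabetical order the file otherwise keeps in this region; move it after the `/etc/kde[34]?/kdm/` entries.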
@@ -92,12 +94,16 @@ ifndef(`distro_debian',`

/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)

+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)

/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
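Review bot: the hunk header shows these lines sit under ifndef(`distro_debian'), so please confirm the lightdm entries are not inside the Debian exclusion, since LightDM is common on Debian-based systems; also `/var/cache/lightdm(/.*)?` reuses xdm_var_lib_t for a cache directory, which is fine if no dedicated cache type exists, but a short commit-message note on that choice would help, and the /var/lib and /var/log additions are correctly ordered relative to lxdm.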
@@ -107,6 +113,7 @@ ifndef(`distro_debian',`
/var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
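Review bot: `/var/run/lightdm(/.*)?` covers the runtime directory but, unlike the gdm and lxdm entries just above and below, there is no `/var/run/lightdm\.pid` entry; if LightDM writes its pid file directly under /var/run, add one so it gets xdm_var_run_t rather than the generic var_run_t label.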
--
2.0.4

2014-11-22 21:16:40

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 7/8] Add gdisk and efibootmgr as fsadm_exec_t

---
policy/modules/system/fstools.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 3101274..d10368d 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -51,8 +51,10 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
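Review bot: both entries are placed alphabetically and the hunk adds `/usr/sbin/gdisk`, so the subject line's "gfisk" is a typo to fix before merging; efibootmgr differs from the other fsadm_exec_t tools in that it edits EFI variables rather than block devices, so please confirm fsadm_t is allowed to read and write the EFI variable interface the kernel exposes, otherwise the transition labels the binary correctly but the tool cannot do its job.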
--
2.0.4

2014-11-22 21:16:41

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 8/8] Add /var/lib/racoon as runtime directory for ipsec

---
policy/modules/system/ipsec.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..0f1e351 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -31,6 +31,8 @@
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)

+/var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)

/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
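Review bot: labelling a /var/lib path with a *_var_run_t type is unusual and will surprise readers of ipsec.fc; the subject says racoon uses /var/lib/racoon as a runtime directory, so state in the commit message what racoon keeps there (its socket or state files) and confirm that racoon_t already has manage permissions on ipsec_var_run_t dirs, files and sockets, or the new label will simply move the denials.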
--
2.0.4

2014-12-02 15:31:26

by cpebenito

Subject: [refpolicy] [PATCH v2 0/8] Some simple core policy updates

On 11/22/2014 4:16 PM, Sven Vermeulen wrote:
> This is a small set of policy updates that have been in the Gentoo policy for a while and are ready for upstreaming.
>
> Added the auth_pid_filetrans_pam_var_run as Nicolas Iooss correctly found; shame that I missed it, I checked it against the wrong repository :(
>
> Sven Vermeulen (8):
> Run grub(2)-mkconfig in bootloader domain
> Add auth_pid_filetrans_pam_var_run
> New sudo manages timestamp directory in /var/run/sudo
> xfce4-notifyd is an executable
> Mark f2fs as a SELinux capable file system
> Add in LightDM contexts
> Add gdisk and efibootmgr as fsadm_exec_t
> Add /var/lib/racoon as runtime directory for ipsec
>
> policy/modules/admin/bootloader.fc | 1 +
> policy/modules/admin/sudo.if | 3 ++-
> policy/modules/kernel/corecommands.fc | 1 +
> policy/modules/kernel/filesystem.te | 1 +
> policy/modules/services/xserver.fc | 7 +++++++
> policy/modules/system/authlogin.if | 31 +++++++++++++++++++++++++++++++
> policy/modules/system/fstools.fc | 2 ++
> policy/modules/system/ipsec.fc | 2 ++
> 8 files changed, 47 insertions(+), 1 deletion(-)

This set is merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com