* [refpolicy] [PATCH 1/6] rpcbind: typo fix
From: Jason Zaman @ 2015-03-25  2:24 UTC (permalink / raw)
  To: refpolicy

---
 rpcbind.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpcbind.if b/rpcbind.if
index 1a1cb99..f78fef0 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -21,7 +21,7 @@ interface(`rpcbind_domtrans',`
 
 ########################################
 ## <summary>
-##	Connect to rpcbindd with a
+##	Connect to rpcbind with a
 ##	unix domain stream socket.
 ## </summary>
 ## <param name="domain">
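Review bot: the commit message body is empty; even for a one-word doc fix, a single line saying that "rpcbindd" in the summary was a typo for "rpcbind" makes the history searchable. Note that the hunk header `interface(`rpcbind_domtrans',` is only context: the summary being corrected is the doc block of the interface that follows rpcbind_domtrans in rpcbind.if, so no other text in that interface needs to change.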
-- 
2.0.5


* [refpolicy] [PATCH 2/6] git: make inetd interface optional
From: Jason Zaman @ 2015-03-25  2:24 UTC (permalink / raw)
  To: refpolicy

git-daemon can be run without inetd; this patch makes the
interface optional so that git.pp can be loaded without inetd.
---
 git.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/git.te b/git.te
index 084ac9d..a93c976 100644
--- a/git.te
+++ b/git.te
@@ -86,7 +86,6 @@ apache_content_template(git)
 
 type git_system_t, git_daemon;
 type gitd_exec_t;
-inetd_service_domain(git_system_t, gitd_exec_t)
 init_daemon_domain(git_system_t, gitd_exec_t)
 
 type git_session_t, git_daemon;
@@ -122,6 +121,10 @@ auth_use_nsswitch(git_session_t)
 
 userdom_use_user_terminals(git_session_t)
 
+optional_policy(`
+	inetd_service_domain(git_system_t, gitd_exec_t)
+')
+
 tunable_policy(`git_session_bind_all_unreserved_ports',`
 	corenet_sendrecv_all_server_packets(git_session_t)
 	corenet_tcp_bind_all_unreserved_ports(git_session_t)
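Review bot: the new optional_policy block is placed in the wrong section: it sits between `userdom_use_user_terminals(git_session_t)` and `tunable_policy(`git_session_bind_all_unreserved_ports',`, both of which belong to the git_session_t policy, yet it declares rules for git_system_t. Move it into the git_system_t local policy section, next to the other optional_policy blocks there, so a reader looking at the system daemon's rules finds the inetd dependency where it applies. The removal of the unconditional `inetd_service_domain(git_system_t, gitd_exec_t)` in the first hunk is otherwise fine, since `init_daemon_domain(git_system_t, gitd_exec_t)` still declares the domain and entrypoint when inetd is absent.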
-- 
2.0.5


* [refpolicy] [PATCH 3/6] rpc: introduce allow_gssd_write_tmp boolean
From: Jason Zaman @ 2015-03-25  2:24 UTC (permalink / raw)
  To: refpolicy

gssd needs to be able to write the user's kerberos token
into the ticket cache, which is stored in /tmp.

type=AVC msg=audit(1427206305.314:9914): avc:  granted  { read write
open } for  pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000"
dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file
---
 rpc.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/rpc.te b/rpc.te
index 1a6dcc0..e2ea2eb 100644
--- a/rpc.te
+++ b/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
 
 ## <desc>
 ##	<p>
+##	Determine whether gssd can write
+##	generic user temporary content.
+##	</p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+##	<p>
 ##	Determine whether nfs can modify
 ##	public files used for public file
 ##	transfer services. Directories/Files must
@@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
 	userdom_read_user_tmp_symlinks(gssd_t)
 ')
 
+tunable_policy(`allow_gssd_write_tmp',`
+	userdom_list_user_tmp(gssd_t)
+	userdom_rw_user_tmp_files(gssd_t)
+')
+
 optional_policy(`
 	automount_signal(gssd_t)
 ')
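Review bot: the tunable's scope is wider than the audit record justifies, and the <desc> in the first hunk should say so. The AVC shows rpc.gssd opening one existing credential cache, /tmp/krb5cc_1000 labelled user_tmp_t, for { read write open }; `userdom_rw_user_tmp_files(gssd_t)` grants read/write on every user's user_tmp_t files, not just the cache belonging to the user whose NFS request is being serviced. Keeping the default at false is right; the description "Determine whether gssd can write generic user temporary content" would be clearer as a statement that enabling it lets gssd modify any user's temporary files, so that administrators weigh that before turning it on. Also note that the rules cover open/read/write only: if gssd ever has to create the cache rather than open an existing one, this boolean will not be sufficient, which is fine as long as that is the intended limit.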
-- 
2.0.5


* [refpolicy] [PATCH 4/6] rpc: allow setgid capability
From: Jason Zaman @ 2015-03-25  2:24 UTC (permalink / raw)
  To: refpolicy

rpc.gssd needs to be able to setgid; otherwise using a kerberized nfs
mount fails with permission denied.

errors:
rpc.gssd[22887]: WARNING: unable to drop supplimentary groups!
rpc.gssd[22887]: WARNING: failed to change identity: Operation not permitted

denials:
type=AVC msg=audit(1427206637.030:9956): avc:  denied  { setgid } for
pid=22887 comm="rpc.gssd" capability=6
scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t
tclass=capability permissive=0
type=SYSCALL msg=audit(1427206637.030:9956): arch=c000003e syscall=116
success=no exit=-1 a0=0 a1=0 a2=5111a30e20 a3=31fc5672090 items=0
ppid=22763 pid=22887 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
subj=system_u:system_r:gssd_t key=(null)
---
 rpc.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpc.te b/rpc.te
index e2ea2eb..de897fd 100644
--- a/rpc.te
+++ b/rpc.te
@@ -278,7 +278,7 @@ optional_policy(`
 # GSSD local policy
 #
 
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
-- 
2.0.5


* [refpolicy] [PATCH 5/6] virt: add virt_tmpfs_t type and permissions
From: Jason Zaman @ 2015-03-25  2:24 UTC (permalink / raw)
  To: refpolicy

virtd_t writes the spice shm file in tmpfs, so this allows access.

type=AVC msg=audit(1427209364.960:10357): avc:  granted  { add_name }
for  pid=24933 comm="qemu-system-x86" name="spice.24933"
scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
type=AVC msg=audit(1427209364.960:10357): avc:  granted  { write } for
pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
ino=638614 scontext=system_u:system_r:virtd_t
tcontext=system_u:object_r:tmpfs_t tclass=file
---
 virt.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/virt.te b/virt.te
index cb868d5..b20eb1c 100644
--- a/virt.te
+++ b/virt.te
@@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
 type virt_tmp_t;
 files_tmp_file(virt_tmp_t)
 
+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
 type virt_var_run_t;
 files_pid_file(virt_var_run_t)
 
@@ -480,6 +483,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
 
+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+
 # This needs a file context specification
 manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
 manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
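Review bot: the second hunk grants more than the audit records show. The two AVCs are { add_name } on a tmpfs_t directory and { write } on the file /dev/shm/spice.24933, i.e. creating and writing one file directly in /dev/shm; that is covered by `manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)` plus a file-only transition, `fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, file)`. The `manage_dirs_pattern` line and the `dir` class in the filetrans let virtd_t create and manage whole virt_tmpfs_t directory trees under tmpfs with no record justifying it; either drop them or state in the commit message which directory operation needs them. Separately, both records carry comm="qemu-system-x86" with scontext=system_u:system_r:virtd_t, so the writer is the qemu process itself running in virtd_t rather than libvirtd; if qemu is expected to run in its own domain on this system, these rules would be papering over a missing domain transition, which is worth confirming before merging.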
-- 
2.0.5


* [refpolicy] [PATCH 6/6] introduce virt_leaseshelper_t
From: Jason Zaman @ 2015-03-25  2:24 UTC (permalink / raw)
  To: refpolicy

---
 dnsmasq.te |  1 +
 virt.fc    |  1 +
 virt.if    | 20 ++++++++++++++++++++
 virt.te    | 23 +++++++++++++++++++++++
 4 files changed, 45 insertions(+)

diff --git a/dnsmasq.te b/dnsmasq.te
index fbfe09f..eb3c7f8 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -127,4 +127,5 @@ optional_policy(`
 	virt_manage_lib_files(dnsmasq_t)
 	virt_read_pid_files(dnsmasq_t)
 	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+	virt_domtrans_leaseshelper(dnsmasq_t)
 ')
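Review bot: the commit message body is empty, and this is the patch in the series that most needs one. The dnsmasq.te hunk makes dnsmasq_t transition to a brand-new domain, so the message should state what libvirt_leaseshelper does (the program dnsmasq invokes when a DHCP lease changes) and why it gets its own domain instead of running as dnsmasq_t, namely that the helper writes into the libvirt state directories (virt_var_lib_t and virt_var_run_t, per the virt.te hunk below) and dnsmasq_t should not hold that access itself. Placing the call inside the existing `optional_policy(` block for virt is correct, since the interface only exists when the virt module is loaded.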
diff --git a/virt.fc b/virt.fc
index a4f20bc..b38007b 100644
--- a/virt.fc
+++ b/virt.fc
@@ -18,6 +18,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t
 
 /usr/libexec/libvirt_lxc	--	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
 /usr/libexec/qemu-bridge-helper	gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/libvirt_leaseshelper	--	gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
 
 /usr/bin/virsh	--	gen_context(system_u:object_r:virsh_exec_t,s0)
 /usr/bin/virt-sandbox-service.*	--	gen_context(system_u:object_r:virsh_exec_t,s0)
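Review bot: ordering in virt.fc: the surrounding /usr/libexec entries are sorted by path, and `libvirt_leaseshelper` sorts before `libvirt_lxc`, so the new line belongs above the libvirt_lxc entry rather than after qemu-bridge-helper. The entry itself (file-only `--` specifier and virt_leaseshelper_exec_t) matches the type declared in virt.te.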
diff --git a/virt.if b/virt.if
index facdee8..fd087b9 100644
--- a/virt.if
+++ b/virt.if
@@ -188,6 +188,26 @@ interface(`virt_domtrans_bridgehelper',`
 
 ########################################
 ## <summary>
+##	Execute a domain transition to
+##	run virt bridgehelper.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`virt_domtrans_leaseshelper',`
+	gen_require(`
+		type virt_leaseshelper_t, virt_leaseshelper_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t)
+')
+
+########################################
+## <summary>
 ##	Execute bridgehelper in the bridgehelper
 ##	domain, and allow the specified role
 ##	the bridgehelper domain.
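Review bot: the summary of the new interface is a copy-paste error: it reads "Execute a domain transition to run virt bridgehelper." but the interface is `virt_domtrans_leaseshelper` and transitions to virt_leaseshelper_t, so it should read "run virt leaseshelper." The generated interface documentation is built from these blocks, so the wrong text would be published. The body itself is right: `corecmd_search_bin($1)` plus `domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t)` is the standard shape, and domtrans_pattern already grants the new domain use of the caller's file descriptors.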
diff --git a/virt.te b/virt.te
index b20eb1c..c1662f5 100644
--- a/virt.te
+++ b/virt.te
@@ -166,6 +166,12 @@ domain_type(virt_bridgehelper_t)
 domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
 role virt_bridgehelper_roles types virt_bridgehelper_t;
 
+type virt_leaseshelper_t;
+type virt_leaseshelper_exec_t;
+domain_type(virt_leaseshelper_t)
+domain_entry_file(virt_leaseshelper_t, virt_leaseshelper_exec_t)
+role system_r types virt_leaseshelper_t;
+
 type virtd_lxc_t;
 type virtd_lxc_exec_t;
 init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
@@ -1216,3 +1222,20 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 
 userdom_search_user_home_dirs(virt_bridgehelper_t)
 userdom_use_user_ptys(virt_bridgehelper_t)
+
+########################################
+#
+# Leaseshelper local policy
+#
+
+allow virt_leaseshelper_t virtd_t:fd use;
+allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })
+
+manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+
+kernel_dontaudit_read_system_state(virt_leaseshelper_t)
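Review bot: least-privilege concern in the leaseshelper local policy: `manage_dirs_pattern` and `manage_files_pattern` on virt_var_lib_t, together with `files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })`, give the helper full write access to everything libvirtd keeps under its var_lib type, not only the lease data it maintains; the same applies to `manage_files_pattern` on virt_var_run_t. If the lease files live in a dedicated subdirectory, a separate type for them (with the filetrans targeting that type) would confine the helper to what it actually updates; if the generic types are deliberate, say so in the commit message. The `allow virt_leaseshelper_t virtd_t:fd use;` and fifo_file rules are plausible because the helper is started by dnsmasq, which libvirtd itself spawns, so descriptors opened by virtd_t can reach it through dnsmasq_t; descriptors inherited directly from dnsmasq_t are already covered by the domtrans_pattern in the virt.if hunk.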
-- 
2.0.5


* [refpolicy] [PATCH 1/6] rpcbind: typo fix
From: Christopher J. PeBenito @ 2015-03-25 12:27 UTC (permalink / raw)
  To: refpolicy

On 3/24/2015 10:24 PM, Jason Zaman wrote:
> ---
>  rpcbind.if | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/rpcbind.if b/rpcbind.if
> index 1a1cb99..f78fef0 100644
> --- a/rpcbind.if
> +++ b/rpcbind.if
> @@ -21,7 +21,7 @@ interface(`rpcbind_domtrans',`
>  
>  ########################################
>  ## <summary>
> -##	Connect to rpcbindd with a
> +##	Connect to rpcbind with a
>  ##	unix domain stream socket.
>  ## </summary>
>  ## <param name="domain">

This set is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 5/6] virt: add virt_tmpfs_t type and permissions
From: Dominick Grift @ 2015-03-25 12:50 UTC (permalink / raw)
  To: refpolicy

On Wed, Mar 25, 2015 at 10:24:45AM +0800, Jason Zaman wrote:
> virtd_t writes the spice shm file in tmpfs so this allows access.

Cool, so why are you also adding an extra rule allowing it to maintain tmpfs dirs?

> 
> type=AVC msg=audit(1427209364.960:10357): avc:  granted  { add_name }
> for  pid=24933 comm="qemu-system-x86" name="spice.24933"
> scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
> tclass=dir
> type=AVC msg=audit(1427209364.960:10357): avc:  granted  { write } for
> pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
> ino=638614 scontext=system_u:system_r:virtd_t
> tcontext=system_u:object_r:tmpfs_t tclass=file
> ---
>  virt.te | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/virt.te b/virt.te
> index cb868d5..b20eb1c 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
>  type virt_tmp_t;
>  files_tmp_file(virt_tmp_t)
>  
> +type virt_tmpfs_t;
> +files_tmpfs_file(virt_tmpfs_t)
> +
>  type virt_var_run_t;
>  files_pid_file(virt_var_run_t)
>  
> @@ -480,6 +483,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
>  manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
>  files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
>  
> +manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
> +
>  # This needs a file context specification
>  manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
>  manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
> -- 
> 2.0.5
> 

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
