From 0a2a4e0719b59cbcee6f595fdb72787b874fd1d9 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 07 2014 12:17:44 +0000 Subject: * Tue Oct 07 2014 Lukas Vrabec 3.12.1-189 - Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof. - Allow nova domains to getattr on all filesystems. - Allow swift to connect to all ephemeral ports by default. - Add support for /var/lib/graphite-web - Allow usbmuxd fsedit cap. BZ #(1149451) - Dontaudit aicuu to search home config dir. BZ (#1104076) - Allow iptables read fail2ban logs. BZ (1147709) --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 073f600..2716abe 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -32015,7 +32015,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..1c9fe59 100644 +index 5dfa44b..187eadd 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -32098,16 +32098,17 @@ index 5dfa44b..1c9fe59 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +105,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) ++ fail2ban_read_log(iptables_t) + fail2ban_dontaudit_leaks(iptables_t) + fail2ban_rw_inherited_tmp_files(iptables_t) ') optional_policy(` -@@ -110,6 +115,11 @@ optional_policy(` +@@ -110,6 +116,11 @@ optional_policy(` ') optional_policy(` @@ -32119,7 +32120,7 @@ index 5dfa44b..1c9fe59 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +134,12 @@ optional_policy(` +@@ -124,6 +135,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) 
@@ -32132,7 +32133,7 @@ index 5dfa44b..1c9fe59 100644 ') optional_policy(` -@@ -135,9 +151,9 @@ optional_policy(` +@@ -135,9 +152,9 @@ optional_policy(` ') optional_policy(` diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 0a36fae..62645bb 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -1608,7 +1608,7 @@ index 3b5dcb9..fbe187f 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 72c33c2..a9039ce 100644 +index 72c33c2..7564732 100644 --- a/aiccu.te +++ b/aiccu.te @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) @@ -1619,17 +1619,20 @@ index 72c33c2..a9039ce 100644 corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) corenet_tcp_connect_sixxsconfig_port(aiccu_t) corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) -@@ -60,17 +59,20 @@ domain_use_interactive_fds(aiccu_t) +@@ -60,17 +59,24 @@ domain_use_interactive_fds(aiccu_t) dev_read_rand(aiccu_t) dev_read_urand(aiccu_t) -files_read_etc_files(aiccu_t) - --logging_send_syslog_msg(aiccu_t) ++ +auth_read_passwd(aiccu_t) + logging_send_syslog_msg(aiccu_t) + -miscfiles_read_localization(aiccu_t) -+logging_send_syslog_msg(aiccu_t) ++optional_policy(` ++ gnome_dontaudit_search_config(aiccu_t) ++') optional_policy(` modutils_domtrans_insmod(aiccu_t) @@ -3248,10 +3251,10 @@ index 0000000..8cc6120 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..43bb1c9 100644 +index 550a69e..100d8aa 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,161 +1,212 @@ +@@ -1,161 +1,213 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3458,6 +3461,7 @@ index 550a69e..43bb1c9 100644 +/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -50631,7 +50635,7 @@ index 687af38..a77dc09 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..919fdc3 100644 +index 9f6179e..dfca76c 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -50721,7 +50725,7 @@ index 9f6179e..919fdc3 100644 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -93,50 +92,57 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -93,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -50768,11 +50772,14 @@ index 9f6179e..919fdc3 100644 fs_rw_hugetlbfs_files(mysqld_t) +domain_use_interactive_fds(mysqld_t) ++domain_read_all_domains_state(mysqld_t) + +files_getattr_var_lib_dirs(mysqld_t) files_read_etc_runtime_files(mysqld_t) -files_read_usr_files(mysqld_t) +files_search_var_lib(mysqld_t) ++files_search_pids(mysqld_t) ++files_getattr_all_sockets(mysqld_t) auth_use_nsswitch(mysqld_t) @@ -50796,7 +50803,7 @@ index 9f6179e..919fdc3 100644 ') optional_policy(` -@@ -144,6 +150,10 @@ optional_policy(` +@@ -144,6 +153,10 @@ optional_policy(` ') optional_policy(` 
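Review bot: The new `/var/lib/graphite-web(/.*)?` entry labels the whole tree `httpd_sys_rw_content_t`, so every file beneath it becomes writable by the httpd domains, not only the data graphite-web actually updates. If only a data subdirectory needs writes, a narrower pattern for that subdirectory, with the rest left as `httpd_sys_content_t` or as `httpd_var_lib_t` like the neighbouring `/var/lib/php` and `/var/lib/glpi` entries, would keep the tighter default; which paths graphite-web writes is not visible from the hunk, so this is a question for the bug report rather than a certain defect. A one-line comment above the entry naming what is written there (e.g. `# graphite-web keeps its sqlite database and search index here`, if that is the case) would make the choice of rw content reviewable later.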
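Review bot: `domain_read_all_domains_state(mysqld_t)` and `files_getattr_all_sockets(mysqld_t)` are added unconditionally, yet the changelog ties them to the cluster case where mysqld runs an lsof-style probe for listeners; a single-node mysqld gains read access to the process state of every domain on the host for a feature it never exercises. Gating the two rules in a `tunable_policy` block behind a boolean keeps the default policy as tight as it was while cluster installs turn the boolean on; `files_search_pids(mysqld_t)` is low-risk on its own and can stay unconditional. The boolean name below is constructed and not on the page, and its `gen_tunable` declaration belongs in the declarations section of mysql.te, outside this hunk.
```m4
## <desc>
## <p>
## Allow mysqld to read the process state of all domains and
## getattr all sockets (socket probing when run in a cluster).
## </p>
## </desc>
gen_tunable(mysql_cluster_probe, false)   # constructed boolean name, not on the page

# … unchanged: domain_use_interactive_fds / files_* rules …

tunable_policy(`mysql_cluster_probe',`
	domain_read_all_domains_state(mysqld_t)
	files_getattr_all_sockets(mysqld_t)
')
```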
@@ -50807,7 +50814,7 @@ index 9f6179e..919fdc3 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +163,25 @@ optional_policy(` +@@ -153,29 +166,25 @@ optional_policy(` ####################################### # @@ -50846,7 +50853,7 @@ index 9f6179e..919fdc3 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -183,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -183,21 +192,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -50882,7 +50889,7 @@ index 9f6179e..919fdc3 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +219,7 @@ optional_policy(` +@@ -205,7 +222,7 @@ optional_policy(` ######################################## # @@ -50891,7 +50898,7 @@ index 9f6179e..919fdc3 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +231,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -50909,7 +50916,7 @@ index 9f6179e..919fdc3 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +244,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -53864,7 +53871,7 @@ index 0000000..ce897e2 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..40ebbed +index 0000000..e583610 --- /dev/null +++ b/nova.te @@ -0,0 +1,338 @@ 
@@ -53945,7 +53952,7 @@ index 0000000..40ebbed +dev_read_sysfs(nova_domain) +dev_read_urand(nova_domain) + -+fs_getattr_xattr_fs(nova_domain) ++fs_getattr_all_fs(nova_domain) + +init_read_utmp(nova_domain) + @@ -96136,10 +96143,10 @@ index 0000000..6a1f575 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..43a0495 +index 0000000..c2f086f --- /dev/null +++ b/swift.te -@@ -0,0 +1,128 @@ +@@ -0,0 +1,129 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -96234,6 +96241,7 @@ index 0000000..43a0495 +corenet_tcp_connect_swift_port(swift_t) +corenet_tcp_connect_keystone_port(swift_t) +corenet_tcp_connect_memcache_port(swift_t) ++corenet_tcp_connect_all_ephemeral_ports(swift_t) + +corecmd_exec_shell(swift_t) +corecmd_exec_bin(swift_t) @@ -100212,7 +100220,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..604c840 100644 +index 8840be6..0d1be2a 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles; @@ -100238,7 +100246,7 @@ index 8840be6..604c840 100644 # -allow usbmuxd_t self:capability { kill setgid setuid }; -+allow usbmuxd_t self:capability { chown kill setgid setuid }; ++allow usbmuxd_t self:capability { fsetid chown kill setgid setuid }; +dontaudit usbmuxd_t self:capability sys_resource; allow usbmuxd_t self:process { signal signull }; allow usbmuxd_t self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 58e5b35..2fc86eb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 188%{?dist} +Release: 189%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
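Review bot: `corenet_tcp_connect_all_ephemeral_ports(swift_t)` is unconditional, so swift_t may now initiate TCP connections to the whole ephemeral range, and the swift, keystone and memcache port rules directly above it no longer bound where the domain connects. The changelog's "by default" suggests this was meant as a deployment choice; wrapping the single rule in a `tunable_policy` block keyed on a boolean (constructed name `swift_connect_all_ephemeral`, not on the page, declared with `gen_tunable` in the declarations section) would let deployments that only need the named ports keep the narrower rule. If a specific service in the ephemeral range is the real target, a named port interface for it would be tighter still; I cannot tell which from the hunk. The swift_t rules continue outside this hunk.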
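Review bot: `fsetid` joins usbmuxd_t's capability set next to the existing `chown`; the kernel checks CAP_FSETID when a chown or write would otherwise clear a file's set-id bits, and whether usbmuxd needs those bits preserved or merely triggers the check is not visible from the hunk. If the latter, `dontaudit usbmuxd_t self:capability fsetid;` beside the existing `dontaudit usbmuxd_t self:capability sys_resource;` silences the denial without granting the capability. The changelog entry for this change spells the capability "fsedit"; `fsetid` would let the entry be matched against the rule.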
@@ -582,6 +582,15 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Tue Oct 07 2014 Lukas Vrabec 3.12.1-189
+- Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof.
+- Allow nova domains to getattr on all filesystems.
+- Allow swift to connect to all ephemeral ports by default.
+- Add support for /var/lib/graphite-web
+- Allow usbmuxd fsedit cap. BZ #(1149451)
+- Dontaudit aicuu to search home config dir. BZ (#1104076)
+- Allow iptables read fail2ban logs. BZ (1147709)
+
 * Tue Sep 30 2014 Lukas Vrabec 3.12.1-188
 - Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes.
 - Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket.