From 0bfe8f44523ccfa2e41dee7023ef4e9fb439725a Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Apr 20 2015 12:45:47 +0000
Subject: * Mon Apr 20 2015 Lukas Vrabec 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c20f6c9..61760b8 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -35422,7 +35422,7 @@ index 4e94884..7ab6191 100644
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..9d8e11d 100644
+index 59b04c1..aaf4124 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -35646,7 +35646,7 @@ index 59b04c1..9d8e11d 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,11 +412,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -35658,7 +35658,12 @@ index 59b04c1..9d8e11d 100644 # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -389,30 +434,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) ++# now is /dev/log lnk_file ++allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms; + files_pid_filetrans(syslogd_t, devlog_t, sock_file) + + # create/append log files. +@@ -389,30 +436,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -35709,7 +35714,7 @@ index 59b04c1..9d8e11d 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +486,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -35718,7 +35723,7 @@ index 59b04c1..9d8e11d 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +498,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -35746,7 +35751,7 @@ index 59b04c1..9d8e11d 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +531,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) 
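Review bot: `manage_lnk_file_perms` on devlog_t lets syslogd_t create, rename and unlink the /dev/log symlink, which is broader than a single denial usually needs; if the AVC behind BZ(1210968) showed only an unlink or a read of the link, `delete_lnk_file_perms` or `read_lnk_file_perms` would be the narrower fix. If syslogd is in fact expected to create the link itself, note that the only type transition in this block, `files_pid_filetrans(syslogd_t, devlog_t, sock_file)`, covers sock_file, so a symlink created by syslogd_t would not land in devlog_t without a matching lnk_file transition. The new comment would read more clearly as `# /dev/log may be a symlink (lnk_file) rather than a socket; let syslogd handle it as devlog_t`. The sge.te hunk near `@@ -93489` has the same shape: `manage_lnk_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)` is added while `files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })` still omits lnk_file, so links that sge_execd_t creates in /tmp (BZ 1211574) would not be labeled sge_tmp_t unless that transition gains lnk_file. The syslogd_t block continues outside this hunk.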
@@ -35764,7 +35769,7 @@ index 59b04c1..9d8e11d 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +551,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +553,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -35780,7 +35785,7 @@ index 59b04c1..9d8e11d 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +583,7 @@ optional_policy(` +@@ -497,6 +585,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -35788,7 +35793,7 @@ index 59b04c1..9d8e11d 100644 ') optional_policy(` -@@ -507,15 +594,40 @@ optional_policy(` +@@ -507,15 +596,40 @@ optional_policy(` ') optional_policy(` @@ -35829,7 +35834,7 @@ index 59b04c1..9d8e11d 100644 ') optional_policy(` -@@ -526,3 +638,26 @@ optional_policy(` +@@ -526,3 +640,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 6d743c7..55d5d91 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -7617,7 +7617,7 @@ index f3c0aba..f6e25ed 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..de60b99 100644 +index 080bc4d..12d701e 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) @@ -7655,7 +7655,7 @@ index 080bc4d..de60b99 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,26 +73,35 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,26 +73,36 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) 
@@ -7678,6 +7678,7 @@ index 080bc4d..de60b99 100644 -term_use_unallocated_ttys(apcupsd_t) +term_use_all_terms(apcupsd_t) ++term_use_usb_ttys(apcupsd_t) -logging_send_syslog_msg(apcupsd_t) +#apcupsd runs shutdown, probably need a shutdown domain @@ -7696,7 +7697,7 @@ index 080bc4d..de60b99 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +116,11 @@ optional_policy(` +@@ -101,6 +117,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7708,7 +7709,7 @@ index 080bc4d..de60b99 100644 ######################################## # # CGI local policy -@@ -108,20 +128,20 @@ optional_policy(` +@@ -108,20 +129,20 @@ optional_policy(` optional_policy(` apache_content_template(apcupsd_cgi) @@ -11578,7 +11579,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..7f683e5 100644 +index 550b287..fc5b086 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -11667,7 +11668,7 @@ index 550b287..7f683e5 100644 ') optional_policy(` -@@ -92,11 +109,56 @@ optional_policy(` +@@ -92,11 +109,57 @@ optional_policy(` ') optional_policy(` @@ -11680,6 +11681,7 @@ index 550b287..7f683e5 100644 + +optional_policy(` + ipa_manage_lib(certmonger_t) ++ ipa_manage_pid_files(certmonger_t) +') + +optional_policy(` @@ -13531,10 +13533,10 @@ index 0000000..a06f04b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..8c06c5d +index 0000000..ec3a39a --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,240 @@ +@@ -0,0 +1,244 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -13654,6 +13656,10 @@ index 0000000..8c06c5d +') + +optional_policy(` ++ rhsmcertd_dbus_chat(cloud_init_t) ++') ++ ++optional_policy(` + networkmanager_dbus_chat(cloud_init_t) +') + @@ -35693,16 +35699,17 @@ index 0000000..7fc3464 +') diff --git a/iotop.te b/iotop.te new file mode 100644 -index 0000000..51d7e34 +index 0000000..61f2003 
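Review bot: `term_use_usb_ttys(apcupsd_t)` is added directly below `term_use_all_terms(apcupsd_t)` with no comment, so a reader cannot tell whether the narrow interface complements the broad one or is meant to replace it; a line such as `# UPS attached over a USB serial cable appears as a USB tty (BZ 1210960)` would tie the rule to the changelog entry. Whether `term_use_all_terms` already covers usbtty_device_t depends on this tree's terminal.if, which is not visible here — if it does, one of the two calls is redundant and the broad one is the better candidate to drop. The apcupsd_t block continues outside the hunk.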
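Review bot: `ipa_manage_pid_files(certmonger_t)` grants create, write and unlink on every file and directory labeled ipa_var_run_t, while the changelog motivates it with a single lock file, renewal.lock (BZ 1213256). If certmonger only needs to take that lock, an interface built on `rw_files_pattern` (or at least one without `manage_dirs_pattern`) would keep certmonger_t from being able to remove or replace the runtime files that ipa-otpd keeps under /var/run/ipa, which this same commit labels ipa_var_run_t. Either way a comment beside the call, `# renewal.lock lives under /var/run/ipa (BZ 1213256)`, would record the reason. The optional_policy block is fully inside the hunk, but the certmonger_t policy continues outside it.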
--- /dev/null +++ b/iotop.te -@@ -0,0 +1,37 @@ +@@ -0,0 +1,39 @@ +policy_module(iotop, 1.0.0) + +######################################## +# +# Declarations +# ++ +attribute_role iotop_roles; +roleattribute system_r iotop_roles; + @@ -35719,6 +35726,7 @@ index 0000000..51d7e34 + +allow iotop_t self:capability net_admin; +allow iotop_t self:netlink_route_socket r_netlink_socket_perms; ++allow iotop_t self:netlink_socket create_socket_perms; + +kernel_read_system_state(iotop_t) + @@ -35736,22 +35744,24 @@ index 0000000..51d7e34 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..48d7322 +index 0000000..877a747 --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) + ++/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) ++ diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..123e906 +index 0000000..789b3e8 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,94 @@ +@@ -0,0 +1,112 @@ +## Policy for IPA services. + +######################################## @@ -35846,12 +35856,30 @@ index 0000000..123e906 + list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) +') + ++######################################## ++## ++## Allow domain to manage ipa run files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_manage_pid_files',` ++ gen_require(` ++ type ipa_var_run_t; ++ ') ++ manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t) ++ manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t) ++') ++ diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..b60bc5f +index 0000000..a7f09d25 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,50 @@ +policy_module(ipa, 1.0.0) + +######################################## 
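Review bot: `allow iotop_t self:netlink_socket create_socket_perms;` has no comment naming the netlink family it serves; the generic netlink_socket class is the catch-all for families without a class of their own, so a note such as `# presumably taskstats I/O accounting over NETLINK_GENERIC — confirm from the AVC` would help the next maintainer and also marks the rule for review once that family gets its own class (netlink_generic_socket) on newer kernels. The changelog lists this one change twice ("Add rules for netlink_socket in iotop." and "Allow iotop netlink socket."), so one of the two entries could go. The iotop_t block continues outside the hunk.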
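Review bot: The new `ipa_manage_pid_files` interface grants `manage_files_pattern` and `manage_dirs_pattern` on ipa_var_run_t but never calls `files_search_pids($1)`, so a caller that cannot already search /var/run would still be unable to reach the directory; the customary shape of a *_manage_pid_files interface adds that call right after the gen_require block. Suggested line: `files_search_pids($1)` inserted before the first pattern macro. The preceding `ipa_manage_lib` interface is cut by the hunk, so I cannot see whether it follows the same convention for /var/lib.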
@@ -35871,6 +35899,9 @@ index 0000000..b60bc5f +type ipa_var_lib_t; +files_type(ipa_var_lib_t) + ++type ipa_var_run_t; ++files_pid_file(ipa_var_run_t) ++ +######################################## +# +# ipa_otpd local policy @@ -35881,6 +35912,10 @@ index 0000000..b60bc5f +allow ipa_otpd_t self:fifo_file rw_fifo_file_perms; +allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms; + ++manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) ++manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) ++files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file) ++ +corenet_tcp_connect_radius_port(ipa_otpd_t) + +dev_read_urand(ipa_otpd_t) @@ -63782,7 +63817,7 @@ index bf59ef7..0e33327 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..231f2e2 100644 +index 08ec33b..56fba2e 100644 --- a/passenger.te +++ b/passenger.te @@ -14,6 +14,9 @@ role system_r types passenger_t; @@ -63809,7 +63844,7 @@ index 08ec33b..231f2e2 100644 +allow passenger_t self:process { setpgid setsched getsession signal_perms }; allow passenger_t self:fifo_file rw_fifo_file_perms; -allow passenger_t self:unix_stream_socket { accept connectto listen }; -+allow passenger_t self:tcp_socket listen; ++allow passenger_t self:tcp_socket { accept listen }; +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +can_exec(passenger_t, passenger_exec_t) @@ -80283,7 +80318,7 @@ index 16c8ecb..4e021ec 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd417..178198b 100644 +index 25cd417..e331b5d 100644 --- a/redis.te +++ b/redis.te @@ -21,6 +21,9 @@ files_type(redis_var_lib_t) 
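Review bot: `files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)` transitions only regular files, although the two lines above it grant `manage_dirs_pattern` on ipa_var_run_t; if ipa-otpd creates /var/run/ipa itself rather than relying on the `/var/run/ipa(/.*)?` file context or a tmpfiles entry, the directory would be created as var_run_t and the directory rules would not apply to it. In that case `files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, { file dir })` (optionally with the name "ipa" as a fourth argument) pins both classes. The ipa_otpd local policy block continues past the hunk.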
@@ -80296,7 +80331,15 @@ index 25cd417..178198b 100644 ######################################## # # Local policy -@@ -60,6 +63,4 @@ dev_read_urand(redis_t) +@@ -42,6 +45,7 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) + manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) + manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) + manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) + + kernel_read_system_state(redis_t) + +@@ -60,6 +64,4 @@ dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) @@ -81906,7 +81949,7 @@ index c8bdea2..bf60580 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..bfaf5c6 100644 +index 6cf79c4..a70327a 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -82270,7 +82313,7 @@ index 6cf79c4..bfaf5c6 100644 -allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; -+allow fenced_t self:capability { net_admin sys_rawio sys_resource }; ++allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin }; +allow fenced_t self:process { getsched setpgid signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; @@ -93053,7 +93096,7 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index ce67935..88fea69 100644 +index ce67935..130eca9 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1) 
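Review bot: `manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)` only helps if the socket redis creates actually ends up labeled redis_var_run_t, and that depends on the pid file transition for redis_t, which is outside this hunk; if that transition lists only `{ dir file }` and the socket is created directly under /var/run, it will be var_run_t and this rule never matches. Worth confirming that the transition includes sock_file or that the socket path is inside /var/run/redis/. The redis_t local policy block starts and ends outside the hunk.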
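Review bot: `sys_admin` joins the fenced_t capability set (`allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };`) without a changelog entry or an inline reason; it is the broadest capability in the list (mounts, hostname changes, a large family of privileged ioctls), so it needs a visible justification. Please add the AVC that motivated it as a comment, e.g. `# sys_admin: <operation from the denial, fill in>`, and if it is a single operation check whether a dontaudit or a narrower permission covers it. The fenced_t block in rhcs.te starts and ends outside this hunk.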
@@ -93086,8 +93129,9 @@ index ce67935..88fea69 100644 +# setroubleshootd local policy # - allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; +-allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; ++allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config }; +dontaudit setroubleshootd_t self:capability net_admin; + +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; @@ -93326,10 +93370,10 @@ index 0000000..c9d2d9c + diff --git a/sge.te b/sge.te new file mode 100644 -index 0000000..af30acf +index 0000000..b2096dd --- /dev/null +++ b/sge.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,196 @@ +policy_module(sge, 1.0.0) + +######################################## @@ -93489,6 +93533,7 @@ index 0000000..af30acf +manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t) + +manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t) ++manage_lnk_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t) +manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t) +files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir }) + @@ -99729,7 +99774,7 @@ index 42946bc..9f70e4c 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index 9afcbc9..b19622d 100644 +index 9afcbc9..7b8ddb4 100644 --- a/telepathy.te +++ b/telepathy.te @@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2) 
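Review bot: Dropping `dac_override` from setroubleshootd_t (`allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config };`) is a real reduction, but the only explanation lives in the spec changelog; a comment above the rule, `# daemon now runs as the setroubleshoot user, so dac_override is no longer needed`, keeps the rationale with the rule. `sys_ptrace` is the next capability worth a justification in the same place, since an unprivileged daemon presumably keeps it for reading other processes' /proc entries rather than for ptrace itself — confirm before touching it. The setroubleshootd local policy block continues beyond the hunk.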
@@ -99841,14 +99886,14 @@ index 9afcbc9..b19622d 100644 - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) corenet_tcp_connect_generic_port(telepathy_gabble_t) - corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_gabble_t) -- fs_manage_nfs_files(telepathy_gabble_t) + corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_gabble_t) +- fs_manage_nfs_files(telepathy_gabble_t) +-') +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) 
@@ -99961,11 +100006,11 @@ index 9afcbc9..b19622d 100644 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") +userdom_search_user_home_dirs(telepathy_mission_control_t) -+ -+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) ++manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++ +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") @@ -100008,7 +100053,7 @@ index 9afcbc9..b19622d 100644 optional_policy(` dbus_system_bus_client(telepathy_mission_control_t) -@@ -248,59 +225,47 @@ optional_policy(` +@@ -248,59 +225,48 @@ optional_policy(` devicekit_dbus_chat_power(telepathy_mission_control_t) ') optional_policy(` 
@@ -100046,8 +100091,8 @@ index 9afcbc9..b19622d 100644 files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) - userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -- +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) + can_exec(telepathy_msn_t, telepathy_msn_tmp_t) corenet_all_recvfrom_netlabel(telepathy_msn_t) @@ -100082,7 +100127,7 @@ index 9afcbc9..b19622d 100644 init_read_state(telepathy_msn_t) -@@ -310,18 +275,19 @@ logging_send_syslog_msg(telepathy_msn_t) +@@ -310,18 +276,19 @@ logging_send_syslog_msg(telepathy_msn_t) miscfiles_read_all_certs(telepathy_msn_t) @@ -100107,7 +100152,7 @@ index 9afcbc9..b19622d 100644 ') optional_policy(` -@@ -332,43 +298,33 @@ optional_policy(` +@@ -332,43 +299,33 @@ optional_policy(` ') ') @@ -100156,7 +100201,7 @@ index 9afcbc9..b19622d 100644 ') optional_policy(` -@@ -381,73 +337,51 @@ optional_policy(` +@@ -381,73 +338,51 @@ optional_policy(` ####################################### # @@ -100240,7 +100285,7 @@ index 9afcbc9..b19622d 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -455,31 +389,51 @@ optional_policy(` +@@ -455,31 +390,51 @@ optional_policy(` ####################################### # @@ -100275,6 +100320,7 @@ index 9afcbc9..b19622d 100644 -miscfiles_read_localization(telepathy_domain) +userdom_search_user_tmp_dirs(telepathy_domain) +userdom_search_user_home_dirs(telepathy_domain) ++userdom_use_inherited_user_ttys(telepathy_domain) optional_policy(` automount_dontaudit_getattr_tmp_dirs(telepathy_domain) @@ -100298,7 +100344,6 @@ index 9afcbc9..b19622d 100644 +optional_policy(` xserver_rw_xdm_pipes(telepathy_domain) ') -+ diff --git a/telnet.te b/telnet.te index d7c8633..a91c027 100644 --- a/telnet.te @@ -106115,7 +106160,7 @@ index facdee8..c930866 100644 + typeattribute $1 sandbox_caps_domain; ') 
diff --git a/virt.te b/virt.te -index f03dcf5..e8341d7 100644 +index f03dcf5..6fb7d3f 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -107205,7 +107250,7 @@ index f03dcf5..e8341d7 100644 -can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -107279,7 +107324,7 @@ index f03dcf5..e8341d7 100644 +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') - ++ +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) @@ -107615,7 +107660,7 @@ index f03dcf5..e8341d7 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1171,310 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1171,314 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -107631,21 +107676,21 @@ index f03dcf5..e8341d7 100644 +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) -+ + +-miscfiles_read_localization(virtd_lxc_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') --miscfiles_read_localization(virtd_lxc_t) -+optional_policy(` -+ gnome_read_generic_cache_files(virtd_lxc_t) -+') - -seutil_domtrans_setfiles(virtd_lxc_t) -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` ++ gnome_read_generic_cache_files(virtd_lxc_t) ++') ++ ++optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') 
@@ -107671,10 +107716,6 @@ index f03dcf5..e8341d7 100644 +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; -+ -+tunable_policy(`deny_ptrace',`',` -+ allow svirt_sandbox_domain self:process ptrace; -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -107758,6 +107799,14 @@ index f03dcf5..e8341d7 100644 -miscfiles_read_fonts(svirt_lxc_domain) - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) ++ ++fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) ++ ++tunable_policy(`deny_ptrace',`',` ++ allow svirt_sandbox_domain self:process ptrace; ++') ++ +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
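Review bot: The two new `dontaudit` calls for svirt_sandbox_domain, `dev_dontaudit_mounton_sysfs` and `fs_dontaudit_remount_tmpfs`, silence AVC records for mount-on-sysfs and tmpfs-remount attempts from sandboxed containers, and those denials are exactly the signal an operator might rely on to notice a container probing its confinement. Each should carry a comment naming the benign workload that produced the noise, e.g. `# <workload, fill in> remounts tmpfs at start-up; the denial is harmless`, so the suppression can be revisited later. The relocated deny_ptrace tunable block is moved, not changed. The svirt_sandbox_domain block starts and ends outside this hunk.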
@@ -107836,28 +107885,28 @@ index f03dcf5..e8341d7 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) -+ gear_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ gear_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` -+ ssh_use_ptys(svirt_sandbox_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) ++ ssh_use_ptys(svirt_sandbox_domain) + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + udev_read_pid_files(svirt_sandbox_domain) +') + @@ -108067,7 +108116,7 @@ index f03dcf5..e8341d7 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1487,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1491,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -108082,7 +108131,7 @@ index f03dcf5..e8341d7 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1505,8 @@ optional_policy(` +@@ -1192,9 +1509,8 @@ optional_policy(` ######################################## # 
@@ -108093,7 +108142,7 @@ index f03dcf5..e8341d7 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1519,238 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1523,240 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -108315,6 +108364,7 @@ index f03dcf5..e8341d7 100644 +allow sandbox_net_domain self:packet_socket create_socket_perms; +allow sandbox_net_domain self:socket create_socket_perms; +allow sandbox_net_domain self:rawip_socket create_socket_perms; ++allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms; + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) @@ -108334,6 +108384,7 @@ index f03dcf5..e8341d7 100644 +') + +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; ++ diff --git a/vlock.te b/vlock.te index 6b72968..de409cc 100644 --- a/vlock.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 261ecaa..75cdc34 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 124%{?dist} +Release: 125%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
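Review bot: `allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;` lets every networked sandbox open a uevent socket, through which the kernel's device add/remove notifications for the host can be received inside the container; the rule carries no comment and the changelog does not mention it. A line such as `# <service inside the sandbox, fill in> listens for uevents; host device events become visible to the sandbox` would record the trigger and the exposure being accepted. The sandbox_net_domain block starts and ends outside this hunk.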
@@ -602,6 +602,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Apr 20 2015 Lukas Vrabec 3.13.1-125
+- Define ipa_var_run_t type
+- Allow certmonger to manage renewal.lock. BZ(1213256)
+- Add ipa_manage_pid_files interface.
+- Add rules for netlink_socket in iotop.
+- Allow iotop netlink socket.
+- cloudinit and rhsmcertd need to communicate with dbus
+- Allow apcupsd to use USBttys. BZ(1210960)
+- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
+- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
+- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
+
* Wed Apr 15 2015 Lukas Vrabec 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.