From 1083f0ec2ca7f9907467ce389bcc433762b54425 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Feb 27 2017 09:54:27 +0000 Subject: * Mon Feb 27 2017 Lukas Vrabec - 3.13.1-225.11 - Add radius_use_jit boolean - Allow nfsd_t domain to create sysctls_rpc_t files - add the policy required for nextcloud - Allow can_load_kernmodule to load kernel modules. BZ(1426741) - Create kernel_create_rpc_sysctls() interface --- diff --git a/container-selinux.tgz b/container-selinux.tgz index b2f25d3..ebb3ecc 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index 5b5070b..cfee1da 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -11237,7 +11237,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..e06a46c 100644 +index f962f76..12c026e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13188,20 +13188,15 @@ index f962f76..e06a46c 100644 ') ######################################## -@@ -4012,6 +4908,12 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4908,7 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) + -+ # FIXME: -+ # needed for already labeled module deps by modules_dep_t -+ optional_policy(` -+ modutils_read_module_deps_files($1) -+ ') ') ######################################## -@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,174 +5114,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -13506,7 +13501,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',` +@@ -4392,53 +5333,56 @@ interface(`files_read_generic_tmp_files',` ## ## # @@ -13575,7 +13570,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',` +@@ -4446,35 +5390,37 @@ interface(`files_read_generic_tmp_symlinks',` ## ## # @@ -13621,7 +13616,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4482,59 +5428,55 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -13702,7 +13697,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4542,110 +5484,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -13841,7 +13836,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',` +@@ -4653,22 +5583,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -13868,7 +13863,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',` +@@ -4676,17 +5601,17 @@ interface(`files_purge_tmp',` ## ## # @@ -13890,7 +13885,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4694,18 +5619,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -13913,7 +13908,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4713,35 +5642,35 @@ interface(`files_search_usr',` +@@ -4713,35 +5637,35 @@ interface(`files_search_usr',` ## ## # @@ -13958,7 +13953,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4749,36 +5673,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # 
@@ -14004,7 +13999,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4786,17 +5709,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -14026,7 +14021,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',` +@@ -4804,73 +5727,59 @@ interface(`files_delete_usr_dirs',` ## ## # @@ -14119,7 +14114,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',` +@@ -4878,55 +5787,58 @@ interface(`files_read_usr_files',` ## ## # @@ -14194,7 +14189,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',` +@@ -4934,67 +5846,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -14283,7 +14278,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',` +@@ -5003,35 +5918,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -14343,7 +14338,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',` +@@ -5039,20 +5969,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -14368,7 +14363,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5060,20 +5987,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -14393,7 +14388,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',` +@@ -5081,38 +6006,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -14441,7 +14436,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5120,37 +6042,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # 
@@ -14489,7 +14484,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5158,35 +6079,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -14534,7 +14529,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5194,36 +6115,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # @@ -14600,7 +14595,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',` +@@ -5231,36 +6171,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -14648,7 +14643,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',` +@@ -5268,17 +6209,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -14670,7 +14665,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',` +@@ -5286,17 +6227,17 @@ interface(`files_read_var_files',` ## ## # @@ -14692,7 +14687,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',` +@@ -5304,73 +6245,86 @@ interface(`files_append_var_files',` ## ## # @@ -14799,7 +14794,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',` +@@ -5378,50 +6332,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -14864,7 +14859,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',` +@@ -5429,69 +6374,56 @@ interface(`files_var_filetrans',` ## ## # @@ -14949,7 +14944,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,17 +6431,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -14973,7 +14968,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',` +@@ -5517,70 +6450,54 @@ interface(`files_list_var_lib',` ## ## # 
@@ -15057,7 +15052,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6505,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -15109,7 +15104,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,36 +6542,36 @@ interface(`files_manage_urandom_seed',` ## ## # @@ -15156,7 +15151,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,38 +6579,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -15204,7 +15199,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,19 +6615,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -15228,7 +15223,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5726,60 +6638,54 @@ interface(`files_list_locks',` +@@ -5726,60 +6633,54 @@ interface(`files_list_locks',` ## ## # @@ -15304,7 +15299,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,20 +6688,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -15330,7 +15325,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',` +@@ -5808,63 +6707,68 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -15422,7 +15417,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',` +@@ -5872,101 +6776,87 @@ interface(`files_delete_all_locks',` ## ## # @@ -15559,7 +15554,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,19 +6864,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # 
@@ -15583,7 +15578,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',` +@@ -5994,39 +6882,52 @@ interface(`files_setattr_pid_dirs',` ## ## # @@ -15649,7 +15644,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6935,1302 @@ interface(`files_dontaudit_search_pids',` ## ## # @@ -16956,7 +16951,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6053,19 +8243,18 @@ interface(`files_list_pids',` +@@ -6053,19 +8238,18 @@ interface(`files_list_pids',` ## ## # @@ -16981,7 +16976,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',` +@@ -6073,43 +8257,151 @@ interface(`files_read_generic_pids',` ## ## # @@ -17160,7 +17155,7 @@ index f962f76..e06a46c 100644 ##

## ## -@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8409,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ## ## @@ -17347,7 +17342,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8567,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17371,7 +17366,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8585,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17394,7 +17389,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8603,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17564,7 +17559,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8723,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17589,7 +17584,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6386,132 +8748,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8743,227 @@ interface(`files_search_spool',` ## ## # @@ -17863,7 +17858,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8971,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17921,7 +17916,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8989,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -21724,7 +21719,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..9ccf724 100644 +index e100d88..7a08793 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
@@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -22147,7 +22142,34 @@ index e100d88..9ccf724 100644 ######################################## ## ## Read and write RPC sysctls. -@@ -2085,9 +2261,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2071,6 +2247,26 @@ interface(`kernel_rw_rpc_sysctls',` + + ######################################## + ## ++## Read and write RPC sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_create_rpc_sysctls',` ++ gen_require(` ++ type proc_t, proc_net_t, sysctl_rpc_t; ++ ') ++ ++ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) ++ ++') ++ ++######################################## ++## + ## Do not audit attempts to list all sysctl directories. + ## + ## +@@ -2085,9 +2281,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -22177,7 +22199,7 @@ index e100d88..9ccf724 100644 ######################################## ## ## Allow caller to read all sysctls. -@@ -2282,6 +2477,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2497,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -22203,7 +22225,7 @@ index e100d88..9ccf724 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2520,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2540,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -22212,14 +22234,17 @@ index e100d88..9ccf724 100644 ## ## # -@@ -2488,6 +2702,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,12 +2722,30 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## +-## Do not audit attempts by caller to get attributes for +-## unlabeled character devices. +## Read and write unlabeled sockets. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. +## +## 
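Review bot: The summary line of the new `kernel_create_rpc_sysctls` interface still reads `## Read and write RPC sysctls.`, copied from the neighbouring `kernel_rw_rpc_sysctls`, so the generated interface documentation describes the wrong permission; it should read `## Create RPC sysctl files.` or similar. Note also that `create_files_pattern`, as defined in refpolicy, grants `add_entry_dir_perms` on every directory type in its second argument, so a caller such as the `kernel_create_rpc_sysctls(nfsd_t)` line added in the rpc.te hunk further down obtains write access to `proc_t` and `proc_net_t` directories in addition to creating `sysctl_rpc_t` files; stating that in the description keeps policy reviewers from reading it as file creation only. The blank line before the closing `')` is a style nit relative to the surrounding interfaces.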
@@ -22234,37 +22259,20 @@ index e100d88..9ccf724 100644 + +######################################## +## - ## Do not audit attempts by caller to get attributes for - ## unlabeled character devices. - ## -@@ -2525,7 +2757,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` - - ######################################## - ## --## Allow caller to relabel unlabeled files. -+## Allow caller to relabel unlabeled filesystems. - ## - ## - ## -@@ -2533,18 +2765,36 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ++## Do not audit attempts by caller to get attributes for ++## unlabeled character devices. ++## ++## ++## ++## Domain to not audit. ## ## # --interface(`kernel_relabelfrom_unlabeled_files',` -+interface(`kernel_relabelfrom_unlabeled_fs',` - gen_require(` - type unlabeled_t; - ') - -- kernel_list_unlabeled($1) -- allow $1 unlabeled_t:file { getattr relabelfrom }; -+ allow $1 unlabeled_t:filesystem relabelfrom; - ') +@@ -2525,6 +2777,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## --## Allow caller to relabel unlabeled symbolic links. -+## Allow caller to relabel unlabeled files. ++## Allow caller to relabel unlabeled filesystems. +## +## +## @@ -22272,22 +22280,20 @@ index e100d88..9ccf724 100644 +## +## +# -+interface(`kernel_relabelfrom_unlabeled_files',` ++interface(`kernel_relabelfrom_unlabeled_fs',` + gen_require(` + type unlabeled_t; + ') + -+ kernel_list_unlabeled($1) -+ allow $1 unlabeled_t:file { getattr relabelfrom }; ++ allow $1 unlabeled_t:filesystem relabelfrom; +') + +######################################## +## -+## Allow caller to relabel unlabeled symbolic links. + ## Allow caller to relabel unlabeled files. ## ## - ## -@@ -2667,6 +2917,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2937,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## 
@@ -22312,7 +22318,7 @@ index e100d88..9ccf724 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2962,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2982,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -22338,7 +22344,7 @@ index e100d88..9ccf724 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3090,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3110,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -22372,7 +22378,7 @@ index e100d88..9ccf724 100644 ######################################## ## -@@ -2958,6 +3272,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3292,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -22397,7 +22403,7 @@ index e100d88..9ccf724 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3304,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3324,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -22537,7 +22543,7 @@ index e100d88..9ccf724 100644 + dontaudit $1 kernel_t:dir search_dir_perms; + dontaudit $1 kernel_t:file read_file_perms; + dontaudit $1 kernel_t:lnk_file read_lnk_file_perms; -+') + ') + +######################################## +## @@ -22638,7 +22644,7 @@ index e100d88..9ccf724 100644 + ') + + write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) - ') ++') + +######################################## +## @@ -23049,7 +23055,7 @@ index e100d88..9ccf724 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..5deb336 100644 +index 8dbab4c..88c7112 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -23344,7 +23350,16 @@ index 8dbab4c..5deb336 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) { +@@ -388,6 +480,8 @@ optional_policy(` + if( ! secure_mode_insmod ) { + allow can_load_kernmodule self:capability sys_module; + ++ files_load_kernel_modules(can_load_kernmodule) ++ + # load_module() calls stop_machine() which + # calls sched_setscheduler() + allow can_load_kernmodule self:capability sys_nice; +@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 94c1d52..f484928 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -3503,10 +3503,10 @@ index 0000000..c679dd3 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..2029082 100644 +index 7caefc3..dac9ad5 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,215 @@ +@@ -1,162 +1,217 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3535,6 +3535,7 @@ index 7caefc3..2029082 100644 +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/rt(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
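Review bot: The new `files_load_kernel_modules(can_load_kernmodule)` line carries no comment, while the adjacent `sys_nice` rule explains its reason and the commit message ties this change to BZ(1426741); a one-line `# module_load on module files, BZ(1426741)` above it would keep that rationale in the policy itself. Placing it inside the `if( ! secure_mode_insmod )` block is the right choice, since it is the same guard that grants `sys_module`; the interface body is not in this diff, so whether it grants more than `system:module_load` on `modules_object_t` cannot be confirmed here. The enclosing conditional block continues past the hunk.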
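Review bot: `/etc/nextcloud(/.*)?` is labelled `httpd_sys_rw_content_t`, so httpd_t may rewrite the whole application configuration tree rather than only the parts its installer writes; this mirrors the `/etc/owncloud` line directly above it, and the same label is used for `/var/lib/nextcloud` in the later apache.fc hunk and the `files_etc_filetrans(..., "nextcloud")` addition in apache.if, so the three changes are at least consistent with each other. If only a subdirectory needs write access, labelling the rest `httpd_sys_content_t` would narrow what a compromised httpd_t can alter; whether Nextcloud needs the wider label cannot be determined from the diff. A short comment on the fc line, e.g. `# rw: web installer rewrites its own config`, would record the intent.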
@@ -3751,6 +3752,7 @@ index 7caefc3..2029082 100644 +/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -3862,7 +3864,7 @@ index 7caefc3..2029082 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..757b864 100644 +index f6eb485..fe461a3 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -5327,7 +5329,7 @@ index f6eb485..757b864 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1625,182 @@ interface(`apache_admin',` +@@ -1224,9 +1625,183 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -5399,6 +5401,7 @@ index f6eb485..757b864 100644 + files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig") + files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde") + files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads") @@ -83981,10 +83984,24 @@ index 4460582..4c66c25 100644 + ') 
diff --git a/radius.te b/radius.te -index 403a4fe..0ff0178 100644 +index 403a4fe..159f21e 100644 --- a/radius.te +++ b/radius.te -@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) +@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) + # Declarations + # + ++## ++##

++## Determine whether radius can use JIT compiler. ++##

++##
++gen_tunable(radius_use_jit, false) ++ + type radiusd_t; + type radiusd_exec_t; + init_daemon_domain(radiusd_t, radiusd_exec_t) +@@ -27,6 +34,9 @@ files_type(radiusd_var_lib_t) type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -83994,7 +84011,7 @@ index 403a4fe..0ff0178 100644 ######################################## # # Local policy -@@ -49,9 +52,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) +@@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) @@ -84005,7 +84022,7 @@ index 403a4fe..0ff0178 100644 logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) -@@ -60,11 +61,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +@@ -60,11 +68,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) @@ -84018,7 +84035,7 @@ index 403a4fe..0ff0178 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,12 +75,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) +@@ -74,12 +82,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) @@ -84041,7 +84058,7 @@ index 403a4fe..0ff0178 100644 corenet_sendrecv_snmp_client_packets(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) -@@ -97,7 +108,6 @@ domain_use_interactive_fds(radiusd_t) +@@ -97,7 +115,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) 
@@ -84049,7 +84066,7 @@ index 403a4fe..0ff0178 100644 files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) -@@ -109,7 +119,6 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +126,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -84057,7 +84074,18 @@ index 403a4fe..0ff0178 100644 miscfiles_read_generic_certs(radiusd_t) sysnet_use_ldap(radiusd_t) -@@ -122,6 +131,11 @@ optional_policy(` +@@ -117,11 +133,22 @@ sysnet_use_ldap(radiusd_t) + userdom_dontaudit_use_unpriv_user_fds(radiusd_t) + userdom_dontaudit_search_user_home_dirs(radiusd_t) + ++tunable_policy(`radius_use_jit',` ++ allow radiusd_t self:process execmem; ++',` ++ dontaudit radiusd_t self:process execmem; ++') ++ + optional_policy(` + cron_system_entry(radiusd_t, radiusd_exec_t) ') optional_policy(` @@ -84069,7 +84097,7 @@ index 403a4fe..0ff0178 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +154,10 @@ optional_policy(` +@@ -140,5 +167,10 @@ optional_policy(` ') optional_policy(` @@ -91118,7 +91146,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..be1fab2 100644 +index 2da9fca..f97a61a 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91322,7 +91350,7 @@ index 2da9fca..be1fab2 100644 ') ######################################## -@@ -202,41 +232,62 @@ optional_policy(` +@@ -202,41 +232,63 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91341,6 +91369,7 @@ index 2da9fca..be1fab2 100644 -# kernel_mounton_proc(nfsd_t) +kernel_mounton_proc(nfsd_t) +kernel_rw_rpc_sysctls_dirs(nfsd_t) ++kernel_create_rpc_sysctls(nfsd_t) -corenet_sendrecv_nfs_server_packets(nfsd_t) +corecmd_exec_shell(nfsd_t) 
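Review bot: The tunable branch grants `allow radiusd_t self:process execmem;` only when `radius_use_jit` is enabled and falls back to a `dontaudit` otherwise, which is the right shape, but the boolean's description in the earlier radius.te hunk (`Determine whether radius can use JIT compiler.`) does not tell an administrator what enabling it costs. Suggest extending it to `Determine whether radius can use a JIT compiler (grants execmem: writable and executable anonymous memory).` so the trade-off is visible in `semanage boolean -l` output. The default of `false` is appropriate for that reason.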
@@ -91395,7 +91424,7 @@ index 2da9fca..be1fab2 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91403,7 +91432,7 @@ index 2da9fca..be1fab2 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -91418,7 +91447,7 @@ index 2da9fca..be1fab2 100644 ') ######################################## -@@ -270,7 +320,7 @@ optional_policy(` +@@ -270,7 +321,7 @@ optional_policy(` # GSSD local policy # @@ -91427,7 +91456,7 @@ index 2da9fca..be1fab2 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91435,7 +91464,7 @@ index 2da9fca..be1fab2 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +339,31 @@ kernel_signal(gssd_t) +@@ -288,25 +340,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91470,7 +91499,7 @@ index 2da9fca..be1fab2 100644 ') optional_policy(` -@@ -314,9 +371,12 @@ optional_policy(` +@@ -314,9 +372,12 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 2a503dc..8b2f2ae 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.10%{?dist} +Release: 225.11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,13 @@ exit 0 %endif %changelog +* Mon Feb 27 2017 Lukas Vrabec - 3.13.1-225.11 +- Add radius_use_jit boolean +- Allow nfsd_t domain to create sysctls_rpc_t files +- add the policy required for nextcloud +- Allow can_load_kernmodule to load kernel modules. BZ(1426741) +- Create kernel_create_rpc_sysctls() interface + * Tue Feb 21 2017 Lukas Vrabec - 3.13.1-225.10 - FIx label for /usr/lib/libGLdispatch.so.0.0.0