From 10a06a2f35e1689df77f89a2db400cfb82c5dd25 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 26 2016 15:15:26 +0000 Subject: * Tue Jul 26 2016 Lukas Vrabec 3.13.1-191.7 - Allow lsmd_plugin_t to exec ldconfig. - Allow vnstatd domain to read /sys/class/net/ files - Remove duplicate allow rules in spamassassin SELinux module - Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs - Allow ipa_dnskey domain to search cache dirs - Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file - Allow ipa-dnskey read system state. - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245 - Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721) - Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf - sysadmin should be allowed to use docker. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index ca76565..16f1156 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 4a0ca04..f1ad4e1 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -25237,10 +25237,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..a23a472 100644 +index 2522ca6..d389826 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1) # Declarations # 
@@ -25333,13 +25333,17 @@ index 2522ca6..a23a472 100644 +') + +optional_policy(` ++ docker_stream_connect(sysadm_t) ++') ++ ++optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) + ssh_filetrans_keys(sysadm_t) +') ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +104,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +108,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -25354,7 +25358,7 @@ index 2522ca6..a23a472 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +114,9 @@ optional_policy(` +@@ -71,9 +118,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -25365,7 +25369,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -87,6 +130,7 @@ optional_policy(` +@@ -87,6 +134,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -25373,7 +25377,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -110,11 +154,17 @@ optional_policy(` +@@ -110,11 +158,17 @@ optional_policy(` ') optional_policy(` @@ -25391,20 +25395,20 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -122,11 +172,27 @@ optional_policy(` +@@ -122,11 +176,27 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) ++') ++ ++optional_policy(` ++ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) -+ consoletype_exec(sysadm_t) -+') -+ -+optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -25421,7 +25425,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -140,6 +206,10 @@ optional_policy(` +@@ -140,6 +210,10 @@ optional_policy(` ') optional_policy(` @@ -25432,7 +25436,7 @@ index 2522ca6..a23a472 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +226,10 @@ optional_policy(` +@@ -156,6 +230,10 @@ optional_policy(` ') optional_policy(` 
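Review bot: `docker_stream_connect(sysadm_t)` in the new optional_policy block gives the sysadm role write access to the docker control socket, which the docker daemon treats as equivalent to root on the host, and the hunk records nothing about that. Since sysadm_t is already the full administrator role the grant is consistent with what it can do anyway, but a one-line comment above the call, `# docker socket access is equivalent to host root; acceptable only for the full-admin role`, would stop a later reader from copying the rule into a lesser role by mistake. The changelog line "sysadmin should be allowed to use docker" could also name the interface so the privilege stays searchable.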
@@ -25443,7 +25447,7 @@ index 2522ca6..a23a472 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -164,6 +238,11 @@ optional_policy(` +@@ -164,6 +242,11 @@ optional_policy(` ') optional_policy(` @@ -25455,7 +25459,7 @@ index 2522ca6..a23a472 100644 hadoop_role(sysadm_r, sysadm_t) ') -@@ -172,13 +251,31 @@ optional_policy(` +@@ -172,13 +255,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -25487,7 +25491,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -190,11 +287,12 @@ optional_policy(` +@@ -190,11 +291,12 @@ optional_policy(` ') optional_policy(` @@ -25502,7 +25506,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -210,22 +308,21 @@ optional_policy(` +@@ -210,22 +312,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -25532,7 +25536,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -237,14 +334,32 @@ optional_policy(` +@@ -237,14 +338,32 @@ optional_policy(` ') optional_policy(` @@ -25565,7 +25569,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -252,10 +367,20 @@ optional_policy(` +@@ -252,10 +371,20 @@ optional_policy(` ') optional_policy(` @@ -25586,7 +25590,7 @@ index 2522ca6..a23a472 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +391,46 @@ optional_policy(` +@@ -266,35 +395,46 @@ optional_policy(` ') optional_policy(` 
@@ -25618,18 +25622,18 @@ index 2522ca6..a23a472 100644 optional_policy(` - rpm_run(sysadm_t, sysadm_r) + quota_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -- rssh_role(sysadm_r, sysadm_t) -+ raid_domtrans_mdadm(sysadm_t) +') + +optional_policy(` -+ rpc_domtrans_nfsd(sysadm_t) ++ raid_domtrans_mdadm(sysadm_t) +') + +optional_policy(` ++ rpc_domtrans_nfsd(sysadm_t) + ') + + optional_policy(` +- rssh_role(sysadm_r, sysadm_t) + rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') @@ -25640,7 +25644,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -308,6 +444,7 @@ optional_policy(` +@@ -308,6 +448,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25648,7 +25652,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -315,12 +452,20 @@ optional_policy(` +@@ -315,12 +456,20 @@ optional_policy(` ') optional_policy(` @@ -25670,7 +25674,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -345,30 +490,38 @@ optional_policy(` +@@ -345,30 +494,38 @@ optional_policy(` ') optional_policy(` @@ -25718,7 +25722,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -380,10 +533,6 @@ optional_policy(` +@@ -380,10 +537,6 @@ optional_policy(` ') optional_policy(` @@ -25729,7 +25733,7 @@ index 2522ca6..a23a472 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +540,9 @@ optional_policy(` +@@ -391,6 +544,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25739,7 +25743,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -398,31 +550,34 @@ optional_policy(` +@@ -398,31 +554,34 @@ optional_policy(` ') optional_policy(` @@ -25780,7 +25784,7 @@ index 2522ca6..a23a472 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +590,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +594,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -25791,7 +25795,7 @@ index 2522ca6..a23a472 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +610,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +614,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -28591,7 +28595,7 @@ index fe0c682..60003bc 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..b8e6e98 100644 +index cc877c7..80996f3 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -28678,7 +28682,7 @@ index cc877c7..b8e6e98 100644 type ssh_t; type ssh_exec_t; -@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) +@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; @@ -28699,7 +28703,11 @@ index cc877c7..b8e6e98 100644 ############################## # -@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; + # SSH client local policy + # + +-allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; ++allow ssh_t self:capability { setcap setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -36740,7 +36748,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..f8e16bb 100644 +index 17eda24..ca7fe18 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
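Review bot: The new capability rule is on `ssh_t`, under the `# SSH client local policy` heading, while the commit message and the spec changelog say "Allow sshd setcap capability"; one of the two is wrong. If the client really needs CAP_SETPCAP (the denial in rhbz#1356245 would show the source context), the changelog entry should say ssh_t; otherwise the rule belongs on the sshd domain and this hunk grants it to a domain that runs as an ordinary user. Either way a comment such as `# setcap: ssh client drops its own capabilities at startup -- rhbz#1356245 (confirm)` next to the allow line would tie the permission to its reason, since setcap on a user-facing domain is otherwise surprising.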
@@ -37035,7 +37043,7 @@ index 17eda24..f8e16bb 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,259 @@ ifdef(`distro_gentoo',` +@@ -186,29 +323,263 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37071,14 +37079,15 @@ index 17eda24..f8e16bb 100644 + +optional_policy(` + journalctl_exec(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + kdump_read_crash(init_t) + kdump_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) + gnome_manage_config(init_t) @@ -37093,6 +37102,10 @@ index 17eda24..f8e16bb 100644 +') + +optional_policy(` ++ rpm_read_db(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) +') @@ -37262,14 +37275,13 @@ index 17eda24..f8e16bb 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -37277,10 +37289,9 @@ index 17eda24..f8e16bb 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. 
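Review bot: `rpm_read_db(init_t)` is granted to the systemd domain itself rather than to whatever the upgrade service runs, and the hunk does not say which process produced the denial; BZ(1349721) is cited only in the changelog. If the reader is a helper that systemd spawns without a domain transition, a transition for that helper would keep init_t narrower than giving it read access to the rpm database files; if systemd itself opens the database, a comment above the call, `# dnf system-upgrade: systemd reads the rpm db during the offline upgrade, BZ(1349721)`, would record that. Reading the database is not a write path, so the exposure is bounded either way.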
@@ -37297,14 +37308,15 @@ index 17eda24..f8e16bb 100644 + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +583,30 @@ optional_policy(` +@@ -216,7 +587,30 @@ optional_policy(` ') optional_policy(` @@ -37336,7 +37348,7 @@ index 17eda24..f8e16bb 100644 ') ######################################## -@@ -225,9 +615,9 @@ optional_policy(` +@@ -225,9 +619,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37348,7 +37360,7 @@ index 17eda24..f8e16bb 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +648,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +652,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37365,7 +37377,7 @@ index 17eda24..f8e16bb 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +673,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +677,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37408,7 +37420,7 @@ index 17eda24..f8e16bb 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +710,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +714,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -37420,7 +37432,7 @@ index 17eda24..f8e16bb 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +722,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +726,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37431,7 +37443,7 @@ index 17eda24..f8e16bb 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +733,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +737,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37441,7 +37453,7 @@ index 17eda24..f8e16bb 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +742,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +746,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37449,7 +37461,7 @@ index 17eda24..f8e16bb 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +749,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +753,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37457,7 +37469,7 @@ index 17eda24..f8e16bb 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +757,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +761,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -37475,7 +37487,7 @@ index 17eda24..f8e16bb 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +775,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +779,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37489,7 +37501,7 @@ index 17eda24..f8e16bb 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +790,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +794,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37503,7 +37515,7 @@ index 17eda24..f8e16bb 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +803,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +807,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37514,7 +37526,7 @@ index 17eda24..f8e16bb 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +816,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +820,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37522,7 +37534,7 @@ index 17eda24..f8e16bb 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +835,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +839,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37546,7 +37558,7 @@ index 17eda24..f8e16bb 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +868,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +872,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -37554,7 +37566,7 @@ index 17eda24..f8e16bb 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +902,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +906,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37565,7 +37577,7 @@ index 17eda24..f8e16bb 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +926,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +930,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37574,7 +37586,7 @@ index 17eda24..f8e16bb 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +941,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +945,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37582,7 +37594,7 @@ index 17eda24..f8e16bb 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +962,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +966,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37590,7 +37602,7 @@ index 17eda24..f8e16bb 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +972,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +976,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37635,7 +37647,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -559,14 +1017,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1021,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37667,7 +37679,7 @@ index 17eda24..f8e16bb 100644 ') ') -@@ -577,6 +1052,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1056,39 @@ ifdef(`distro_suse',` ') ') 
@@ -37707,7 +37719,7 @@ index 17eda24..f8e16bb 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1097,8 @@ optional_policy(` +@@ -589,6 +1101,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37716,7 +37728,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -610,6 +1120,7 @@ optional_policy(` +@@ -610,6 +1124,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37724,7 +37736,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -626,6 +1137,17 @@ optional_policy(` +@@ -626,6 +1141,17 @@ optional_policy(` ') optional_policy(` @@ -37742,7 +37754,7 @@ index 17eda24..f8e16bb 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1164,13 @@ optional_policy(` +@@ -642,9 +1168,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37756,7 +37768,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -657,15 +1183,11 @@ optional_policy(` +@@ -657,15 +1187,11 @@ optional_policy(` ') optional_policy(` @@ -37774,7 +37786,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -686,6 +1208,15 @@ optional_policy(` +@@ -686,6 +1212,15 @@ optional_policy(` ') optional_policy(` @@ -37790,7 +37802,7 @@ index 17eda24..f8e16bb 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1257,7 @@ optional_policy(` +@@ -726,6 +1261,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37798,7 +37810,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -743,7 +1275,13 @@ optional_policy(` +@@ -743,7 +1279,13 @@ optional_policy(` ') optional_policy(` @@ -37813,7 +37825,7 @@ index 17eda24..f8e16bb 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1304,10 @@ optional_policy(` +@@ -766,6 +1308,10 @@ optional_policy(` ') optional_policy(` 
@@ -37824,7 +37836,7 @@ index 17eda24..f8e16bb 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1317,20 @@ optional_policy(` +@@ -775,10 +1321,20 @@ optional_policy(` ') optional_policy(` @@ -37845,7 +37857,7 @@ index 17eda24..f8e16bb 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1339,10 @@ optional_policy(` +@@ -787,6 +1343,10 @@ optional_policy(` ') optional_policy(` @@ -37856,7 +37868,7 @@ index 17eda24..f8e16bb 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1364,6 @@ optional_policy(` +@@ -808,8 +1368,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37865,7 +37877,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -818,6 +1372,10 @@ optional_policy(` +@@ -818,6 +1376,10 @@ optional_policy(` ') optional_policy(` @@ -37876,7 +37888,7 @@ index 17eda24..f8e16bb 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1385,12 @@ optional_policy(` +@@ -827,10 +1389,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37889,7 +37901,7 @@ index 17eda24..f8e16bb 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1417,60 @@ optional_policy(` +@@ -857,21 +1421,60 @@ optional_policy(` ') optional_policy(` @@ -37951,7 +37963,7 @@ index 17eda24..f8e16bb 100644 ') optional_policy(` -@@ -887,6 +1486,10 @@ optional_policy(` +@@ -887,6 +1490,10 @@ optional_policy(` ') optional_policy(` @@ -37962,7 +37974,7 @@ index 17eda24..f8e16bb 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1500,218 @@ optional_policy(` +@@ -897,3 +1504,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48282,7 +48294,7 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0800a00 +index 0000000..1d1f80b --- /dev/null 
+++ b/policy/modules/system/systemd.te @@ -0,0 +1,950 @@ @@ -49234,7 +49246,7 @@ index 0000000..0800a00 +dev_read_sysfs(systemd_modules_load_t) + +files_read_kernel_modules(systemd_modules_load_t) -+modutils_list_module_config(systemd_modules_load_t) ++modutils_read_module_config(systemd_modules_load_t) + diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index f41857e..49fd32e 100644 @@ -50650,7 +50662,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..595ad40 100644 +index 9dc60c6..236692c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -51666,7 +51678,7 @@ index 9dc60c6..595ad40 100644 + allow $1_t self:process ~{ ptrace execmem execstack execheap }; + + tunable_policy(`selinuxuser_use_ssh_chroot',` -+ allow $1_t self:capability { setuid setgid sys_chroot }; ++ allow $1_t self:capability { sys_chroot }; + ') - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 937e5ee..e4152ae 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -12256,7 +12256,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..ea704c2 100644 +index 550b287..f37b9b0 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -12346,7 +12346,7 @@ index 550b287..ea704c2 100644 ') optional_policy(` -@@ -92,11 +110,58 @@ optional_policy(` +@@ -92,11 +110,60 @@ optional_policy(` ') optional_policy(` 
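Review bot: Narrowing the `selinuxuser_use_ssh_chroot` tunable from `{ setuid setgid sys_chroot }` to `{ sys_chroot }` in the userdomain.if hunk is a behaviour change for confined users who have that boolean enabled, and neither the commit message nor the spec changelog mentions it. It is the right direction for least privilege (the boolean is about chroot, and setuid/setgid in a user domain let a process change identity), but it can regress chroot setups that silently relied on the old set, so it deserves its own changelog entry and a comment on the tunable such as `# only chroot(2) is needed here; identity changes stay denied`. The enclosing template starts outside the hunk.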
@@ -12359,8 +12359,10 @@ index 550b287..ea704c2 100644 + +optional_policy(` + ipa_manage_lib(certmonger_t) ++ ipa_manage_log(certmonger_t) + ipa_manage_pid_files(certmonger_t) + ipa_filetrans_pid(certmonger_t,"renewal.lock") ++ ipa_named_filetrans_log_dir(certmonger_t) +') + +optional_policy(` @@ -38269,10 +38271,10 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..e1ddda0 +index 0000000..1131ca0 --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,19 @@ +@@ -0,0 +1,21 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) @@ -38288,16 +38290,18 @@ index 0000000..e1ddda0 + +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) + ++/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0) ++ +/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) + +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..ee3a606 +index 0000000..1a30961 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,197 @@ +@@ -0,0 +1,235 @@ +## Policy for IPA services. + +######################################## @@ -38418,6 +38422,25 @@ index 0000000..ee3a606 + +######################################## +## ++## Allow domain to manage ipa log files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_manage_log',` ++ gen_require(` ++ type ipa_log_t; ++ ') ++ ++ manage_files_pattern($1, ipa_log_t, ipa_log_t) ++ manage_dirs_pattern($1, ipa_log_t, ipa_log_t) ++') ++ ++######################################## ++## +## Allow domain to manage ipa lib files/dirs. +## +## 
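Review bot: `ipa_manage_log(certmonger_t)` grants create, write, unlink and rename on every file and directory labeled ipa_log_t, while the stated need is to create and write /var/log/ipa/renew.log. A log writer normally needs only `create_files_pattern`/`append_files_pattern` on ipa_log_t plus the named transition the next line adds; with manage, a compromised certmonger_t could truncate or delete other IPA logs, which is an audit-trail concern. If manage is really required (for instance the same helper rotates the log), a comment saying so above the call would settle it; otherwise a narrower interface in ipa.if (say `ipa_append_log`, name illustrative) would match what the changelog describes.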
@@ -38495,12 +38518,31 @@ index 0000000..ee3a606 + files_search_tmp($1) + allow $1 ipa_tmp_t:file unlink; +') ++ ++######################################## ++## ++## Create log files with a named file ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_named_filetrans_log_dir',` ++ gen_require(` ++ type ipa_log_t; ++ ') ++ ++ logging_log_named_filetrans($1, ipa_log_t, dir, "ipa") ++') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..3ca42f7 +index 0000000..e3b22a3 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,199 @@ +@@ -0,0 +1,201 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38659,6 +38701,7 @@ index 0000000..3ca42f7 +files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file }) + +kernel_dgram_send(ipa_dnskey_t) ++kernel_read_system_state(ipa_dnskey_t) + +auth_use_nsswitch(ipa_dnskey_t) + @@ -38688,6 +38731,7 @@ index 0000000..3ca42f7 + bind_read_dnssec_keys(ipa_dnskey_t) + bind_manage_zone(ipa_dnskey_t) + bind_manage_zone_dirs(ipa_dnskey_t) ++ bind_search_cache(ipa_dnskey_t) +') + +optional_policy(` @@ -46711,7 +46755,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..db7c68b 100644 +index 4ec0eea..693d9ae 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -46753,7 +46797,7 @@ index 4ec0eea..db7c68b 100644 allow lsmd_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -@@ -26,4 +44,69 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,71 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) 
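Review bot: The docblock for `ipa_named_filetrans_log_dir` says "Create log files with a named file type transition", but the body, `logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")`, transitions only a directory named ipa under the log root, not files. Suggest the summary `Create the /var/log/ipa directory with a named file type transition to ipa_log_t.`, so callers know that files inside it still need ipa_manage_log or an equivalent rule. That wording also keeps the interface name and its description in step.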
@@ -46812,6 +46856,8 @@ index 4ec0eea..db7c68b 100644 +init_stream_connect(lsmd_plugin_t) +init_dontaudit_rw_stream_socket(lsmd_plugin_t) + ++libs_exec_ldconfig(lsmd_plugin_t) ++ +logging_send_syslog_msg(lsmd_plugin_t) + +miscfiles_read_certs(lsmd_plugin_t) @@ -101794,7 +101840,7 @@ index e9bd097..5724bcf 100644 +/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0) diff --git a/spamassassin.if b/spamassassin.if -index 1499b0b..6950cab 100644 +index 1499b0b..e695a62 100644 --- a/spamassassin.if +++ b/spamassassin.if @@ -2,39 +2,45 @@ @@ -102178,7 +102224,7 @@ index 1499b0b..6950cab 100644 + ') + + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor") -+ userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin") ++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin") + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd") + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor") +') @@ -102199,7 +102245,7 @@ index 1499b0b..6950cab 100644 + ') + + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor") -+ userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin") ++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin") + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd") + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor") +') @@ -102249,7 +102295,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..7e5c719 100644 +index cc58e35..d844f55 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) 
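Review bot: `libs_exec_ldconfig(lsmd_plugin_t)` runs ldconfig inside the plugin domain with no transition, and nothing in the hunk says why a storage plugin needs it. Presumably a language runtime used by the plugins invokes `ldconfig -p` to locate shared libraries (Python's ctypes.util.find_library does this), which is a read-only use; if so, a comment above the call, `# plugins locate shared libraries via "ldconfig -p" -- TODO confirm`, would justify the rule and make clear that rebuilding ld.so.cache was not intended. If the plugins do need to regenerate the cache, a transition via libs_domtrans_ldconfig would keep that write out of lsmd_plugin_t.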
@@ -102329,7 +102375,7 @@ index cc58e35..7e5c719 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +46,199 @@ type spamd_log_t; +@@ -72,87 +46,197 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -102466,8 +102512,6 @@ index cc58e35..7e5c719 100644 +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") -+userdom_admin_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") +userdom_home_manager(spamassassin_t) + kernel_read_kernel_sysctls(spamassassin_t) @@ -102551,7 +102595,7 @@ index cc58e35..7e5c719 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +246,8 @@ optional_policy(` +@@ -160,6 +244,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -102560,7 +102604,7 @@ index cc58e35..7e5c719 100644 ') ######################################## -@@ -167,72 +255,95 @@ optional_policy(` +@@ -167,72 +253,95 @@ optional_policy(` # Client local policy # @@ -102687,7 +102731,7 @@ index cc58e35..7e5c719 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +354,7 @@ optional_policy(` +@@ -243,6 +352,7 @@ optional_policy(` ') optional_policy(` @@ -102695,7 +102739,7 @@ index cc58e35..7e5c719 100644 evolution_stream_connect(spamc_t) ') -@@ -251,11 +363,18 @@ optional_policy(` +@@ -251,11 +361,18 @@ optional_policy(` ') optional_policy(` @@ -102715,7 +102759,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -267,36 +386,40 @@ optional_policy(` +@@ -267,36 +384,40 @@ optional_policy(` ######################################## # 
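Review bot: The two `userdom_*_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")` rules are removed as duplicates, but the transitions kept in spamassassin.if earlier in this patch target spamc_home_t, not spamassassin_home_t. Unless spamassassin_home_t is an alias of spamc_home_t, which this hunk does not show, the label that spamd_t gives a freshly created ~/.spamassassin changes with this removal, and the surrounding `manage_*_pattern(spamd_t, spamassassin_home_t, ...)` rules would then not cover the new directory. Worth confirming the alias or the type declarations before treating these as pure duplicates, and naming the intended label in the changelog entry.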
@@ -102773,7 +102817,7 @@ index cc58e35..7e5c719 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +431,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +429,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -102783,7 +102827,7 @@ index cc58e35..7e5c719 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +441,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +439,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -102800,7 +102844,7 @@ index cc58e35..7e5c719 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +457,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +455,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -102905,7 +102949,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -421,21 +529,13 @@ optional_policy(` +@@ -421,21 +527,13 @@ optional_policy(` ') optional_policy(` @@ -102929,7 +102973,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -443,8 +543,8 @@ optional_policy(` +@@ -443,8 +541,8 @@ optional_policy(` ') optional_policy(` @@ -102939,7 +102983,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -455,7 +555,17 @@ optional_policy(` +@@ -455,7 +553,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) 
@@ -102958,7 +103002,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -463,9 +573,9 @@ optional_policy(` +@@ -463,9 +571,9 @@ optional_policy(` ') optional_policy(` @@ -102969,7 +103013,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -474,32 +584,32 @@ optional_policy(` +@@ -474,32 +582,32 @@ optional_policy(` ######################################## # @@ -103012,7 +103056,7 @@ index cc58e35..7e5c719 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -115812,7 +115856,7 @@ index 137ac44..b644854 100644 domain_system_change_exemption($1) role_transition $2 vnstatd_initrc_exec_t system_r; diff --git a/vnstatd.te b/vnstatd.te -index e2220ae..0dcf5f6 100644 +index e2220ae..85f393b 100644 --- a/vnstatd.te +++ b/vnstatd.te @@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen }; @@ -115824,12 +115868,16 @@ index e2220ae..0dcf5f6 100644 manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -@@ -47,14 +47,10 @@ kernel_read_system_state(vnstatd_t) +@@ -45,16 +45,14 @@ files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) + kernel_read_network_state(vnstatd_t) + kernel_read_system_state(vnstatd_t) - domain_use_interactive_fds(vnstatd_t) +-domain_use_interactive_fds(vnstatd_t) ++dev_read_sysfs(vnstatd_t) -files_read_etc_files(vnstatd_t) -- ++domain_use_interactive_fds(vnstatd_t) + fs_getattr_xattr_fs(vnstatd_t) logging_send_syslog_msg(vnstatd_t) 
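Review bot: `dev_read_sysfs(vnstatd_t)` grants read access to everything labeled sysfs_t, not only /sys/class/net as the changelog entry states, since refpolicy labels the whole of /sys with a single type; there is no narrower interface, so the rule is the expected fix, but the broader scope should be recorded in the policy itself. Suggest a comment on the new line, `# interface counters live in /sys/class/net; dev_read_sysfs covers all of sysfs_t`, so a later reader neither assumes the rule is path-scoped nor tries to tighten it to a type that does not exist. The vnstatd.te block continues past this hunk.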
@@ -115839,7 +115887,7 @@ index e2220ae..0dcf5f6 100644 ######################################## # # Client local policy -@@ -64,23 +60,19 @@ allow vnstat_t self:process signal; +@@ -64,23 +62,19 @@ allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; allow vnstat_t self:unix_stream_socket { accept listen }; diff --git a/selinux-policy.spec b/selinux-policy.spec index f8b6036..2df8c88 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.6%{?dist} +Release: 191.7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -645,6 +645,19 @@ exit 0 %endif %changelog +* Tue Jul 26 2016 Lukas Vrabec 3.13.1-191.7 +- Allow lsmd_plugin_t to exec ldconfig. +- Allow vnstatd domain to read /sys/class/net/ files +- Remove duplicate allow rules in spamassassin SELinux module +- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs +- Allow ipa_dnskey domain to search cache dirs +- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file +- Allow ipa-dnskey read system state. +- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245 +- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721) +- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf +- sysadmin should be allowed to use docker. + * Mon Jul 18 2016 Lukas Vrabec 3.13.1-191.6 - Remove double graphite-web context declaration - Fix typo in rhsmcertd SELinux policy
