From 260d2bc2111234a4537f3d3704bb6ef63871a892 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 08 2016 12:21:02 +0000 Subject: * Fri Apr 08 2016 Lukas Vrabec 3.13.1-182 - By default container domains should not be allowed to create devices - rename several contrib modules according to their filenames - Add interface gnome_filetrans_cert_home_content() - Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t. - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used - Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454) - Allow systemd gpt generator to read removable devices. BZ(1323458) --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index b095a28..e168dc6 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 5e5cccc..9a9cb7e 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -26525,10 +26525,10 @@ index 0000000..03faeac + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..31076d7 +index 0000000..bca9f3c --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,345 @@ +@@ -0,0 +1,349 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -26766,6 +26766,10 @@ index 0000000..31076d7 + gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + ++ optional_policy(` ++ gnome_filetrans_cert_home_content(unconfined_t) ++ ') ++ + optional_policy(` + ipsec_mgmt_dbus_chat(unconfined_t) + ') @@ -48023,10 +48027,10 @@ index 0000000..3380372 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..d8fdd7b +index 0000000..6c16f21 
--- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,920 @@ +@@ -0,0 +1,928 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48870,11 +48874,14 @@ index 0000000..d8fdd7b +# systemd_gpt_generator domain +# + ++allow systemd_gpt_generator_t self:capability sys_rawio; ++ +dev_read_sysfs(systemd_gpt_generator_t) +dev_write_kmsg(systemd_gpt_generator_t) +dev_read_nvme(systemd_gpt_generator_t) + +storage_raw_read_fixed_disk(systemd_gpt_generator_t) ++storage_raw_read_removable_device(systemd_gpt_generator_t) + +allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms; +systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file) @@ -48889,6 +48896,7 @@ index 0000000..d8fdd7b +allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; +allow systemd_resolved_t self:process setcap; +allow systemd_resolved_t self:tcp_socket { accept listen }; ++allow systemd_resolved_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) @@ -48899,9 +48907,13 @@ index 0000000..d8fdd7b + +kernel_dgram_send(systemd_resolved_t) + ++auth_read_passwd(systemd_resolved_t) ++ +corenet_tcp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t) + ++dev_write_kmsg(systemd_resolved_t) ++ +sysnet_manage_config(systemd_resolved_t) + +optional_policy(` diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index ad14f8d..59479df 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -31776,11 +31776,11 @@ index 0000000..fc9bf19 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..b974353 +index 0000000..74ec2fd --- /dev/null +++ b/glusterd.te 
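Review bot: `allow systemd_gpt_generator_t self:capability sys_rawio;` grants a broad capability (CAP_SYS_RAWIO covers raw port I/O and privileged block-device ioctls, not just the GPT probing the generator needs) without any comment in the policy saying which device command requires it; the only justification is the changelog entry. Add `# sys_rawio: needed for the generator's device commands, see BZ(1323454)` above the rule so the grant can be re-evaluated if the generator's behaviour changes, and note that together with the new `storage_raw_read_removable_device` rule the domain can now read any removable raw device. The systemd_gpt_generator_t block continues outside the hunk.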
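Review bot: `dev_write_kmsg(systemd_resolved_t)` is unconditional, while the commit message ties it to the `systemd.log_target=kmsg` boot option; a comment `# kmsg write is for systemd.log_target=kmsg logging` next to the rule would record that intent for whoever later audits what resolved may write. The adjacent `auth_read_passwd(systemd_resolved_t)` and `self:unix_dgram_socket create_socket_perms` additions carry no rationale either; a one-line comment per rule would keep these grants traceable. The systemd_resolved_t block continues outside the hunk.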
@@ -0,0 +1,295 @@ -+policy_module(glusterfs, 1.1.2) ++policy_module(glusterd, 1.1.3) + +## +##

@@ -32360,7 +32360,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..0734f6b 100644 +index ab09d61..980f1f6 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -33409,7 +33409,7 @@ index ab09d61..0734f6b 100644 ## ## ##

-@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -34318,6 +34318,24 @@ index ab09d61..0734f6b 100644 + gnome_cache_filetrans($1, config_home_t, dir, "dconf") +') + ++###################################### ++## ++## File name transition for generic home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_filetrans_cert_home_content',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ gnome_data_filetrans($1, home_cert_t, dir, "certificates") ++') ++ +######################################## +## +## Create gnome directory in the /root directory @@ -67159,9 +67177,15 @@ index bf59ef7..0e33327 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..3b92c4d 100644 +index 08ec33b..3ad995c 100644 --- a/passenger.te +++ b/passenger.te +@@ -1,4 +1,4 @@ +-policy_module(passanger, 1.1.1) ++policy_module(passenger, 1.1.2) + + ######################################## + # @@ -14,6 +14,9 @@ role system_r types passenger_t; type passenger_log_t; logging_log_file(passenger_log_t) @@ -87971,11 +87995,11 @@ index 0000000..0be4cee +') diff --git a/rkhunter.te b/rkhunter.te new file mode 100644 -index 0000000..aa2d09e +index 0000000..44de480 --- /dev/null +++ b/rkhunter.te @@ -0,0 +1,4 @@ -+policy_module(rhhunter, 1.0) ++policy_module(rkhunter, 1.1) + +type rkhunter_var_lib_t; +files_type(rkhunter_var_lib_t) @@ -103248,11 +103272,11 @@ index 0000000..80c6480 +') diff --git a/stapserver.te b/stapserver.te new file mode 100644 -index 0000000..bc92f68 +index 0000000..e847ea3 --- /dev/null +++ b/stapserver.te @@ -0,0 +1,114 @@ -+policy_module(systemtap, 1.1.0) ++policy_module(stapserver, 1.1.1) + +######################################## +# @@ -111649,7 +111673,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..2a1d3e5 100644 +index f03dcf5..5e41cd6 100644 --- a/virt.te 
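Review bot: The summary of the new `gnome_filetrans_cert_home_content` interface, `## File name transition for generic home content files.`, does not describe what its body does — it relabels the `certificates` directory created under the gnome data home to `home_cert_t` — so it reads as copied from a neighbouring interface. Change it to `## File name transition for the "certificates" directory under the gnome data home to home_cert_t.` so callers can tell this is a certificate-store label, not a generic content transition. The interface is complete within the hunk.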
+++ b/virt.te @@ -1,451 +1,395 @@ @@ -113209,7 +113233,7 @@ index f03dcf5..2a1d3e5 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1237,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -113292,7 +113316,6 @@ index f03dcf5..2a1d3e5 100644 +manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto }; +virt_mounton_sandbox_file(svirt_sandbox_domain) @@ -113706,7 +113729,7 @@ index f03dcf5..2a1d3e5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -113721,7 +113744,7 @@ index f03dcf5..2a1d3e5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1616,7 @@ optional_policy(` +@@ -1192,7 +1615,7 @@ optional_policy(` ######################################## # 
@@ -113730,7 +113753,7 @@ index f03dcf5..2a1d3e5 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1625,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index bd9391a..e75a885 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 181%{?dist} +Release: 182%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -651,6 +651,15 @@ exit 0 %endif %changelog +* Fri Apr 08 2016 Lukas Vrabec 3.13.1-182 +- By default container domains should not be allowed to create devices +- rename several contrib modules according to their filenames +- Add interface gnome_filetrans_cert_home_content() +- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t. +- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used +- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454) +- Allow systemd gpt generator to read removable devices. BZ(1323458) + * Fri Apr 01 2016 Lukas Vrabec 3.13.1-181 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075) - Label all run tgtd files, not just socket files