From 4009efd1bb1fe8d4bd215ac47ad62cee25b2b6e6 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 19 2014 18:23:38 +0000 Subject: * Wed Mar 19 2014 Miroslav Grepl 3.12.1-142 - Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves --- diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 4147183..7ec52d7 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..44e709c 100644 +index e4f84de..439ee6d 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,43 @@ +@@ -1,30 +1,44 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -47,6 +47,7 @@ index e4f84de..44e709c 100644 -/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) @@ -89647,7 +89648,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..7408ed7 100644 +index 81864ce..e0f790d 100644 --- a/snmp.te +++ b/snmp.te @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) 
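Review bot: The new file context in the `@@ -47,6 +47,7 @@` hunk labels `/var/spool/rhsm/debug(/.*)?` with `abrt_var_cache_t`, abrt's own cache type, so whichever domain writes those debug dumps (presumably subscription-manager's; this patch does not show it) must already be allowed to create and write `abrt_var_cache_t` dirs and files, otherwise the new label only turns its writes into denials — worth confirming against that domain's .te before shipping. The reverse also holds: every domain with manage rights on `abrt_var_cache_t` now reaches the rhsm spool as well. A one-line comment above the entry naming the producer would make the reuse of abrt's type deliberate rather than accidental, e.g. `# written by <PRODUCER-DOMAIN>, collected by abrt: share abrt's cache type`.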
@@ -89703,7 +89704,14 @@ index 81864ce..7408ed7 100644 files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) -@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t) +@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t) + storage_dontaudit_read_fixed_disk(snmpd_t) + storage_dontaudit_read_removable_device(snmpd_t) + storage_dontaudit_write_removable_device(snmpd_t) ++storage_getattr_fixed_disk_dev(snmpd_t) ++storage_getattr_removable_dev(snmpd_t) + + auth_use_nsswitch(snmpd_t) init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) @@ -89717,7 +89725,7 @@ index 81864ce..7408ed7 100644 seutil_dontaudit_search_config(snmpd_t) -@@ -131,7 +133,11 @@ optional_policy(` +@@ -131,7 +135,11 @@ optional_policy(` ') optional_policy(` @@ -89730,7 +89738,7 @@ index 81864ce..7408ed7 100644 ') optional_policy(` -@@ -140,6 +146,7 @@ optional_policy(` +@@ -140,6 +148,7 @@ optional_policy(` optional_policy(` mta_read_config(snmpd_t) @@ -100219,7 +100227,7 @@ index 9dec06c..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..afa8936 100644 +index 1f22fba..3ecf9e4 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,194 @@ @@ -100376,7 +100384,7 @@ index 1f22fba..afa8936 100644 +## Allow sandbox containers to send audit messages +##
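Review bot: The two new lines `storage_getattr_fixed_disk_dev(snmpd_t)` and `storage_getattr_removable_dev(snmpd_t)` in the `@@ -89703,7 +89704,14 @@` hunk widen snmpd's access to block devices, yet none of the three changelog entries added to selinux-policy.spec mentions snmpd, so the change is invisible in the package history. Add a changelog line such as `- Allow snmpd to getattr fixed and removable disk devices`. Since the adjacent lines only dontaudit reads of the same devices, a short why-comment on the new allow rules would also help; disk statistics for the MIBs is the likely reason, but the patch does not say.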

+## -+gen_tunable(virt_sandbox_use_audit, false) ++gen_tunable(virt_sandbox_use_audit, true) -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; @@ -101287,7 +101295,7 @@ index 1f22fba..afa8936 100644 +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) -+ + +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) @@ -101397,7 +101405,7 @@ index 1f22fba..afa8936 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; - ++ +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -101485,10 +101493,10 @@ index 1f22fba..afa8936 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -101652,7 +101660,7 @@ index 1f22fba..afa8936 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1111,278 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1111,282 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -101681,7 +101689,8 @@ index 1f22fba..afa8936 100644 +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -101689,8 +101698,7 @@ index 1f22fba..afa8936 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
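Review bot: The default flip to `gen_tunable(virt_sandbox_use_audit, true)` in the `@@ -100376,7 +100384,7 @@` hunk makes every `tunable_policy(`virt_sandbox_use_audit',` block (one is visible later in this patch, after `logging_send_syslog_msg(svirt_qemu_net_t)`) active on a fresh install, so sandbox containers can send audit messages unless an administrator turns the boolean off, and systems that relied on the old `false` default gain that permission on upgrade without any visible change. The tunable's description still reads only `Allow sandbox containers to send audit messages` and gives no hint why the default is now on; consider adding a sentence to the `<desc>` block stating the rationale for enabling it by default, so the decision is documented next to the tunable rather than only in the spec changelog.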
@@ -101710,79 +101718,9 @@ index 1f22fba..afa8936 100644 +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow svirt_sandbox_domain self:passwd rootok; + -+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; -+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; -+ -+allow svirt_sandbox_domain virtd_lxc_t:process sigchld; -+allow svirt_sandbox_domain virtd_lxc_t:fd use; -+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -+ -+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr; -+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ -+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; -+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; -+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; -+ -+kernel_getattr_proc(svirt_sandbox_domain) -+kernel_list_all_proc(svirt_sandbox_domain) -+kernel_read_all_sysctls(svirt_sandbox_domain) -+kernel_rw_net_sysctls(svirt_sandbox_domain) -+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) -+ -+corecmd_exec_all_executables(svirt_sandbox_domain) -+ 
-+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) -+files_dontaudit_getattr_all_files(svirt_sandbox_domain) -+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) -+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) -+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) -+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) -+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) -+files_entrypoint_all_files(svirt_sandbox_domain) -+files_list_var(svirt_sandbox_domain) -+files_list_var_lib(svirt_sandbox_domain) -+files_search_all(svirt_sandbox_domain) -+files_read_config_files(svirt_sandbox_domain) -+files_read_usr_symlinks(svirt_sandbox_domain) -+files_search_locks(svirt_sandbox_domain) -+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) -+ -+fs_getattr_all_fs(svirt_sandbox_domain) -+fs_list_inotifyfs(svirt_sandbox_domain) -+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) -+fs_read_fusefs_files(svirt_sandbox_domain) -+ -+auth_dontaudit_read_passwd(svirt_sandbox_domain) -+auth_dontaudit_read_login_records(svirt_sandbox_domain) -+auth_dontaudit_write_login_records(svirt_sandbox_domain) -+auth_search_pam_console_data(svirt_sandbox_domain) -+ -+clock_read_adjtime(svirt_sandbox_domain) -+ -+init_read_utmp(svirt_sandbox_domain) -+init_dontaudit_write_utmp(svirt_sandbox_domain) -+ -+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) -+ -+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) -+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) -+miscfiles_read_fonts(svirt_sandbox_domain) -+miscfiles_read_hwdata(svirt_sandbox_domain) -+ -+systemd_read_unit_files(svirt_sandbox_domain) -+ -+userdom_use_inherited_user_terminals(svirt_sandbox_domain) -+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) -+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) ++tunable_policy(`deny_ptrace',`',` ++ allow svirt_sandbox_domain self:process ptrace; ++') -allow 
svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; 
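Review bot: The effective change in the `@@ -101710,79 +101718,9 @@` hunk is the three-line `tunable_policy(`deny_ptrace',`',` … `allow svirt_sandbox_domain self:process ptrace;` block, but it is buried under roughly seventy lines that are only deleted here and re-added unchanged in the `@@ -101866,12 +101804,89 @@` hunk; inserting the tunable block in place would have left the rest of policy-f20-contrib.patch untouched and made both this review and future rebases of the inner patch far simpler. On substance, `self:process ptrace` covers every process running as any svirt_sandbox_domain type, so two containers sharing a type are kept apart only by the MCS constraint on the process class, which this patch does not show; worth confirming that constraint includes ptrace before relying on it for isolation. A comment on the block would also help, e.g. `# containers may trace their own processes unless deny_ptrace is set`.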
@@ -101866,12 +101804,89 @@ index 1f22fba..afa8936 100644 -miscfiles_read_fonts(svirt_lxc_domain) - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` ++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; ++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; ++ ++allow svirt_sandbox_domain virtd_lxc_t:process sigchld; ++allow svirt_sandbox_domain virtd_lxc_t:fd use; ++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++ ++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr; ++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ ++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; ++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++ ++kernel_getattr_proc(svirt_sandbox_domain) ++kernel_list_all_proc(svirt_sandbox_domain) ++kernel_read_all_sysctls(svirt_sandbox_domain) ++kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++ ++corecmd_exec_all_executables(svirt_sandbox_domain) ++ ++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) 
++files_dontaudit_getattr_all_files(svirt_sandbox_domain) ++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) ++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) ++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) ++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) ++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) ++files_entrypoint_all_files(svirt_sandbox_domain) ++files_list_var(svirt_sandbox_domain) ++files_list_var_lib(svirt_sandbox_domain) ++files_search_all(svirt_sandbox_domain) ++files_read_config_files(svirt_sandbox_domain) ++files_read_usr_symlinks(svirt_sandbox_domain) ++files_search_locks(svirt_sandbox_domain) ++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) ++ ++fs_getattr_all_fs(svirt_sandbox_domain) ++fs_list_inotifyfs(svirt_sandbox_domain) ++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) ++fs_read_fusefs_files(svirt_sandbox_domain) ++ ++auth_dontaudit_read_passwd(svirt_sandbox_domain) ++auth_dontaudit_read_login_records(svirt_sandbox_domain) ++auth_dontaudit_write_login_records(svirt_sandbox_domain) ++auth_search_pam_console_data(svirt_sandbox_domain) ++ ++clock_read_adjtime(svirt_sandbox_domain) ++ ++init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_write_utmp(svirt_sandbox_domain) ++ ++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) ++ ++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) ++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) ++miscfiles_read_fonts(svirt_sandbox_domain) ++miscfiles_read_hwdata(svirt_sandbox_domain) ++ ++systemd_read_unit_files(svirt_sandbox_domain) ++ ++userdom_use_inherited_user_terminals(svirt_sandbox_domain) ++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) ++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) -+') -+ 
-+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + docker_manage_lib_files(svirt_lxc_net_t) + docker_manage_lib_dirs(svirt_lxc_net_t) + docker_read_share_files(svirt_sandbox_domain) @@ -101886,15 +101901,12 @@ index 1f22fba..afa8936 100644 +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ') @@ -101936,10 +101948,7 @@ index 1f22fba..afa8936 100644 +tunable_policy(`virt_sandbox_use_sys_admin',` + allow svirt_lxc_net_t self:capability sys_admin; +') - --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) ++ +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -101948,11 +101957,14 @@ index 1f22fba..afa8936 100644 + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') --corenet_sendrecv_all_client_packets(svirt_lxc_net_t) --corenet_tcp_connect_all_ports(svirt_lxc_net_t) +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; -+ + +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) 
@@ -102019,8 +102031,7 @@ index 1f22fba..afa8936 100644 +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + @@ -102045,7 +102056,8 @@ index 1f22fba..afa8936 100644 +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +logging_send_syslog_msg(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` @@ -102068,7 +102080,7 @@ index 1f22fba..afa8936 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1395,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1399,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -102083,7 +102095,7 @@ index 1f22fba..afa8936 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1413,8 @@ optional_policy(` +@@ -1183,9 +1417,8 @@ optional_policy(` ######################################## # @@ -102094,7 +102106,7 @@ index 1f22fba..afa8936 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1427,216 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1431,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6b9120e..6cda278 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 141%{?dist}
+Release: 142%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,11 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Wed Mar 19 2014 Miroslav Grepl 3.12.1-142
+- Add support for /var/spool/rhsm/debug
+- Make virt_sandbox_use_audit as True by default
+- Allow svirt_sandbox_domains to ptrace themselves
+
 * Wed Mar 19 2014 Miroslav Grepl 3.12.1-141
 - Allow docker containers to manage /var/lib/docker content