From 4009efd1bb1fe8d4bd215ac47ad62cee25b2b6e6 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mar 19 2014 18:23:38 +0000
Subject: * Wed Mar 19 2014 Miroslav Grepl 3.12.1-142
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 4147183..7ec52d7 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..44e709c 100644
+index e4f84de..439ee6d 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,43 @@
+@@ -1,30 +1,44 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -47,6 +47,7 @@ index e4f84de..44e709c 100644
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
@@ -89647,7 +89648,7 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 81864ce..7408ed7 100644
+index 81864ce..e0f790d 100644
--- a/snmp.te
+++ b/snmp.te
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@@ -89703,7 +89704,14 @@ index 81864ce..7408ed7 100644
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
-@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t)
+@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t)
+ storage_dontaudit_read_fixed_disk(snmpd_t)
+ storage_dontaudit_read_removable_device(snmpd_t)
+ storage_dontaudit_write_removable_device(snmpd_t)
++storage_getattr_fixed_disk_dev(snmpd_t)
++storage_getattr_removable_dev(snmpd_t)
+
+ auth_use_nsswitch(snmpd_t)
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
@@ -89717,7 +89725,7 @@ index 81864ce..7408ed7 100644
seutil_dontaudit_search_config(snmpd_t)
-@@ -131,7 +133,11 @@ optional_policy(`
+@@ -131,7 +135,11 @@ optional_policy(`
')
optional_policy(`
@@ -89730,7 +89738,7 @@ index 81864ce..7408ed7 100644
')
optional_policy(`
-@@ -140,6 +146,7 @@ optional_policy(`
+@@ -140,6 +148,7 @@ optional_policy(`
optional_policy(`
mta_read_config(snmpd_t)
@@ -100219,7 +100227,7 @@ index 9dec06c..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..afa8936 100644
+index 1f22fba..3ecf9e4 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,194 @@
@@ -100376,7 +100384,7 @@ index 1f22fba..afa8936 100644
+## Allow sandbox containers to send audit messages
+##
+##
-+gen_tunable(virt_sandbox_use_audit, false)
++gen_tunable(virt_sandbox_use_audit, true)
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
@@ -101287,7 +101295,7 @@ index 1f22fba..afa8936 100644
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+miscfiles_read_generic_certs(virt_domain)
-+
+
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
@@ -101397,7 +101405,7 @@ index 1f22fba..afa8936 100644
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-
++
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
@@ -101485,10 +101493,10 @@ index 1f22fba..afa8936 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -101652,7 +101660,7 @@ index 1f22fba..afa8936 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1111,278 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1111,282 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -101681,7 +101689,8 @@ index 1f22fba..afa8936 100644
+optional_policy(`
+ docker_exec_lib(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -101689,8 +101698,7 @@ index 1f22fba..afa8936 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -101710,79 +101718,9 @@ index 1f22fba..afa8936 100644
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
+
-+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
-+
-+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
-+allow svirt_sandbox_domain virtd_lxc_t:fd use;
-+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-+
-+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
-+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+
-+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
-+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
-+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
-+
-+kernel_getattr_proc(svirt_sandbox_domain)
-+kernel_list_all_proc(svirt_sandbox_domain)
-+kernel_read_all_sysctls(svirt_sandbox_domain)
-+kernel_rw_net_sysctls(svirt_sandbox_domain)
-+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
-+
-+corecmd_exec_all_executables(svirt_sandbox_domain)
-+
-+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
-+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
-+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
-+files_entrypoint_all_files(svirt_sandbox_domain)
-+files_list_var(svirt_sandbox_domain)
-+files_list_var_lib(svirt_sandbox_domain)
-+files_search_all(svirt_sandbox_domain)
-+files_read_config_files(svirt_sandbox_domain)
-+files_read_usr_symlinks(svirt_sandbox_domain)
-+files_search_locks(svirt_sandbox_domain)
-+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
-+
-+fs_getattr_all_fs(svirt_sandbox_domain)
-+fs_list_inotifyfs(svirt_sandbox_domain)
-+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
-+fs_read_fusefs_files(svirt_sandbox_domain)
-+
-+auth_dontaudit_read_passwd(svirt_sandbox_domain)
-+auth_dontaudit_read_login_records(svirt_sandbox_domain)
-+auth_dontaudit_write_login_records(svirt_sandbox_domain)
-+auth_search_pam_console_data(svirt_sandbox_domain)
-+
-+clock_read_adjtime(svirt_sandbox_domain)
-+
-+init_read_utmp(svirt_sandbox_domain)
-+init_dontaudit_write_utmp(svirt_sandbox_domain)
-+
-+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
-+
-+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
-+miscfiles_read_fonts(svirt_sandbox_domain)
-+miscfiles_read_hwdata(svirt_sandbox_domain)
-+
-+systemd_read_unit_files(svirt_sandbox_domain)
-+
-+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
-+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
-+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++tunable_policy(`deny_ptrace',`',`
++ allow svirt_sandbox_domain self:process ptrace;
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -101866,12 +101804,89 @@ index 1f22fba..afa8936 100644
-miscfiles_read_fonts(svirt_lxc_domain)
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
++
++allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
++allow svirt_sandbox_domain virtd_lxc_t:fd use;
++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
++
++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++
++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
++
++kernel_getattr_proc(svirt_sandbox_domain)
++kernel_list_all_proc(svirt_sandbox_domain)
++kernel_read_all_sysctls(svirt_sandbox_domain)
++kernel_rw_net_sysctls(svirt_sandbox_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++
++corecmd_exec_all_executables(svirt_sandbox_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
++files_dontaudit_getattr_all_files(svirt_sandbox_domain)
++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
++files_entrypoint_all_files(svirt_sandbox_domain)
++files_list_var(svirt_sandbox_domain)
++files_list_var_lib(svirt_sandbox_domain)
++files_search_all(svirt_sandbox_domain)
++files_read_config_files(svirt_sandbox_domain)
++files_read_usr_symlinks(svirt_sandbox_domain)
++files_search_locks(svirt_sandbox_domain)
++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
++
++fs_getattr_all_fs(svirt_sandbox_domain)
++fs_list_inotifyfs(svirt_sandbox_domain)
++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
++fs_read_fusefs_files(svirt_sandbox_domain)
++
++auth_dontaudit_read_passwd(svirt_sandbox_domain)
++auth_dontaudit_read_login_records(svirt_sandbox_domain)
++auth_dontaudit_write_login_records(svirt_sandbox_domain)
++auth_search_pam_console_data(svirt_sandbox_domain)
++
++clock_read_adjtime(svirt_sandbox_domain)
++
++init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_write_utmp(svirt_sandbox_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
++
++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
++miscfiles_read_fonts(svirt_sandbox_domain)
++miscfiles_read_hwdata(svirt_sandbox_domain)
++
++systemd_read_unit_files(svirt_sandbox_domain)
++
++userdom_use_inherited_user_terminals(svirt_sandbox_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
+
+ optional_policy(`
+- udev_read_pid_files(svirt_lxc_domain)
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- apache_exec_modules(svirt_lxc_domain)
+- apache_read_sys_content(svirt_lxc_domain)
+ docker_manage_lib_files(svirt_lxc_net_t)
+ docker_manage_lib_dirs(svirt_lxc_net_t)
+ docker_read_share_files(svirt_sandbox_domain)
@@ -101886,15 +101901,12 @@ index 1f22fba..afa8936 100644
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
-
- optional_policy(`
-- udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
- ')
-
- optional_policy(`
-- apache_exec_modules(svirt_lxc_domain)
-- apache_read_sys_content(svirt_lxc_domain)
++')
++
++optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
')
@@ -101936,10 +101948,7 @@ index 1f22fba..afa8936 100644
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow svirt_lxc_net_t self:capability sys_admin;
+')
-
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
++
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -101948,11 +101957,14 @@ index 1f22fba..afa8936 100644
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-+
+
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
@@ -102019,8 +102031,7 @@ index 1f22fba..afa8936 100644
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
@@ -102045,7 +102056,8 @@ index 1f22fba..afa8936 100644
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+logging_send_syslog_msg(svirt_qemu_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
@@ -102068,7 +102080,7 @@ index 1f22fba..afa8936 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1395,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1399,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -102083,7 +102095,7 @@ index 1f22fba..afa8936 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1413,8 @@ optional_policy(`
+@@ -1183,9 +1417,8 @@ optional_policy(`
########################################
#
@@ -102094,7 +102106,7 @@ index 1f22fba..afa8936 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1427,216 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1431,216 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6b9120e..6cda278 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 141%{?dist}
+Release: 142%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 19 2014 Miroslav Grepl 3.12.1-142
+- Add support for /var/spool/rhsm/debug
+- Make virt_sandbox_use_audit as True by default
+- Allow svirt_sandbox_domains to ptrace themselves
+
* Wed Mar 19 2014 Miroslav Grepl 3.12.1-141
- Allow docker containers to manage /var/lib/docker content