From 4380b300b9fa2a8929564715965a753efd8f92b2 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Feb 25 2016 12:56:04 +0000 Subject: * Thu Feb 25 2016 Lukas Vrabec 3.13.1-172 - Allow modemmanager to read /etc/passwd file. - Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy. - Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033 - Allow collectd setgid capability Resolves:#1310896 - Allow adcli running as sssd_t to write krb5.keytab file. - Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304) - Allow kexec to read kernel module files in /usr/lib/modules. - Add httpd_log_t for /var/log/graphite-web rhbz#1306981 - Remove redudant rules and fix _admin interface. - Add SELinux policy for LTTng 2.x central tracing registry session daemon. - Allow create mongodb unix dgram sockets. rhbz#1306819 - Support for InnoDB Tablespace Encryption. - Dontaudit leaded file descriptors from firewalld - Add port for rkt services - Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 1868e25..94df09c 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ac108ca..f6f8c8e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5718,7 +5718,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..e66e77a 100644 +index b191055..5ee0a46 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -5874,7 +5874,7 @@ index b191055..e66e77a 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +179,55 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +179,57 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5915,7 +5915,9 @@ index b191055..e66e77a 100644 +network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(keystone, tcp, 35357,s0, udp, 35357,s0) +network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0) ++network_port(lltng, tcp, 5345, s0) +network_port(rabbitmq, tcp,25672,s0) ++network_port(rkt, tcp,18112,s0) +network_port(rlogin, tcp,543,s0, tcp,2105,s0) +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) @@ -5945,7 +5947,7 @@ index b191055..e66e77a 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +235,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +237,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
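Review bot: The new port declaration `++network_port(lltng, tcp, 5345, s0)` spells the LTTng name as `lltng`, so the generated port type and bind interface will presumably be `lltng_port_t` / `corenet_tcp_bind_lltng_port`, and the new lttng-tools.te later in this patch already calls the misspelled interface, so the policy builds but the port is not findable under the daemon's real name. Renaming a port type after it ships needs a compatibility alias, so this is cheapest to fix now: `network_port(lttng, tcp, 5345, s0)` here and `corenet_tcp_bind_lttng_port(lttng_sessiond_t)` in lttng-tools.te. The `rkt` line added in the same hunk is consistent with the changelog and needs no change.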
@@ -6090,7 +6092,7 @@ index b191055..e66e77a 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +362,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +364,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6117,7 +6119,7 @@ index b191055..e66e77a 100644 ######################################## # -@@ -333,6 +411,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +413,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -6126,7 +6128,7 @@ index b191055..e66e77a 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +425,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +427,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -36340,7 +36342,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..bce6063 100644 +index be8ed1e..e336bc1 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,18 @@ role iptables_roles types iptables_t; 
@@ -36455,20 +36457,21 @@ index be8ed1e..bce6063 100644 ') optional_policy(` -@@ -110,6 +126,12 @@ optional_policy(` +@@ -110,6 +126,13 @@ optional_policy(` ') optional_policy(` + firewalld_read_config(iptables_t) + firewalld_read_pid_files(iptables_t) + firewalld_dontaudit_write_tmp_files(iptables_t) ++ firewalld_dontaudit_leaks(iptables_t) +') + +optional_policy(` modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +146,16 @@ optional_policy(` +@@ -124,6 +147,16 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -36485,7 +36488,7 @@ index be8ed1e..bce6063 100644 ') optional_policy(` -@@ -135,9 +167,9 @@ optional_policy(` +@@ -135,9 +168,9 @@ optional_policy(` ') optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c6d4153..d3c8d76 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..11582eb 100644 +index eb50f07..22f5977 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1044,7 +1044,7 @@ index eb50f07..11582eb 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +468,76 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +468,78 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1094,6 +1094,8 @@ index eb50f07..11582eb 100644 + +auth_read_passwd(abrt_dump_oops_t) + ++corecmd_getattr_all_executables(abrt_dump_oops_t) ++ +dev_read_urand(abrt_dump_oops_t) +dev_read_rand(abrt_dump_oops_t) 
@@ -1102,10 +1104,10 @@ index eb50f07..11582eb 100644 +domain_ptrace_all_domains(abrt_dump_oops_t) +domain_read_all_domains_state(abrt_dump_oops_t) +domain_getattr_all_domains(abrt_dump_oops_t) - ++ +files_manage_non_security_dirs(abrt_dump_oops_t) +files_manage_non_security_files(abrt_dump_oops_t) -+ + +fs_getattr_all_fs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) +fs_list_pstorefs(abrt_dump_oops_t) @@ -1125,7 +1127,7 @@ index eb50f07..11582eb 100644 ####################################### # -@@ -404,25 +545,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +547,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1188,7 +1190,7 @@ index eb50f07..11582eb 100644 ') ####################################### -@@ -430,10 +606,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +608,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -3449,10 +3451,10 @@ index 0000000..d8b04b5 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..b25689b 100644 +index 7caefc3..4313ba3 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,211 @@ +@@ -1,162 +1,212 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3710,6 +3712,7 @@ index 7caefc3..b25689b 100644 +/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/graphite-web(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -15295,7 +15298,7 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..3baa00b 100644 +index 6471fa8..3f5989f 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,59 @@ files_type(collectd_var_lib_t) @@ -15317,7 +15320,7 @@ index 6471fa8..3baa00b 100644 # -allow collectd_t self:capability { ipc_lock sys_nice }; -+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override }; ++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setuid setgid }; allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; @@ -20550,7 +20553,7 @@ index 3023be7..0317731 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..3d89006 100644 +index c91813c..65e9a4d 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -20914,6 +20917,15 @@ index c91813c..3d89006 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) +@@ -326,7 +387,7 @@ optional_policy(` + ') + + optional_policy(` +- snmp_read_snmp_var_lib_files(cupsd_t) ++ snmp_manage_var_lib_files(cupsd_t) + ') + + optional_policy(` @@ -334,7 +395,11 @@ optional_policy(` ') @@ -40567,10 +40579,10 @@ index 3a00b3a..92f125f 100644 +') + 
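Review bot: The collectd capability rule becomes `allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setuid setgid };`, but the changelog entry in this commit ("Allow collectd setgid capability Resolves:#1310896") only justifies `setgid`; `setuid` lets the domain switch to any uid, which is a noticeably larger grant than what the bug reference describes. Either drop `setuid` if only the gid change was denied, or extend the changelog entry and record the reason above the rule, e.g. `# setuid/setgid: needed to drop privileges at startup, rhbz#1310896` if that is indeed why both were requested. The cupsd hunk in the same line (`snmp_manage_var_lib_files(cupsd_t)`) matches the changelog and raises no issue.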
diff --git a/kdump.te b/kdump.te -index 715fc21..8bcd248 100644 +index 715fc21..e8792ed 100644 --- a/kdump.te +++ b/kdump.te -@@ -12,35 +12,57 @@ init_system_domain(kdump_t, kdump_exec_t) +@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) type kdump_etc_t; files_config_file(kdump_etc_t) @@ -40620,6 +40632,7 @@ index 715fc21..8bcd248 100644 -files_read_etc_files(kdump_t) files_read_etc_runtime_files(kdump_t) +files_read_kernel_symbol_table(kdump_t) ++files_read_kernel_modules(kdump_t) files_read_kernel_img(kdump_t) +kernel_read_system_state(kdump_t) @@ -40633,7 +40646,7 @@ index 715fc21..8bcd248 100644 dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) -@@ -48,22 +70,35 @@ term_use_console(kdump_t) +@@ -48,22 +71,35 @@ term_use_console(kdump_t) ####################################### # @@ -40673,7 +40686,7 @@ index 715fc21..8bcd248 100644 kernel_read_system_state(kdumpctl_t) -@@ -71,46 +106,56 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +107,56 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) 
@@ -46094,6 +46107,187 @@ index 4ec0eea..03738f2 100644 +storage_raw_rw_fixed_disk(lsmd_plugin_t) +storage_read_scsi_generic(lsmd_plugin_t) +storage_write_scsi_generic(lsmd_plugin_t) +diff --git a/lttng-tools.fc b/lttng-tools.fc +new file mode 100644 +index 0000000..bdd17ca +--- /dev/null ++++ b/lttng-tools.fc +@@ -0,0 +1,5 @@ ++/usr/bin/lttng-sessiond -- gen_context(system_u:object_r:lttng_sessiond_exec_t,s0) ++ ++/usr/lib/systemd/system/lttng-sessiond.service -- gen_context(system_u:object_r:lttng_sessiond_unit_file_t,s0) ++ ++/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0) +diff --git a/lttng-tools.if b/lttng-tools.if +new file mode 100644 +index 0000000..6b0da33 +--- /dev/null ++++ b/lttng-tools.if +@@ -0,0 +1,98 @@ ++ ++## LTTng 2.x central tracing registry session daemon. ++ ++######################################## ++## ++## Execute lttng_sessiond_exec_t in the lttng_sessiond domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lttng_sessiond_domtrans',` ++ gen_require(` ++ type lttng_sessiond_t, lttng_sessiond_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t) ++') ++ ++###################################### ++## ++## Execute lttng_sessiond in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lttng_sessiond_exec',` ++ gen_require(` ++ type lttng_sessiond_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, lttng_sessiond_exec_t) ++') ++ ++######################################## ++## ++## Execute lttng_sessiond server in the lttng_sessiond domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`lttng_sessiond_systemctl',` ++ gen_require(` ++ type lttng_sessiond_t; ++ type lttng_sessiond_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 lttng_sessiond_unit_file_t:file read_file_perms; ++ allow $1 lttng_sessiond_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, lttng_sessiond_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an lttng_sessiond environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lttng_sessiond_admin',` ++ gen_require(` ++ type lttng_sessiond_t; ++ type lttng_sessiond_unit_file_t; ++ ') ++ ++ allow $1 lttng_sessiond_t:process { signal_perms }; ++ ps_process_pattern($1, lttng_sessiond_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 lttng_sessiond_t:process ptrace; ++ ') ++ ++ lttng_sessiond_systemctl($1) ++ admin_pattern($1, lttng_sessiond_unit_file_t) ++ allow $1 lttng_sessiond_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/lttng-tools.te b/lttng-tools.te +new file mode 100644 +index 0000000..0b9ade5 +--- /dev/null ++++ b/lttng-tools.te +@@ -0,0 +1,60 @@ ++policy_module(lttng-tools, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type lttng_sessiond_t; ++type lttng_sessiond_exec_t; ++init_daemon_domain(lttng_sessiond_t, lttng_sessiond_exec_t) ++ ++type lttng_sessiond_tmpfs_t; ++files_tmpfs_file(lttng_sessiond_tmpfs_t) ++ ++type lttng_sessiond_var_run_t; ++files_pid_file(lttng_sessiond_var_run_t) ++ ++type lttng_sessiond_unit_file_t; ++systemd_unit_file(lttng_sessiond_unit_file_t) ++ ++######################################## ++# ++# lttng_sessiond local policy ++# ++ ++allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource }; ++ ++allow lttng_sessiond_t 
self:process { setrlimit signal_perms }; ++allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms; ++allow lttng_sessiond_t self:tcp_socket listen; ++allow lttng_sessiond_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) ++manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) ++manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) ++manage_sock_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t) ++files_pid_filetrans(lttng_sessiond_t, lttng_sessiond_var_run_t, { dir }) ++ ++manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t) ++manage_files_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t) ++fs_tmpfs_filetrans(lttng_sessiond_t, lttng_sessiond_tmpfs_t, { dir file }) ++ ++kernel_read_system_state(lttng_sessiond_t) ++kernel_read_net_sysctls(lttng_sessiond_t) ++kernel_read_fs_sysctls(lttng_sessiond_t) ++ ++corecmd_exec_shell(lttng_sessiond_t) ++ ++corenet_tcp_bind_generic_node(lttng_sessiond_t) ++corenet_tcp_bind_lltng_port(lttng_sessiond_t) ++ ++dev_read_sysfs(lttng_sessiond_t) ++ ++fs_getattr_tmpfs(lttng_sessiond_t) ++ ++auth_use_nsswitch(lttng_sessiond_t) ++ ++modutils_exec_insmod(lttng_sessiond_t) ++modutils_read_module_config(lttng_sessiond_t) ++files_read_kernel_modules(lttng_sessiond_t) diff --git a/mailman.fc b/mailman.fc index 995d0a5..3d40d59 100644 --- a/mailman.fc @@ -49489,7 +49683,7 @@ index 6fcfc31..e9e6bc5 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..608c584 100644 +index 169f236..f19680b 100644 --- a/mongodb.te +++ b/mongodb.te @@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t) 
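Review bot: `modutils_exec_insmod(lttng_sessiond_t)` in the new lttng-tools.te executes modprobe/insmod inside lttng_sessiond_t itself, yet that domain's capability rule lists only `{ chown setgid setuid fsetid net_admin sys_resource }` with no `sys_module`, so if lttng-sessiond really loads its kernel modules this way the load is presumably denied at runtime and will just show up as an AVC. If module loading is required, transitioning into the existing insmod domain with `modutils_domtrans_insmod(lttng_sessiond_t)` keeps `sys_module` out of a network-reachable tracing daemon; if it is not, the `modutils_exec_insmod`, `modutils_read_module_config` and `files_read_kernel_modules` rules can be dropped. Separately, this hunk's `corenet_tcp_bind_lltng_port(lttng_sessiond_t)` inherits the `lltng` misspelling from the corenetwork hunk earlier in the patch. The enclosing hunk starts in an earlier line of this patch and its last `++allow lttng_sessiond_t self:process` rule is split across two physical lines here.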
@@ -49502,7 +49696,7 @@ index 169f236..608c584 100644 type mongod_log_t; logging_log_file(mongod_log_t) -@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t) +@@ -21,19 +24,26 @@ files_type(mongod_var_lib_t) type mongod_var_run_t; files_pid_file(mongod_var_run_t) @@ -49526,6 +49720,7 @@ index 169f236..608c584 100644 -logging_log_filetrans(mongod_t, mongod_log_t, dir) +allow mongod_t self:netlink_route_socket r_netlink_socket_perms; +allow mongod_t self:unix_stream_socket create_stream_socket_perms; ++allow mongod_t self:unix_dgram_socket create_socket_perms; +allow mongod_t self:udp_socket create_socket_perms; +allow mongod_t self:tcp_socket { accept listen }; + @@ -49534,7 +49729,7 @@ index 169f236..608c584 100644 manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -@@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +@@ -41,21 +51,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) @@ -54602,7 +54797,7 @@ index b708708..f4c0e61 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index 06f8666..4599ab5 100644 +index 06f8666..2accd90 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,27 +1,46 @@ @@ -54656,7 +54851,7 @@ index 06f8666..4599ab5 100644 +# +# /var +# -+/var/lib/mysql(-files)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) ++/var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) /var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) @@ -102307,7 +102502,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..edad970 100644 +index 2d8db1f..a696686 100644 --- a/sssd.te +++ b/sssd.te 
@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t) @@ -102350,7 +102545,7 @@ index 2d8db1f..edad970 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +68,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +68,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -102368,10 +102563,11 @@ index 2d8db1f..edad970 100644 corenet_dontaudit_udp_bind_all_ports(sssd_t) +corenet_tcp_connect_kerberos_password_port(sssd_t) +corenet_tcp_connect_smbd_port(sssd_t) ++corenet_tcp_connect_http_port(sssd_t) corecmd_exec_bin(sssd_t) -@@ -83,28 +84,35 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +85,35 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -102411,7 +102607,7 @@ index 2d8db1f..edad970 100644 init_read_utmp(sssd_t) -@@ -112,18 +120,63 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +121,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -102438,6 +102634,7 @@ index 2d8db1f..edad970 100644 + kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0") + kerberos_read_home_content(sssd_t) + kerberos_rw_config(sssd_t) ++ kerberos_rw_keytab(sssd_t) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index d550adf..cd8a368 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 171%{?dist} +Release: 172%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
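Review bot: `++corenet_tcp_connect_http_port(sssd_t)` is added to sssd.te without a matching changelog entry — the only sssd item in this commit is the krb5.keytab write — so the reason sssd now needs outbound HTTP (presumably a provider doing discovery or certificate fetching, but the hunk does not say) is recorded nowhere. Adding the changelog line, or a comment on the rule such as `# <provider> needs http access, rhbz#<bug id>` with the real bug id, keeps the grant auditable. The `kerberos_rw_keytab(sssd_t)` hunk further down is covered by the changelog, but note that it gives the whole sssd_t domain write access to the host keytab, not only the adcli helper; a one-line comment saying this is deliberate would pre-empt the next reviewer's question.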
@@ -673,6 +673,23 @@ exit 0 %endif %changelog +* Thu Feb 25 2016 Lukas Vrabec 3.13.1-172 +- Allow modemmanager to read /etc/passwd file. +- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy. +- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033 +- Allow collectd setgid capability Resolves:#1310896 +- Allow adcli running as sssd_t to write krb5.keytab file. +- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304) +- Allow kexec to read kernel module files in /usr/lib/modules. +- Add httpd_log_t for /var/log/graphite-web rhbz#1306981 +- Remove redudant rules and fix _admin interface. +- Add SELinux policy for LTTng 2.x central tracing registry session daemon. +- Allow create mongodb unix dgram sockets. rhbz#1306819 +- Support for InnoDB Tablespace Encryption. +- Dontaudit leaded file descriptors from firewalld +- Add port for rkt services +- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. + * Thu Feb 11 2016 Lukas Vrabec 3.13.1-171 - Allow setroubleshoot_fixit_t to use temporary files