From 4cbdab30e7051d13b0a572c0507ef7056703b954 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 17 2017 09:05:15 +0000 Subject: * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-225.7 - After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017) - Tighten security on containe types - Make working cracklib_password_check for MariaDB service - Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 1e6fede..34e3204 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index a6d8bea..cb9387c 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -5948,7 +5948,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..9729941 100644 +index b191055..4d57db3 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6302,8 +6302,9 @@ index b191055..9729941 100644 +network_port(swift, tcp,6200-6203,s0) network_port(sype_transport, tcp,9911,s0, udp,9911,s0) -network_port(syslogd, udp,514,s0) -+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) - network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +-network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) ++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0, tcp,20514,s0, udp,20514,s0) ++network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index f47a776..759d08c 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch 
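Review bot: The new `+network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0)` line labels 10514 as a TLS port on naming convention alone; nothing in policy checks that traffic on it is encrypted, so any domain already granted the syslog_tls_port_t bind/connect interfaces can now exchange cleartext syslog on 10514 too (rsyslog documentation commonly uses 10514 as a plain TCP receiver example). Neither 10514 nor 20514 is an IANA assignment, so a comment next to these two lines naming the source of the numbers, e.g. `# 10514/20514: common rsyslog TLS/TCP alternates, BZ(1410505)`, would help whoever later has to reconcile them with a local `semanage port` customization. Giving these high ports a dedicated type presumably also removes them from the generic port type they carried before, so a daemon that previously bound 10514 or 20514 without syslog permissions will start seeing denials after this update; worth confirming that is intended and that no existing portcon already claims either port.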
@@ -56762,7 +56762,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..31069d2 100644 +index 7584bbe..1443a3a 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -56850,11 +56850,13 @@ index 7584bbe..31069d2 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -95,50 +100,64 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) -kernel_read_kernel_sysctls(mysqld_t) ++usermanage_read_crack_db(mysqld_t) ++ +userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + kernel_read_network_state(mysqld_t) @@ -56933,7 +56935,7 @@ index 7584bbe..31069d2 100644 ') optional_policy(` -@@ -146,6 +165,10 @@ optional_policy(` +@@ -146,6 +167,10 @@ optional_policy(` ') optional_policy(` @@ -56944,7 +56946,7 @@ index 7584bbe..31069d2 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +178,20 @@ optional_policy(` +@@ -155,21 +180,20 @@ optional_policy(` ####################################### # @@ -56972,7 +56974,7 @@ index 7584bbe..31069d2 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +199,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) 
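Review bot: `++usermanage_read_crack_db(mysqld_t)` is added as an unconditional call rather than inside an `optional_policy()` block like the cross-module grants a few lines below it; if usermanage is built as a separate module in this tree, linking will fail whenever that module is absent, so the call should be wrapped the same way. The grant itself is read-only access to the cracklib dictionary, which is a low-risk way to make the cracklib_password_check plugin work, but a one-line comment such as `# cracklib_password_check plugin reads the cracklib dictionary` would tell the next reviewer why a database server needs it. It is also inserted before `userdom_dontaudit_use_unpriv_user_fds(mysqld_t)`, which breaks the alphabetical grouping the surrounding lines follow.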
@@ -56983,7 +56985,7 @@ index 7584bbe..31069d2 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +207,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -56999,9 +57001,9 @@ index 7584bbe..31069d2 100644 +files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) - -+files_write_root_dirs(mysqld_safe_t) + ++files_write_root_dirs(mysqld_safe_t) + +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) @@ -57019,7 +57021,7 @@ index 7584bbe..31069d2 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +237,7 @@ optional_policy(` +@@ -209,7 +239,7 @@ optional_policy(` ######################################## # @@ -57028,7 +57030,7 @@ index 7584bbe..31069d2 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +246,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +248,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -57046,7 +57048,7 @@ index 7584bbe..31069d2 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +259,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) 
@@ -69237,10 +69239,6 @@ index 0000000..80246e6 + can_exec($1, pcp_pmlogger_exec_t) +') + -diff --git a/pcp.pp b/pcp.pp -new file mode 100644 -index 0000000..fa4cfaa -Binary files /dev/null and b/pcp.pp differ diff --git a/pcp.te b/pcp.te new file mode 100644 index 0000000..04a0b20 @@ -91062,7 +91060,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..6935f5c 100644 +index 2da9fca..a37f579 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91317,7 +91315,8 @@ index 2da9fca..6935f5c 100644 -# fs_manage_nfsd_fs(nfsd_t) +fs_manage_nfsd_fs(nfsd_t) - storage_dontaudit_read_fixed_disk(nfsd_t) +-storage_dontaudit_read_fixed_disk(nfsd_t) ++storage_raw_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) +allow nfsd_t nfsd_unit_file_t:file manage_file_perms; @@ -114656,10 +114655,10 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..481f902 100644 +index f03dcf5..8036117 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,403 @@ +@@ -1,451 +1,410 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -114742,6 +114741,13 @@ index f03dcf5..481f902 100644 -## can use nfs file systems. -##
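Review bot: Replacing `storage_dontaudit_read_fixed_disk(nfsd_t)` with `storage_raw_read_fixed_disk(nfsd_t)` grants nfsd_t unconditional read on every fixed_disk_device_t node, which bypasses per-file permissions and lets a compromised rpc.mountd/rpc.nfsd read the raw bytes of any local filesystem, exported or not. The changelog only cites "the latest changes in nfsd" and BZ(1403017); if the real need is libblkid probing block devices for `fsid=`/UUID exports (my reading, not something the diff shows), check whether getattr plus the blkid cache is sufficient before opening whole disks, and either way add a comment stating the reason, e.g. `# BZ(1403017): nfsd/mountd probe block devices for export UUIDs`. If raw reads truly are required, putting them behind a boolean would keep the default footprint of nfsd_t smaller than the adjacent unconditional `storage_raw_read_removable_device(nfsd_t)` already makes it.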

+##

++## Allow sandbox containers to share apache content ++##

++## ++gen_tunable(virt_sandbox_share_apache_content, false) ++ ++## ++##

+## Allow sandbox containers manage fuse files +##

+##
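Review bot: The description of the new boolean, `++## Allow sandbox containers to share apache content`, understates what it turns on: the rules this commit gates behind `virt_sandbox_share_apache_content` later in the patch are `apache_exec_modules` as well as `apache_read_sys_content`, so enabling it also lets containers execute Apache module files, not just read content. Suggest `## Allow sandbox containers to read apache system content and execute apache modules` so that `semanage boolean -l` shows the real scope of the switch. Defaulting it to false is the right call.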
@@ -114826,15 +114832,15 @@ index f03dcf5..481f902 100644 +##

+## +gen_tunable(virt_sandbox_use_audit, true) -+ + +-attribute svirt_lxc_domain; +## +##

+## Allow sandbox containers to use netlink system calls +##

+##
+gen_tunable(virt_sandbox_use_netlink, false) - --attribute svirt_lxc_domain; ++ +## +##

+## Allow sandbox containers to use sys_admin system calls, for example mount @@ -114883,10 +114889,10 @@ index f03dcf5..481f902 100644 + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; ++ ++type qemu_exec_t, virt_file_type; -type virt_cache_t alias svirt_cache_t; -+type qemu_exec_t, virt_file_type; -+ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -115255,11 +115261,9 @@ index f03dcf5..481f902 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+allow svirt_t self:process ptrace; - +- -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; ++allow svirt_t self:process ptrace; -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - @@ -115267,7 +115271,9 @@ index f03dcf5..481f902 100644 -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) @@ -115373,7 +115379,7 @@ index f03dcf5..481f902 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +407,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -115420,22 +115426,22 @@ index f03dcf5..481f902 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +442,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) @@ -115454,7 +115460,7 @@ index f03dcf5..481f902 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +467,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -115482,7 +115488,7 @@ index f03dcf5..481f902 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +487,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -115513,7 +115519,7 @@ index f03dcf5..481f902 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +539,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -115533,7 +115539,7 @@ index f03dcf5..481f902 100644 selinux_validate_context(virtd_t) -@@ -620,18 +561,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -115570,7 +115576,7 @@ index f03dcf5..481f902 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +589,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -115579,7 +115585,7 @@ index f03dcf5..481f902 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +614,12 @@ optional_policy(` +@@ -665,20 +621,12 @@ optional_policy(` ') optional_policy(` @@ -115600,7 +115606,7 @@ index f03dcf5..481f902 100644 ') optional_policy(` -@@ -691,20 +632,26 @@ optional_policy(` +@@ -691,20 +639,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -115631,7 +115637,7 @@ index f03dcf5..481f902 100644 ') optional_policy(` -@@ -712,11 +659,18 @@ optional_policy(` +@@ -712,11 +666,18 @@ optional_policy(` ') optional_policy(` 
@@ -115650,7 +115656,7 @@ index f03dcf5..481f902 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +681,18 @@ optional_policy(` +@@ -727,10 +688,18 @@ optional_policy(` ') optional_policy(` @@ -115669,7 +115675,7 @@ index f03dcf5..481f902 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +708,336 @@ optional_policy(` +@@ -746,44 +715,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -115867,7 +115873,7 @@ index f03dcf5..481f902 100644 +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) - ++ +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) @@ -115984,7 +115990,7 @@ index f03dcf5..481f902 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -116028,7 +116034,7 @@ index f03dcf5..481f902 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1048,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116055,7 +116061,7 @@ index f03dcf5..481f902 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1068,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -116072,10 +116078,10 @@ index f03dcf5..481f902 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -116089,7 +116095,7 @@ index f03dcf5..481f902 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1105,20 @@ optional_policy(` +@@ -856,14 +1112,20 @@ optional_policy(` ') optional_policy(` @@ -116111,7 +116117,7 @@ index f03dcf5..481f902 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1143,66 @@ optional_policy(` +@@ -888,49 +1150,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116196,7 +116202,7 @@ index f03dcf5..481f902 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1214,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116216,7 +116222,7 @@ index f03dcf5..481f902 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1235,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116240,7 +116246,7 @@ index f03dcf5..481f902 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1260,376 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -116267,12 +116273,12 @@ index f03dcf5..481f902 100644 + hal_dbus_chat(virtd_lxc_t) + ') +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + container_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') 
@@ -116313,7 +116319,89 @@ index f03dcf5..481f902 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -116411,96 +116499,12 @@ index f03dcf5..481f902 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t 
svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` -+ 
apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') + +optional_policy(` -+ gear_read_pid_files(svirt_sandbox_domain) ++tunable_policy(`virt_sandbox_share_apache_content',` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++ ') +') + +optional_policy(` @@ -116590,15 +116594,11 @@ index f03dcf5..481f902 100644 -allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; -+tunable_policy(`virt_sandbox_use_mknod',` -+ allow container_t self:capability mknod; -+') - +- -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_all_caps',` -+ allow container_t self:capability all_capability_perms; -+ allow container_t self:capability2 all_capability2_perms; ++tunable_policy(`virt_sandbox_use_mknod',` ++ allow container_t self:capability mknod; +') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) @@ -116611,6 +116611,14 @@ index f03dcf5..481f902 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_all_caps',` ++ allow container_t self:capability all_capability_perms; ++ allow container_t self:capability2 all_capability2_perms; ++') + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +tunable_policy(`virt_sandbox_use_netlink',` + allow container_t self:netlink_socket create_socket_perms; + allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms; 
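Review bot: Gating `apache_exec_modules(svirt_sandbox_domain)` and `apache_read_sys_content(svirt_sandbox_domain)` behind the new `virt_sandbox_share_apache_content` tunable_policy block is the right direction, but this hunk also silently drops the `gear_read_pid_files(svirt_sandbox_domain)` optional block, and both changes are buried in a 96-to-12 line rearrangement that is otherwise pure relocation of the old `svirt_lxc_domain` rules. The changelog entry "Tighten security on containe types" names neither, so anyone auditing what containers lost has to diff the diff; a changelog line listing the dropped grants and a short comment above the new tunable block (`# off by default: lets containers read httpd content and run httpd modules`) would make the tightening reviewable. Please also confirm nothing else in the policy still expects sandbox domains to read gear pid files.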
@@ -116627,32 +116635,30 @@ index f03dcf5..481f902 100644 + logging_dontaudit_send_audit_msgs(container_t) +') --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) -+allow container_t virt_lxc_var_run_t:dir list_dir_perms; -+allow container_t virt_lxc_var_run_t:file read_file_perms; - -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) -+kernel_read_irq_sysctls(container_t) -+kernel_read_messages(container_t) ++allow container_t virt_lxc_var_run_t:dir list_dir_perms; ++allow container_t virt_lxc_var_run_t:file read_file_perms; -dev_getattr_mtrr_dev(svirt_lxc_net_t) -dev_read_rand(svirt_lxc_net_t) -dev_read_sysfs(svirt_lxc_net_t) -dev_read_urand(svirt_lxc_net_t) ++kernel_read_irq_sysctls(container_t) ++kernel_read_messages(container_t) + +-files_read_kernel_modules(svirt_lxc_net_t) +dev_read_sysfs(container_t) +dev_read_mtrr(container_t) +dev_read_rand(container_t) +dev_read_urand(container_t) --files_read_kernel_modules(svirt_lxc_net_t) -+files_read_kernel_modules(container_t) - -fs_mount_cgroup(svirt_lxc_net_t) -fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) ++files_read_kernel_modules(container_t) + +-auth_use_nsswitch(svirt_lxc_net_t) +fs_noxattr_type(container_file_t) +# Do we actually need these? +fs_mount_cgroup(container_t) @@ -116661,19 +116667,14 @@ index f03dcf5..481f902 100644 +# Needed for docker +fs_unmount_xattr_fs(container_t) --auth_use_nsswitch(svirt_lxc_net_t) -+term_pty(container_file_t) - -logging_send_audit_msgs(svirt_lxc_net_t) -+auth_use_nsswitch(container_t) ++term_pty(container_file_t) -userdom_use_user_ptys(svirt_lxc_net_t) -+rpm_read_db(container_t) ++logging_send_syslog_msg(container_t) -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -+logging_send_syslog_msg(container_t) -+ +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(container_t) ') 
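Review bot: Removing `auth_use_nsswitch(container_t)` and `rpm_read_db(container_t)` is the substantive hardening in this hunk (in refpolicy, auth_use_nsswitch typically covers passwd reads, DNS resolution and nscd/sssd socket use, so containers lose those host lookups plus read access to the host rpm database), yet it is only visible as two `-+` lines inside a block that otherwise just reorders existing `-`/`+` lines. Since `logging_send_syslog_msg(container_t)` stays unconditional while audit messages remain gated by `virt_sandbox_use_audit`, a comment stating why syslog is allowed by default, e.g. `# containers may log to the host syslog socket; audit needs virt_sandbox_use_audit`, would document the intended boundary. Please confirm that name resolution inside containers does not rely on the dropped nsswitch rules; if it does, this shows up as runtime denials on sssd/nscd sockets rather than as a build failure.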
@@ -116761,7 +116762,7 @@ index f03dcf5..481f902 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1642,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116776,7 +116777,7 @@ index f03dcf5..481f902 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1660,7 @@ optional_policy(` +@@ -1192,7 +1661,7 @@ optional_policy(` ######################################## # @@ -116785,7 +116786,7 @@ index f03dcf5..481f902 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1669,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index faed55f..3c6c596 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.6%{?dist} +Release: 225.7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,12 @@ exit 0 %endif %changelog +* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-225.7 +- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017) +- Tighten security on containe types +- Make working cracklib_password_check for MariaDB service +- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505) + * Sun Jan 08 2017 Lukas Vrabec - 3.13.1-225.6 - Allow thumb domain sendto via dgram sockets. BZ(1398813) - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)