From 5d165e36c42c09ca3e5392c4f8badaadffa0fd37 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 13 2016 15:26:02 +0000 Subject: * Wed Jan 13 2016 Lukas Vrabec 3.13.1-166 - Allow logrotate to systemctl rsyslog service. BZ(1284173) - Allow condor_master_t domain capability chown. BZ(1297048) - Allow chronyd to be dbus bus client. BZ(1297129) - Allow openvswitch read/write hugetlb filesystem. - Revert "Allow openvswitch read/write hugetlb filesystem." - Allow smbcontrol domain to send sigchld to ctdbd domain. - Allow openvswitch read/write hugetlb filesystem. - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930) - Allow keepalived to connect to 3306/tcp port - mysqld_port_t. - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge pull request #86 from rhatdan/rawhide-contrib - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146) - Added interface logging_systemctl_syslogd - Label rsyslog unit file - Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 5bf5064..013c2b7 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b4a8532..ec2e279 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -19566,7 +19566,7 @@ index e100d88..65a3b6d 100644 +') + 
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..a85c5d7 100644 +index 8dbab4c..7c405f5 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -19722,7 +19722,7 @@ index 8dbab4c..a85c5d7 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +315,54 @@ files_list_root(kernel_t) +@@ -277,13 +315,23 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -19746,11 +19746,10 @@ index 8dbab4c..a85c5d7 100644 ifdef(`distro_redhat',` # Bugzilla 222337 - fs_rw_tmpfs_chr_files(kernel_t) +@@ -291,11 +339,29 @@ ifdef(`distro_redhat',` ') -+ -+optional_policy(` + optional_policy(` + abrt_filetrans_named_content(kernel_t) + abrt_dump_oops_domtrans(kernel_t) +') @@ -19767,7 +19766,7 @@ index 8dbab4c..a85c5d7 100644 + kerberos_filetrans_home_content(kernel_t) +') + - optional_policy(` ++optional_policy(` hotplug_search_config(kernel_t) ') @@ -19777,7 +19776,7 @@ index 8dbab4c..a85c5d7 100644 ') optional_policy(` -@@ -305,6 +372,19 @@ optional_policy(` +@@ -305,6 +371,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -19797,7 +19796,7 @@ index 8dbab4c..a85c5d7 100644 ') optional_policy(` -@@ -312,6 +392,11 @@ optional_policy(` +@@ -312,6 +391,11 @@ optional_policy(` ') optional_policy(` @@ -19809,7 +19808,7 @@ index 8dbab4c..a85c5d7 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +417,6 @@ optional_policy(` +@@ -332,9 +416,6 @@ optional_policy(` sysnet_read_config(kernel_t) 
@@ -19819,7 +19818,7 @@ index 8dbab4c..a85c5d7 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +425,7 @@ optional_policy(` +@@ -343,9 +424,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -19830,7 +19829,7 @@ index 8dbab4c..a85c5d7 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +434,7 @@ optional_policy(` +@@ -354,7 +433,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -19839,7 +19838,14 @@ index 8dbab4c..a85c5d7 100644 ') ') -@@ -367,6 +447,15 @@ optional_policy(` +@@ -364,9 +443,22 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_coredump_domtrans(kernel_t) ++') ++ ++optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -19855,7 +19861,7 @@ index 8dbab4c..a85c5d7 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +488,39 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +491,39 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -37265,10 +37271,10 @@ index 446fa99..22f539c 100644 + plymouthd_exec_plymouth(sulogin_t) ') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index b50c5fe..13da95a 100644 +index b50c5fe..5c39fe5 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -1,11 +1,14 @@ +@@ -1,11 +1,15 @@ -/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh) 
@@ -37280,11 +37286,12 @@ index b50c5fe..13da95a 100644 /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0) ++/usr/lib/systemd/system/syslogd.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0) + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) -@@ -17,12 +20,25 @@ +@@ -17,12 +21,25 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -37311,7 +37318,7 @@ index b50c5fe..13da95a 100644 /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,21 +54,22 @@ ifdef(`distro_suse', ` +@@ -38,21 +55,22 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) @@ -37337,7 +37344,7 @@ index b50c5fe..13da95a 100644 ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -@@ -65,11 +82,16 @@ ifdef(`distro_redhat',` +@@ -65,11 +83,16 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) @@ -37356,7 +37363,7 @@ index b50c5fe..13da95a 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..3c33045 100644 +index 4e94884..41a18bc 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
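Review bot: The new file context `/usr/lib/systemd/system/syslogd.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)` only matches unit files whose name starts with `syslogd`, yet the commit message says the point is to let logrotate `systemctl` the rsyslog service; unless rsyslog installs a `syslogd.*` unit on the target, `rsyslog.service` keeps the generic unit-file context and the new `logging_systemctl_syslogd` interface grants nothing useful on it. Adding `/usr/lib/systemd/system/rsyslog.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)` next to the existing line, mirroring the `auditd.*` entry just above, would cover the case the bug is about. logging.fc continues beyond this hunk, so check that no later entry already does this.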
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -37470,21 +37477,14 @@ index 4e94884..3c33045 100644 +interface(`logging_create_devlog_dev',` + gen_require(` + type devlog_t; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + allow $1 devlog_t:lnk_file manage_lnk_file_perms; + dev_filetrans($1, devlog_t, lnk_file, "log") + init_pid_filetrans($1, devlog_t, sock_file, "syslog") + logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Relabel the devlog sock_file. @@ -37498,16 +37498,19 @@ index 4e94884..3c33045 100644 +interface(`logging_relabel_devlog_dev',` + gen_require(` + type devlog_t; -+ ') + ') -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + allow $1 devlog_t:sock_file relabel_sock_file_perms; + allow $1 devlog_t:lnk_file relabelto_lnk_file_perms; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Allow domain to read the syslog pid files. 
@@ -37522,7 +37525,11 @@ index 4e94884..3c33045 100644 + gen_require(` + type syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') @@ -37767,7 +37774,7 @@ index 4e94884..3c33045 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1286,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1286,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -37798,10 +37805,32 @@ index 4e94884..3c33045 100644 + allow $1 auditd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, auditd_t) ++') ++######################################## ++## ++## Execute auditd server in the auditd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`logging_systemctl_syslogd',` ++ gen_require(` ++ type syslogd_t; ++ type syslogd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 syslogd_unit_file_t:file read_file_perms; ++ allow $1 syslog_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, syslogd_t) ') ######################################## -@@ -1032,10 +1341,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1363,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -37819,7 +37848,7 @@ index 4e94884..3c33045 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1371,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1393,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
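Review bot: `allow $1 syslog_unit_file_t:service manage_service_perms;` in the new `logging_systemctl_syslogd` interface names `syslog_unit_file_t`, but the `gen_require` block two lines above (and the type this commit adds in logging.te) is `syslogd_unit_file_t`; as written the interface either fails to build for its callers (logrotate.te uses it in this same commit) or, if an unrelated `syslog_unit_file_t` happens to exist, hands service control to the wrong type. The line should be `allow $1 syslogd_unit_file_t:service manage_service_perms;`. The header comment was carried over from the preceding auditd interface and still says `## Execute auditd server in the auditd domain.`; it should describe this one, e.g. `## Allow the caller to run systemctl on the syslogd unit file.`. Also, the `')` closing the previous interface runs straight into the `########` banner with no blank line, unlike every other interface in this file.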
@@ -37828,7 +37857,7 @@ index 4e94884..3c33045 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1401,90 @@ interface(`logging_admin',` +@@ -1085,3 +1423,90 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -37920,7 +37949,7 @@ index 4e94884..3c33045 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..e1ec2e8 100644 +index 59b04c1..6810e0b 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -37979,7 +38008,7 @@ index 59b04c1..e1ec2e8 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t) +@@ -71,16 +99,23 @@ init_script_file(syslogd_initrc_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) @@ -37995,7 +38024,15 @@ index 59b04c1..e1ec2e8 100644 type var_log_t; logging_log_file(var_log_t) -@@ -94,6 +126,8 @@ ifdef(`enable_mls',` + files_mountpoint(var_log_t) + ++type syslogd_unit_file_t; ++systemd_unit_file(syslogd_unit_file_t) ++ + ifdef(`enable_mls',` + init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) + init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) +@@ -94,6 +129,8 @@ ifdef(`enable_mls',` allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; @@ -38004,7 +38041,7 @@ index 59b04c1..e1ec2e8 100644 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; -@@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) 
@@ -38015,7 +38052,7 @@ index 59b04c1..e1ec2e8 100644 init_dontaudit_use_fds(auditctl_t) -@@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; +@@ -136,9 +175,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:file read_file_perms; @@ -38027,7 +38064,7 @@ index 59b04c1..e1ec2e8 100644 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -@@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -38035,7 +38072,7 @@ index 59b04c1..e1ec2e8 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -38045,7 +38082,7 @@ index 59b04c1..e1ec2e8 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -38067,7 +38104,7 @@ index 59b04c1..e1ec2e8 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
@@ -38099,7 +38136,7 @@ index 59b04c1..e1ec2e8 100644 ') ######################################## -@@ -266,9 +312,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) @@ -38111,7 +38148,7 @@ index 59b04c1..e1ec2e8 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,13 +327,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -38139,7 +38176,7 @@ index 59b04c1..e1ec2e8 100644 ######################################## # # klogd local policy -@@ -326,7 +386,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -38147,7 +38184,7 @@ index 59b04c1..e1ec2e8 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +414,12 @@ optional_policy(` +@@ -355,13 +417,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -38164,7 +38201,7 @@ index 59b04c1..e1ec2e8 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +427,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; 
@@ -38181,7 +38218,7 @@ index 59b04c1..e1ec2e8 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +451,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -38232,7 +38269,7 @@ index 59b04c1..e1ec2e8 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +501,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -38241,7 +38278,7 @@ index 59b04c1..e1ec2e8 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +513,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -38275,7 +38312,7 @@ index 59b04c1..e1ec2e8 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +552,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) 
@@ -38293,7 +38330,7 @@ index 59b04c1..e1ec2e8 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +574,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +577,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -38309,7 +38346,7 @@ index 59b04c1..e1ec2e8 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +606,7 @@ optional_policy(` +@@ -497,6 +609,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -38317,7 +38354,7 @@ index 59b04c1..e1ec2e8 100644 ') optional_policy(` -@@ -507,15 +617,40 @@ optional_policy(` +@@ -507,15 +620,44 @@ optional_policy(` ') optional_policy(` @@ -38354,11 +38391,15 @@ index 59b04c1..e1ec2e8 100644 +') + +optional_policy(` ++ systemd_rw_coredump_tmpfs_files(syslogd_t) ++') ++ ++optional_policy(` + daemontools_search_svc_dir(syslogd_t) ') optional_policy(` -@@ -526,3 +661,26 @@ optional_policy(` +@@ -526,3 +668,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -43551,10 +43592,10 @@ index a392fc4..78fa512 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..884ac5c +index 0000000..b53de2b --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,59 @@ +@@ -0,0 +1,61 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
@@ -43565,6 +43606,7 @@ index 0000000..884ac5c +/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) ++/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) + +/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) @@ -43596,6 +43638,7 @@ index 0000000..884ac5c +/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0) +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) ++/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) + +/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0) +/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) @@ -43616,10 +43659,10 @@ index 0000000..884ac5c +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..c253b33 +index 0000000..300bf59 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1640 @@ +@@ -0,0 +1,1676 @@ +## SELinux policy for systemd components + +###################################### 
@@ -45260,12 +45303,48 @@ index 0000000..c253b33 + allow systemd_machined_t $1:dbus send_msg; + ps_process_pattern(systemd_machined_t, $1) +') ++ ++####################################### ++## ++## Execute a domain transition to run systemd-coredump. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_coredump_domtrans',` ++ gen_require(` ++ type systemd_coredump_t, systemd_coredump_exec_t; ++ ') ++ ++ domtrans_pattern($1, systemd_coredump_exec_t, systemd_coredump_t) ++') ++ ++######################################## ++## ++## Read and write to systemd-coredump temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_rw_coredump_tmpfs_files',` ++ gen_require(` ++ type systemd_coredump_tmpfs_t; ++ ') ++ ++ allow $1 systemd_coredump_tmpfs_t:file rw_file_perms; ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b4a073f +index 0000000..eb1b3c3 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,825 @@ +@@ -0,0 +1,842 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -45301,6 +45380,11 @@ index 0000000..b4a073f +files_security_file(random_seed_t) +files_mountpoint(random_seed_t) + ++systemd_domain_template(systemd_coredump) ++ ++type systemd_coredump_tmpfs_t; ++files_tmpfs_file(systemd_coredump_tmpfs_t) ++ +systemd_domain_template(systemd_networkd) + +type systemd_networkd_unit_file_t; @@ -46052,6 +46136,18 @@ index 0000000..b4a073f + +logging_send_syslog_msg(systemd_sysctl_t) + ++####################################### ++# ++# systemd_coredump domains ++# ++ ++manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t) ++fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file ) ++ ++optional_policy(` ++ unconfined_domain(systemd_coredump_t) ++') ++ +######################################## +# +# Common rules for systemd domains 
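Review bot: `unconfined_domain(systemd_coredump_t)` in the new systemd_coredump section leaves the domain that kernel_t now transitions into (see the kernel.te hunk earlier in this patch) with no restrictions, which the commit message calls temporary, but nothing in systemd.te records that intent, so a later reader has no cue that confinement is still pending. A comment above the block such as `# TODO: systemd_coredump_t is unconfined for now; the manage/filetrans rules above are the start of its real policy` would keep that visible, and it is worth noting that those tmpfs rules are effectively unexercised while the domain is unconfined. Minor: `fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )` has a stray space before the closing parenthesis.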
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 90745cc..c84486c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -13298,7 +13298,7 @@ index 32e8265..c5a2913 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..135100a 100644 +index e5b621c..74e168f 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13329,7 +13329,7 @@ index e5b621c..135100a 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,38 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,41 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -13355,6 +13355,9 @@ index e5b621c..135100a 100644 +systemd_exec_systemctl(chronyd_t) + +userdom_dgram_send(chronyd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(chronyd_t) optional_policy(` gpsd_rw_shm(chronyd_t) @@ -16066,7 +16069,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..32ebb0c 100644 +index ce9f040..dc29445 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) @@ -16144,7 +16147,7 @@ index ce9f040..32ebb0c 100644 # -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; -+allow condor_master_t self:capability { setuid setgid sys_ptrace }; ++allow condor_master_t self:capability { chown setuid setgid sys_ptrace }; allow condor_master_t condor_domain:process { sigkill signal }; @@ -19829,10 +19832,10 @@ index 8401fe6..d58f3e7 100644 /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if -index b25b01d..6b7d687 100644 +index b25b01d..06895f3 100644 --- a/ctdb.if 
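Review bot: The added `optional_policy(`` block holding `dbus_system_bus_client(chronyd_t)` is never closed: the chronyd.te hunk adds exactly three lines (blank, `optional_policy(``, the call) and then continues into the existing `optional_policy(`` / `gpsd_rw_shm(chronyd_t)` block, with no `')` of its own. Because m4 quotes nest, the gpsd block ends up inside the dbus block and the quote/paren balance of the file is off by one from here on, so the module will either fail to build or compile with the gpsd rule silently conditional on the dbus module. Add `')` after `	dbus_system_bus_client(chronyd_t)`, followed by a blank line. The rest of chronyd.te is outside this hunk, so I cannot see whether a later stray `')` happens to rebalance it; the hunk's line counts (6 → 9) say no close was added here.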
+++ b/ctdb.if -@@ -1,9 +1,161 @@ +@@ -1,9 +1,178 @@ -## Clustered Database based on Samba Trivial Database. + +## policy for ctdbd @@ -19891,6 +19894,23 @@ index b25b01d..6b7d687 100644 + allow $1 ctdbd_t:process signal; +') + ++####################################### ++## ++## Allow domain to sigchld ctdbd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_sigchld',` ++ gen_require(` ++ type ctdbd_t; ++ ') ++ allow $1 ctdbd_t:process sigchld; ++') ++ +######################################## +## +## Read ctdbd's log files. @@ -19997,7 +20017,7 @@ index b25b01d..6b7d687 100644 ## ## ## -@@ -17,13 +169,12 @@ interface(`ctdbd_manage_lib_files',` +@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',` ') files_search_var_lib($1) @@ -20014,7 +20034,7 @@ index b25b01d..6b7d687 100644 ## ## ## -@@ -31,19 +182,58 @@ interface(`ctdbd_manage_lib_files',` +@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',` ## ## # @@ -20078,7 +20098,7 @@ index b25b01d..6b7d687 100644 ## ## ## -@@ -57,16 +247,19 @@ interface(`ctdbd_stream_connect',` +@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',` ## ## # @@ -20102,7 +20122,7 @@ index b25b01d..6b7d687 100644 domain_system_change_exemption($1) role_transition $2 ctdbd_initrc_exec_t system_r; allow $2 system_r; -@@ -74,12 +267,10 @@ interface(`ctdb_admin',` +@@ -74,12 +284,10 @@ interface(`ctdb_admin',` logging_search_logs($1) admin_pattern($1, ctdbd_log_t) @@ -37248,10 +37268,10 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..749756a +index 0000000..3a71430 --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,13 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) 
@@ -37261,6 +37281,8 @@ index 0000000..749756a + +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) + ++/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) ++ +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) + diff --git a/ipa.if b/ipa.if @@ -37449,10 +37471,10 @@ index 0000000..904782d +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..694c092 +index 0000000..af46439 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,130 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -37472,6 +37494,9 @@ index 0000000..694c092 +type ipa_otpd_unit_file_t; +systemd_unit_file(ipa_otpd_unit_file_t) + ++type ipa_log_t; ++logging_log_file(ipa_log_t) ++ +type ipa_var_lib_t; +files_type(ipa_var_lib_t) + @@ -37529,10 +37554,15 @@ index 0000000..694c092 +allow ipa_helper_t self:fifo_file rw_fifo_file_perms; +allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms; + ++manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t) ++logging_log_filetrans(ipa_helper_t, ipa_log_t, file) ++ +kernel_read_system_state(ipa_helper_t) + +corenet_tcp_connect_ldap_port(ipa_helper_t) +corenet_tcp_connect_smbd_port(ipa_helper_t) ++corenet_tcp_connect_http_port(ipa_helper_t) ++corenet_tcp_connect_kerberos_password_port(ipa_helper_t) + +corecmd_exec_bin(ipa_helper_t) +corecmd_exec_shell(ipa_helper_t) @@ -40563,10 +40593,10 @@ index 0000000..bd7e7fa +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..20adcb3 +index 0000000..8ab40b5 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,91 @@ +policy_module(keepalived, 1.0.0) + +######################################## 
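Review bot: `logging_log_filetrans(ipa_helper_t, ipa_log_t, file)` carries no filename argument, so every file ipa_helper_t creates directly under /var/log is created as ipa_log_t, while the fc entry added in ipa.fc labels only `/var/log/ipareplica-conncheck.log`; any other log the helper writes there would get ipa_log_t on creation and presumably be relabelled away again by restorecon, and the transition is wider than the single file the commit is about. Naming the file keeps the transition and the fc entry in step: `logging_log_filetrans(ipa_helper_t, ipa_log_t, file, "ipareplica-conncheck.log")`. If the helper is expected to create further ipa logs, add them to ipa.fc as well so the two stay consistent.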
@@ -40613,6 +40643,7 @@ index 0000000..20adcb3 + +corenet_tcp_connect_connlcli_port(keepalived_t) +corenet_tcp_connect_http_port(keepalived_t) ++corenet_tcp_connect_mysqld_port(keepalived_t) +corenet_tcp_connect_smtp_port(keepalived_t) +corenet_tcp_connect_snmp_port(keepalived_t) +corenet_tcp_connect_agentx_port(keepalived_t) @@ -44665,7 +44696,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..08c168f 100644 +index be0ab84..24e669e 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -44787,7 +44818,7 @@ index be0ab84..08c168f 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +123,52 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -44804,6 +44835,7 @@ index be0ab84..08c168f 100644 logging_send_audit_msgs(logrotate_t) +# cjp: why is this needed? logging_exec_all_logs(logrotate_t) ++logging_systemctl_syslogd(logrotate_t) -miscfiles_read_localization(logrotate_t) +systemd_exec_systemctl(logrotate_t) @@ -44845,7 +44877,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -135,16 +182,17 @@ optional_policy(` +@@ -135,16 +183,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -44865,7 +44897,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -170,6 +218,11 @@ optional_policy(` +@@ -170,6 +219,11 @@ optional_policy(` ') optional_policy(` @@ -44877,7 +44909,7 @@ index be0ab84..08c168f 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +231,7 @@ optional_policy(` +@@ -178,7 +232,7 @@ optional_policy(` ') optional_policy(` @@ -44886,7 +44918,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -198,17 +251,18 @@ optional_policy(` +@@ -198,17 +252,18 @@ optional_policy(` ') optional_policy(` 
@@ -44908,7 +44940,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -216,6 +270,14 @@ optional_policy(` +@@ -216,6 +271,14 @@ optional_policy(` ') optional_policy(` @@ -44923,7 +44955,7 @@ index be0ab84..08c168f 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +290,43 @@ optional_policy(` +@@ -228,26 +291,43 @@ optional_policy(` ') optional_policy(` @@ -59456,10 +59488,10 @@ index bcd7d0a..0188086 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/nsd.fc b/nsd.fc -index 4f2b1b6..5348e92 100644 +index 4f2b1b6..adea830 100644 --- a/nsd.fc +++ b/nsd.fc -@@ -1,16 +1,13 @@ +@@ -1,16 +1,17 @@ -/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) @@ -59480,6 +59512,10 @@ index 4f2b1b6..5348e92 100644 -/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) +/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-checkconf -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-checkzone -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-control -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-control-setup -- gen_context(system_u:object_r:nsd_exec_t,s0) +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) @@ -59573,7 +59609,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..a97c60f 100644 +index 47bb1d2..3316c17 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; @@ -59587,7 +59623,7 @@ index 47bb1d2..a97c60f 100644 type nsd_conf_t; files_type(nsd_conf_t) -@@ -20,32 +18,28 @@ domain_type(nsd_crond_t) +@@ -20,32 +18,31 @@ domain_type(nsd_crond_t) domain_entry_file(nsd_crond_t, nsd_exec_t) role system_r types nsd_crond_t; 
@@ -59602,13 +59638,17 @@ index 47bb1d2..a97c60f 100644 +type nsd_zone_t alias nsd_db_t; files_type(nsd_zone_t) ++type nsd_tmp_t; ++files_tmp_file(nsd_tmp_t) ++ ######################################## # -# Local policy +# NSD Local policy # - allow nsd_t self:capability { chown dac_override kill setgid setuid }; +-allow nsd_t self:capability { chown dac_override kill setgid setuid }; ++allow nsd_t self:capability { chown dac_override kill setgid setuid net_admin }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; +allow nsd_t self:tcp_socket create_stream_socket_perms; @@ -59627,7 +59667,18 @@ index 47bb1d2..a97c60f 100644 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) files_pid_filetrans(nsd_t, nsd_var_run_t, file) -@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t) +@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + files_var_lib_filetrans(nsd_t, nsd_zone_t, dir) + ++manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t) ++manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t) ++files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir }) ++ + can_exec(nsd_t, nsd_exec_t) + + kernel_read_system_state(nsd_t) +@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t) corecmd_exec_bin(nsd_t) @@ -59635,7 +59686,7 @@ index 47bb1d2..a97c60f 100644 corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) corenet_udp_sendrecv_generic_if(nsd_t) -@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t) +@@ -72,16 +72,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t) corenet_udp_sendrecv_all_ports(nsd_t) corenet_tcp_bind_generic_node(nsd_t) corenet_udp_bind_generic_node(nsd_t) @@ -59655,7 +59706,7 @@ index 47bb1d2..a97c60f 100644 fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) -@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t) +@@ -90,8 +91,6 @@ auth_use_nsswitch(nsd_t) logging_send_syslog_msg(nsd_t) 
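Review bot: The `net_admin` capability added to `allow nsd_t self:capability` in the `@@ -59602` hunk is a broad grant (interface and routing configuration, privileged socket options, netlink) that an authoritative DNS server does not normally need, and the hunk carries no comment on which operation triggered it. If the denial comes from a `setsockopt()` that nsd tolerates failing, which is the usual source of net_admin AVCs for daemons, `dontaudit nsd_t self:capability net_admin;` is the narrower fix; otherwise add `# net_admin: <operation that needs it>, BZ(1293146)` naming the call so the grant can be revisited.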
@@ -59664,7 +59715,7 @@ index 47bb1d2..a97c60f 100644 userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -105,23 +97,24 @@ optional_policy(` +@@ -105,23 +104,24 @@ optional_policy(` ######################################## # @@ -59697,7 +59748,7 @@ index 47bb1d2..a97c60f 100644 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) -@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t) +@@ -133,27 +133,27 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) @@ -65138,7 +65189,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..a17af8b 100644 +index 44dbc99..fce33b0 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -65204,7 +65255,7 @@ index 44dbc99..a17af8b 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -65240,9 +65291,10 @@ index 44dbc99..a17af8b 100644 fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) - -+auth_use_nsswitch(openvswitch_t) ++fs_rw_hugetlbfs_files(openvswitch_t) + ++auth_use_nsswitch(openvswitch_t) + logging_send_syslog_msg(openvswitch_t) -miscfiles_read_localization(openvswitch_t) @@ -92007,7 +92059,7 @@ index 50d07fb..e9569d2 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..0232e85 100644 +index 2b7c441..ca83568 100644 
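Review bot: `fs_rw_hugetlbfs_files(openvswitch_t)` in the `@@ -65240` hunk is added without a comment, and the changelog shows the same rule went in, was reverted and went in again, so the reason belongs in the policy rather than only in commit history. Presumably ovs-vswitchd built with DPDK backs its packet buffers with hugepage memory; a line such as `# ovs-vswitchd with DPDK maps hugetlbfs-backed memory` above the rule would keep the next reviewer from reverting it once more.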
--- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -92835,7 +92887,7 @@ index 2b7c441..0232e85 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,16 +716,13 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +716,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -92854,7 +92906,8 @@ index 2b7c441..0232e85 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +730,23 @@ optional_policy(` ++ ctdbd_sigchld(smbcontrol_t) + ') ######################################## # @@ -92886,7 +92939,7 @@ index 2b7c441..0232e85 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +755,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +756,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -92922,7 +92975,7 @@ index 2b7c441..0232e85 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +782,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +783,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -93014,7 +93067,7 @@ index 2b7c441..0232e85 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +861,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +862,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -93038,7 +93091,7 @@ index 2b7c441..0232e85 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +875,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +876,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -93081,7 +93134,7 @@ index 2b7c441..0232e85 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +905,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +906,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -93095,7 +93148,7 @@ index 2b7c441..0232e85 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +928,20 @@ optional_policy(` +@@ -840,17 +929,20 @@ optional_policy(` # Winbind local policy # @@ -93121,7 +93174,7 @@ index 2b7c441..0232e85 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +951,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +952,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -93132,7 +93185,7 @@ index 2b7c441..0232e85 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +962,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +963,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -93186,7 +93239,7 @@ index 2b7c441..0232e85 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1005,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1006,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -93245,7 +93298,7 @@ index 2b7c441..0232e85 100644 ') optional_policy(` -@@ -959,31 +1066,36 @@ optional_policy(` +@@ -959,31 +1067,36 @@ optional_policy(` # Winbind helper local policy # 
@@ -93289,7 +93342,7 @@ index 2b7c441..0232e85 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1109,38 @@ optional_policy(` +@@ -997,25 +1110,38 @@ optional_policy(` ######################################## # diff --git a/selinux-policy.spec b/selinux-policy.spec index 57fbaa3..6b7292c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 165%{?dist} +Release: 166%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -664,6 +664,25 @@ exit 0 %endif %changelog +* Wed Jan 13 2016 Lukas Vrabec 3.13.1-166 +- Allow logrotate to systemctl rsyslog service. BZ(1284173) +- Allow condor_master_t domain capability chown. BZ(1297048) +- Allow chronyd to be dbus bus client. BZ(1297129) +- Allow openvswitch read/write hugetlb filesystem. +- Revert "Allow openvswitch read/write hugetlb filesystem." +- Allow smbcontrol domain to send sigchld to ctdbd domain. +- Allow openvswitch read/write hugetlb filesystem. +- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib +- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930) +- Allow keepalived to connect to 3306/tcp port - mysqld_port_t. +- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib +- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib +- Merge pull request #86 from rhatdan/rawhide-contrib +- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146) +- Added interface logging_systemctl_syslogd +- Label rsyslog unit file +- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now. + * Wed Jan 06 2016 Lukas Vrabec 3.13.1-165 - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."