From 78a5071a53b9e27fb0956563b5456e0925381ecc Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 08 2017 19:34:14 +0000 Subject: * Sun Jan 08 2017 Lukas Vrabec - 3.13.1-225.4 - Fix broken interfaces - Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977) - Allow tlp_t domain to read proc_net_t BZ(1403487) - Allow virt domain to use interited virtlogd domains fifo_file - Fixes for containers - Allow tlp_t domain to read/write cpu microcode BZ(1403103) - Allow glusterd_t to bind on glusterd_port_t udp ports. - Revert "Allow glusterd_t to bind on med_tlp port." - Allow glusterd_t to bind on med_tlp port. - Update ctdbd_t policy to reflect all changes. - Allow ctdbd_t domain transition to rpcd_t - Allow zabbix_agent_t domain setrlimit BZ(1349998) - Allow pptp_t to read /dev/random BZ(1404248) - Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t - Allow systemd to stop glusterd_t domains. - Revert "Label tcp port 24009 as med_tlp_port_t" - Label tcp port 24009 as med_tlp_port_t - Allow systemd_gpt_generator_t to read efivarfs files. BZ(1403909) - Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 489f535..467dbd3 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index c2288f8..ea2f688 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -39984,7 +39984,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..218750e 100644 +index be8ed1e..aa38f90 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; 
@@ -40120,7 +40120,16 @@ index be8ed1e..218750e 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +154,16 @@ optional_policy(` +@@ -119,11 +149,25 @@ optional_policy(` + ') + + optional_policy(` ++ plymouthd_exec_plymouth(iptables_t) ++') ++ ++optional_policy(` + ppp_dontaudit_use_fds(iptables_t) + ') optional_policy(` psad_rw_tmp_files(iptables_t) @@ -40137,7 +40146,7 @@ index be8ed1e..218750e 100644 ') optional_policy(` -@@ -135,9 +175,9 @@ optional_policy(` +@@ -135,9 +179,9 @@ optional_policy(` ') optional_policy(` @@ -40184,7 +40193,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..549c41b 100644 +index 73bb3c0..fffae71 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -40222,7 +40231,12 @@ index 73bb3c0..549c41b 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -103,6 +106,12 @@ ifdef(`distro_redhat',` +@@ -99,10 +102,17 @@ ifdef(`distro_redhat',` + # /sbin + # + /sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) ++/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) + # # /usr # @@ -40235,7 +40249,7 @@ index 73bb3c0..549c41b 100644 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` +@@ -111,12 +121,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) 
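Review bot: `plymouthd_exec_plymouth(iptables_t)` is added with no comment explaining why the iptables domain needs to execute the plymouth client, and there is no matching changelog entry for it. Presumably the iptables init script calls `plymouth` to report progress during boot; note that this is an exec without a domain transition, so the client runs with iptables_t's own privileges. Suggest a one-line comment above the new optional block: `# iptables init scripts call plymouth to report status during boot`.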
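Review bot: The new libraries.fc entry is `/sbin/sln` while the changelog item says `/usr/sbin/sln`; on a merged-/usr system whether this entry matches the installed binary depends on the direction of the `/sbin` and `/usr/sbin` path equivalence in file_contexts.subs_dist, so confirm with `matchpathcon /usr/sbin/sln` that it resolves to ldconfig_exec_t. Beyond the labeling, `sln` is glibc's static `ln`, a general-purpose symlink creator, so every domain allowed to run ldconfig_exec_t now obtains ldconfig_t's write access (presumably over lib_t and the ld.so cache) through a tool that accepts arbitrary link targets. A comment stating why that is acceptable would help, e.g. `# sln (static ln from glibc) repairs library symlinks; runs as ldconfig_t like ldconfig`.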
@@ -40250,7 +40264,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -@@ -125,10 +134,12 @@ ifdef(`distro_redhat',` +@@ -125,10 +135,12 @@ ifdef(`distro_redhat',` /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40263,7 +40277,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -141,19 +152,23 @@ ifdef(`distro_redhat',` +@@ -141,19 +153,23 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40292,7 +40306,7 @@ index 73bb3c0..549c41b 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -182,11 +197,13 @@ ifdef(`distro_redhat',` +@@ -182,11 +198,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -40306,7 +40320,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +258,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +259,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40322,7 +40336,7 @@ index 73bb3c0..549c41b 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +284,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +285,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40353,7 +40367,7 @@ index 73bb3c0..549c41b 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +314,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -49419,10 +49433,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..caba12b +index 0000000..0c415d2 --- /dev/null 
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,978 @@ +@@ -0,0 +1,980 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50298,6 +50312,8 @@ index 0000000..caba12b +dev_write_kmsg(systemd_gpt_generator_t) +dev_read_nvme(systemd_gpt_generator_t) + ++fs_read_efivarfs_files(systemd_gpt_generator_t) ++ +fstools_exec(systemd_gpt_generator_t) + +storage_raw_read_fixed_disk(systemd_gpt_generator_t) diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 6b39114..22390c1 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -20522,7 +20522,7 @@ index b25b01d..06895f3 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..47199aa 100644 +index 001b502..ac0508e 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -20576,7 +20576,7 @@ index 001b502..47199aa 100644 kernel_read_network_state(ctdbd_t) kernel_read_system_state(ctdbd_t) kernel_rw_net_sysctls(ctdbd_t) -@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,27 +89,38 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -20588,9 +20588,15 @@ index 001b502..47199aa 100644 +corenet_tcp_bind_smbd_port(ctdbd_t) +corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) ++corenet_tcp_connect_gluster_port(ctdbd_t) ++corenet_tcp_connect_nfs_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t) + corecmd_exec_shell(ctdbd_t) ++corecmd_getattr_all_executables(ctdbd_t) + + dev_read_sysfs(ctdbd_t) + dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) 
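Review bot: `corecmd_getattr_all_executables(ctdbd_t)` grants getattr on every executable type with no note of which helper triggers it; when such a rule exists only to silence a shell `which`/`type` scan in event scripts, a `dontaudit` variant is the quieter choice and keeps a genuine probe visible in the audit log. The two new `corenet_tcp_connect_gluster_port`/`corenet_tcp_connect_nfs_port` calls are consistent with ctdb's NFS/Gluster health checks, but a short comment tying them to the event scripts that need them would make the grant reviewable, e.g. `# 60.nfs / 40.gluster event scripts probe the local NFS and gluster services`. The rest of ctdbd_t's policy is outside this hunk.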
@@ -20611,10 +20617,16 @@ index 001b502..47199aa 100644 optional_policy(` consoletype_exec(ctdbd_t) ') -@@ -106,9 +131,16 @@ optional_policy(` +@@ -106,9 +134,22 @@ optional_policy(` ') optional_policy(` ++ rpc_domtrans_rpcd(ctdbd_t) ++ rpc_manage_nfs_state_data_dir(ctdbd_t) ++ rpc_read_nfs_state_data(ctdbd_t) ++') ++ ++optional_policy(` + samba_signull_smbd(ctdbd_t) samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) @@ -32116,10 +32128,10 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..52b4110 +index 0000000..a3633cd --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,29 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -32128,6 +32140,13 @@ index 0000000..52b4110 +/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + ++/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++ ++/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) @@ -32411,10 +32430,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..0a33da3 +index 0000000..03db2af --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,305 @@ +@@ -0,0 +1,308 @@ +policy_module(glusterd, 1.1.3) + +## 
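Review bot: `rpc_domtrans_rpcd(ctdbd_t)` together with `rpc_manage_nfs_state_data_dir(ctdbd_t)` lets ctdbd both start rpc daemons in rpcd_t and create or delete entries in the NFS state directory, yet nothing in the hunk records which event script needs this (presumably the NFS high-availability script that restarts rpc.statd and rewrites statd's client list on IP failover). Since `manage` on that directory is considerably wider than the `rpc_read_nfs_state_data` added beside it, please pin the use with a comment, e.g. `# ctdb NFS event script restarts rpc.statd/rpc.mountd and updates statd state on failover`, and drop the manage rule if a read-only variant suffices. The optional_policy block is fully visible here; the rest of ctdbd_t's policy is outside the hunk.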
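Review bot: `peer_eventsapi.py` and `events/glustereventsd.py` are Python scripts labeled glusterd_exec_t, so the interpreter executing them enters glusterd_t, a domain that elsewhere in this patch holds `mount_domtrans`, `userdom_kill_all_users` and `init_stop_transient_unit`. As I understand it glustereventsd is a long-running listener that receives events over a socket and forwards them to configured HTTP webhooks, which is a wider network exposure than glusterd itself; a dedicated events domain, or at least a comment explaining why sharing glusterd_t is acceptable, would be the conservative choice. Two smaller points: the `.` in `.py` is an unescaped regex metacharacter, unlike the rest of the file (`/etc/rc\.d/init\.d/gluster.*`), so write `peer_eventsapi\.py` and `glustereventsd\.py`; and the double blank line after the gluster-eventsapi entry is a style nit.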
@@ -32549,6 +32568,7 @@ index 0000000..0a33da3 + +corenet_tcp_connect_gluster_port(glusterd_t) +corenet_tcp_bind_gluster_port(glusterd_t) ++corenet_udp_bind_gluster_port(glusterd_t) + +# replacement for rpc.mountd +corenet_sendrecv_all_server_packets(glusterd_t) @@ -32604,6 +32624,7 @@ index 0000000..0a33da3 +init_rw_script_tmp_files(glusterd_t) +init_manage_script_status_files(glusterd_t) +init_status(glusterd_t) ++init_stop_transient_unit(glusterd_t) + +systemd_config_systemd_services(glusterd_t) +systemd_signal_passwd_agent(glusterd_t) @@ -32622,6 +32643,7 @@ index 0000000..0a33da3 +userdom_delete_user_tmp_files(glusterd_t) +userdom_rw_user_tmp_files(glusterd_t) +userdom_kill_all_users(glusterd_t) ++userdom_signal_unpriv_users(glusterd_t) + +mount_domtrans(glusterd_t) + @@ -76636,7 +76658,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..e4fc9c0 100644 +index d616ca3..001dc51 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -76911,7 +76933,7 @@ index d616ca3..e4fc9c0 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +266,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +266,44 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -76940,6 +76962,7 @@ index d616ca3..e4fc9c0 100644 kernel_signal(pptp_t) +dev_read_sysfs(pptp_t) ++dev_read_rand(pptp_t) + corecmd_exec_shell(pptp_t) corecmd_read_bin_symlinks(pptp_t) @@ -76968,7 +76991,7 @@ index d616ca3..e4fc9c0 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +310,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +311,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) 
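Review bot: `init_stop_transient_unit(glusterd_t)` allows the daemon to stop transient systemd units in general (as that interface is usually implemented, `stop` on init_t:service, which is the context every transient unit carries), not just units it created, and the matching changelog line "Allow systemd to stop glusterd_t domains" describes the opposite direction, so the intent is unclear from the diff. If this is for glusterd tearing down mount or scope units it started through systemd-run, say so above the call: `# glusterd stops the transient units it starts for volume mounts (systemd-run)`. The `corenet_udp_bind_gluster_port` and `userdom_signal_unpriv_users` additions in the neighbouring hunks are self-explanatory.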
@@ -76983,7 +77006,7 @@ index d616ca3..e4fc9c0 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +327,10 @@ optional_policy(` +@@ -299,6 +328,10 @@ optional_policy(` ') optional_policy(` @@ -109119,14 +109142,16 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tlp.fc b/tlp.fc new file mode 100644 -index 0000000..8b8cf4a +index 0000000..eef708d --- /dev/null +++ b/tlp.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*)) -- gen_context(system_u:object_r:tlp_unit_file_t,s0) + +/usr/sbin/tlp -- gen_context(system_u:object_r:tlp_exec_t,s0) + ++/var/lib/tlp(/.*)? gen_context(system_u:object_r:tlp_var_lib_t,s0) ++ +/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0) diff --git a/tlp.if b/tlp.if new file mode 100644 @@ -109320,10 +109345,10 @@ index 0000000..46f12a4 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 0000000..98e708a +index 0000000..8a5f47b --- /dev/null +++ b/tlp.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,64 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -109338,6 +109363,9 @@ index 0000000..98e708a +type tlp_var_run_t; +files_pid_file(tlp_var_run_t) + ++type tlp_var_lib_t; ++files_type(tlp_var_lib_t) ++ +type tlp_unit_file_t; +systemd_unit_file(tlp_unit_file_t) + @@ -109354,7 +109382,12 @@ index 0000000..98e708a +manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) +files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file }) + ++manage_dirs_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t) ++manage_files_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t) ++files_var_lib_filetrans(tlp_t, tlp_var_lib_t, dir) ++ +kernel_read_system_state(tlp_t) ++kernel_read_network_state(tlp_t) +kernel_read_fs_sysctls(tlp_t) +kernel_rw_fs_sysctls(tlp_t) +kernel_rw_kernel_sysctl(tlp_t) 
@@ -109366,6 +109399,7 @@ index 0000000..98e708a + +dev_list_sysfs(tlp_t) +dev_manage_sysfs(tlp_t) ++dev_rw_cpu_microcode(tlp_t) + +files_read_kernel_modules(tlp_t) + @@ -114603,7 +114637,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..9bde200 100644 +index f03dcf5..481f902 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,403 @@ @@ -115374,18 +115408,19 @@ index f03dcf5..9bde200 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +-can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) - --can_exec(virtd_t, virt_tmp_t) ++allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) 
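Review bot: `files_var_lib_filetrans(tlp_t, tlp_var_lib_t, dir)` carries no filename, so any directory tlp_t creates directly under /var/lib, not only `tlp`, would be created as tlp_var_lib_t; the usual form names it: `files_var_lib_filetrans(tlp_t, tlp_var_lib_t, dir, "tlp")`. Separately, `dev_rw_cpu_microcode(tlp_t)` is stronger than its name suggests: the cpu device type it opens for write covers, as far as I recall, /dev/cpu/*/msr as well as /dev/cpu/microcode, i.e. raw MSR writes from a power-management script. If the driver is x86_energy_perf_policy (BZ 1403103), record that next to the call, `# x86_energy_perf_policy writes MSRs via /dev/cpu/*/msr BZ(1403103)`, and likewise annotate `kernel_read_network_state` with BZ(1403487). tlp.te is a new file and only part of it is visible across these hunks.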
@@ -115557,12 +115592,11 @@ index f03dcf5..9bde200 100644 ') optional_policy(` -- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` -+ iptables_domtrans(virtd_t) + iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -115814,7 +115848,7 @@ index f03dcf5..9bde200 100644 +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) -+ + +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) @@ -115827,7 +115861,7 @@ index f03dcf5..9bde200 100644 +optional_policy(` + alsa_read_rw_config(virt_domain) +') - ++ +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') @@ -116187,7 +116221,7 @@ index f03dcf5..9bde200 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1260,372 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1260,376 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116474,6 +116508,7 @@ index f03dcf5..9bde200 100644 + fs_manage_nfs_symlinks(svirt_sandbox_domain) + fs_mount_nfs(svirt_sandbox_domain) + fs_unmount_nfs(svirt_sandbox_domain) ++ fs_exec_nfs_files(svirt_sandbox_domain) + kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + @@ -116482,6 +116517,7 @@ index f03dcf5..9bde200 100644 + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) ++ fs_exec_cifs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_sandbox_use_fusefs',` @@ -116490,6 +116526,7 @@ index f03dcf5..9bde200 100644 + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) ++ fs_exec_fusefs_files(svirt_sandbox_domain) ') optional_policy(` 
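Review bot: `allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;` grants the pipe access to virtd_t only, whereas the changelog item reads "Allow virt domain to use inherited virtlogd domains fifo_file"; if the denial came from a guest process (virt_domain) writing console output to a pipe virtlogd handed over, the rule belongs on virt_domain instead of, or in addition to, virtd_t, so the original AVC is worth re-checking. The inherited-only permission set (no `open`) is the right scoping. Extend the existing comment so the reason survives: `# libvirtd is permitted to talk to virtlogd and to use pipes inherited from it`.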
@@ -116517,6 +116554,7 @@ index f03dcf5..9bde200 100644 +dontaudit container_t self:capability2 block_suspend ; +allow container_t self:process { execstack execmem }; +manage_chr_files_pattern(container_t, container_file_t, container_file_t) ++manage_blk_files_pattern(container_t, container_file_t, container_file_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_t self:capability sys_admin; @@ -116704,7 +116742,7 @@ index f03dcf5..9bde200 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1638,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1642,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116719,7 +116757,7 @@ index f03dcf5..9bde200 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1656,7 @@ optional_policy(` +@@ -1192,7 +1660,7 @@ optional_policy(` ######################################## # @@ -116728,7 +116766,7 @@ index f03dcf5..9bde200 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1665,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1669,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -120348,7 +120386,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..fccb7b1 100644 +index 7f496c6..aab4f86 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -120526,7 +120564,7 @@ index 7f496c6..fccb7b1 100644 ') ######################################## -@@ -132,18 +161,7 @@ optional_policy(` +@@ -132,18 +161,9 @@ optional_policy(` # Agent local policy # 
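Review bot: The three `fs_exec_nfs_files`/`fs_exec_cifs_files`/`fs_exec_fusefs_files(svirt_sandbox_domain)` lines make files on network and FUSE mounts executable from every sandbox domain, and they hang off the existing `virt_sandbox_use_nfs`/`_cifs`/`_fusefs` booleans, which administrators may have enabled only to let containers read and write data volumes. Execution from a network-served or user-space filesystem is a materially bigger grant (whoever controls the share can now supply code, not just data), so the tunable descriptions (outside this hunk) need to say that the boolean also permits exec, or a separate boolean is warranted. At minimum add `# exec: containers run entrypoints from network-mounted volumes` beside the new lines.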
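Review bot: `manage_blk_files_pattern(container_t, container_file_t, container_file_t)` lets a container create, write and unlink block device nodes on its own volumes, and the hunk gives no reason for it. Creating a node that aliases a host disk still needs CAP_MKNOD and a permitting device cgroup, but this rule removes the label-based barrier for all of container_t rather than only for containers that are handed raw devices; the `virt_sandbox_use_sys_admin` tunable immediately below is the pattern to follow if this should be opt-in. Otherwise document it: `# containers started with --device manage their block node under container_file_t`.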
@@ -120537,7 +120575,8 @@ index 7f496c6..fccb7b1 100644 -allow zabbix_agent_t self:shm create_shm_perms; -allow zabbix_agent_t self:tcp_socket { accept listen }; -allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; -- ++allow zabbix_agent_t self:process { setrlimit }; + -append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) @@ -120546,7 +120585,7 @@ index 7f496c6..fccb7b1 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +169,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +171,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) @@ -120566,7 +120605,7 @@ index 7f496c6..fccb7b1 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -170,6 +185,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) +@@ -170,6 +187,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) @@ -120597,7 +120636,7 @@ index 7f496c6..fccb7b1 100644 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) -@@ -177,21 +216,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9d97759..8fd3902 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
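Review bot: `allow zabbix_agent_t self:process { setrlimit };` puts braces around a single permission; the conventional form is `allow zabbix_agent_t self:process setrlimit;`. The rule has no comment tying it to its bug, so a reader cannot tell what the agent adjusts the limit for, presumably its own RLIMIT_NOFILE or core size at startup; `# zabbix_agentd adjusts its own rlimits at startup BZ(1349998)` would preserve that. setrlimit on self is low-risk here: hard limits cannot be raised without CAP_SYS_RESOURCE, which this hunk does not add.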
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.3%{?dist} +Release: 225.4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,27 @@ exit 0 %endif %changelog +* Sun Jan 08 2017 Lukas Vrabec - 3.13.1-225.4 +- Fix broken interfaces +- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977) +- Allow tlp_t domain to read proc_net_t BZ(1403487) +- Allow virt domain to use interited virtlogd domains fifo_file +- Fixes for containers +- Allow tlp_t domain to read/write cpu microcode BZ(1403103) +- Allow glusterd_t to bind on glusterd_port_t udp ports. +- Revert "Allow glusterd_t to bind on med_tlp port." +- Allow glusterd_t to bind on med_tlp port. +- Update ctdbd_t policy to reflect all changes. +- Allow ctdbd_t domain transition to rpcd_t +- Allow zabbix_agent_t domain setrlimit BZ(1349998) +- Allow pptp_t to read /dev/random BZ(1404248) +- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t +- Allow systemd to stop glusterd_t domains. +- Revert "Label tcp port 24009 as med_tlp_port_t" +- Label tcp port 24009 as med_tlp_port_t +- Allow systemd_gpt_generator_t to read efivarfs files. BZ(1403909) +- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) + * Thu Dec 08 2016 Lukas Vrabec - 3.13.1-225.3 - Label /usr/bin/rpcbind as rpcbind_exec_t - Dontaudit mozilla plugin rawip socket creation. BZ(1275961)