From 7e6e1f3b220c05aed3d4becf395c0ce9eda6fd3c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 11 2013 13:57:20 +0000 Subject: * Tue Sep 11 2013 Lukas Vrabec 3.12.1-74.3 - Treat usr_t just like bin_t for transitions and executions - Allow memcache to read sysfs data - openct needs to be able to create netlink_object_uevent_sockets - Allow nslcd to read /sys/devices/system/cpu - Allow mdadm to read /dev/mei - amanda_exec_t needs to be executable file - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - Allow setpgid and r/w cluster tmpfs for fenced_t - Allow block_suspend cap for samba-net - Allow mpd setcap which is needed by pulseaudio - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow glance-api to connect to amqp port - Fix wrong capabilities in rhcs policy --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 906d448..2050d8a 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -3582,7 +3582,7 @@ index 644d4d7..f9bcd44 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..7f08657 100644 +index 9e9263a..77e6c8c 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ @@ -3608,7 +3608,19 @@ index 9e9263a..7f08657 100644 ######################################## ## ## Make the specified type usable for files -@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',` +@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',` + interface(`corecmd_bin_entry_type',` + gen_require(` + type bin_t; ++ type usr_t; + ') + + domain_entry_file($1, bin_t) ++ domain_entry_file($1, usr_t) + ') + + ######################################## +@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',` type bin_t; ') 
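Review bot: The added `domain_entry_file($1, usr_t)` in corecmd_bin_entry_type makes every file labeled usr_t a valid domain entry point for any domain that calls this interface, which is a far larger set than bin_t, since usr_t is refpolicy's generic label for /usr content not matched by a more specific file context. The commit message says usr_t is now treated like bin_t for executions too, but nothing in the interface's doc block records that, so a reader of corecommands.if will not expect a transition from a usr_t file. Add a line to the header comment above the interface, e.g. `## Files labeled usr_t are also accepted as entry points so that executables shipped under /usr without a bin_t context still transition.` If the intent is only to tolerate mislabeled executables, fixing the file contexts for those paths would be the narrower change.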
@@ -3616,7 +3628,7 @@ index 9e9263a..7f08657 100644 search_dirs_pattern($1, bin_t, bin_t) ') -@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',` +@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',` type bin_t; ') @@ -3624,7 +3636,7 @@ index 9e9263a..7f08657 100644 list_dirs_pattern($1, bin_t, bin_t) ') -@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',` +@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',` ## ## ## @@ -3633,7 +3645,7 @@ index 9e9263a..7f08657 100644 ## ## # -@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',` +@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',` type bin_t; ') @@ -3641,7 +3653,7 @@ index 9e9263a..7f08657 100644 read_files_pattern($1, bin_t, bin_t) ') -@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',` +@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',` ######################################## ## @@ -3666,7 +3678,7 @@ index 9e9263a..7f08657 100644 ## Read symbolic links in bin directories. ## ## -@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',` +@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',` type bin_t; ') @@ -3674,7 +3686,7 @@ index 9e9263a..7f08657 100644 read_fifo_files_pattern($1, bin_t, bin_t) ') -@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',` +@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',` type bin_t; ') @@ -3682,7 +3694,7 @@ index 9e9263a..7f08657 100644 read_sock_files_pattern($1, bin_t, bin_t) ') -@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',` +@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',` read_lnk_files_pattern($1, bin_t, bin_t) list_dirs_pattern($1, bin_t, bin_t) can_exec($1, bin_t) @@ -3693,7 +3705,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',` +@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',` type bin_t; ') 
@@ -3701,7 +3713,7 @@ index 9e9263a..7f08657 100644 manage_files_pattern($1, bin_t, bin_t) ') -@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',` +@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',` type bin_t; ') @@ -3709,7 +3721,7 @@ index 9e9263a..7f08657 100644 mmap_files_pattern($1, bin_t, bin_t) ') -@@ -440,10 +485,14 @@ interface(`corecmd_mmap_bin_files',` +@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; @@ -3724,7 +3736,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -483,10 +532,12 @@ interface(`corecmd_bin_spec_domtrans',` +@@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',` interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; @@ -3737,7 +3749,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -945,6 +996,7 @@ interface(`corecmd_shell_domtrans',` +@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',` interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; @@ -3745,7 +3757,7 @@ index 9e9263a..7f08657 100644 ') read_lnk_files_pattern($1, bin_t, bin_t) -@@ -954,6 +1006,24 @@ interface(`corecmd_exec_chroot',` +@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',` ######################################## ## @@ -3770,7 +3782,7 @@ index 9e9263a..7f08657 100644 ## Get the attributes of all executable files. ## ## -@@ -1012,6 +1082,10 @@ interface(`corecmd_exec_all_executables',` +@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',` can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) @@ -3781,7 +3793,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -1049,6 +1123,7 @@ interface(`corecmd_manage_all_executables',` +@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') 
@@ -3789,7 +3801,7 @@ index 9e9263a..7f08657 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1166,36 @@ interface(`corecmd_mmap_all_executables',` +@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',` mmap_files_pattern($1, bin_t, exec_type) ') diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index c1ad325..35a932e 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -2023,16 +2023,17 @@ index 7f4dfbc..4d750fa 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..cd5a4fa 100644 +index ed45974..d4df671 100644 --- a/amanda.te +++ b/amanda.te -@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles; +@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; roleattribute system_r amanda_recover_roles; type amanda_t; +type amanda_exec_t; type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++application_executable_file(amanda_exec_t) +init_daemon_domain(amanda_t, amanda_inetd_exec_t) +role system_r types amanda_t; @@ -2043,7 +2044,7 @@ index ed45974..cd5a4fa 100644 type amanda_log_t; logging_log_file(amanda_log_t) -@@ -60,7 +62,7 @@ optional_policy(` +@@ -60,7 +63,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; @@ -2052,7 +2053,7 @@ index ed45974..cd5a4fa 100644 allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; -@@ -71,6 +73,7 @@ allow amanda_t amanda_config_t:file read_file_perms; +@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) 
@@ -2060,7 +2061,7 @@ index ed45974..cd5a4fa 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +103,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2076,7 +2077,7 @@ index ed45974..cd5a4fa 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -170,7 +174,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +175,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2084,7 +2085,7 @@ index ed45974..cd5a4fa 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +198,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +199,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -2682,10 +2683,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..849c983 +index 0000000..f44287f --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,256 @@ +@@ -0,0 +1,268 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2740,6 +2741,9 @@ index 0000000..849c983 +typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t }; +files_type(antivirus_db_t) + ++type antivirus_home_t; ++userdom_user_home_content(antivirus_home_t) ++ +type antivirus_tmp_t; +typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t }; +files_tmp_file(antivirus_tmp_t) 
@@ -2766,6 +2770,11 @@ index 0000000..849c983 +manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) +manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) + ++manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++ +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) @@ -2783,14 +2792,12 @@ index 0000000..849c983 + +can_exec(antivirus_domain, antivirus_exec_t) + ++kernel_read_network_state(antivirus_t) +kernel_read_net_sysctls(antivirus_t) +kernel_read_kernel_sysctls(antivirus_domain) +kernel_read_sysctl(antivirus_domain) +kernel_read_system_state(antivirus_t) + -+kernel_dontaudit_list_proc(antivirus_domain) -+kernel_dontaudit_read_proc_symlinks(antivirus_domain) -+ +corecmd_exec_bin(antivirus_domain) +corecmd_exec_shell(antivirus_domain) + @@ -2827,6 +2834,10 @@ index 0000000..849c983 +corenet_tcp_connect_http_port(antivirus_domain) +corenet_tcp_sendrecv_http_port(antivirus_domain) + ++corenet_sendrecv_http_cache_client_packets(antivirus_domain) ++corenet_tcp_connect_http_cache_port(antivirus_domain) ++corenet_tcp_sendrecv_http_cache_port(antivirus_domain) ++ +corenet_sendrecv_snmp_client_packets(antivirus_domain) +corenet_tcp_connect_snmp_port(antivirus_domain) + @@ -2851,6 +2862,7 @@ index 0000000..849c983 +init_read_state(antivirus_domain) +init_read_utmp(antivirus_domain) +init_stream_connect_script(antivirus_domain) ++init_dontaudit_write_utmp(antivirus_domain) + +logging_send_syslog_msg(antivirus_t) + 
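Review bot: The four `manage_*_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)` rules only reach objects already labeled antivirus_home_t; this hunk shows neither a file-context entry nor a filetrans producing that label, and the later hunk in this file still carries `userdom_dontaudit_search_user_home_dirs(antivirus_domain)`, which suggests search on the enclosing user home directory is not granted either. If antivirus.fc (outside this view) does not label a HOMEDIRS path, or no `userdom_search_user_home_dirs`-style grant exists, these rules are dormant. Add a short comment above the block naming the intended location, e.g. `# antivirus_home_t: per-user antivirus data under HOMEDIRS; labeled in antivirus.fc`, and confirm the search grant.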
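Review bot: Dropping `kernel_dontaudit_list_proc(antivirus_domain)` and `kernel_dontaudit_read_proc_symlinks(antivirus_domain)` changes audit behavior for every domain carrying the antivirus_domain attribute, while the only /proc read in the hunk, `kernel_read_system_state(antivirus_t)`, is scoped to antivirus_t alone. If other members of the attribute exist (not visible here), their /proc listing attempts that were previously silenced will now surface as AVC denials. Either grant the read on the attribute if all members need it, or keep the dontaudit on the attribute; in both cases a comment such as `# only antivirus_t reads /proc; other antivirus_domain members are not expected to` would make the asymmetry deliberate.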
@@ -2858,6 +2870,7 @@ index 0000000..849c983 + +sysnet_use_ldap(antivirus_domain) + ++userdom_stream_connect(antivirus_domain) +userdom_dontaudit_search_user_home_dirs(antivirus_domain) + +tunable_policy(`antivirus_can_scan_system',` @@ -25152,7 +25165,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..95cf77c 100644 +index e0a4f46..16dcb5b 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -25233,7 +25246,7 @@ index e0a4f46..95cf77c 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -25246,6 +25259,7 @@ index e0a4f46..95cf77c 100644 +corenet_tcp_bind_glance_port(glance_api_t) corenet_sendrecv_glance_registry_client_packets(glance_api_t) ++corenet_tcp_connect_amqp_port(glance_api_t) corenet_tcp_connect_glance_registry_port(glance_api_t) +corenet_tcp_connect_mysqld_port(glance_api_t) +corenet_tcp_connect_http_port(glance_api_t) @@ -37646,7 +37660,7 @@ index 1d4eb19..650014e 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 4926208..018a640 100644 +index 4926208..4396320 100644 --- a/memcached.te +++ b/memcached.te @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) 
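Review bot: `corenet_tcp_connect_amqp_port(glance_api_t)` is added without the matching `corenet_sendrecv_amqp_client_packets(glance_api_t)`, whereas the neighboring glance_registry rules in the same hunk keep the connect and client-packet interfaces together. Under SECMARK packet labeling the connect rule alone is not sufficient, so for consistency with the adjacent lines add `corenet_sendrecv_amqp_client_packets(glance_api_t)` next to it. The commit message gives the port but not the reason, so a why-comment with a placeholder to fill in, e.g. `# amqp: <reason / bug reference>`, would help the next reviewer.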
@@ -37658,7 +37672,15 @@ index 4926208..018a640 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; -@@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t) +@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t) + corenet_udp_bind_memcache_port(memcached_t) + corenet_udp_sendrecv_all_ports(memcached_t) + ++dev_read_sysfs(memcached_t) ++ + term_dontaudit_use_all_ptys(memcached_t) + term_dontaudit_use_all_ttys(memcached_t) + term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -40848,10 +40870,10 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..2f41af9 100644 +index 7c8afcc..29d8881 100644 --- a/mpd.te +++ b/mpd.te -@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t) +@@ -62,18 +62,22 @@ files_type(mpd_var_lib_t) type mpd_user_data_t; userdom_user_home_content(mpd_user_data_t) # customizable @@ -40861,7 +40883,13 @@ index 7c8afcc..2f41af9 100644 ######################################## # # Local policy -@@ -74,6 +77,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; + # + + allow mpd_t self:capability { dac_override kill setgid setuid }; +-allow mpd_t self:process { getsched setsched setrlimit signal signull }; ++allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; + allow mpd_t self:fifo_file rw_fifo_file_perms; + allow mpd_t self:unix_stream_socket { accept connectto listen }; allow mpd_t self:unix_dgram_socket sendto; allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -48252,7 +48280,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index a3e56f0..8903423 100644 +index a3e56f0..f70a784 100644 --- a/nslcd.te +++ b/nslcd.te 
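Review bot: `dev_read_sysfs(memcached_t)` grants read on all of sysfs_t and carries no comment saying which sysfs path memcached actually needs; the nslcd hunk on the following line (`dev_read_sysfs(nslcd_t)`) has the same shape, while its changelog entry names only /sys/devices/system/cpu. As far as I know there is no finer-grained sysfs interface at this policy version, so the broad grant is probably the only option, but the motivating path should be recorded so a later audit can tell whether the rule is still needed. For nslcd that is `# reads /sys/devices/system/cpu (changelog 3.12.1-74.3)`, and for memcached an equivalent `# reads /sys/<path> — TODO record the path` until it is known.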
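Review bot: The new `setcap` in `allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };` is unexplained in mpd.te itself; the commit message says pulseaudio needs it, which a reader of the policy will not see. `process:setcap` lets mpd_t change its own capability sets via capset(), which is still bounded by the `self:capability { dac_override kill setgid setuid }` line just above, so the exposure is contained, but record the reason inline: `# setcap: needed by the pulseaudio output (see changelog 3.12.1-74.3)`.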
@@ -1,4 +1,4 @@ @@ -48278,8 +48306,12 @@ index a3e56f0..8903423 100644 allow nslcd_t nslcd_conf_t:file read_file_perms; -@@ -38,12 +38,8 @@ kernel_read_system_state(nslcd_t) +@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) + + kernel_read_system_state(nslcd_t) ++dev_read_sysfs(nslcd_t) ++ corenet_all_recvfrom_unlabeled(nslcd_t) corenet_all_recvfrom_netlabel(nslcd_t) -corenet_tcp_sendrecv_generic_if(nslcd_t) @@ -48292,7 +48324,7 @@ index a3e56f0..8903423 100644 files_read_usr_symlinks(nslcd_t) files_list_tmp(nslcd_t) -@@ -52,10 +48,14 @@ auth_use_nsswitch(nslcd_t) +@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t) logging_send_syslog_msg(nslcd_t) @@ -50565,10 +50597,17 @@ index 296a1d3..edc3e32 100644 +userdom_stream_connect(oddjob_mkhomedir_t) + diff --git a/openct.te b/openct.te -index 8467596..66f068f 100644 +index 8467596..428ae48 100644 --- a/openct.te +++ b/openct.te -@@ -28,12 +28,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t) + + dontaudit openct_t self:capability sys_tty_config; + allow openct_t self:process signal_perms; ++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) @@ -50583,7 +50622,7 @@ index 8467596..66f068f 100644 dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) -@@ -41,15 +41,12 @@ dev_rw_generic_usb_dev(openct_t) +@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) domain_use_interactive_fds(openct_t) @@ -67216,7 +67255,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..8e46216 100644 +index 2c1730b..6f60d73 100644 
--- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -67268,7 +67307,7 @@ index 2c1730b..8e46216 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +63,27 @@ corecmd_exec_shell(mdadm_t) +@@ -49,19 +63,28 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -67277,6 +67316,7 @@ index 2c1730b..8e46216 100644 dev_read_realtime_clock(mdadm_t) dev_read_raw_memory(mdadm_t) +dev_read_kvm(mdadm_t) ++dev_read_mei(mdadm_t) +dev_read_nvram(mdadm_t) +dev_read_generic_files(mdadm_t) +dev_read_generic_usb_dev(mdadm_t) @@ -67298,7 +67338,7 @@ index 2c1730b..8e46216 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +92,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +93,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -67320,7 +67360,7 @@ index 2c1730b..8e46216 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +124,17 @@ optional_policy(` +@@ -97,9 +125,17 @@ optional_policy(` ') optional_policy(` @@ -69813,7 +69853,7 @@ index 56bc01f..b8d154e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..6b7a0f6 100644 +index 2c2de9a..a499664 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -70139,7 +70179,7 @@ index 2c2de9a..6b7a0f6 100644 allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -@@ -98,6 +366,16 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) 
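Review bot: `dev_read_mei(mdadm_t)` gives mdadm read access to the Intel Management Engine interface device, and neither the hunk nor the changelog says what part of RAID management needs it. If this comes from a device enumeration that merely opens every node under /dev, a dontaudit rule would silence the denial without widening access; if a real read is needed, a comment with the motivating reference would justify it, e.g. `# /dev/mei read: <bug reference>`. The surrounding dev_read_* block is already broad (raw memory, kvm, nvram), so each new entry deserves a line of rationale.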
@@ -70156,11 +70196,12 @@ index 2c2de9a..6b7a0f6 100644 ####################################### # # fenced local policy -@@ -105,9 +383,13 @@ init_rw_script_tmp_files(dlm_controld_t) + # allow fenced_t self:capability { sys_rawio sys_resource }; - allow fenced_t self:process { getsched signal_perms }; +-allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; ++allow fenced_t self:process { getsched signal_perms setpgid }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; @@ -70202,16 +70243,17 @@ index 2c2de9a..6b7a0f6 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +461,7 @@ optional_policy(` +@@ -182,7 +461,8 @@ optional_policy(` ') optional_policy(` - corosync_exec(fenced_t) + rhcs_exec_cluster(fenced_t) ++ rhcs_rw_cluster_tmpfs(fenced_t) ') optional_policy(` -@@ -190,12 +469,12 @@ optional_policy(` +@@ -190,12 +470,12 @@ optional_policy(` ') optional_policy(` @@ -70227,7 +70269,7 @@ index 2c2de9a..6b7a0f6 100644 ') optional_policy(` -@@ -203,6 +482,13 @@ optional_policy(` +@@ -203,6 +483,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -70241,7 +70283,7 @@ index 2c2de9a..6b7a0f6 100644 ####################################### # # foghorn local policy -@@ -221,16 +507,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -70262,7 +70304,7 @@ index 2c2de9a..6b7a0f6 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +545,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) 
@@ -70271,7 +70313,7 @@ index 2c2de9a..6b7a0f6 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +565,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -70313,7 +70355,7 @@ index 2c2de9a..6b7a0f6 100644 ###################################### # # qdiskd local policy -@@ -321,6 +640,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -75694,7 +75736,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..aa2be40 100644 +index 57c034b..d48911d 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -75880,7 +75922,7 @@ index 57c034b..aa2be40 100644 type swat_t; type swat_exec_t; -@@ -170,27 +154,28 @@ type winbind_exec_t; +@@ -170,27 +154,29 @@ type winbind_exec_t; init_daemon_domain(winbind_t, winbind_exec_t) type winbind_helper_t; @@ -75908,6 +75950,7 @@ index 57c034b..aa2be40 100644 # - allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; ++allow samba_net_t self:capability2 block_suspend; allow samba_net_t self:process { getsched setsched }; -allow samba_net_t self:unix_stream_socket { accept listen }; +allow samba_net_t self:unix_dgram_socket create_socket_perms; @@ -75917,7 +75960,7 @@ index 57c034b..aa2be40 100644 allow samba_net_t samba_etc_t:file read_file_perms; -@@ -206,17 +191,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) +@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") 
@@ -75944,7 +75987,7 @@ index 57c034b..aa2be40 100644 dev_read_urand(samba_net_t) -@@ -229,15 +219,16 @@ auth_manage_cache(samba_net_t) +@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -75965,7 +76008,7 @@ index 57c034b..aa2be40 100644 ') optional_policy(` -@@ -245,44 +236,56 @@ optional_policy(` +@@ -245,44 +237,56 @@ optional_policy(` ') optional_policy(` @@ -76034,7 +76077,7 @@ index 57c034b..aa2be40 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -292,6 +295,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -76043,7 +76086,7 @@ index 57c034b..aa2be40 100644 manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) -@@ -301,11 +306,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) @@ -76059,7 +76102,7 @@ index 57c034b..aa2be40 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -315,43 +320,33 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -76114,7 +76157,7 @@ index 57c034b..aa2be40 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -360,44 +355,54 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) 
@@ -76180,7 +76223,7 @@ index 57c034b..aa2be40 100644 ') tunable_policy(`samba_domain_controller',` -@@ -413,20 +418,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -76203,7 +76246,7 @@ index 57c034b..aa2be40 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -435,6 +430,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -76211,7 +76254,7 @@ index 57c034b..aa2be40 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -442,17 +438,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -76229,7 +76272,7 @@ index 57c034b..aa2be40 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -473,6 +458,11 @@ optional_policy(` +@@ -473,6 +459,11 @@ optional_policy(` ') optional_policy(` @@ -76241,7 +76284,7 @@ index 57c034b..aa2be40 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +483,33 @@ optional_policy(` +@@ -493,9 +484,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -76276,7 +76319,7 @@ index 57c034b..aa2be40 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +520,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +521,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -76291,7 +76334,7 @@ index 57c034b..aa2be40 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +536,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +537,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -76315,7 +76358,7 @@ index 57c034b..aa2be40 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +553,40 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +554,40 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -76380,7 +76423,7 @@ index 57c034b..aa2be40 100644 ') optional_policy(` -@@ -600,17 +599,24 @@ optional_policy(` +@@ -600,17 +600,24 @@ optional_policy(` ######################################## # @@ -76409,7 +76452,7 @@ index 57c034b..aa2be40 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -620,16 +626,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +627,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -76427,7 +76470,7 @@ index 57c034b..aa2be40 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +639,23 @@ optional_policy(` +@@ -637,22 +640,23 @@ optional_policy(` ######################################## # @@ -76459,7 +76502,7 @@ index 57c034b..aa2be40 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +664,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +665,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") 
@@ -76495,7 +76538,7 @@ index 57c034b..aa2be40 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +691,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +692,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -76587,7 +76630,7 @@ index 57c034b..aa2be40 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +770,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +771,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -76611,7 +76654,7 @@ index 57c034b..aa2be40 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +784,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +785,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -76654,7 +76697,7 @@ index 57c034b..aa2be40 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +814,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +815,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -76668,7 +76711,7 @@ index 57c034b..aa2be40 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +838,19 @@ optional_policy(` +@@ -834,16 +839,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; @@ -76692,7 +76735,7 @@ index 57c034b..aa2be40 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +861,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) 
@@ -76703,7 +76746,7 @@ index 57c034b..aa2be40 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +872,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -76733,7 +76776,7 @@ index 57c034b..aa2be40 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +895,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -76754,7 +76797,7 @@ index 57c034b..aa2be40 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +913,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -76765,7 +76808,7 @@ index 57c034b..aa2be40 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,18 +921,24 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -76792,7 +76835,7 @@ index 57c034b..aa2be40 100644 optional_policy(` ctdbd_stream_connect(winbind_t) -@@ -936,7 +945,12 @@ optional_policy(` +@@ -936,7 +946,12 @@ optional_policy(` ') optional_policy(` @@ -76805,7 +76848,7 @@ index 57c034b..aa2be40 100644 ') optional_policy(` -@@ -952,31 +966,29 @@ optional_policy(` +@@ -952,31 +967,29 @@ optional_policy(` # Winbind helper local policy # 
@@ -76843,7 +76886,7 @@ index 57c034b..aa2be40 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1002,38 @@ optional_policy(` +@@ -990,25 +1003,38 @@ optional_policy(` ######################################## # @@ -89851,10 +89894,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..b81eaa0 100644 +index c30da4c..459fbcf 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,86 @@ +@@ -1,52 +1,91 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -89918,18 +89961,18 @@ index c30da4c..b81eaa0 100644 -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) -- --/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -- --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +- -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) 
@@ -89969,16 +90012,21 @@ index c30da4c..b81eaa0 100644 +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + -+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) ++/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) ++/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) ++ ++/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) + +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) ++ +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) ++ +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if index 9dec06c..4e31afe 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8e60b16..aeb892b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74.2%{?dist}
+Release: 74.3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
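Review bot: The new-side order of the virt.fc hunk places the broad `/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)` entry after `/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?` (virt_qemu_ga_unconfined_exec_t), whereas the old side had it before; overlapping file_contexts regexes of equal specificity are resolved last-match-wins, so unless the build step sorts entries by stem the hook scripts under /usr/libexec would now be labelled virt_qemu_ga_exec_t and the intended transition would not occur. Restoring the previous placement — the generic qemu-ga entry first, then the three fsfreeze-hook.d entries — keeps the more specific labels effective. Separately, `/var/run/qemu-ga/fsfreeze-hook.d(/.*)?` is on a tmpfs recreated at boot, so files created there only receive this label if a matching filetrans rule exists in virt.te, which is not visible in this hunk; that is worth confirming, since anything carrying virt_qemu_ga_unconfined_exec_t runs unconfined when the guest agent invokes it.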
@@ -539,6 +539,21 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Tue Sep 11 2013 Lukas Vrabec 3.12.1-74.3
+- Treat usr_t just like bin_t for transitions and executions
+- Allow memcache to read sysfs data
+- openct needs to be able to create netlink_object_uevent_sockets
+- Allow nslcd to read /sys/devices/system/cpu
+- Allow mdadm to read /dev/mei
+- amanda_exec_t needs to be executable file
+- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
+- Allow setpgid and r/w cluster tmpfs for fenced_t
+- Allow block_suspend cap for samba-net
+- Allow mpd setcap which is needed by pulseaudio
+- Add antivirus_home_t type for antivirus date in HOMEDIRS
+- Allow glance-api to connect to amqp port
+- Fix wrong capabilities in rhcs policy
+
 * Fri Sep 06 2013 Lukas Vrabec 3.12.1-74.2
 - Fix lsm.fc for pid files
 - Allow init_t to transition to all inetd domains