From 81ba2580f8839f490dcbfded7c219fd57511d17c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 08 2017 22:02:04 +0000 Subject: * Sun Jan 08 2016 Lukas Vrabec 3.13.1-191.24 - Allow thumb domain sendto via dgram sockets. BZ(1398813) - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077) - Allow cobbler domain to create netlink_audit sockets BZ(1384600) - Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626) - Add dhcpd_t domain fowner capability BZ(1409963) - Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942) - Fixes for containers - Allow virt domain to use interited virtlogd domains fifo_file - Allow glusterd_t to bind on glusterd_port_t udp ports. - Revert "Allow glusterd_t to bind on med_tlp port." - Allow glusterd_t to bind on med_tlp port. - Update ctdbd_t policy to reflect all changes. - Allow ctdbd_t domain transition to rpcd_t - Allow zabbix_agent_t domain setrlimit BZ(1349998) - Allow pptp_t to read /dev/random BZ(1404248) - Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t - Allow systemd to stop glusterd_t domains. - Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456) - Allow user_t run systemctl --user BZ(1401625) - Revert "Label tcp port 24009 as med_tlp_port_t" - Label tcp port 24009 as med_tlp_port_t - Allow systemd_gpt_generator_t to read efivarfs files. BZ(1403909) - Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 17b17f6..921a131 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 7152b78..a54c8f5 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -27815,7 +27815,7 @@ index 3835596..fbca2be 100644 ######################################## ## 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..656a8c4 100644 +index 6d77e81..20657b8 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -27831,7 +27831,7 @@ index 6d77e81..656a8c4 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,98 @@ role user_r; +@@ -12,12 +19,103 @@ role user_r; userdom_unpriv_user_template(user) @@ -27919,6 +27919,11 @@ index 6d77e81..656a8c4 100644 +') + +optional_policy(` ++ systemd_read_unit_files(user_t) ++ systemd_exec_systemctl(user_t) ++') ++ ++optional_policy(` + sandbox_transition(user_t, user_r) +') + @@ -27931,29 +27936,29 @@ index 6d77e81..656a8c4 100644 ') optional_policy(` -@@ -25,11 +118,19 @@ optional_policy(` +@@ -25,11 +123,19 @@ optional_policy(` ') optional_policy(` - vlock_run(user_t, user_r) + setroubleshoot_dontaudit_stream_connect(user_t) -+') -+ + ') + +#optional_policy(` +# telepathy_dbus_session_role(user_r, user_t) +#') + -+optional_policy(` -+ usbmuxd_stream_connect(user_t) - ') - optional_policy(` - xserver_role(user_r, user_t) ++ usbmuxd_stream_connect(user_t) ++') ++ ++optional_policy(` + vlock_run(user_t, user_r) ') ifndef(`distro_redhat',` -@@ -102,10 +203,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +208,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -27964,7 +27969,7 @@ index 6d77e81..656a8c4 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +225,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +230,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -27972,7 +27977,7 @@ index 6d77e81..656a8c4 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -160,4 +256,24 @@ ifndef(`distro_redhat',` +@@ -160,4 +261,24 @@ ifndef(`distro_redhat',` optional_policy(` wireshark_role(user_r, user_t) ') 
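Review bot: The new `optional_policy` block granting `systemd_read_unit_files(user_t)` and `systemd_exec_systemctl(user_t)` carries no comment, unlike the neighbouring blocks, and the rules are not limited to the `--user` instance named in the subject: the same systemctl binary also talks to the system manager, where authorisation is then left to systemd's polkit checks rather than to SELinux. A one-line comment such as `# systemctl --user for confined users (BZ 1401625); system-instance requests are gated by polkit` would record that intent for the next reader. The unprivuser.te role block continues outside this hunk.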
@@ -40023,7 +40028,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..0dd3f58 100644 +index 73bb3c0..43d3ea7 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -40061,7 +40066,12 @@ index 73bb3c0..0dd3f58 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -103,6 +106,12 @@ ifdef(`distro_redhat',` +@@ -99,10 +102,17 @@ ifdef(`distro_redhat',` + # /sbin + # + /sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) ++/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) + # # /usr # @@ -40074,7 +40084,7 @@ index 73bb3c0..0dd3f58 100644 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` +@@ -111,12 +121,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) 
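Review bot: `/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0)` gives sln the same entrypoint label as ldconfig, so every domain with a transition on ldconfig_exec_t will now run sln in ldconfig_t; that looks intended, since sln (glibc's statically linked ln) exists to repair library symlinks that ldconfig_t already manages, but nothing in the file says so. A comment in the .fc above the entry, `# sln is glibc's static ln for repairing /lib symlinks; run it as ldconfig (BZ 1378323)`, would make the shared label read as deliberate rather than accidental.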
@@ -40089,7 +40099,7 @@ index 73bb3c0..0dd3f58 100644 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -@@ -125,10 +134,12 @@ ifdef(`distro_redhat',` +@@ -125,10 +135,12 @@ ifdef(`distro_redhat',` /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40102,7 +40112,7 @@ index 73bb3c0..0dd3f58 100644 /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -141,19 +152,21 @@ ifdef(`distro_redhat',` +@@ -141,19 +153,21 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40129,7 +40139,7 @@ index 73bb3c0..0dd3f58 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -182,11 +195,13 @@ ifdef(`distro_redhat',` +@@ -182,11 +196,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -40143,7 +40153,7 @@ index 73bb3c0..0dd3f58 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +257,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40159,7 +40169,7 @@ index 73bb3c0..0dd3f58 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +283,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40190,7 +40200,7 @@ index 73bb3c0..0dd3f58 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +311,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +312,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -45415,7 +45425,7 @@ index 3822072..d358162 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..9edcb69 100644 +index dc46420..8d4ed0f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
@@ -11,14 +11,16 @@ gen_require(` @@ -45833,9 +45843,9 @@ index dc46420..9edcb69 100644 -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) - --domain_use_interactive_fds(semanage_t) - +-domain_use_interactive_fds(semanage_t) + -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) @@ -45858,11 +45868,11 @@ index dc46420..9edcb69 100644 -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) +- +-logging_send_syslog_msg(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) --logging_send_syslog_msg(semanage_t) -- -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) @@ -45950,7 +45960,7 @@ index dc46420..9edcb69 100644 ') ######################################## -@@ -522,111 +597,197 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -46029,23 +46039,27 @@ index dc46420..9edcb69 100644 +optional_policy(` + cloudform_dontaudit_write_cloud_log(setfiles_t) +') -+ + +-seutil_libselinux_linked(setfiles_t) +optional_policy(` + devicekit_dontaudit_read_pid_files(setfiles_t) + devicekit_dontaudit_rw_log(setfiles_t) +') --seutil_libselinux_linked(setfiles_t) +-userdom_use_all_users_fds(setfiles_t) +optional_policy(` + # pki is leaking + pki_dontaudit_write_log(setfiles_t) +') + +optional_policy(` ++ kdump_rw_inherited_kdumpctl_tmp_pipes(setfiles_t) ++') ++ ++optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') - --userdom_use_all_users_fds(setfiles_t) ++ +ifdef(`hide_broken_symptoms',` + + optional_policy(` @@ -49226,10 +49240,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..2addd9d +index 0000000..e2178ae --- /dev/null 
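Review bot: The new `optional_policy` block calling `kdump_rw_inherited_kdumpctl_tmp_pipes(setfiles_t)` has no comment, whereas the adjacent pki block documents its reason (`# pki is leaking`). Add `# kdumpctl leaks its tmp pipes into setfiles on inherited fds (BZ 1356456)` above the call so the next reader knows which caller is responsible for the inherited descriptors. The setfiles_t section continues outside this hunk.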
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,966 @@ +@@ -0,0 +1,968 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50095,6 +50109,8 @@ index 0000000..2addd9d +dev_write_kmsg(systemd_gpt_generator_t) +dev_read_nvme(systemd_gpt_generator_t) + ++fs_read_efivarfs_files(systemd_gpt_generator_t) ++ +fstools_exec(systemd_gpt_generator_t) + +storage_raw_read_fixed_disk(systemd_gpt_generator_t) diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index a1302f3..1c30786 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -3203,10 +3203,10 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..6bd2eb9 +index 0000000..c679dd3 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,274 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3298,7 +3298,8 @@ index 0000000..6bd2eb9 +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) -+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } ) ++manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) ++files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } ) + +manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) @@ -14957,10 +14958,18 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..578b615 100644 +index 5f306dd..cf347c6 100644 --- a/cobbler.te 
+++ b/cobbler.te -@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +@@ -67,6 +67,7 @@ dontaudit cobblerd_t self:capability sys_tty_config; + allow cobblerd_t self:process { getsched setsched signal }; + allow cobblerd_t self:fifo_file rw_fifo_file_perms; + allow cobblerd_t self:tcp_socket { accept listen }; ++allow cobblerd_t self:netlink_audit_socket create_socket_perms; + + allow cobblerd_t cobbler_etc_t:dir list_dir_perms; + allow cobblerd_t cobbler_etc_t:file read_file_perms; +@@ -81,6 +82,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) @@ -14968,7 +14977,7 @@ index 5f306dd..578b615 100644 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +@@ -89,7 +91,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) kernel_read_system_state(cobblerd_t) @@ -14977,7 +14986,7 @@ index 5f306dd..578b615 100644 corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) -@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) +@@ -112,14 +114,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) corenet_tcp_connect_http_port(cobblerd_t) corenet_sendrecv_http_client_packets(cobblerd_t) @@ -14993,7 +15002,7 @@ index 5f306dd..578b615 100644 fs_getattr_all_fs(cobblerd_t) fs_read_iso9660_files(cobblerd_t) -@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t) +@@ -128,6 +129,8 @@ selinux_get_enforce_mode(cobblerd_t) term_use_console(cobblerd_t) 
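Review bot: `allow cobblerd_t self:netlink_audit_socket create_socket_perms;` lets cobblerd open an audit netlink socket but not deliver a user-space audit record, which additionally needs `nlmsg_relay` on the socket and the `audit_write` capability; refpolicy bundles all three as `logging_send_audit_msgs(cobblerd_t)`. If the AVC behind BZ 1384600 was only the socket create (common when libaudit is initialised and nothing is sent), the added line is sufficient; otherwise the follow-up denial will surface once a record is actually written. The `allow cobblerd_t self:capability` line is not in view, so I cannot tell whether audit_write is already granted.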
@@ -15002,7 +15011,7 @@ index 5f306dd..578b615 100644 logging_send_syslog_msg(cobblerd_t) miscfiles_read_localization(cobblerd_t) -@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',` +@@ -160,6 +163,7 @@ tunable_policy(`cobbler_use_nfs',` ') optional_policy(` @@ -15010,7 +15019,7 @@ index 5f306dd..578b615 100644 apache_search_sys_content(cobblerd_t) ') -@@ -170,6 +173,7 @@ optional_policy(` +@@ -170,6 +174,7 @@ optional_policy(` bind_domtrans(cobblerd_t) bind_initrc_domtrans(cobblerd_t) bind_manage_zone(cobblerd_t) @@ -15018,7 +15027,7 @@ index 5f306dd..578b615 100644 ') optional_policy(` -@@ -179,12 +183,22 @@ optional_policy(` +@@ -179,12 +184,22 @@ optional_policy(` optional_policy(` dhcpd_domtrans(cobblerd_t) dhcpd_initrc_domtrans(cobblerd_t) @@ -15041,7 +15050,7 @@ index 5f306dd..578b615 100644 ') optional_policy(` -@@ -192,13 +206,14 @@ optional_policy(` +@@ -192,13 +207,14 @@ optional_policy(` ') optional_policy(` @@ -16416,7 +16425,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..dc29445 100644 +index ce9f040..320d6e8 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) @@ -16527,7 +16536,7 @@ index ce9f040..dc29445 100644 ##################################### # # Negotiator local policy -@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -183,12 +200,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; 
@@ -16536,7 +16545,14 @@ index ce9f040..dc29445 100644 ###################################### # # Procd local policy -@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; + # + + allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; ++allow condor_procd_t self:cap_userns { sys_ptrace }; + + allow condor_procd_t condor_domain:process sigkill; + +@@ -206,6 +226,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -16545,7 +16561,7 @@ index ce9f040..dc29445 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -214,6 +236,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -16554,7 +16570,7 @@ index ce9f040..dc29445 100644 ##################################### # # Startd local policy -@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -238,11 +262,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -16567,7 +16583,7 @@ index ce9f040..dc29445 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -254,3 +276,7 @@ optional_policy(` +@@ -254,3 +277,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -20521,7 +20537,7 @@ index b25b01d..06895f3 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..47199aa 100644 +index 001b502..ac0508e 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
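Review bot: `allow condor_procd_t self:cap_userns { sys_ptrace };` only covers the capability check made inside a non-initial user namespace; the `self:capability` line just above already carries sys_ptrace for the initial namespace, and tracing another process additionally needs `process ptrace` on the target domain, which this hunk does not show (only `condor_domain:process sigkill` is visible). If the BZ 1411077 denial was the cap_userns one alone, this is complete; otherwise expect a follow-up `ptrace` AVC. A short comment, `# sys_ptrace is also checked inside user namespaces (BZ 1411077)`, would help, since cap_userns rules are rare in this file.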
@@ -20575,7 +20591,7 @@ index 001b502..47199aa 100644 kernel_read_network_state(ctdbd_t) kernel_read_system_state(ctdbd_t) kernel_rw_net_sysctls(ctdbd_t) -@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,27 +89,38 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -20587,9 +20603,15 @@ index 001b502..47199aa 100644 +corenet_tcp_bind_smbd_port(ctdbd_t) +corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) ++corenet_tcp_connect_gluster_port(ctdbd_t) ++corenet_tcp_connect_nfs_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t) + corecmd_exec_shell(ctdbd_t) ++corecmd_getattr_all_executables(ctdbd_t) + + dev_read_sysfs(ctdbd_t) + dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -20610,10 +20632,16 @@ index 001b502..47199aa 100644 optional_policy(` consoletype_exec(ctdbd_t) ') -@@ -106,9 +131,16 @@ optional_policy(` +@@ -106,9 +134,22 @@ optional_policy(` ') optional_policy(` ++ rpc_domtrans_rpcd(ctdbd_t) ++ rpc_manage_nfs_state_data_dir(ctdbd_t) ++ rpc_read_nfs_state_data(ctdbd_t) ++') ++ ++optional_policy(` + samba_signull_smbd(ctdbd_t) samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) @@ -24562,7 +24590,7 @@ index c697edb..954c090 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..cb5795e 100644 +index 98a24b9..02c58ea 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) 
@@ -24580,7 +24608,7 @@ index 98a24b9..cb5795e 100644 # -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; -+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw kill setgid setuid setpcap sys_resource }; ++allow dhcpd_t self:capability { chown dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; @@ -32024,10 +32052,10 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..52b4110 +index 0000000..a3633cd --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,29 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -32036,6 +32064,13 @@ index 0000000..52b4110 +/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + ++/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++ ++/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) @@ -32319,10 +32354,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..3ba328e +index 0000000..747c376 --- /dev/null 
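Review bot: The new glusterd.fc entries label `/usr/libexec/glusterfs/peer_eventsapi.py`, `/usr/libexec/glusterfs/events/glustereventsd.py` and (likely also scripts) `/usr/sbin/glustereventsd` and `/usr/sbin/gluster-eventsapi` as `glusterd_exec_t`, making them entry points into the broad glusterd_t domain, which this same patch also gives mount_domtrans and userdom_kill_all_users. The transition only fires when a script is executed directly through its shebang; invoking it as `python /usr/libexec/glusterfs/events/glustereventsd.py` executes the interpreter and stays in the caller's domain, so the service unit should exec the script itself, which is worth confirming. Style: the hunk inserts two consecutive blank lines before the libexec entries where the rest of the file uses one.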
+++ b/glusterd.te -@@ -0,0 +1,303 @@ +@@ -0,0 +1,306 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32457,6 +32492,7 @@ index 0000000..3ba328e + +corenet_tcp_connect_gluster_port(glusterd_t) +corenet_tcp_bind_gluster_port(glusterd_t) ++corenet_udp_bind_gluster_port(glusterd_t) + +# replacement for rpc.mountd +corenet_sendrecv_all_server_packets(glusterd_t) @@ -32510,6 +32546,7 @@ index 0000000..3ba328e +init_rw_script_tmp_files(glusterd_t) +init_manage_script_status_files(glusterd_t) +init_status(glusterd_t) ++init_stop_transient_unit(glusterd_t) + +systemd_config_systemd_services(glusterd_t) +systemd_signal_passwd_agent(glusterd_t) @@ -32528,6 +32565,7 @@ index 0000000..3ba328e +userdom_delete_user_tmp_files(glusterd_t) +userdom_rw_user_tmp_files(glusterd_t) +userdom_kill_all_users(glusterd_t) ++userdom_signal_unpriv_users(glusterd_t) + +mount_domtrans(glusterd_t) + @@ -52232,7 +52270,7 @@ index 6194b80..e27c53d 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..9336364 100644 +index 11ac8e4..7d5d385 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -52685,7 +52723,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -300,259 +339,257 @@ optional_policy(` +@@ -300,259 +339,258 @@ optional_policy(` ######################################## # @@ -52699,6 +52737,7 @@ index 11ac8e4..9336364 100644 +dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; +dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace }; ++dontaudit mozilla_plugin_t self:rawip_socket create_socket_perms; + + +allow mozilla_plugin_t self:cap_userns {sys_admin sys_chroot}; @@ -53089,7 +53128,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -560,7 +597,11 @@ optional_policy(` +@@ -560,7 +598,11 @@ optional_policy(` ') optional_policy(` 
@@ -53102,7 +53141,7 @@ index 11ac8e4..9336364 100644 ') optional_policy(` -@@ -568,108 +609,144 @@ optional_policy(` +@@ -568,108 +610,144 @@ optional_policy(` ') optional_policy(` @@ -59282,7 +59321,7 @@ index 86dc29d..c7d9376 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..ab2d757 100644 +index 55f2009..a9d078b 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -59373,7 +59412,7 @@ index 55f2009..ab2d757 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,30 +102,29 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,30 +102,30 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -59385,7 +59424,8 @@ index 55f2009..ab2d757 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) -+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file }) ++manage_lnk_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) 
@@ -59408,7 +59448,7 @@ index 55f2009..ab2d757 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,36 +135,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,36 +136,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -59450,7 +59490,7 @@ index 55f2009..ab2d757 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +161,36 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +162,36 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -59488,7 +59528,7 @@ index 55f2009..ab2d757 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +205,36 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +206,36 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -59529,7 +59569,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -196,10 +250,6 @@ optional_policy(` +@@ -196,10 +251,6 @@ optional_policy(` ') optional_policy(` @@ -59540,7 +59580,7 @@ index 55f2009..ab2d757 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,31 +260,34 @@ optional_policy(` +@@ -210,31 +261,34 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -59583,7 +59623,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -246,10 +299,26 @@ optional_policy(` +@@ -246,10 +300,26 @@ optional_policy(` ') optional_policy(` @@ -59610,7 +59650,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -257,15 +326,19 @@ optional_policy(` +@@ -257,15 +327,19 @@ optional_policy(` ') optional_policy(` 
@@ -59632,7 +59672,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -274,10 +347,17 @@ optional_policy(` +@@ -274,10 +348,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -59650,7 +59690,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -286,9 +366,12 @@ optional_policy(` +@@ -286,9 +367,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -59663,7 +59703,7 @@ index 55f2009..ab2d757 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +379,7 @@ optional_policy(` +@@ -296,7 +380,7 @@ optional_policy(` ') optional_policy(` @@ -59672,7 +59712,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -307,6 +390,7 @@ optional_policy(` +@@ -307,6 +391,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -59680,7 +59720,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -320,14 +404,21 @@ optional_policy(` +@@ -320,14 +405,21 @@ optional_policy(` ') optional_policy(` @@ -59707,7 +59747,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -338,6 +429,13 @@ optional_policy(` +@@ -338,6 +430,13 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -59721,7 +59761,7 @@ index 55f2009..ab2d757 100644 ######################################## # # wpa_cli local policy -@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -76499,7 +76539,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..e4fc9c0 100644 +index d616ca3..76f9b25 100644 
--- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -76774,7 +76814,7 @@ index d616ca3..e4fc9c0 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +266,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +266,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -76803,6 +76843,9 @@ index d616ca3..e4fc9c0 100644 kernel_signal(pptp_t) +dev_read_sysfs(pptp_t) ++dev_read_rand(pptp_t) ++dev_read_urand(pptp_t) ++dev_read_rand(pptp_t) + corecmd_exec_shell(pptp_t) corecmd_read_bin_symlinks(pptp_t) @@ -76831,7 +76874,7 @@ index d616ca3..e4fc9c0 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +310,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +313,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -76846,7 +76889,7 @@ index d616ca3..e4fc9c0 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +327,10 @@ optional_policy(` +@@ -299,6 +330,10 @@ optional_policy(` ') optional_policy(` @@ -102919,7 +102962,7 @@ index 1499b0b..e695a62 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..d844f55 100644 +index cc58e35..cf012df 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -103383,7 +103426,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -267,36 +384,40 @@ optional_policy(` +@@ -267,48 +384,54 @@ optional_policy(` ######################################## # 
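Review bot: `dev_read_rand(pptp_t)` is added twice in the pptp_t hunk (the first and third of the three new `dev_read_*` lines), so the second occurrence is redundant and should be dropped, leaving `dev_read_rand(pptp_t)` / `dev_read_urand(pptp_t)`. The subject line cites only /dev/random for BZ 1404248; keeping `dev_read_urand(pptp_t)` is reasonable if the denial log showed both devices, but that is worth confirming. The pptp_t block continues outside this hunk.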
@@ -103441,7 +103484,13 @@ index cc58e35..d844f55 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +429,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) + manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +-files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) ++manage_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) ++files_spool_filetrans(spamd_t, spamd_spool_t, { file dir lnk_file }) + + manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -103451,7 +103500,7 @@ index cc58e35..d844f55 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +439,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +440,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -103468,7 +103517,7 @@ index cc58e35..d844f55 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +455,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +456,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -103573,7 +103622,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -421,21 +527,13 @@ optional_policy(` +@@ -421,21 +528,13 @@ optional_policy(` ') optional_policy(` 
@@ -103597,7 +103646,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -443,8 +541,8 @@ optional_policy(` +@@ -443,8 +542,8 @@ optional_policy(` ') optional_policy(` @@ -103607,7 +103656,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -455,7 +553,17 @@ optional_policy(` +@@ -455,7 +554,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -103626,7 +103675,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -463,9 +571,9 @@ optional_policy(` +@@ -463,9 +572,9 @@ optional_policy(` ') optional_policy(` @@ -103637,7 +103686,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -474,32 +582,32 @@ optional_policy(` +@@ -474,32 +583,32 @@ optional_policy(` ######################################## # @@ -103680,7 +103729,7 @@ index cc58e35..d844f55 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -108666,10 +108715,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..3f3a239 +index 0000000..ab916b7 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,165 @@ +@@ -0,0 +1,167 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -108709,6 +108758,7 @@ index 0000000..3f3a239 +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; +allow thumb_t self:netlink_route_socket r_netlink_socket_perms; ++allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms; +allow thumb_t self:udp_socket create_socket_perms; +allow thumb_t self:tcp_socket create_socket_perms; +allow thumb_t self:shm create_shm_perms; 
@@ -108736,6 +108786,7 @@ index 0000000..3f3a239 +can_exec(thumb_t, thumb_exec_t) + +kernel_read_system_state(thumb_t) ++kernel_dgram_send(thumb_t) + +corecmd_exec_bin(thumb_t) +corecmd_exec_shell(thumb_t) @@ -113837,7 +113888,7 @@ index facdee8..ee9e63e 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..f7ed200 100644 +index f03dcf5..d641932 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -114607,18 +114658,19 @@ index f03dcf5..f7ed200 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +-can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) - --can_exec(virtd_t, virt_tmp_t) ++allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) 
@@ -114790,12 +114842,11 @@ index f03dcf5..f7ed200 100644 ') optional_policy(` -- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` -+ iptables_domtrans(virtd_t) + iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -115064,7 +115115,7 @@ index f03dcf5..f7ed200 100644 +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') -+ + +optional_policy(` + nscd_dontaudit_read_pid(virt_domain) +') @@ -115164,7 +115215,7 @@ index f03dcf5..f7ed200 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; - ++ +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -115420,7 +115471,7 @@ index f03dcf5..f7ed200 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1259,359 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1259,363 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115705,6 +115756,7 @@ index f03dcf5..f7ed200 100644 + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) ++ fs_exec_nfs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` 
@@ -115712,12 +115764,14 @@ index f03dcf5..f7ed200 100644 + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) ++ fs_exec_cifs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) ++ fs_exec_fusefs(svirt_sandbox_domain) ') optional_policy(` @@ -115745,6 +115799,7 @@ index f03dcf5..f7ed200 100644 +allow svirt_lxc_net_t self:process { execstack execmem }; +manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) +kernel_load_module(svirt_lxc_net_t) ++manage_blk_files_pattern(container_t, container_file_t, container_file_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow svirt_lxc_net_t self:capability sys_admin; @@ -115921,7 +115976,7 @@ index f03dcf5..f7ed200 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1624,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1628,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115936,7 +115991,7 @@ index f03dcf5..f7ed200 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1642,7 @@ optional_policy(` +@@ -1192,7 +1646,7 @@ optional_policy(` ######################################## # @@ -115945,7 +116000,7 @@ index f03dcf5..f7ed200 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1651,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1655,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; 
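Review bot: `fs_exec_fusefs(svirt_sandbox_domain)` in the `virt_sandbox_use_fusefs` block does not follow the `fs_exec_<fs>_files` spelling of the two sibling additions `fs_exec_nfs_files(svirt_sandbox_domain)` and `fs_exec_cifs_files(svirt_sandbox_domain)` in the preceding hunks; refpolicy names this interface `fs_exec_fusefs_files`, so if filesystem.if in this tree only defines that form the policy build fails on this line. Confirm the interface name and, if needed, change the line to `fs_exec_fusefs_files(svirt_sandbox_domain)`. These three additions also turn booleans that previously granted only manage permissions into ones that additionally permit executing files from the NFS, CIFS or FUSE mounts inside a sandbox; the gen_tunable descriptions at the top of virt.te are outside these hunks and should state the execute permission if they do not already.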
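Review bot: `manage_blk_files_pattern(container_t, container_file_t, container_file_t)` is inserted into the svirt_lxc_net_t section, whose neighbouring rules (`manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)`, `kernel_load_module(svirt_lxc_net_t)`) are written in terms of svirt_lxc_net_t and svirt_sandbox_file_t. If container_t and container_file_t are typealiases of those types (the declarations are not in this hunk) the rule is equivalent but should use the same names as its neighbours; if they are distinct types, the grant lands on a domain this section is not about. Creating and writing block device nodes labelled container_file_t is a notable widening for a sandbox domain and the changelog line "Fixes for containers" gives no rationale, so the line deserves a comment such as `# container domains create/manage block device nodes under container_file_t (see tracker: <bug id>)` naming the motivating report.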
@@ -119560,7 +119615,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..fccb7b1 100644 +index 7f496c6..aab4f86 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -119738,7 +119793,7 @@ index 7f496c6..fccb7b1 100644 ') ######################################## -@@ -132,18 +161,7 @@ optional_policy(` +@@ -132,18 +161,9 @@ optional_policy(` # Agent local policy # @@ -119749,7 +119804,8 @@ index 7f496c6..fccb7b1 100644 -allow zabbix_agent_t self:shm create_shm_perms; -allow zabbix_agent_t self:tcp_socket { accept listen }; -allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; -- ++allow zabbix_agent_t self:process { setrlimit }; + -append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) @@ -119758,7 +119814,7 @@ index 7f496c6..fccb7b1 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +169,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +171,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) @@ -119778,7 +119834,7 @@ index 7f496c6..fccb7b1 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -170,6 +185,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) +@@ -170,6 +187,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) 
@@ -119809,7 +119865,7 @@ index 7f496c6..fccb7b1 100644 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) -@@ -177,21 +216,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +218,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9f4c5e1..7bfc323 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.23%{?dist} +Release: 191.24%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -672,6 +672,31 @@ exit 0 %endif %changelog +* Sun Jan 08 2016 Lukas Vrabec 3.13.1-191.24 +- Allow thumb domain sendto via dgram sockets. BZ(1398813) +- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077) +- Allow cobbler domain to create netlink_audit sockets BZ(1384600) +- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626) +- Add dhcpd_t domain fowner capability BZ(1409963) +- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942) +- Fixes for containers +- Allow virt domain to use interited virtlogd domains fifo_file +- Allow glusterd_t to bind on glusterd_port_t udp ports. +- Revert "Allow glusterd_t to bind on med_tlp port." +- Allow glusterd_t to bind on med_tlp port. +- Update ctdbd_t policy to reflect all changes. +- Allow ctdbd_t domain transition to rpcd_t +- Allow zabbix_agent_t domain setrlimit BZ(1349998) +- Allow pptp_t to read /dev/random BZ(1404248) +- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t +- Allow systemd to stop glusterd_t domains. +- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456) +- Allow user_t run systemctl --user BZ(1401625) +- Revert "Label tcp port 24009 as med_tlp_port_t" +- Label tcp port 24009 as med_tlp_port_t +- Allow systemd_gpt_generator_t to read efivarfs files. BZ(1403909) +- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) + * Mon Dec 05 2016 Lukas Vrabec 3.13.1-191.23 - Fix some boolean descriptions. - Allow puppetagent_t to access timedated dbus