From 8f0d7175774c41221294c51e80c8e3931c9b306f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 14 2014 09:59:24 +0000 Subject: * Tue Oct 14 2014 Lukas Vrabec 3.12.1-190 - Add support for /etc/.updated and /var/.updated - Allow dnssec_trigger_t to execute unbound-control in own domain. - Allow neutron connections to system dbus. - Add support for /var/lib/swiftdirectory. - Allow nova-scheduler to read certs. - Allow openvpn to access /sys/fs/cgroup dir. - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd - ALlow sanlock to send a signal to virtd_t. - Allow read antivirus domain all kernel sysctls. - Allow mandb to getattr on file systems - Add support for /etc/.updated and /var/.updated - Allow iptables read fail2ban logs. BZ (1147709) --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 2716abe..caa9692 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -9516,7 +9516,7 @@ index cf04cb5..a290c56 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..7996499 100644 +index c2c6e05..1a210d2 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9536,7 +9536,7 @@ index c2c6e05..7996499 100644 /boot/.* gen_context(system_u:object_r:boot_t,s0) /boot/\.journal <> /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -@@ -38,13 +39,13 @@ ifdef(`distro_suse',` +@@ -38,27 +39,32 @@ ifdef(`distro_suse',` # # /emul # 
@@ -9551,8 +9551,9 @@ index c2c6e05..7996499 100644 +/etc gen_context(system_u:object_r:etc_t,s0) /etc/.* gen_context(system_u:object_r:etc_t,s0) /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -52,13 +53,17 @@ ifdef(`distro_suse',` + /etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9575,7 +9576,7 @@ index c2c6e05..7996499 100644 /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -@@ -70,7 +75,10 @@ ifdef(`distro_suse',` +@@ -70,7 +76,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9587,7 +9588,7 @@ index c2c6e05..7996499 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', ` +@@ -78,10 +87,6 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -9598,7 +9599,7 @@ index c2c6e05..7996499 100644 ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -104,7 +109,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # 
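Review bot: `/etc/\.updated` is given etc_runtime_t with no note of what writes it or why a runtime-writable type is the right choice, whereas the neighbouring entries in this block are at least self-explanatory by name. If this is the stamp that systemd-update-done touches and that `ConditionNeedsUpdate=` compares against /usr (my reading of the name; nothing in the hunk shows it), then every domain with manage rights on etc_runtime_t can move that timestamp and thereby re-run or suppress the units gated on it, which deserves to be stated rather than left implicit. A one-line comment above the entry would do: `# stamp written by systemd-update-done; ConditionNeedsUpdate= units key off its mtime`. The file-context list this sits in continues on both sides of the hunk.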
@@ -9607,16 +9608,17 @@ index c2c6e05..7996499 100644 # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -@@ -129,6 +133,8 @@ ifdef(`distro_debian',` +@@ -129,6 +134,9 @@ ifdef(`distro_debian',` /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /media/[^/]*/.* <> /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) +/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/var/run/media/.* <> ++/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0) # # /misc -@@ -150,10 +156,10 @@ ifdef(`distro_debian',` +@@ -150,10 +158,10 @@ ifdef(`distro_debian',` # # /opt # @@ -9629,7 +9631,7 @@ index c2c6e05..7996499 100644 # # /proc -@@ -161,6 +167,12 @@ ifdef(`distro_debian',` +@@ -161,6 +169,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> @@ -9642,7 +9644,7 @@ index c2c6e05..7996499 100644 # # /run # -@@ -169,6 +181,7 @@ ifdef(`distro_debian',` +@@ -169,6 +183,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) @@ -9650,7 +9652,7 @@ index c2c6e05..7996499 100644 # # /selinux # -@@ -178,13 +191,14 @@ ifdef(`distro_debian',` +@@ -178,13 +193,14 @@ ifdef(`distro_debian',` # # /srv # @@ -9667,7 +9669,7 @@ index c2c6e05..7996499 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +208,10 @@ ifdef(`distro_debian',` +@@ -194,9 +210,10 @@ ifdef(`distro_debian',` # # /usr # @@ -9679,7 +9681,7 @@ index c2c6e05..7996499 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +219,9 @@ ifdef(`distro_debian',` +@@ -204,15 +221,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9696,7 +9698,7 @@ index c2c6e05..7996499 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +229,6 @@ ifdef(`distro_debian',` +@@ -220,8 +231,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` 
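Review bot: The new `/var/\.updated` entry is inserted into the `# /media` section, directly after `/var/run/media/.*`, even though it is a /var path and the file has a `# /var` section (the one holding `/var/\.journal`) a few hunks further down. Nothing breaks functionally, since file_contexts match by pattern rather than position, but anyone looking for this entry will search under /var and miss it, and it is the twin of the `/etc/\.updated` entry added earlier in the same commit. Suggest moving the line, unchanged, to sit next to `/var/\.journal` in the /var block; the run of /media entries it currently interrupts continues outside this hunk.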
@@ -9705,7 +9707,7 @@ index c2c6e05..7996499 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +238,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9714,7 +9716,7 @@ index c2c6e05..7996499 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +244,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +246,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9741,7 +9743,7 @@ index c2c6e05..7996499 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +279,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9756,14 +9758,14 @@ index c2c6e05..7996499 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +293,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +295,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..51cce06 100644 +index 64ff4d7..1e53061 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12833,7 +12835,7 @@ index 64ff4d7..51cce06 100644 ## ## ## -@@ -6501,64 +7857,887 @@ interface(`files_spool_filetrans',` +@@ -6501,64 +7857,889 @@ interface(`files_spool_filetrans',` ## ## # 
@@ -13623,6 +13625,7 @@ index 64ff4d7..51cce06 100644 + files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac") + files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac") + files_etc_filetrans($1, etc_t, file, "hwdb.bin") ++ files_etc_filetrans_etc_runtime($1, file, ".updated") + files_etc_filetrans_etc_runtime($1, file, "runtime") + files_etc_filetrans_etc_runtime($1, dir, "blkid") + files_etc_filetrans_etc_runtime($1, dir, "cmtab") @@ -13636,7 +13639,8 @@ index 64ff4d7..51cce06 100644 + files_etc_filetrans_etc_runtime($1, file, "iptables.save") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") -+ files_var_filetrans($1, var_run_t, dir, "run") ++ files_var_filetrans($1, var_run_t, dir, "run") ++ files_var_filetrans($1, etc_runtime_t, file, ".updated") +') + +######################################## diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 62645bb..993e74a 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -2973,10 +2973,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..8cc6120 +index 0000000..6d1de2c --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,271 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3082,11 +3082,9 @@ index 0000000..8cc6120 + +can_exec(antivirus_domain, antivirus_exec_t) + -+kernel_read_network_state(antivirus_t) -+kernel_read_net_sysctls(antivirus_t) -+kernel_read_kernel_sysctls(antivirus_domain) -+kernel_read_sysctl(antivirus_domain) -+kernel_read_system_state(antivirus_t) ++kernel_read_network_state(antivirus_domain) ++kernel_read_system_state(antivirus_domain) ++kernel_read_all_sysctls(antivirus_domain) + +corecmd_exec_bin(antivirus_domain) +corecmd_exec_shell(antivirus_domain) @@ -23887,10 +23885,10 @@ index 0000000..a952041 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..c1ab586 +index 0000000..7f0943f 
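Review bot: Replacing `kernel_read_kernel_sysctls(antivirus_domain)` and `kernel_read_net_sysctls(antivirus_t)` with `kernel_read_all_sysctls(antivirus_domain)` widens the grant on two axes at once: every sysctl category becomes readable rather than just kernel and net, and the network-state and system-state reads on the adjacent lines move from antivirus_t alone to every domain carrying the antivirus_domain attribute. Reading sysctls is low risk, but the changelog mentions only "all kernel sysctls", so the extra categories (fs, vm, dev and whatever else the all-sysctls interface covers, which I cannot check from here) look incidental rather than chosen. If a specific denial drove this, `kernel_read_kernel_sysctls(antivirus_domain)` plus `kernel_read_net_sysctls(antivirus_domain)` would close it with the same attribute-wide scope and no new categories; if the broad read really is wanted, a comment naming the scanner that needs it would keep the next reviewer from narrowing it again. The antivirus_domain rule block continues outside the hunk.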
--- /dev/null +++ b/dnssec.te -@@ -0,0 +1,58 @@ +@@ -0,0 +1,59 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -23944,6 +23942,7 @@ index 0000000..c1ab586 +sysnet_manage_config(dnssec_trigger_t) + +optional_policy(` ++ bind_domtrans(dnssec_trigger_t) + bind_read_config(dnssec_trigger_t) + bind_read_dnssec_keys(dnssec_trigger_t) +') @@ -42658,10 +42657,10 @@ index 327f3f7..4f61561 100644 + ') ') diff --git a/mandb.te b/mandb.te -index 5a414e0..24f45a8 100644 +index 5a414e0..8fc7de0 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles; +@@ -10,28 +10,54 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -42709,6 +42708,8 @@ index 5a414e0..24f45a8 100644 -files_read_etc_files(mandb_t) +files_search_locks(mandb_t) +files_dontaudit_search_all_mountpoints(mandb_t) ++ ++fs_getattr_all_fs(mandb_t) miscfiles_manage_man_cache(mandb_t) +miscfiles_setattr_man_pages(mandb_t) @@ -53871,10 +53872,10 @@ index 0000000..ce897e2 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..e583610 +index 0000000..564b2db --- /dev/null +++ b/nova.te -@@ -0,0 +1,338 @@ +@@ -0,0 +1,340 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -54169,6 +54170,8 @@ index 0000000..e583610 +# unconfined_domain(nova_scheduler_t) +#') + ++miscfiles_read_certs(nova_scheduler_t) ++ +####################################### +# +# nova vncproxy local policy @@ -59537,7 +59540,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..fcda1bc 100644 +index 3270ff9..272a34c 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) 
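Review bot: `bind_domtrans(dnssec_trigger_t)` sets up a domain transition into named_t on execution of named_exec_t, which does not match the changelog's "execute unbound-control in own domain" — staying in the caller's domain would be an exec-without-transition rule, not a domtrans. The difference matters: with the transition, dnssec_trigger_t can start anything labeled named_exec_t (presumably the unbound daemon itself as well as unbound-control, if they share the label) in the daemon's own domain, which is considerably more than running a control client. Either the changelog line or the rule should change; if the transition is what was actually tested, a comment on the rule would settle the intent, e.g. `# unbound-control carries named_exec_t, so it runs in named_t to reach the control socket`. The optional_policy block this rule lands in is complete within the hunk.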
@@ -59640,7 +59643,11 @@ index 3270ff9..fcda1bc 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -118,21 +144,30 @@ files_read_etc_runtime_files(openvpn_t) + + fs_getattr_all_fs(openvpn_t) + fs_search_auto_mountpoints(openvpn_t) ++fs_list_cgroup_dirs(openvpn_t) auth_use_pam(openvpn_t) @@ -59656,6 +59663,8 @@ index 3270ff9..fcda1bc 100644 sysnet_use_ldap(openvpn_t) -userdom_use_user_terminals(openvpn_t) ++systemd_passwd_agent_domtrans(openvpn_t) ++ +userdom_use_inherited_user_terminals(openvpn_t) +userdom_read_home_certs(openvpn_t) +userdom_attach_admin_tun_iface(openvpn_t) @@ -59668,7 +59677,7 @@ index 3270ff9..fcda1bc 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -143,6 +175,14 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` +@@ -143,6 +178,14 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(openvpn_t) ') @@ -59683,7 +59692,7 @@ index 3270ff9..fcda1bc 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) ') -@@ -155,3 +195,27 @@ optional_policy(` +@@ -155,3 +198,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -74961,10 +74970,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..de82e12 100644 +index 769d1fd..7cc3063 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,176 @@ +@@ -1,96 +1,180 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -75060,8 +75069,6 @@ index 769d1fd..de82e12 100644 -files_read_usr_files(quantum_t) - -auth_use_nsswitch(quantum_t) -- --libs_exec_ldconfig(quantum_t) +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; 
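Review bot: `systemd_passwd_agent_domtrans(openvpn_t)` is added unconditionally between the sysnet and userdom rules, with no comment, although it is a notable capability: openvpn_t can now launch a process in systemd_passwd_agent_t, the domain that, to my understanding (not visible here), services the systemd ask-password requests. The changelog explains the motive — openvpn under systemd needs the agent to prompt for its key passphrase — but the rule itself should carry that reasoning, and it reads better grouped with the new `fs_list_cgroup_dirs(openvpn_t)` line than in the middle of the networking block. Suggest moving it directly after `fs_list_cgroup_dirs(openvpn_t)` with `# when started by systemd, openvpn asks for key passphrases through the systemd password agent`. The surrounding openvpn_t policy continues outside the hunk.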
@@ -75152,6 +75159,11 @@ index 769d1fd..de82e12 100644 + corenet_tcp_sendrecv_all_ports(neutron_t) +') +-libs_exec_ldconfig(quantum_t) ++optional_policy(` ++ dbus_system_bus_client(neutron_t) ++') + -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) +optional_policy(` @@ -88667,7 +88679,7 @@ index cd6c213..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index a34eac4..b144d40 100644 +index a34eac4..c60eacd 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -88801,13 +88813,14 @@ index a34eac4..b144d40 100644 ') optional_policy(` -@@ -100,7 +117,8 @@ optional_policy(` +@@ -100,7 +117,9 @@ optional_policy(` ') optional_policy(` - virt_kill_all_virt_domains(sanlock_t) + virt_kill_svirt(sanlock_t) + virt_kill(sanlock_t) ++ virt_signal(sanlock_t) virt_manage_lib_files(sanlock_t) - virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) @@ -95943,10 +95956,10 @@ index c6aaac7..84cdcac 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..7e59e7e +index 0000000..79e43aa --- /dev/null +++ b/swift.fc -@@ -0,0 +1,33 @@ +@@ -0,0 +1,35 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -95973,6 +95986,8 @@ index 0000000..7e59e7e +/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) +/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + ++/var/lib/swift(/.*)? gen_context(system_u:object_r:swift_data_t,s0) ++ +# This seems to be a de-facto standard when using swift. +/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) + 
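Review bot: The new `/var/lib/swift(/.*)?` entry omits the `--` file-type field, unlike the `/var/cache/swift` and `/var/run/swift` context lines just above it that carry it; the new form is the right one, because `--` restricts a pattern to regular files and a `(/.*)?` pattern with `--` leaves the directory itself and every subdirectory unlabeled on relabel, but nothing in the hunk says so and the neighbouring lines now read as the house style. Worth a short comment on the new line, `# no type field: the directory tree itself must get swift_data_t`, and a follow-up that drops `--` from the two context entries, which appear to have exactly that problem. The changelog entry for this change also reads "/var/lib/swiftdirectory", which should be "/var/lib/swift directory".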
@@ -101529,7 +101544,7 @@ index c30da4c..9ccc90c 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..c43ef2e 100644 +index 9dec06c..c7a2d97 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -102912,7 +102927,7 @@ index 9dec06c..c43ef2e 100644 ######################################## ## -## Search virt image directories. -+## Send a signal to virtual machines ++## Send a signal to virtd daemon. ## ## ## @@ -102921,34 +102936,34 @@ index 9dec06c..c43ef2e 100644 ## # -interface(`virt_search_images',` -+interface(`virt_signal_svirt',` ++interface(`virt_signal',` gen_require(` - attribute virt_image_type; -+ attribute virt_domain; ++ type virtd_t; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virt_domain:process signal; ++ allow $1 virtd_t:process signal; ') ######################################## ## -## Read virt image files. -+## Manage virt home files. ++## Send a signal to virtual machines ## ## ## -@@ -995,36 +1016,57 @@ interface(`virt_search_images',` +@@ -995,57 +1016,75 @@ interface(`virt_search_images',` ## ## # -interface(`virt_read_images',` -+interface(`virt_manage_home_files',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virt_home_t; ++ attribute virt_domain; ') - virt_search_lib($1) @@ -102957,8 +102972,7 @@ index 9dec06c..c43ef2e 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ allow $1 virt_domain:process signal; +') - tunable_policy(`virt_use_nfs',` 
@@ -102967,30 +102981,30 @@ index 9dec06c..c43ef2e 100644 - fs_read_nfs_symlinks($1) +######################################## +## -+## allow domain to read -+## virt tmpfs files ++## Manage virt home files. +## +## +## -+## Domain allowed access ++## Domain allowed access. +## +## +# -+interface(`virt_read_tmpfs_files',` ++interface(`virt_manage_home_files',` + gen_require(` -+ attribute virt_tmpfs_type; ++ type virt_home_t; ') - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) +') + +######################################## +## -+## allow domain to manage ++## allow domain to read +## virt tmpfs files +## +## 
@@ -102999,38 +103013,63 @@ index 9dec06c..c43ef2e 100644 +## +## +# -+interface(`virt_manage_tmpfs_files',` ++interface(`virt_read_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; ') + -+ allow $1 virt_tmpfs_type:file manage_file_perms; ++ allow $1 virt_tmpfs_type:file read_file_perms; ') ######################################## ## -## Read and write all virt image -## character files. -+## Create .virt directory in the user home directory -+## with an correct label. ++## allow domain to manage ++## virt tmpfs files ## ## ## -@@ -1032,20 +1074,28 @@ interface(`virt_read_images',` +-## Domain allowed access. ++## Domain allowed access ## ## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_filetrans_home_content',` ++interface(`virt_manage_tmpfs_files',` gen_require(` - attribute virt_image_type; -+ type virt_home_t; -+ type svirt_home_t; ++ attribute virt_tmpfs_type; ') - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) ++ allow $1 virt_tmpfs_type:file manage_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## svirt cache files. ++## Create .virt directory in the user home directory ++## with an correct label. + ## + ## + ## +@@ -1053,15 +1092,28 @@ interface(`virt_rw_all_image_chr_files',` + ## + ## + # +-interface(`virt_manage_svirt_cache',` +- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') +- virt_manage_virt_cache($1) ++interface(`virt_filetrans_home_content',` ++ gen_require(` ++ type virt_home_t; ++ type svirt_home_t; ++ ') ++ + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") 
@@ -103047,34 +103086,36 @@ index 9dec06c..c43ef2e 100644 ######################################## ## -## Create, read, write, and delete --## svirt cache files. +-## virt cache content. +## Dontaudit attempts to Read virt_image_type devices. ## ## ## -@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1069,21 +1121,133 @@ interface(`virt_manage_svirt_cache',` ## ## # --interface(`virt_manage_svirt_cache',` -- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') -- virt_manage_virt_cache($1) +-interface(`virt_manage_virt_cache',` +interface(`virt_dontaudit_read_chr_dev',` -+ gen_require(` + gen_require(` +- type virt_cache_t; + attribute virt_image_type; -+ ') -+ + ') + +- files_search_var($1) +- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) +- manage_files_pattern($1, virt_cache_t, virt_cache_t) +- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') ######################################## ## -## Create, read, write, and delete --## virt cache content. +-## virt image files. +## Creates types and rules for a basic +## virt_lxc process domain. - ## --## ++## +## +## +## Prefix for the domain. @@ -103103,7 +103144,7 @@ index 9dec06c..c43ef2e 100644 +## Make the specified type usable as a lxc domain +## +## - ## ++## +## Type to be used as a lxc domain +## +## @@ -103122,7 +103163,7 @@ index 9dec06c..c43ef2e 100644 +## +## +## - ## Domain allowed access. ++## Domain allowed access. +## +## +# 
@@ -103141,30 +103182,22 @@ index 9dec06c..c43ef2e 100644 +## +## +## Domain allowed access. - ## - ## - # --interface(`virt_manage_virt_cache',` ++## ++## ++# +interface(`virt_filetrans_named_content',` - gen_require(` -- type virt_cache_t; ++ gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; - ') - -- files_search_var($1) -- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) -- manage_files_pattern($1, virt_cache_t, virt_cache_t) -- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) ++ ') ++ + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") - ') - - ######################################## - ## --## Create, read, write, and delete --## virt image files. ++') ++ ++######################################## ++## +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## @@ -103200,7 +103233,7 @@ index 9dec06c..c43ef2e 100644 ## ## ## -@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1255,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -103274,7 +103307,7 @@ index 9dec06c..c43ef2e 100644 ## ## ## -@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1318,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
@@ -103313,30 +103346,30 @@ index 9dec06c..c43ef2e 100644 - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -+ admin_pattern($1, virt_file_type) -+ admin_pattern($1, svirt_file_type) - +- - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) -+ virt_systemctl($1) -+ allow $1 virtd_unit_file_t:service all_service_perms; - +- - logging_search_logs($1) - admin_pattern($1, virt_log_t) - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_var($1) - admin_pattern($1, svirt_cache_t) -- ++ admin_pattern($1, virt_file_type) ++ admin_pattern($1, svirt_file_type) + - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) -- ++ virt_systemctl($1) ++ allow $1 virtd_unit_file_t:service all_service_perms; + - files_search_locks($1) - admin_pattern($1, virt_lock_t) + virt_stream_connect_sandbox($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2fc86eb..add9635 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 189%{?dist} +Release: 190%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -582,6 +582,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Oct 14 2014 Lukas Vrabec 3.12.1-190 +- Add support for /etc/.updated and /var/.updated +- Allow dnssec_trigger_t to execute unbound-control in own domain. +- Allow neutron connections to system dbus. +- Add support for /var/lib/swiftdirectory. +- Allow nova-scheduler to read certs. +- Allow openvpn to access /sys/fs/cgroup dir. +- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd +- ALlow sanlock to send a signal to virtd_t. +- Allow read antivirus domain all kernel sysctls. +- Allow mandb to getattr on file systems +- Add support for /etc/.updated and /var/.updated +- Allow iptables read fail2ban logs. BZ (1147709) + * Tue Oct 07 2014 Lukas Vrabec 3.12.1-189 - Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof. - Allow nova domains to getattr on all filesystems.