From 9229b610673978e8e3a0c55946fdce96f2f288b7 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 18 2014 15:43:18 +0000 Subject: * Mon Aug 18 2014 Lukas Vrabec 3.13.1-73 - Allow ssytemd_logind_t to list tmpfs directories - Allow lvm_t to create undefined sockets - Allow passwd_t to read/write stream sockets - Allow docker lots more access. - Fix label for ports - Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service. - Label tcp port 4194 as kubernetes port. - Additional access required for passenger_t - sandbox domains should be allowed to use libraries which require execmod - Allow qpid to read passwd files BZ (#1130086) - Remove cockpit port, it is now going to use websm port - Add getattr to the list of access to dontaudit on unix_stream_sockets - Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index d2b48ca..45b20e7 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2667,7 +2667,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..1a53101 100644 +index 1d732f1..4aef39e 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -2896,11 +2896,12 @@ index 1d732f1..1a53101 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +383,14 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +383,15 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) ++userdom_rw_stream(passwd_t) + +optional_policy(` + gnome_exec_keyringd(passwd_t) 
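Review bot: `++userdom_rw_stream(passwd_t)` at the end of the `@@ -2896` hunk grants passwd_t `rw_socket_perms` on the unix stream sockets of every domain carrying the `userdomain` attribute (the interface body is in the userdomain.if hunk of this same base patch, further down the page), which is wider than the changelog's "read/write stream sockets" suggests, since rw_socket_perms in refpolicy covers more than read and write (connect, bind and setopt among them, if I recall — confirm against obj_perm_sets.spt). If the denial came from a stream socket that passwd inherits as stdio from the calling user shell, the rule only needs to cover that inherited descriptor. Either way the line deserves a why-comment naming the triggering denial, e.g. `# passwd_t inherits a unix stream socket as stdio from the invoking user domain — see AVC in BZ <bug-id placeholder>`. The passwd_t block continues past this hunk.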
@@ -2911,7 +2912,7 @@ index 1d732f1..1a53101 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -401,9 +440,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +441,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -2924,7 +2925,7 @@ index 1d732f1..1a53101 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +457,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -2932,7 +2933,7 @@ index 1d732f1..1a53101 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +465,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +466,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -2945,7 +2946,7 @@ index 1d732f1..1a53101 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +482,8 @@ optional_policy(` +@@ -446,7 +483,8 @@ optional_policy(` # Useradd local policy # @@ -2955,7 +2956,7 @@ index 1d732f1..1a53101 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +498,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +499,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; 
@@ -2966,7 +2967,7 @@ index 1d732f1..1a53101 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +509,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +510,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3006,7 +3007,7 @@ index 1d732f1..1a53101 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +538,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +539,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3014,7 +3015,7 @@ index 1d732f1..1a53101 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +549,32 @@ init_rw_utmp(useradd_t) +@@ -508,33 +550,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3059,7 +3060,7 @@ index 1d732f1..1a53101 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -549,10 +589,19 @@ optional_policy(` +@@ -549,10 +590,19 @@ optional_policy(` ') optional_policy(` @@ -3079,7 +3080,7 @@ index 1d732f1..1a53101 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +611,12 @@ optional_policy(` +@@ -562,3 +612,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -5460,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..a19d634 100644 +index b191055..9ae3918 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -5534,7 +5535,7 @@ index b191055..a19d634 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) @@ -5553,7 +5554,6 @@ index b191055..a19d634 100644 network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) -+network_port(cockpit, udp,1001,s0) +network_port(collectd, udp,25826,s0) network_port(chronyd, udp,323,s0) network_port(clamd, tcp,3310,s0) @@ -5612,7 +5612,7 @@ index b191055..a19d634 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +176,53 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5651,6 +5651,7 @@ index b191055..a19d634 100644 +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(keystone, tcp, 35357,s0, udp, 35357,s0) ++network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0) +network_port(rlogin, tcp,543,s0, tcp,2105,s0) +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) 
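Review bot: `++network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)` in the `@@ -5651` hunk labels three ports that belong to different daemons with a single `kubernetes_port_t`, so every `corenet_*_kubernetes_port` interface (the kubernetes.te hunk later on this page grants bind to both kube_kubelet_t and kube_etcd_t and connect to the whole kube_domain attribute) opens all three at once. If 4001 is etcd's client port, a domain that only needs to reach the kubelet on 10250 also gets connect to the cluster store — confirm the port assignments against the daemons. A per-daemon port type, or at least a separate type for the etcd port, would keep the bind/connect grants narrower. The changelog entry mentions only 4194, so the addition of 10250 and 4001 on the same line is worth stating in the commit message too.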
@@ -17457,7 +17458,7 @@ index 7be4ddf..71e675a 100644 +/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0) +/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..fb8a1f1 100644 +index e100d88..5a45858 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -17621,7 +17622,32 @@ index e100d88..fb8a1f1 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1477,6 +1565,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1458,6 +1546,24 @@ interface(`kernel_list_all_proc',` + + ######################################## + ## ++## Allow attempts to mounton all proc directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_all_proc',` ++ gen_require(` ++ attribute proc_type; ++ ') ++ ++ allow $1 proc_type:dir mounton; ++') ++ ++######################################## ++## + ## Do not audit attempts to list all proc directories. + ## + ## +@@ -1477,6 +1583,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -17646,7 +17672,7 @@ index e100d88..fb8a1f1 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1778,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1796,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -17655,7 +17681,7 @@ index e100d88..fb8a1f1 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1799,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1817,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) 
@@ -17664,7 +17690,7 @@ index e100d88..fb8a1f1 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1821,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1839,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -17672,7 +17698,7 @@ index e100d88..fb8a1f1 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1750,16 +1855,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1750,16 +1873,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -17690,7 +17716,7 @@ index e100d88..fb8a1f1 100644 ') ######################################## -@@ -1771,16 +1869,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1887,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -17708,7 +17734,7 @@ index e100d88..fb8a1f1 100644 ') ######################################## -@@ -1792,16 +1883,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1901,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -17726,7 +17752,7 @@ index e100d88..fb8a1f1 100644 ') ######################################## -@@ -1813,16 +1897,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +1915,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## 
@@ -17744,16 +17770,37 @@ index e100d88..fb8a1f1 100644 ') ######################################## -@@ -2085,7 +2162,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,9 +2180,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file getattr; + dontaudit $1 sysctl_type:file read_file_perms; ++') ++ ++######################################## ++## ++## Allow attempts to mounton all sysctl directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_all_sysctls',` ++ gen_require(` ++ attribute sysctl_type; ++ ') ++ ++ allow $1 sysctl_type:dir mounton; ') ++ ######################################## -@@ -2282,6 +2359,25 @@ interface(`kernel_list_unlabeled',` + ## + ## Allow caller to read all sysctls. +@@ -2282,6 +2396,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -17779,7 +17826,7 @@ index e100d88..fb8a1f1 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2402,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2439,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -17788,7 +17835,7 @@ index e100d88..fb8a1f1 100644 ## ## # -@@ -2488,6 +2584,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2621,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -17813,7 +17860,7 @@ index e100d88..fb8a1f1 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2639,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2676,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## 
@@ -17838,7 +17885,7 @@ index e100d88..fb8a1f1 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2799,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2836,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -17863,7 +17910,7 @@ index e100d88..fb8a1f1 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2844,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2881,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -17889,7 +17936,7 @@ index e100d88..fb8a1f1 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +2972,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3009,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -17923,10 +17970,11 @@ index e100d88..fb8a1f1 100644 ######################################## ## -@@ -2958,6 +3154,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,7 +3191,25 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## +-## Unconfined access to kernel module resources. +## Relabel to unlabeled context . +## +## @@ -17945,10 +17993,11 @@ index e100d88..fb8a1f1 100644 + +######################################## +## - ## Unconfined access to kernel module resources. ++## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3186,565 @@ interface(`kernel_unconfined',` + ## +@@ -2972,5 +3223,565 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -34282,10 +34331,10 @@ index 312cd04..3c62b4c 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..ef41ebe 100644 +index 73a1c4e..af8050d 100644 
--- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,35 @@ +@@ -1,22 +1,39 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -34293,13 +34342,17 @@ index 73a1c4e..ef41ebe 100644 +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + ++ +/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -36767,7 +36820,7 @@ index 58bc27f..f5ae583 100644 +') + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c4..f505f63 100644 +index 79048c4..a7040f1 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) 
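Review bot: The new `/sbin/arptables-restore` and `/sbin/arptables-save` entries in the `@@ -34293` hunk are given only under `/sbin`, as is the existing `/sbin/ebtables-restore` context line they sit beside; on a merged-/usr system this relies on a `/sbin` → `/usr/sbin` path equivalence being configured, and a binary that matches no entry would execute without the transition into iptables_t — confirm the equivalence rule is in place or add the `/usr/sbin` forms. The hunk also introduces a second consecutive blank line (`++` directly after the existing `+`) below the ipset unit entry, which is a style nit. The `/usr/lib/systemd/system/arptables.*` unit-file entry matches the existing iptables/ip6tables/ipset unit lines, so that part is consistent.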
@@ -36851,7 +36904,7 @@ index 79048c4..f505f63 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,15 +181,22 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; @@ -36859,7 +36912,10 @@ index 79048c4..f505f63 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms; ++allow lvm_t self:socket create_socket_perms; + allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; + allow lvm_t self:sem create_sem_perms; + allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; @@ -36871,7 +36927,7 @@ index 79048c4..f505f63 100644 manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) -@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,10 +209,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -36884,7 +36940,7 @@ index 79048c4..f505f63 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,8 +222,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) 
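Review bot: `++allow lvm_t self:socket create_socket_perms;` in the `@@ -36859` hunk uses the generic `socket` class, the catch-all for address families that have no dedicated SELinux class, so the rule records nothing about which socket lvm actually opens and cannot be tightened later. A short why-comment would preserve that, e.g. `# lvm creates a socket of a family with no dedicated object class (see AVC in BZ <bug-id placeholder>)`, with the reference taken from the original denial. If that family later gets its own class, the rule should be revisited, since the generic class will then no longer match it.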
@@ -36896,7 +36952,7 @@ index 79048c4..f505f63 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +242,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -36904,7 +36960,7 @@ index 79048c4..f505f63 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +253,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -36919,7 +36975,7 @@ index 79048c4..f505f63 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +271,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -36927,7 +36983,7 @@ index 79048c4..f505f63 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +281,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -36950,7 +37006,7 @@ index 79048c4..f505f63 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +315,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) 
@@ -36959,7 +37015,7 @@ index 79048c4..f505f63 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +323,22 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -36983,7 +37039,7 @@ index 79048c4..f505f63 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +349,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +350,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -36995,7 +37051,7 @@ index 79048c4..f505f63 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +374,34 @@ optional_policy(` +@@ -333,14 +375,34 @@ optional_policy(` ') optional_policy(` @@ -42685,10 +42741,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..e2c527a +index 0000000..08a4e91 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,685 @@ +@@ -0,0 +1,686 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -42787,6 +42843,7 @@ index 0000000..e2c527a + +fs_mount_tmpfs(systemd_logind_t) +fs_unmount_tmpfs(systemd_logind_t) ++fs_list_tmpfs(systemd_logind_t) +fs_manage_fusefs_dirs(systemd_logind_t) +fs_manage_fusefs_files(systemd_logind_t) + @@ -44765,7 +44822,7 @@ index db75976..8f5380f 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..d193211 100644 +index 9dc60c6..72d01d2 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -48054,7 +48111,7 @@ index 9dc60c6..d193211 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4477,1666 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4477,1684 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; 
@@ -48586,7 +48643,7 @@ index 9dc60c6..d193211 100644 +######################################## +## +## Do not audit attempts to read and write -+## unserdomain stream. ++## userdomain stream. +## +## +## @@ -48604,6 +48661,24 @@ index 9dc60c6..d193211 100644 + +######################################## +## ++## Read and write userdomain stream. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_stream',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++## +## Do not audit attempts to read and write +## unserdomain datagram socket. +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 5e8f985..610c051 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3618,7 +3618,7 @@ index 7caefc3..7e70f67 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..9eba5f5 100644 +index f6eb485..499800e 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -4085,7 +4085,13 @@ index f6eb485..9eba5f5 100644 ## ## ## -@@ -372,8 +413,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -367,13 +408,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` + type httpd_t; + ') + +- dontaudit $1 httpd_t:unix_stream_socket { read write }; ++ dontaudit $1 httpd_t:unix_stream_socket { getattr read write }; + ') ######################################## ## @@ -4241,11 +4247,10 @@ index f6eb485..9eba5f5 100644 apache_domtrans_helper($1) - roleattribute $2 httpd_helper_roles; + role $2 types httpd_helper_t; - ') - - ######################################## - ## --## Read httpd log files. ++') ++ ++######################################## ++## +## dontaudit attempts to read +## apache log files. +## 
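Review bot: The `unserdomain` typo that the `@@ -48586` hunk corrects for `userdom_dontaudit_rw_stream` is still present in the context line at the end of the `@@ -48604` hunk, `+## unserdomain datagram socket.`, so the fix is incomplete. The new `userdom_rw_stream` body grants `rw_socket_perms` on the unix stream sockets of every domain with the `userdomain` attribute; the summary should say so instead of the bare `Read and write userdomain stream.`, for instance `Read and write the unix stream sockets of all user domains (rw_socket_perms, not only read and write).` That summary is all a caller sees before applying the interface to a system domain such as passwd_t, which this commit does.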
@@ -4263,10 +4268,11 @@ index f6eb485..9eba5f5 100644 + + dontaudit $1 httpd_log_t:file read_file_perms; + dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read httpd log files. +## Allow the specified domain to read +## apache log files. ## @@ -4547,11 +4553,31 @@ index f6eb485..9eba5f5 100644 -######################################## +###################################### ++## ++## Allow the specified domain to read ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_files',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw files. ++## apache system content rw dirs. ## ## ## @@ -4561,32 +4587,12 @@ index f6eb485..9eba5f5 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_files',` ++interface(`apache_read_sys_content_rw_dirs',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to read -+## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + 
@@ -4679,6 +4685,15 @@ index f6eb485..9eba5f5 100644 ## ## ## +@@ -916,7 +1122,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` + type httpd_sys_script_t; + ') + +- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; ++ dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write }; + ') + + ######################################## @@ -941,7 +1147,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## @@ -4972,7 +4987,7 @@ index f6eb485..9eba5f5 100644 + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; -+ dontaudit $1 httpd_t:unix_stream_socket { read write }; ++ dontaudit $1 httpd_t:unix_stream_socket { getattr read write }; + dontaudit $1 httpd_tmp_t:file { read write }; +') + @@ -13804,10 +13819,10 @@ index 0000000..573dcae +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..cc6201d +index 0000000..4c9b3b1 --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -13845,11 +13860,7 @@ index 0000000..cc6201d +dev_read_urand(cockpit_ws_t) # for authkey +dev_read_rand(cockpit_ws_t) # for libssh + -+# cockpit-ws can read from the cockpit port -+# TODO: disable this until we have it in our f20 selinux-policy-targeted -+# corenet_tcp_bind_cockpit_port(cockpit_ws_t) -+#allow cockpit_ws_t init_t:tcp_socket accept; -+corenet_tcp_bind_all_reserved_ports(cockpit_ws_t) ++corenet_tcp_bind_websm_port(cockpit_ws_t) + +# cockpit-ws can connect to other hosts via ssh +corenet_tcp_connect_ssh_port(cockpit_ws_t) @@ -24559,10 +24570,10 @@ index 0000000..76eb32e +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..dfb6b04 +index 0000000..ef1b924 --- /dev/null 
+++ b/docker.te -@@ -0,0 +1,278 @@ +@@ -0,0 +1,280 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24672,7 +24683,7 @@ index 0000000..dfb6b04 +manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) +files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) + -+allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(docker_t, docker_devpts_t) + +kernel_read_system_state(docker_t) @@ -24755,6 +24766,8 @@ index 0000000..dfb6b04 +kernel_get_sysvipc_info(docker_t) +kernel_request_load_module(docker_t) +kernel_mounton_messages(docker_t) ++kernel_mounton_all_proc(docker_t) ++kernel_mounton_all_sysctls(docker_t) + +dev_getattr_all(docker_t) +dev_getattr_sysfs_fs(docker_t) 
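Review bot: `++kernel_mounton_all_proc(docker_t)` and `++kernel_mounton_all_sysctls(docker_t)` in the `@@ -24755` hunk let docker_t mount over every proc_type and sysctl_type directory, and nothing in the hunk records why that breadth is needed, whereas the neighbouring `kernel_mounton_messages(docker_t)` line shows the previous approach was per-target. A why-comment would let a later reader narrow it, e.g. `# docker masks /proc and /proc/sys entries inside new container mount namespaces — TODO confirm which paths and narrow`. Both interfaces are introduced by the kernel.if hunks of policy-rawhide-base.patch in this same commit, so the contrib patch now builds only against a base patch that carries them. The docker_t block continues outside the hunk.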
@@ -39659,6 +39672,152 @@ index c5548c5..1356fcb 100644 -miscfiles_read_localization(ktalkd_t) +userdom_use_user_ptys(ktalkd_t) +userdom_use_user_ttys(ktalkd_t) +diff --git a/kubernetes.fc b/kubernetes.fc +new file mode 100644 +index 0000000..9d05b4a +--- /dev/null ++++ b/kubernetes.fc +@@ -0,0 +1,15 @@ ++/usr/lib/systemd/system/kubelet.* -- gen_context(system_u:object_r:kube_kubelet_unit_file_t,s0) ++/usr/lib/systemd/system/kube-apiserver.* -- gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0) ++/usr/lib/systemd/system/kube-controller-manager.* -- gen_context(system_u:object_r:kube_controller_unit_file_t,s0) ++/usr/lib/systemd/system/kube-proxy.* -- gen_context(system_u:object_r:kube_proxy_unit_file_t,s0) ++/usr/lib/systemd/system/etcd.* -- gen_context(system_u:object_r:kube_etcd_unit_file_t,s0) ++ ++/usr/bin/kubelet -- gen_context(system_u:object_r:kube_kubelet_exec_t,s0) ++/usr/bin/kube-apiserver -- gen_context(system_u:object_r:kube_apiserver_exec_t,s0) ++/usr/bin/kube-controller-manager -- gen_context(system_u:object_r:kube_controller_exec_t,s0) ++/usr/bin/kube-proxy -- gen_context(system_u:object_r:kube_proxy_exec_t,s0) ++/usr/bin/kubecfg -- gen_context(system_u:object_r:kube_kubecfg_exec_t,s0) ++/usr/bin/etcd -- gen_context(system_u:object_r:kube_etcd_exec_t,s0) ++ ++/var/lib/etcd(/.*)? gen_context(system_u:object_r:kube_etcd_var_lib_t,s0) ++ +diff --git a/kubernetes.if b/kubernetes.if +new file mode 100644 +index 0000000..e9d90b0 +--- /dev/null ++++ b/kubernetes.if +@@ -0,0 +1,43 @@ ++## kube ++ ++###################################### ++## ++## Creates types and rules for a basic ++## kube init daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`kube_domain_template',` ++ gen_require(` ++ attribute kube_domain; ++ ') ++ ++ ############################## ++ # ++ # $1_t declarations ++ # ++ ++ type kube_$1_t, kube_domain; ++ type kube_$1_exec_t; ++ init_daemon_domain(kube_$1_t, kube_$1_exec_t) ++ ++ type kube_$1_unit_file_t; ++ systemd_unit_file(kube_$1_unit_file_t) ++ ++ ############################## ++ # ++ # kube_domain domain policy ++ ++ kernel_read_unix_sysctls(kube_domain) ++ kernel_read_net_sysctls(kube_domain) ++ ++ auth_read_passwd(kube_domain) ++ ++ corenet_tcp_bind_generic_node(kube_domain) ++ corenet_tcp_connect_http_cache_port(kube_domain) ++ corenet_tcp_connect_kubernetes_port(kube_domain) ++') +diff --git a/kubernetes.te b/kubernetes.te +new file mode 100644 +index 0000000..7bfbbff +--- /dev/null ++++ b/kubernetes.te +@@ -0,0 +1,70 @@ ++policy_module(kubernetes, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute kube_domain; ++ ++kube_domain_template(kubelet) ++kube_domain_template(apiserver) ++kube_domain_template(controller) ++kube_domain_template(proxy) ++kube_domain_template(kubecfg) ++kube_domain_template(etcd) ++ ++type kube_etcd_var_lib_t; ++files_type(kube_etcd_var_lib_t) ++ ++######################################## ++# ++# kubelet local policy ++# ++ ++allow kube_kubelet_t self:capability net_admin; ++allow kube_kubelet_t self:tcp_socket { accept listen create_socket_perms }; ++ ++corenet_tcp_bind_kubernetes_port(kube_kubelet_t) ++ ++######################################## ++# ++# kube_controller local policy ++# ++ ++allow kube_controller_t self:tcp_socket create_socket_perms; ++ ++######################################## ++# ++# kube_apiserver local policy ++# ++ ++allow kube_apiserver_t self:tcp_socket { accept listen create_socket_perms }; ++ ++corenet_tcp_bind_http_cache_port(kube_apiserver_t) ++ ++######################################## ++# ++# kube_proxy local policy ++# ++ ++allow kube_proxy_t 
self:capability net_admin; ++allow kube_proxy_t self:tcp_socket create_socket_perms; ++ ++######################################## ++# ++# kube_ectd local policy ++# ++ ++allow kube_etcd_t self:tcp_socket { accept listen create_socket_perms }; ++allow kube_etcd_t self:unix_dgram_socket create_socket_perms; ++ ++fs_getattr_xattr_fs(kube_etcd_t) ++ ++manage_files_pattern(kube_etcd_t, kube_etcd_var_lib_t, kube_etcd_var_lib_t) ++files_var_lib_filetrans(kube_etcd_t, kube_etcd_var_lib_t, file ) ++ ++corenet_tcp_bind_kubernetes_port(kube_etcd_t) ++corenet_tcp_bind_afs3_callback_port(kube_etcd_t) ++ ++logging_send_syslog_msg(kube_etcd_t) diff --git a/kudzu.if b/kudzu.if index 5297064..6ba8108 100644 --- a/kudzu.if @@ -49187,7 +49346,7 @@ index ed81cac..837a43a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..45bdd6f 100644 +index ff1d68c..58ba0ce 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -49414,7 +49573,7 @@ index ff1d68c..45bdd6f 100644 ') optional_policy(` -@@ -258,10 +282,16 @@ optional_policy(` +@@ -258,10 +282,17 @@ optional_policy(` ') optional_policy(` @@ -49428,10 +49587,11 @@ index ff1d68c..45bdd6f 100644 +') + +optional_policy(` ++ nagios_append_spool(system_mail_t) nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +302,19 @@ optional_policy(` +@@ -272,6 +303,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -49451,7 +49611,7 @@ index ff1d68c..45bdd6f 100644 ') optional_policy(` -@@ -287,42 +330,36 @@ optional_policy(` +@@ -287,42 +331,36 @@ optional_policy(` ') optional_policy(` 
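Review bot: `manage_files_pattern(kube_etcd_t, kube_etcd_var_lib_t, kube_etcd_var_lib_t)` together with `files_var_lib_filetrans(kube_etcd_t, kube_etcd_var_lib_t, file )` covers files only, while kubernetes.fc labels the whole `/var/lib/etcd(/.*)?` tree; if etcd creates subdirectories under its data directory (the versions I know keep snapshots and logs in subdirectories — confirm from the denials) it also needs `manage_dirs_pattern(kube_etcd_t, kube_etcd_var_lib_t, kube_etcd_var_lib_t)` and `{ dir file }` in the filetrans. `corenet_tcp_bind_afs3_callback_port(kube_etcd_t)` lets etcd bind a port type that belongs to another service; a dedicated label for etcd's peer port would document the intent and keep the two policies independent. In `kube_domain_template` the `kernel_`, `auth_` and `corenet_` calls on the `kube_domain` attribute are re-emitted by every `kube_domain_template(...)` invocation; they belong once in kubernetes.te after `attribute kube_domain;`, which would also make it easier to see that `kube_domain_template(kubecfg)` turns a command-line client into an init daemon domain with generic-node bind. The heading `# kube_ectd local policy` is a typo for etcd.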
@@ -49504,7 +49664,7 @@ index ff1d68c..45bdd6f 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +368,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +369,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -49574,7 +49734,7 @@ index ff1d68c..45bdd6f 100644 ') optional_policy(` -@@ -381,24 +422,49 @@ optional_policy(` +@@ -381,24 +423,49 @@ optional_policy(` ######################################## # @@ -51910,7 +52070,7 @@ index d78dfc3..02f18ac 100644 -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if -index 0641e97..d7d9a79 100644 +index 0641e97..cad402c 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ @@ -52015,13 +52175,32 @@ index 0641e97..d7d9a79 100644 ## ## ## -@@ -132,13 +125,14 @@ interface(`nagios_search_spool',` +@@ -132,13 +125,33 @@ interface(`nagios_search_spool',` type nagios_spool_t; ') - files_search_spool($1) allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) ++') ++ ++######################################## ++## ++## Append nagios spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_append_spool',` ++ gen_require(` ++ type nagios_spool_t; ++ ') ++ ++ allow $1 nagios_spool_t:file append_file_perms; ++ files_search_spool($1) ') ######################################## 
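Review bot: `nagios_append_spool` grants `append_file_perms` on every file labelled nagios_spool_t, while the only consumer on this page (system_mail_t, for dead.letter) needs one file; the summary `## Append nagios spool files.` should say that the whole spool type is covered so callers can judge the scope, e.g. `## Allow the specified domain to append to any nagios spool file (nagios_spool_t), not only dead.letter.`. If the wider grant is not wanted, a dedicated file type for dead.letter with its own append interface would keep the mailer out of the rest of the nagios spool. The interface is fully inside the hunk and follows the neighbouring interfaces' ordering of the allow before `files_search_spool($1)`, which is consistent.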
@@ -52032,17 +52211,18 @@ index 0641e97..d7d9a79 100644 ## ## ## -@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',` +@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',` type nagios_tmp_t; ') - files_search_tmp($1) allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute nrpe with a domain transition. +## Allow the specified domain to read +## nagios temporary files. +## @@ -52059,17 +52239,16 @@ index 0641e97..d7d9a79 100644 + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) - ') - - ######################################## - ## --## Execute nrpe with a domain transition. ++') ++ ++######################################## ++## +## Execute the nagios NRPE with +## a domain transition. ## ## ## -@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',` +@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',` type nrpe_t, nrpe_exec_t; ') @@ -52086,7 +52265,7 @@ index 0641e97..d7d9a79 100644 ## ## ## -@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',` +@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',` ## ## ## @@ -54376,10 +54555,10 @@ index 0000000..d6de5b6 +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..28936b4 +index 0000000..ce897e2 --- /dev/null +++ b/nova.if -@@ -0,0 +1,57 @@ +@@ -0,0 +1,59 @@ +## openstack-nova + +###################################### 
@@ -54429,7 +54608,9 @@ index 0000000..28936b4 + + manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) + manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) -+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir }) ++ manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) ++ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) ++ fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) + can_exec(nova_$1_t, nova_$1_tmp_t) + + kernel_read_system_state(nova_$1_t) @@ -61732,7 +61913,7 @@ index bf59ef7..2d8335f 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..24ce7e8 100644 +index 08ec33b..e478148 100644 --- a/passenger.te +++ b/passenger.te @@ -14,6 +14,9 @@ role system_r types passenger_t; @@ -61745,7 +61926,7 @@ index 08ec33b..24ce7e8 100644 type passenger_var_lib_t; files_type(passenger_var_lib_t) -@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t) +@@ -22,22 +25,25 @@ files_pid_file(passenger_var_run_t) ######################################## # @@ -61755,7 +61936,8 @@ index 08ec33b..24ce7e8 100644 allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; -allow passenger_t self:process { setpgid setsched sigkill signal }; -+allow passenger_t self:process { setpgid setsched sigkill signal signull }; ++allow passenger_t self:capability2 block_suspend; ++allow passenger_t self:process { setpgid setsched getsession signal_perms }; allow passenger_t self:fifo_file rw_fifo_file_perms; -allow passenger_t self:unix_stream_socket { accept connectto listen }; +allow passenger_t self:tcp_socket listen; 
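Review bot: `fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })` labels tmpfs content created by every nova_$1_t as nova_$1_tmp_t, and the unchanged `can_exec(nova_$1_t, nova_$1_tmp_t)` on the next line then makes that tmpfs content executable for all domains instantiated from the template. That is a wider grant than the previous /tmp-only transition; if only one nova service needs it, the tmpfs transition belongs in that service's local policy rather than the template. At minimum add a comment above the line naming which nova domain produced the denial, e.g. `# tmpfs (/dev/shm) files created by nova_<service>_t are labelled and executable as nova_$1_tmp_t`. The template's definition starts before the hunk.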
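Review bot: `allow passenger_t self:capability2 block_suspend;` and the `getsession` addition arrive with no comment and the changelog entry only says "Additional access required for passenger_t", so the reason for a new capability is not recorded anywhere on this page. Replacing `{ sigkill signal signull }` with `signal_perms` also widens the self:process grant to the remaining signal permissions in that permission set, which is fine for a self rule but is a change the message does not mention. I would put the motivating denial above the rule, e.g. `# block_suspend/getsession: needed by passenger; see <audit denial or bug reference — TODO fill in>`. The passenger_t local policy section continues past the hunk.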
@@ -61777,7 +61959,7 @@ index 08ec33b..24ce7e8 100644 manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -45,7 +51,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) @@ -61790,7 +61972,7 @@ index 08ec33b..24ce7e8 100644 kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) -@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t) +@@ -53,13 +63,10 @@ kernel_read_network_state(passenger_t) kernel_read_net_sysctls(passenger_t) corenet_all_recvfrom_netlabel(passenger_t) @@ -61805,7 +61987,7 @@ index 08ec33b..24ce7e8 100644 corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -68,8 +74,6 @@ dev_read_urand(passenger_t) +@@ -68,8 +75,6 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) @@ -61814,7 +61996,7 @@ index 08ec33b..24ce7e8 100644 auth_use_nsswitch(passenger_t) logging_send_syslog_msg(passenger_t) -@@ -94,14 +98,21 @@ optional_policy(` +@@ -94,14 +99,21 @@ optional_policy(` ') optional_policy(` @@ -74611,7 +74793,7 @@ index fe2adf8..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 83eb09e..b48c931 100644 +index 83eb09e..fc17eee 100644 --- a/qpid.te +++ b/qpid.te @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -74624,7 +74806,7 @@ index 83eb09e..b48c931 100644 type qpidd_tmpfs_t; files_tmpfs_file(qpidd_tmpfs_t) -@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms; +@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket { accept listen }; allow qpidd_t self:unix_stream_socket { accept listen }; 
@@ -74651,6 +74833,8 @@ index 83eb09e..b48c931 100644 kernel_read_system_state(qpidd_t) -corenet_all_recvfrom_unlabeled(qpidd_t) ++auth_read_passwd(qpidd_t) ++ corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) @@ -87896,10 +88080,10 @@ index 0000000..03bdcef +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..499e739 +index 0000000..a3319b0 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,500 @@ +@@ -0,0 +1,501 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -88054,6 +88238,7 @@ index 0000000..499e739 +manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +dontaudit sandbox_x_domain sandbox_file_t:dir mounton; ++allow sandbox_x_domain sandbox_file_t:file execmod; + +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) @@ -101276,7 +101461,7 @@ index a4f20bc..9ccc90c 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..d179539 100644 +index facdee8..c43ef2e 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -102325,7 +102510,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',` +@@ -860,74 +695,266 @@ interface(`virt_read_lib_files',` ## ## # @@ -102474,6 +102659,7 @@ index facdee8..d179539 100644 + manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) + manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) + manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### 
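Review bot: `allow sandbox_x_domain sandbox_file_t:file execmod;` lets a sandboxed process map a file of its own content type with text relocations, and the lines above show the same domain managing sandbox_file_t (fifo and lnk rules visible; the file rule is presumably just before the hunk), so a sandbox can write a file and then execmod it — the write/execute separation this domain otherwise had on its own files is gone, unless it already has execmem, which this slice does not show. If the need is only prebuilt libraries with text relocations, gate the rule behind a tunable (name it in the style of the existing sandbox booleans; placeholder `<sandbox_execmod_boolean>`) with a comment such as `# execmod is for libraries with text relocations, not for sandbox-generated code`, and leave it off by default. sandboxX.te is a new file and the hunk shows only a slice of it.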
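Review bot: The added `allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };` extends what looks like a manage-style interface (its header is outside the hunk, so the name is not visible here) with relabel permissions, so every existing caller silently gains relabel on sandbox files without any change on its side. Refpolicy keeps relabel in a separate `*_relabel_*` interface with its own summary, because callers pick interfaces by summary; I would split this into its own interface, or at least amend the enclosing interface's summary to say it also relabels svirt_sandbox_file_t content. The interface's closing `')` is in the hunk but its declaration is not.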
@@ -102613,7 +102799,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -935,19 +961,17 @@ interface(`virt_read_log',` +@@ -935,19 +962,17 @@ interface(`virt_read_log',` ## ## # @@ -102637,7 +102823,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -955,20 +979,17 @@ interface(`virt_append_log',` +@@ -955,20 +980,17 @@ interface(`virt_append_log',` ## ## # @@ -102662,7 +102848,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -976,18 +997,17 @@ interface(`virt_manage_log',` +@@ -976,18 +998,17 @@ interface(`virt_manage_log',` ## ## # @@ -102685,7 +102871,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -995,36 +1015,57 @@ interface(`virt_search_images',` +@@ -995,36 +1016,57 @@ interface(`virt_search_images',` ## ## # @@ -102762,7 +102948,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -1032,20 +1073,28 @@ interface(`virt_read_images',` +@@ -1032,20 +1074,28 @@ interface(`virt_read_images',` ## ## # @@ -102798,7 +102984,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -102946,7 +103132,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -103020,7 +103206,7 @@ index facdee8..d179539 100644 ## ## ## -@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index a7014b4..60ab40d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 72%{?dist} +Release: 73%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -602,7 +602,23 @@ SELinux Reference policy mls base module. %endif %changelog -* Tue Aug 12 2014 Lukas Vrabec 3.12.1-72 +* Mon Aug 18 2014 Lukas Vrabec 3.13.1-73 +- Allow ssytemd_logind_t to list tmpfs directories +- Allow lvm_t to create undefined sockets +- Allow passwd_t to read/write stream sockets +- Allow docker lots more access. +- Fix label for ports +- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service. +- Label tcp port 4194 as kubernetes port. +- Additional access required for passenger_t +- sandbox domains should be allowed to use libraries which require execmod +- Allow qpid to read passwd files BZ (#1130086) +- Remove cockpit port, it is now going to use websm port +- Add getattr to the list of access to dontaudit on unix_stream_sockets +- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter. + + +* Tue Aug 12 2014 Lukas Vrabec 3.13.1-72 - docker needs to be able to look at everything in /dev - Allow all processes to send themselves signals - Allow sysadm_t to create netlink_tcpdiag socket