From a1354f3a846ac4c02b055679e6416d56c7b70fdd Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jun 28 2016 10:21:51 +0000 Subject: * Tue Jun 28 2016 Lukas Vrabec 3.13.1-191.3 - Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. - Allow glusterd daemon to get systemd status - Allow logrotate dbus-chat with system_logind daemon - Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files - Add interface cron_read_pid_files() - Allow pcp_pmlogger to create unix dgram sockets - Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t. - Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd() - Create label for openhpid log files. - Label /var/lib/ganglia as httpd_var_lib_t - Allow firewalld_t to create entries in net_conf_t dirs. - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals - Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file. - Label /etc/dhcp/scripts dir as bin_t - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index d27bd89..cb19aa0 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index eccd46a..0112673 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -3509,7 +3509,7 @@ index 7590165..d81185e 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..b94f32f 100644 +index 33e0f8d..48f001d 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -3585,7 +3585,16 @@ index 33e0f8d..b94f32f 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -135,10 +153,12 @@ ifdef(`distro_debian',` +@@ -128,6 +146,8 @@ ifdef(`distro_debian',` + /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) + ') + ++/etc/dhcp/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + # + # /lib + # +@@ -135,10 +155,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -3599,7 +3608,7 @@ index 33e0f8d..b94f32f 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',` +@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3613,7 +3622,7 @@ index 33e0f8d..b94f32f 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3621,7 +3630,7 @@ index 33e0f8d..b94f32f 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',` +@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
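Review bot: The new `/etc/dhcp/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels the directory and everything beneath it bin_t, with no `--` restriction and in the generic corecommands.fc outside any distro ifdef, so any domain allowed corecmd_exec_bin can execute these hooks and whatever may manage bin_t content can presumably replace them. If these are hook scripts run by the DHCP client, a dedicated exec type owned by the dhcp module would keep what the client executes distinguishable from ordinary system binaries in audit and in policy; if bin_t is the deliberate choice, record why next to the entry, e.g. `# DHCP client hook scripts; run in the caller's domain, hence bin_t rather than a private exec type`. The surrounding /etc entries are part of a larger fc block that continues outside this hunk.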
@@ -3681,7 +3690,7 @@ index 33e0f8d..b94f32f 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',` +@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3721,7 +3730,7 @@ index 33e0f8d..b94f32f 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',` +@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3767,7 +3776,7 @@ index 33e0f8d..b94f32f 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',` +@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3782,7 +3791,7 @@ index 33e0f8d..b94f32f 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3807,7 +3816,7 @@ index 33e0f8d..b94f32f 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +401,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +403,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3836,7 +3845,7 @@ index 33e0f8d..b94f32f 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +429,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +431,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3844,7 +3853,7 @@ index 33e0f8d..b94f32f 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +471,34 @@ ifdef(`distro_suse', ` +@@ -387,17 +473,34 @@ ifdef(`distro_suse', ` # # /var # @@ -48193,10 +48202,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..435604e +index 0000000..356f74a --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,931 @@ +@@ -0,0 +1,932 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49033,6 +49042,7 @@ index 0000000..435604e +# systemd_hwdb domain +# +manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t) ++allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto}; +files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file) + + diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index d8d7c65..fba7038 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -3460,10 +3460,10 @@ index 0000000..d8b04b5 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..754c30f 100644 +index 7caefc3..2029082 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,214 @@ +@@ -1,162 +1,215 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
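Review bot: The added `allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto};` is written as a raw allow right under a `manage_files_pattern` call; the file's idiom for this is `relabel_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)`, which expresses the same grant and keeps the domain's rules uniformly macro-based. Because source and target type are identical the rule permits no relabel to any other type, which is the security-relevant fact and worth stating, e.g. `# systemd-hwdb re-applies its own label when it rewrites /etc/udev/hwdb.bin; no cross-type relabel`. The changelog attributes the need to /etc/udev/hwdb.bin, but the trigger is not visible in this hunk, so that comment should be confirmed against the denial; systemd_hwdb_t's declarations are outside the hunk.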
@@ -3672,6 +3672,7 @@ index 7caefc3..754c30f 100644 +/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/ganglia(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -9426,10 +9427,10 @@ index c3fd7b1..e189593 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..49accb6 100644 +index 2b9a3a1..982ce9b 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,77 @@ +@@ -1,54 +1,78 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -9508,6 +9509,7 @@ index 2b9a3a1..49accb6 100644 +/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/lib/softhsm(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) @@ -9731,7 +9733,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..bf5ad4a 100644 +index 1241123..ab9ec30 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; 
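Review bot: Labeling `/var/lib/ganglia(/.*)?` as httpd_var_lib_t makes the entire tree writable by the web server domain through whatever rules httpd_t already holds on that type, including any data files under it that are produced by the ganglia daemons rather than the PHP front end. If gmetad/gmond run in their own domains (not visible here) they will need access to httpd_var_lib_t or their writes will now be denied, and a compromised httpd_t could tamper with monitoring data it previously could not reach. Consider narrowing the pattern to the sub-directories the web front end actually writes, or document the choice inline, e.g. `# ganglia-web runs under httpd and writes its conf/cache files here`.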
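Review bot: `/var/lib/softhsm(/.*)? gen_context(system_u:object_r:named_cache_t,s0)` puts SoftHSM token storage, which holds PKCS#11 private key material (presumably DNSSEC signing keys, the likely motivation), under the same type as ordinary zone cache data that named_t manages per the bind.te rules in this patch and that any other domain granted named_cache_t access can reach. A distinct type (a SoftHSM-owned var_lib type, or a named key-store type with read-only access for named_t) would keep key material separable from cache in policy and would not force other PKCS#11 consumers of that directory into the DNS label. If the shared type is intentional, note the trade-off next to the entry: `# SoftHSM token dir (contains DNSSEC private keys); treated as named cache data`.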
@@ -9764,7 +9766,13 @@ index 1241123..bf5ad4a 100644 allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept listen }; -@@ -89,9 +93,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) +@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms; + read_files_pattern(named_t, named_conf_t, named_conf_t) + read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) + ++manage_dirs_pattern(named_t, named_cache_t, named_cache_t) + manage_files_pattern(named_t, named_cache_t, named_cache_t) + manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) allow named_t named_keytab_t:file read_file_perms; @@ -9775,7 +9783,7 @@ index 1241123..bf5ad4a 100644 logging_log_filetrans(named_t, named_log_t, file) manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) -@@ -112,10 +114,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) +@@ -112,10 +115,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) kernel_read_kernel_sysctls(named_t) kernel_read_system_state(named_t) kernel_read_network_state(named_t) @@ -9787,7 +9795,7 @@ index 1241123..bf5ad4a 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -141,9 +143,13 @@ corenet_sendrecv_all_client_packets(named_t) +@@ -141,9 +144,13 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) @@ -9801,7 +9809,7 @@ index 1241123..bf5ad4a 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +181,19 @@ tunable_policy(`named_write_master_zones',` +@@ -175,6 +182,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` 
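Review bot: `manage_dirs_pattern(named_t, named_cache_t, named_cache_t)` lets named create and remove whole directory trees of named_cache_t, not only files, and with /var/lib/softhsm now carrying that label in this same patch the token directory is included. If the grant exists only so SoftHSM can create its per-token sub-directories, say so, e.g. `# SoftHSM (PKCS#11 token store under /var/lib/softhsm) creates per-token dirs`; otherwise a narrower `create_dirs_pattern` may be enough. named_t's remaining rules continue outside this hunk.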
@@ -9821,7 +9829,7 @@ index 1241123..bf5ad4a 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +206,17 @@ optional_policy(` +@@ -187,7 +207,17 @@ optional_policy(` ') optional_policy(` @@ -9839,7 +9847,7 @@ index 1241123..bf5ad4a 100644 kerberos_use(named_t) ') -@@ -215,7 +244,8 @@ optional_policy(` +@@ -215,7 +245,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9849,7 +9857,7 @@ index 1241123..bf5ad4a 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +259,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +260,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9861,7 +9869,7 @@ index 1241123..bf5ad4a 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +271,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +272,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9871,7 +9879,7 @@ index 1241123..bf5ad4a 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +289,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +290,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -18019,7 +18027,7 @@ index ad0bae9..615a947 100644 +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') diff --git a/cron.if b/cron.if -index 1303b30..759412f 100644 +index 1303b30..f13c532 100644 --- a/cron.if +++ b/cron.if @@ -2,11 +2,12 @@ @@ -18205,15 +18213,6 @@ index 1303b30..759412f 100644 - # - # Declarations - # -- -- role $1 types { unconfined_cronjob_t crontab_t }; -- -- ############################## -- # -- # Local policy -- # -- -- domtrans_pattern($2, crontab_exec_t, crontab_t) + ############################## + # + # Declarations 
@@ -18221,32 +18220,41 @@ index 1303b30..759412f 100644 + + role $1 types unconfined_cronjob_t; -- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -- allow $2 crond_t:process sigchld; +- role $1 types { unconfined_cronjob_t crontab_t }; + ############################## + # + # Local policy + # -- allow $2 user_cron_spool_t:file { getattr read write ioctl }; +- ############################## +- # +- # Local policy +- # + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -- allow $2 crontab_t:process { ptrace signal_perms }; -- ps_process_pattern($2, crontab_t) +- domtrans_pattern($2, crontab_exec_t, crontab_t) + allow $2 crond_t:process sigchld; -- corecmd_exec_bin(crontab_t) -- corecmd_exec_shell(crontab_t) +- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; +- allow $2 crond_t:process sigchld; + allow $2 user_cron_spool_t:file { getattr read write ioctl }; -- tunable_policy(`cron_userdomain_transition',` -- allow crond_t $2:process transition; -- allow crond_t $2:fd use; -- allow crond_t $2:key manage_key_perms; +- allow $2 user_cron_spool_t:file { getattr read write ioctl }; + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) + allow $2 unconfined_cronjob_t:process signal_perms; +- allow $2 crontab_t:process { ptrace signal_perms }; +- ps_process_pattern($2, crontab_t) +- +- corecmd_exec_bin(crontab_t) +- corecmd_exec_shell(crontab_t) +- +- tunable_policy(`cron_userdomain_transition',` +- allow crond_t $2:process transition; +- allow crond_t $2:fd use; +- allow crond_t $2:key manage_key_perms; +- - allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`deny_ptrace',`',` + allow $2 unconfined_cronjob_t:process ptrace; 
@@ -18371,16 +18379,15 @@ index 1303b30..759412f 100644 - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; +- +- allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`cron_userdomain_transition',` + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; -- allow $2 user_cron_spool_t:file entrypoint; -+ allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; -+ allow $2 crond_t:fifo_file rw_fifo_file_perms; ++ allow $2 user_cron_spool_t:file entrypoint; - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) @@ -18388,6 +18395,9 @@ index 1303b30..759412f 100644 - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; ++ allow $2 crond_t:fifo_file rw_fifo_file_perms; + +- dontaudit $2 user_cron_spool_t:file entrypoint; + allow $2 cronjob_t:process { signal_perms }; + ps_process_pattern($2, cronjob_t) + ',` @@ -18395,8 +18405,6 @@ index 1303b30..759412f 100644 + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; -- dontaudit $2 user_cron_spool_t:file entrypoint; -- - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; @@ -18705,11 +18713,10 @@ index 1303b30..759412f 100644 - allow $1 crond_t:fifo_file rw_fifo_file_perms; + allow $1 user_cron_spool_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read and write crond TCP sockets. ++') ++ ++######################################## ++## +## Read and write inherited spool files. +## +## 
@@ -18724,10 +18731,11 @@ index 1303b30..759412f 100644 + ') + + allow $1 cron_spool_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write crond TCP sockets. +## Read, and write cron daemon TCP sockets. ## ## 
@@ -18751,106 +18759,120 @@ index 1303b30..759412f 100644 ## ## ## -@@ -627,8 +675,26 @@ interface(`cron_search_spool',` +@@ -627,8 +675,7 @@ interface(`cron_search_spool',` ######################################## ## -## Create, read, write, and delete -## crond pid files. +## Search the directory containing user cron tables. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_manage_system_spool',` -+ gen_require(` -+ type cron_system_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) -+') -+ -+######################################## -+## -+## Manage pid files used by cron ## ## ## -@@ -641,13 +707,13 @@ interface(`cron_manage_pid_files',` - type crond_var_run_t; +@@ -636,37 +683,37 @@ interface(`cron_search_spool',` + ## + ## + # +-interface(`cron_manage_pid_files',` ++interface(`cron_manage_system_spool',` + gen_require(` +- type crond_var_run_t; ++ type cron_system_spool_t; ') -+ files_search_pids($1) - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +- manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ++ files_search_spool($1) ++ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) ') ######################################## ## -## Execute anacron in the cron -## system domain. -+## Execute anacron in the cron system domain. ++## Manage pid files used by cron ## ## ## -@@ -660,13 +726,13 @@ interface(`cron_anacron_domtrans_system_job',` - type system_cronjob_t, anacron_exec_t; +-## Domain allowed to transition. ++## Domain allowed access. 
+ ## + ## + # +-interface(`cron_anacron_domtrans_system_job',` ++interface(`cron_manage_pid_files',` + gen_require(` +- type system_cronjob_t, anacron_exec_t; ++ type crond_var_run_t; ') - corecmd_search_bin($1) - domtrans_pattern($1, anacron_exec_t, system_cronjob_t) +- domtrans_pattern($1, anacron_exec_t, system_cronjob_t) ++ files_search_pids($1) ++ manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') ######################################## ## -## Use system cron job file descriptors. -+## Inherit and use a file descriptor -+## from system cron jobs. ++## Read pid files used by cron ## ## ## -@@ -684,7 +750,7 @@ interface(`cron_use_system_job_fds',` +@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',` + ## + ## + # +-interface(`cron_use_system_job_fds',` ++interface(`cron_read_pid_files',` + gen_require(` +- type system_cronjob_t; ++ type crond_var_run_t; + ') + +- allow $1 system_cronjob_t:fd use; ++ files_search_pids($1) ++ read_files_pattern($1, crond_var_run_t, crond_var_run_t) + ') ######################################## ## -## Read system cron job lib files. -+## Write a system cron job unnamed pipe. ++## Execute anacron in the cron system domain. ## ## ## -@@ -692,19 +758,17 @@ interface(`cron_use_system_job_fds',` +-## Domain allowed access. ++## Domain allowed to transition. ## ## # -interface(`cron_read_system_job_lib_files',` -+interface(`cron_write_system_job_pipes',` ++interface(`cron_anacron_domtrans_system_job',` gen_require(` - type system_cronjob_var_lib_t; -+ type system_cronjob_t; ++ type system_cronjob_t, anacron_exec_t; ') - files_search_var_lib($1) - read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -+ allow $1 system_cronjob_t:fifo_file write; ++ domtrans_pattern($1, anacron_exec_t, system_cronjob_t) ') ######################################## ## -## Create, read, write, and delete -## system cron job lib files. -+## Read and write a system cron job unnamed pipe. 
++## Inherit and use a file descriptor ++## from system cron jobs. ## ## ## -@@ -712,18 +776,17 @@ interface(`cron_read_system_job_lib_files',` +@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',` ## ## # -interface(`cron_manage_system_job_lib_files',` -+interface(`cron_rw_system_job_pipes',` ++interface(`cron_use_system_job_fds',` gen_require(` - type system_cronjob_var_lib_t; + type system_cronjob_t; 
@@ -18858,154 +18880,134 @@ index 1303b30..759412f 100644 - files_search_var_lib($1) - manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 system_cronjob_t:fd use; ') ######################################## ## -## Write system cron job unnamed pipes. -+## Allow read/write unix stream sockets from the system cron jobs. ++## Write a system cron job unnamed pipe. ## ## ## -@@ -731,18 +794,17 @@ interface(`cron_manage_system_job_lib_files',` - ## - ## - # --interface(`cron_write_system_job_pipes',` -+interface(`cron_rw_system_job_stream_sockets',` - gen_require(` +@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',` type system_cronjob_t; ') - allow $1 system_cronjob_t:file write; -+ allow $1 system_cronjob_t:unix_stream_socket { read write }; ++ allow $1 system_cronjob_t:fifo_file write; ') ######################################## ## -## Read and write system cron job -## unnamed pipes. -+## Read temporary files from the system cron jobs. ++## Read and write a system cron job unnamed pipe. ## ## ## -@@ -750,86 +812,142 @@ interface(`cron_write_system_job_pipes',` - ## - ## - # --interface(`cron_rw_system_job_pipes',` -+interface(`cron_read_system_job_tmp_files',` - gen_require(` -- type system_cronjob_t; -+ type system_cronjob_tmp_t, cron_var_run_t; +@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',` + type system_cronjob_t; ') - allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; -+ files_search_tmp($1) -+ allow $1 system_cronjob_tmp_t:file read_file_perms; -+ -+ files_search_pids($1) -+ allow $1 cron_var_run_t:file read_file_perms; ++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## -## Read and write inherited system cron -## job unix domain stream sockets. -+## Do not audit attempts to append temporary -+## files from the system cron jobs. 
++## Allow read/write unix stream sockets from the system cron jobs. ## ## ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`cron_rw_system_job_stream_sockets',` -+interface(`cron_dontaudit_append_system_job_tmp_files',` - gen_require(` -- type system_cronjob_t; -+ type system_cronjob_tmp_t; - ') - -- allow $1 system_cronjob_t:unix_stream_socket { read write }; -+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms; - ') +@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',` ######################################## ## -## Read system cron job temporary files. -+## Do not audit attempts to write temporary -+## files from the system cron jobs. ++## Read temporary files from the system cron jobs. ## ## ## --## Domain allowed access. -+## Domain to not audit. - ## - ## +@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',` # --interface(`cron_read_system_job_tmp_files',` -+interface(`cron_dontaudit_write_system_job_tmp_files',` + interface(`cron_read_system_job_tmp_files',` gen_require(` - type system_cronjob_tmp_t; -+ type cron_var_run_t; +- type system_cronjob_tmp_t; ++ type system_cronjob_tmp_t, cron_var_run_t; ') -- files_search_tmp($1) -- allow $1 system_cronjob_tmp_t:file read_file_perms; -+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -+ dontaudit $1 cron_var_run_t:file write_file_perms; + files_search_tmp($1) + allow $1 system_cronjob_tmp_t:file read_file_perms; ++ ++ files_search_pids($1) ++ allow $1 cron_var_run_t:file read_file_perms; ') ######################################## ## --## Do not audit attempts to append temporary + ## Do not audit attempts to append temporary -## system cron job files. -+## Read temporary files from the system cron jobs. ++## files from the system cron jobs. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`cron_dontaudit_append_system_job_tmp_files',` -+interface(`cron_read_system_job_lib_files',` - gen_require(` -- type system_cronjob_tmp_t; -+ type system_cronjob_var_lib_t; - ') - -- dontaudit $1 system_cronjob_tmp_t:file append_file_perms; -+ files_search_var_lib($1) -+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - ') - +@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` ######################################## ## --## Do not audit attempts to write temporary + ## Do not audit attempts to write temporary -## system cron job files. -+## Manage files from the system cron jobs. ++## files from the system cron jobs. ## ## ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`cron_dontaudit_write_system_job_tmp_files',` -+interface(`cron_manage_system_job_lib_files',` +@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` + interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` -- type system_cronjob_tmp_t; -+ type system_cronjob_var_lib_t; + type system_cronjob_tmp_t; ++ type cron_var_run_t; ') -- dontaudit $1 system_cronjob_tmp_t:file write_file_perms; + dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ++ dontaudit $1 cron_var_run_t:file write_file_perms; ++') ++ ++######################################## ++## ++## Read temporary files from the system cron jobs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_read_system_job_lib_files',` ++ gen_require(` ++ type system_cronjob_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++') ++ ++######################################## ++## ++## Manage files from the system cron jobs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`cron_manage_system_job_lib_files',` ++ gen_require(` ++ type system_cronjob_var_lib_t; ++ ') ++ + files_search_var_lib($1) + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') @@ -32050,10 +32052,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..c31e40e +index 0000000..3ba328e --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,302 @@ +@@ -0,0 +1,303 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32240,6 +32242,7 @@ index 0000000..c31e40e +init_read_script_state(glusterd_t) +init_rw_script_tmp_files(glusterd_t) +init_manage_script_status_files(glusterd_t) ++init_status(glusterd_t) + +systemd_config_systemd_services(glusterd_t) +systemd_signal_passwd_agent(glusterd_t) @@ -39511,7 +39514,7 @@ index 59ad3b3..bd02cc8 100644 + +/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0) diff --git a/jabber.if b/jabber.if -index 7eb3811..629af1e 100644 +index 7eb3811..8075ba5 100644 --- a/jabber.if +++ b/jabber.if @@ -1,29 +1,76 @@ @@ -39669,7 +39672,7 @@ index 7eb3811..629af1e 100644 ## ## ## -@@ -66,20 +137,27 @@ interface(`jabber_tcp_connect',` +@@ -66,20 +137,28 @@ interface(`jabber_tcp_connect',` ## ## ## @@ -39687,6 +39690,7 @@ index 7eb3811..629af1e 100644 + type jabberd_t, jabberd_var_lib_t; + type jabberd_initrc_exec_t, jabberd_router_t; + type jabberd_lock_t; ++ type jabberd_var_spool_t; ') - allow $1 jabberd_domain:process { ptrace signal_perms }; @@ -39703,7 +39707,7 @@ index 7eb3811..629af1e 100644 init_labeled_script_domtrans($1, jabberd_initrc_exec_t) domain_system_change_exemption($1) -@@ -89,15 +167,9 @@ interface(`jabber_admin',` +@@ -89,15 +168,9 @@ interface(`jabber_admin',` files_search_locks($1) admin_pattern($1, jabberd_lock_t) 
@@ -39711,7 +39715,8 @@ index 7eb3811..629af1e 100644 - admin_pattern($1, jabberd_log_t) - files_search_spool($1) - admin_pattern($1, jabberd_spool_t) +- admin_pattern($1, jabberd_spool_t) ++ admin_pattern($1, jabberd_var_spool_t) files_search_var_lib($1) admin_pattern($1, jabberd_var_lib_t) @@ -45775,7 +45780,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..688605e 100644 +index be0ab84..5160f96 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -45900,7 +45905,7 @@ index be0ab84..688605e 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +126,54 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +126,55 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -45925,6 +45930,7 @@ index be0ab84..688605e 100644 +systemd_start_all_unit_files(logrotate_t) +systemd_reload_all_services(logrotate_t) +systemd_status_all_unit_files(logrotate_t) ++systemd_dbus_chat_logind(logrotate_t) +init_stream_connect(logrotate_t) -seutil_dontaudit_read_config(logrotate_t) @@ -45961,7 +45967,7 @@ index be0ab84..688605e 100644 ') optional_policy(` -@@ -135,16 +188,17 @@ optional_policy(` +@@ -135,16 +189,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -45981,7 +45987,7 @@ index be0ab84..688605e 100644 ') optional_policy(` -@@ -170,6 +224,11 @@ optional_policy(` +@@ -170,6 +225,11 @@ optional_policy(` ') optional_policy(` @@ -45993,7 +45999,7 @@ index be0ab84..688605e 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +237,7 @@ optional_policy(` +@@ -178,7 +238,7 @@ optional_policy(` ') optional_policy(` @@ -46002,7 +46008,7 @@ index be0ab84..688605e 100644 ') optional_policy(` -@@ -198,17 +257,18 @@ optional_policy(` +@@ -198,17 +258,18 @@ optional_policy(` ') optional_policy(` 
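Review bot: The replacement `admin_pattern($1, jabberd_var_spool_t)` has no `files_search_spool($1)` in front of it; that call appears in this hunk only as a removed line, while the var_lib counterpart immediately below keeps its `files_search_var_lib($1)`. `admin_pattern` grants nothing on /var/spool itself, so unless the admin role already traverses it, add `files_search_spool($1)` before the new line. Note the changelog spells the type `jabbertd_var_spool_t` whereas the gen_require addition reads `jabberd_var_spool_t`; the interface body begins outside this hunk.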
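Review bot: `systemd_dbus_chat_logind(logrotate_t)` opens a bidirectional D-Bus channel between a root cron job and logind, which is considerably broader than the status queries the adjacent `systemd_status_all_unit_files` already allows, and neither the hunk nor the changelog says what triggers it. If the denial comes from `systemctl` in postrotate scripts looking up the invoking session, state that, e.g. `# systemctl invoked from postrotate scripts consults logind for the calling session`; if only one direction is needed, a single send_msg rule would be narrower. logrotate_t's rules continue before and after this hunk.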
@@ -46024,7 +46030,7 @@ index be0ab84..688605e 100644 ') optional_policy(` -@@ -216,6 +276,14 @@ optional_policy(` +@@ -216,6 +277,14 @@ optional_policy(` ') optional_policy(` @@ -46039,7 +46045,7 @@ index be0ab84..688605e 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +296,43 @@ optional_policy(` +@@ -228,26 +297,43 @@ optional_policy(` ') optional_policy(` @@ -64261,10 +64267,10 @@ index 8de6191..1a01e99 100644 +') diff --git a/openhpid.fc b/openhpid.fc new file mode 100644 -index 0000000..9441fd7 +index 0000000..df219e6 --- /dev/null +++ b/openhpid.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0) + @@ -64272,6 +64278,8 @@ index 0000000..9441fd7 + +/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0) + ++/var/log/dynsim[0-9]*\.log -- gen_context(system_u:object_r:openhpid_log_t,s0) ++ +/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0) diff --git a/openhpid.if b/openhpid.if new file mode 100644 @@ -64440,10 +64448,10 @@ index 0000000..598789a + diff --git a/openhpid.te b/openhpid.te new file mode 100644 -index 0000000..b4f88f6 +index 0000000..a0e0eaf --- /dev/null +++ b/openhpid.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,67 @@ +policy_module(openhpid, 1.0.0) + +######################################## @@ -64458,6 +64466,9 @@ index 0000000..b4f88f6 +type openhpid_initrc_exec_t; +init_script_file(openhpid_initrc_exec_t) + ++type openhpid_log_t; ++logging_log_file(openhpid_log_t) ++ +type openhpid_var_lib_t; +files_type(openhpid_var_lib_t) + 
@@ -64478,6 +64489,10 @@ index 0000000..b4f88f6 +allow openhpid_t self:tcp_socket create_stream_socket_perms; +allow openhpid_t self:udp_socket create_socket_perms; + ++ ++manage_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t) ++logging_log_filetrans(openhpid_t, openhpid_log_t, file) ++ +manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t) +manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t) +files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file }) @@ -68409,10 +68424,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..5eb733c +index 0000000..a9ca49d --- /dev/null +++ b/pcp.te -@@ -0,0 +1,279 @@ +@@ -0,0 +1,285 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -68565,6 +68580,10 @@ index 0000000..5eb733c +userdom_read_user_tmp_files(pcp_pmcd_t) + +optional_policy(` ++ cron_read_pid_files(pcp_pmcd_t) ++') ++ ++optional_policy(` + docker_manage_lib_files(pcp_pmcd_t) +') + @@ -68681,8 +68700,10 @@ index 0000000..5eb733c +allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read }; + +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; ++allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms; + +kernel_read_system_state(pcp_pmlogger_t) ++kernel_read_network_state(pcp_pmlogger_t) + +corecmd_exec_bin(pcp_pmlogger_t) + @@ -96579,7 +96600,7 @@ index 3df2a0f..7264d8a 100644 -/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) +/usr/lib/systemd/system/sanlk-resetd\.service -- gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0) diff --git a/sanlock.if b/sanlock.if -index cd6c213..372c7bb 100644 +index cd6c213..6d3cdc4 100644 --- a/sanlock.if +++ b/sanlock.if @@ -1,4 +1,6 @@ 
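Review bot: `manage_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)` gives the daemon create/write/rename/unlink on its own log files, which is more than a log writer needs and lets a compromised openhpid erase its own trail; unless openhpid truncates or rotates these files itself, `append_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)` plus `create_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)` is the usual least-privilege pairing and still satisfies the `logging_log_filetrans` below it. The two consecutive blank lines introduced before the new block should also be collapsed to one. The openhpid_t rule set continues outside this hunk.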
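Review bot: The new `allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;` is placed after the `connectto` rule to pcp_pmcd_t rather than next to the other `self:` socket rule two lines above (`allow pcp_pmlogger_t self:netlink_route_socket …`); grouping the self rules together is the convention the rest of this block follows and keeps the domain's own-object permissions readable in one place. Likewise `kernel_read_network_state(pcp_pmlogger_t)` sits correctly beside `kernel_read_system_state`, so only the socket line needs moving. The pcp_pmlogger_t rules continue outside this hunk.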
@@ -96683,7 +96704,7 @@ index cd6c213..372c7bb 100644 ## ## ## -@@ -97,21 +120,125 @@ interface(`sanlock_stream_connect',` +@@ -97,21 +120,121 @@ interface(`sanlock_stream_connect',` # interface(`sanlock_admin',` gen_require(` @@ -96803,11 +96824,7 @@ index cd6c213..372c7bb 100644 - logging_search_logs($1) - admin_pattern($1, sanlock_log_t) -+ sanlk_resetd_systemctl($1) -+ admin_pattern($1, sanlk_resetd_unit_file_t) -+ allow $1 sanlk_resetd_unit_file_t:service all_service_perms; -+ -+ sanlk_resetd_systemctl($1) ++ sanlock_systemctl_sanlk_resetd($1) + admin_pattern($1, sanlk_resetd_unit_file_t) + allow $1 sanlk_resetd_unit_file_t:service all_service_perms; + optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index d20db5d..7f21cb5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191%{?dist}.2 +Release: 191%{?dist}.3 License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
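Review bot: After `sanlock_systemctl_sanlk_resetd($1)` the interface still grants `allow $1 sanlk_resetd_unit_file_t:service all_service_perms;` directly; if the systemctl interface already allows the `service` class on that unit file, the explicit rule is redundant, and if it does not, `all_service_perms` is broader than the `manage_service_perms` admin interfaces usually hand out — one of the two should go. `sanlk_resetd_unit_file_t` also has to be listed in `sanlock_admin`'s `gen_require`, which is outside this hunk. The interface body continues past the hunk.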
@@ -645,6 +645,23 @@ exit 0
 %endif
 
 %changelog
+* Tue Jun 28 2016 Lukas Vrabec 3.13.1-191.3
+- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
+- Allow glusterd daemon to get systemd status
+- Allow logrotate dbus-chat with system_logind daemon
+- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
+- Add interface cron_read_pid_files()
+- Allow pcp_pmlogger to create unix dgram sockets
+- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
+- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
+- Create label for openhpid log files.
+- Label /var/lib/ganglia as httpd_var_lib_t
+- Allow firewalld_t to create entries in net_conf_t dirs.
+- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
+- Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file.
+- Label /etc/dhcp/scripts dir as bin_t
+- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
+
 * Wed Jun 22 2016 Lukas Vrabec 3.13.1-191.2
 - Allow firewalld_t to create entries in net_conf_t dirs.
 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals