From afbac82e0d0e605a42246a551ec032d568beb9fd Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 12 2014 08:19:37 +0000 Subject: * Sat Apr 11 2014 Lukas Vrabec 3.12.1-154 - Allow all freeipmi domains to read/write ipmi devices - Allow sblim_sfcbd to use also pegasus-https port - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Allow docker to status any unit file and allow it to start generic unit files --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 3c28671..80d8251 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -33061,7 +33061,7 @@ index 0d4c8d3..3a3ec52 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..7ca1e9e 100644 +index 9e54bf9..4917c6e 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -33074,7 +33074,7 @@ index 9e54bf9..7ca1e9e 100644 type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) -@@ -72,14 +75,18 @@ role system_r types setkey_t; +@@ -72,24 +75,32 @@ role system_r types setkey_t; # ipsec Local policy # @@ -33096,8 +33096,10 @@ index 9e54bf9..7ca1e9e 100644 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) + allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; + read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) ++filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets") allow ipsec_t ipsec_key_file_t:dir list_dir_perms; -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) 
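Review bot: The added `filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")` is more than a labeling rule — in refpolicy's misc_patterns.spt that macro, if I recall it correctly, also expands to `allow $1 $2:dir rw_dir_perms;`, so ipsec_t silently gains add_name/remove_name on ipsec_conf_file_t directories where every other rule in this hunk grants only list_dir_perms and read. For the transition to fire ipsec_t additionally needs `create` on ipsec_key_file_t:file, and this same hunk shows the distro patch dropping `manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)`, so unless a replacement grant sits outside this hunk the new rule never triggers. The change is also not listed in the 3.12.1-154 changelog. I would annotate the rule so the intent survives: `# anything ipsec_t creates as "ipsec.secrets" under ipsec_conf_file_t gets ipsec_key_file_t, not the conf label`; the ipsec_t local-policy section continues outside the hunk.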
@@ -33109,7 +33111,7 @@ index 9e54bf9..7ca1e9e 100644 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -110,10 +121,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -33122,7 +33124,7 @@ index 9e54bf9..7ca1e9e 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +139,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -33152,7 +33154,7 @@ index 9e54bf9..7ca1e9e 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,24 +170,33 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -33187,7 +33189,7 @@ index 9e54bf9..7ca1e9e 100644 seutil_sigchld_newrole(ipsec_t) ') -@@ -187,10 +208,10 @@ optional_policy(` +@@ -187,10 +209,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -33202,7 +33204,7 @@ index 9e54bf9..7ca1e9e 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +230,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) 
@@ -33218,7 +33220,7 @@ index 9e54bf9..7ca1e9e 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +270,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -33235,7 +33237,7 @@ index 9e54bf9..7ca1e9e 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +289,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -33244,7 +33246,7 @@ index 9e54bf9..7ca1e9e 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -33256,7 +33258,7 @@ index 9e54bf9..7ca1e9e 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -33284,7 +33286,7 @@ index 9e54bf9..7ca1e9e 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +363,10 @@ optional_policy(` +@@ -322,6 +364,10 @@ optional_policy(` ') optional_policy(` @@ -33295,7 +33297,7 @@ index 9e54bf9..7ca1e9e 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +380,7 @@ optional_policy(` +@@ -335,7 +381,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; 
@@ -33304,7 +33306,7 @@ index 9e54bf9..7ca1e9e 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -33324,7 +33326,7 @@ index 9e54bf9..7ca1e9e 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -33337,7 +33339,7 @@ index 9e54bf9..7ca1e9e 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 7665122..8370211 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -11897,7 +11897,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index 914ee2d..7d723c0 100644 +index 914ee2d..d0c8001 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -11928,7 +11928,7 @@ index 914ee2d..7d723c0 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) 
@@ -11936,6 +11936,7 @@ index 914ee2d..7d723c0 100644 + +dev_read_rand(chronyd_t) +dev_read_urand(chronyd_t) ++dev_read_sysfs(chronyd_t) + dev_rw_realtime_clock(chronyd_t) @@ -26678,7 +26679,7 @@ index 0000000..9715f27 + diff --git a/freeipmi.te b/freeipmi.te new file mode 100644 -index 0000000..8071a76 +index 0000000..0710d79 --- /dev/null +++ b/freeipmi.te @@ -0,0 +1,75 @@ @@ -26724,6 +26725,7 @@ index 0000000..8071a76 + +dev_read_rand(freeipmi_domain) +dev_read_urand(freeipmi_domain) ++dev_rw_ipmi_dev(freeipmi_domain) + +sysnet_dns_name_resolve(freeipmi_domain) + @@ -26734,7 +26736,6 @@ index 0000000..8071a76 + +files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid") + -+dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t) + +allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms; + @@ -73778,7 +73779,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..7d5630f 100644 +index 3698b51..7c4b65b 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -73800,7 +73801,7 @@ index 3698b51..7d5630f 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,50 +43,85 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +@@ -38,56 +43,93 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) 
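Review bot: `dev_read_sysfs(chronyd_t)` grants read on all of sysfs_t, which is far wider than the single hwmon file the 3.12.1-154 changelog cites (/sys/class/hwmon/hwmon1/device/temp2_input). Stock policy labels sysfs with one type, so a narrower grant is probably not available, but the rule should record why it exists so a later cleanup does not tighten it away: `# chronyd reads hwmon temperature sensors under /sys/class/hwmon (tempcomp, presumably)`. The chronyd_t section continues outside the hunk.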
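Review bot: Moving `dev_rw_ipmi_dev` from freeipmi_bmc_watchdog_t to the freeipmi_domain attribute gives every domain carrying that attribute read/write on the IPMI device nodes, i.e. raw BMC access; the hunk shows bmc_watchdog and ipmiseld, any further freeipmi domains are outside this view. That matches the changelog entry, but the rule now sits between the random-device and DNS grants with nothing marking it as the privileged one in the list. A one-line comment would help: `# every freeipmi daemon opens the ipmi_device_t nodes directly; this is raw BMC access`.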
@@ -73895,15 +73896,15 @@ index 3698b51..7d5630f 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -89,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; + allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; - allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; - -+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; ++allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms; + ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) + corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) - corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) @@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -87132,7 +87133,7 @@ index 98c9e0a..d4aa009 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..20f5040 100644 +index 4a23d84..5a90acf 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) @@ -87238,7 +87239,7 @@ index 4a23d84..20f5040 100644 ') optional_policy(` -@@ -117,6 +133,33 @@ optional_policy(` +@@ -117,6 +133,35 @@ optional_policy(` # Reposd local policy # @@ -87267,6 +87268,8 @@ index 4a23d84..20f5040 100644 + +corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t) +corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t) ++corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) ++corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t) + +dev_read_rand(sblim_sfcbd_t) +dev_read_urand(sblim_sfcbd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7c5c00f..a2a9f1a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
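Review bot: Replacing `append_file_perms` with `manage_file_perms` for rabbitmq_epmd_t on rabbitmq_var_log_t turns an append-only log grant into create/unlink/rename/setattr/write, so a compromised port mapper (the context below shows it binding the epmd port) could truncate or delete RabbitMQ's logs — precisely what the original append-only rule protected against. If the denial that motivated this was only `create` or `write`, `allow rabbitmq_epmd_t rabbitmq_var_log_t:file { create rw_file_perms };` covers it without unlink/rename/setattr; the full manage grant on the beam domain two lines down is a separate matter. Recording the AVC in the commit would make the widening reviewable, and note the changelog names the type `rabbit_var_log_t` while the rule uses `rabbitmq_var_log_t`.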
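Review bot: The new https-port rules give sblim_sfcbd_t both `bind` and `connect` on the pegasus-https port, mirroring the http pair above them; a listening daemon needs bind, while connect is only warranted if sfcbd dials itself or a local pegasus instance. If that client role is not needed, `corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)` should be dropped so a compromised sfcbd cannot be used as a pivot to a local CIM server. If it is needed, a comment above the four port lines naming which component connects back would make the bind/connect pairing less surprising. The sfcbd local-policy section continues outside the hunk.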
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 153%{?dist} +Release: 154%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Sat Apr 11 2014 Lukas Vrabec 3.12.1-154 +- Allow all freeipmi domains to read/write ipmi devices +- Allow sblim_sfcbd to use also pegasus-https port +- Allow rabbitmq_epmd to manage rabbit_var_log_t files +- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input +- Allow docker to status any unit file and allow it to start generic unit files + * Wed Apr 9 2014 Miroslav Grepl 3.12.1-153 - Back port puppet fixes from rawhide - Allow automount to getattr all files