From b1d8816d9423900a61460954846bb6498ee01638 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: May 25 2016 10:43:21 +0000 Subject: * Wed May 25 2016 Lukas Vrabec 3.13.1-189 - Add SELinux policy for opendnssec service. BZ(1333106) - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106) - Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index d80d875..2d9fea1 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 88a051e..37ccaec 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -9549,7 +9549,7 @@ index 2b9a3a1..49accb6 100644 +/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +') diff --git a/bind.if b/bind.if -index 531a8f2..0b86f2f 100644 +index 531a8f2..3fcf187 100644 --- a/bind.if +++ b/bind.if @@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',` @@ -9617,7 +9617,7 @@ index 531a8f2..0b86f2f 100644 ## Search bind cache directories. ## ## -@@ -310,6 +354,27 @@ interface(`bind_read_zone',` +@@ -310,6 +354,47 @@ interface(`bind_read_zone',` ######################################## ## @@ -9642,10 +9642,30 @@ index 531a8f2..0b86f2f 100644 + +######################################## +## ++## Create, read, write, and delete ++## bind zone files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_manage_zone_dirs',` ++ gen_require(` ++ type named_zone_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 named_zone_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ## Create, read, write, and delete ## bind zone files. ## -@@ -344,6 +409,25 @@ interface(`bind_udp_chat_named',` +@@ -344,6 +429,25 @@ interface(`bind_udp_chat_named',` ######################################## ## 
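Review bot: The summary on the new `bind_manage_zone_dirs` interface is carried over from `bind_manage_zone` and still says "bind zone files", while the rule it grants is `allow $1 named_zone_t:dir manage_dir_perms;`. A reader of the generated interface documentation would not learn that this lets a domain create, rename and remove directories of type named_zone_t, which is a different grant from file access. I would change the summary to `## Create, read, write, and delete` / `## bind zone directories.` so the two interfaces can be told apart when auditing who holds write access to the zone tree.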
@@ -9671,28 +9691,28 @@ index 531a8f2..0b86f2f 100644 ## All of the rules required to ## administrate an bind environment. ## -@@ -364,11 +448,17 @@ interface(`bind_admin',` +@@ -364,11 +468,17 @@ interface(`bind_admin',` type named_t, named_tmp_t, named_log_t; type named_cache_t, named_zone_t, named_initrc_exec_t; type dnssec_t, ndc_t, named_conf_t, named_var_run_t; - type named_keytab_t; + type named_keytab_t, named_unit_file_t; -+ ') -+ + ') + +- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { named_t ndc_t }) + allow $1 named_t:process signal_perms; + ps_process_pattern($1, named_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 named_t:process ptrace; - ') - -- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { named_t ndc_t }) ++ ') ++ + bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) domain_system_change_exemption($1) -@@ -384,11 +474,15 @@ interface(`bind_admin',` +@@ -384,11 +494,15 @@ interface(`bind_admin',` files_list_etc($1) admin_pattern($1, { named_keytab_t named_conf_t }) @@ -9710,7 +9730,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..dcaf16b 100644 +index 1241123..bf5ad4a 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9800,10 +9820,14 @@ index 1241123..dcaf16b 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +206,13 @@ optional_policy(` +@@ -187,7 +206,17 @@ optional_policy(` ') optional_policy(` ++ ipa_manage_lib(named_t) ++') ++ ++optional_policy(` + ipsec_rw_inherited_pipes(named_t) +') + @@ -9814,7 +9838,7 @@ index 1241123..dcaf16b 100644 kerberos_use(named_t) ') -@@ -215,7 +240,8 @@ optional_policy(` +@@ -215,7 +244,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; 
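Review bot: `ipa_manage_lib(named_t)` in the bind.te section gives the name server domain manage-level access to IPA library content with no comment on which files it has to write. The body of `ipa_manage_lib` is not part of this diff, so the exact types and object classes cannot be checked here. Manage access in the reference-policy patterns normally includes create and unlink, which is more than a consumer of key material needs if it only reads. I would add a line such as `# named_t writes <path under the IPA lib dir> for DNSSEC key sync, BZ(1333106)` above the call, or switch to a read-only interface if the audit log shows only reads. The same call is added for opendnssec_t at the end of the new opendnssec.te, and the question applies there too.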
@@ -9824,7 +9848,7 @@ index 1241123..dcaf16b 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +255,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +259,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9836,7 +9860,7 @@ index 1241123..dcaf16b 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +267,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +271,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9846,7 +9870,7 @@ index 1241123..dcaf16b 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +285,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +289,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -37977,14 +38001,19 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..ce135f3 +index 0000000..e1ddda0 --- /dev/null 
+++ b/ipa.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,19 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + ++/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) ++ +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + ++/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) ++/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) ++ +/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) +/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) +/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) @@ -38181,10 +38210,10 @@ index 0000000..904782d +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..af46439 +index 0000000..5fad85e --- /dev/null +++ b/ipa.te -@@ -0,0 +1,130 @@ +@@ -0,0 +1,195 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38201,9 +38230,16 @@ index 0000000..af46439 +type ipa_otpd_exec_t; +init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) + ++type ipa_dnskey_t, ipa_domain; ++type ipa_dnskey_exec_t; ++init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t) ++ +type ipa_otpd_unit_file_t; +systemd_unit_file(ipa_otpd_unit_file_t) + ++type ipa_dnskey_unit_file_t; ++systemd_unit_file(ipa_dnskey_unit_file_t) ++ +type ipa_log_t; +logging_log_file(ipa_log_t) + @@ -38220,6 +38256,9 @@ index 0000000..af46439 +init_system_domain(ipa_helper_t, ipa_helper_exec_t) +role ipa_helper_roles types ipa_helper_t; + ++type ipa_tmp_t; ++files_tmp_file(ipa_tmp_t) ++ +######################################## +# +# ipa_otpd local policy 
@@ -38315,6 +38354,61 @@ index 0000000..af46439 +optional_policy(` + sssd_manage_lib_files(ipa_helper_t) +') ++ ++######################################## ++# ++# ipa-dnskey local policy ++# ++allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms; ++allow ipa_dnskey_t self:udp_socket create_socket_perms; ++allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms; ++allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read }; ++ ++manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) ++setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) ++list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) ++ ++manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t) ++files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file }) ++ ++kernel_dgram_send(ipa_dnskey_t) ++ ++auth_use_nsswitch(ipa_dnskey_t) ++ ++corecmd_exec_bin(ipa_dnskey_t) ++corecmd_exec_shell(ipa_dnskey_t) ++ ++corenet_tcp_bind_generic_node(ipa_dnskey_t) ++corenet_tcp_connect_kerberos_port(ipa_dnskey_t) ++corenet_tcp_connect_rndc_port(ipa_dnskey_t) ++ ++dev_read_rand(ipa_dnskey_t) ++ ++libs_exec_ldconfig(ipa_dnskey_t) ++ ++logging_send_syslog_msg(ipa_dnskey_t) ++ ++miscfiles_read_certs(ipa_dnskey_t) ++ ++sysnet_read_config(ipa_dnskey_t) ++ ++optional_policy(` ++ bind_domtrans_ndc(ipa_dnskey_t) ++ bind_read_dnssec_keys(ipa_dnskey_t) ++ bind_manage_zone(ipa_dnskey_t) ++ bind_manage_zone_dirs(ipa_dnskey_t) ++') ++ ++optional_policy(` ++ dirsrv_stream_connect(ipa_dnskey_t) ++') ++ ++optional_policy(` ++ opendnssec_domtrans(ipa_dnskey_t) ++ opendnssec_manage_config(ipa_dnskey_t) ++ opendnssec_manage_var_files(ipa_dnskey_t) ++ opendnssec_filetrans_etc_content(ipa_dnskey_t) ++') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 index 0000000..caf1fe5 
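Review bot: `corecmd_exec_shell(ipa_dnskey_t)` and `corecmd_exec_bin(ipa_dnskey_t)` let the daemon run a shell and generic binaries inside ipa_dnskey_t without a transition, so anything started that way inherits the rest of this block: `bind_manage_zone`, `bind_manage_zone_dirs`, `bind_read_dnssec_keys`, `opendnssec_manage_config` and `opendnssec_manage_var_files`. That places write access to zone data and to the signer's configuration, plus read access to DNSSEC keys, behind whatever the daemon executes. The block has no comment saying which helper needs the shell. I would add one, e.g. `# shell needed by <helper invoked by ipa-dnskeysyncd>`, and drop `corecmd_exec_shell` if no denial in the audit log calls for it.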
@@ -63355,6 +63449,299 @@ index 3b6920e..3e9b17f 100644 userdom_dontaudit_use_unpriv_user_fds(openct_t) userdom_dontaudit_search_user_home_dirs(openct_t) +diff --git a/opendnssec.fc b/opendnssec.fc +new file mode 100644 +index 0000000..08d0e79 +--- /dev/null ++++ b/opendnssec.fc +@@ -0,0 +1,14 @@ ++/usr/lib/systemd/system/ods-enforcerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0) ++ ++/usr/lib/systemd/system/ods-signerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0) ++ ++/usr/sbin/ods-control -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++/usr/sbin/ods-enforcerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++/usr/sbin/ods-signer -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++/usr/sbin/ods-signerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++ ++/etc/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_conf_t,s0) ++ ++/var/run/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_run_t,s0) ++ ++/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) +diff --git a/opendnssec.if b/opendnssec.if +new file mode 100644 +index 0000000..fb0141d +--- /dev/null ++++ b/opendnssec.if +@@ -0,0 +1,206 @@ ++ ++## policy for opendnssec ++ ++######################################## ++## ++## Execute opendnssec_exec_t in the opendnssec domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`opendnssec_domtrans',` ++ gen_require(` ++ type opendnssec_t, opendnssec_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, opendnssec_exec_t, opendnssec_t) ++') ++ ++###################################### ++## ++## Execute opendnssec in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`opendnssec_exec',` ++ gen_require(` ++ type opendnssec_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, opendnssec_exec_t) ++') ++ ++######################################## ++## ++## Read the opendnssec configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opendnssec_read_config',` ++ gen_require(` ++ type opendnssec_conf_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 opendnssec_conf_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read the opendnssec configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opendnssec_manage_config',` ++ gen_require(` ++ type opendnssec_conf_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 opendnssec_conf_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Allow the specified domain to ++## read and write opendnssec /var files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opendnssec_manage_var_files',` ++ gen_require(` ++ type opendnssec_var_t; ++ ') ++ ++ files_search_var($1) ++ files_search_var_lib($1) ++ manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t) ++') ++ ++######################################## ++## ++## Read opendnssec PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opendnssec_read_pid_files',` ++ gen_require(` ++ type opendnssec_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t) ++') ++ ++######################################## ++## ++## Execute opendnssec server in the opendnssec domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`opendnssec_systemctl',` ++ gen_require(` ++ type opendnssec_t; ++ type opendnssec_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 opendnssec_unit_file_t:file read_file_perms; ++ allow $1 opendnssec_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, opendnssec_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an opendnssec environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`opendnssec_admin',` ++ gen_require(` ++ type opendnssec_t; ++ type opendnssec_var_run_t; ++ type opendnssec_unit_file_t; ++ ') ++ ++ allow $1 opendnssec_t:process { signal_perms }; ++ ps_process_pattern($1, opendnssec_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 opendnssec_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, opendnssec_var_run_t) ++ ++ opendnssec_systemctl($1) ++ admin_pattern($1, opendnssec_unit_file_t) ++ allow $1 opendnssec_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') ++ ++######################################## ++## ++## Transition to quota named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`opendnssec_filetrans_etc_content',` ++ gen_require(` ++ type opendnssec_conf_t; ++ ') ++ ++ files_etc_filetrans($1, opendnssec_conf_t, file) ++') +diff --git a/opendnssec.te b/opendnssec.te +new file mode 100644 +index 0000000..a0e817d +--- /dev/null ++++ b/opendnssec.te +@@ -0,0 +1,55 @@ ++policy_module(opendnssec, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type opendnssec_t; ++type opendnssec_exec_t; ++init_daemon_domain(opendnssec_t, opendnssec_exec_t) ++ ++type opendnssec_conf_t; ++files_config_file(opendnssec_conf_t) ++ ++type opendnssec_var_t; ++files_type(opendnssec_var_t) ++ ++type opendnssec_var_run_t; ++files_pid_file(opendnssec_var_run_t) ++ ++type opendnssec_unit_file_t; ++systemd_unit_file(opendnssec_unit_file_t) ++ ++######################################## ++# ++# opendnssec local policy ++# ++allow opendnssec_t self:capability { chown setgid setuid sys_chroot }; ++allow opendnssec_t self:process { fork signal_perms }; ++allow opendnssec_t self:fifo_file rw_fifo_file_perms; ++allow opendnssec_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) ++manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) ++ ++manage_dirs_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t) ++manage_files_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t) ++files_var_filetrans(opendnssec_t, opendnssec_var_t, dir) ++ ++manage_dirs_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++manage_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++manage_lnk_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file }) ++ ++auth_use_nsswitch(opendnssec_t) ++ ++corecmd_exec_bin(opendnssec_t) ++ 
++logging_send_syslog_msg(opendnssec_t) ++ ++optional_policy(` ++ ipa_manage_lib(opendnssec_t) ++') ++ diff --git a/openfortivpn.fc b/openfortivpn.fc new file mode 100644 index 0000000..2e4dd3f @@ -86800,15 +87187,16 @@ index 6cf79c4..1a605f9 100644 ') diff --git a/rhev.fc b/rhev.fc new file mode 100644 -index 0000000..4b66adf +index 0000000..013d1d9 --- /dev/null +++ b/rhev.fc -@@ -0,0 +1,13 @@ +@@ -0,0 +1,14 @@ +/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) + +/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) + +/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) + diff --git a/selinux-policy.spec b/selinux-policy.spec index cb9ffd3..f9984ec 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 188%{?dist} +Release: 189%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -645,6 +645,11 @@ exit 0 %endif %changelog +* Wed May 25 2016 Lukas Vrabec 3.13.1-189 +- Add SELinux policy for opendnssec service. BZ(1333106) +- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106) +- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t + * Tue May 24 2016 Lukas Vrabec 3.13.1-188 - Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t - Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
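Review bot: `files_etc_filetrans($1, opendnssec_conf_t, file)` in `opendnssec_filetrans_etc_content` carries no file name, so every regular file the calling domain creates directly in an etc_t directory is labelled opendnssec_conf_t, not only OpenDNSSEC's own files; the only caller visible in this commit is ipa_dnskey_t. Passing the expected name as the fourth argument, `files_etc_filetrans($1, opendnssec_conf_t, file, "<expected file name>")`, would limit the transition to the intended file. Three summaries in the same new opendnssec.if are also copied from elsewhere and misstate the grant: `opendnssec_manage_config` says "Read the opendnssec configuration files." but allows `manage_file_perms`, `opendnssec_filetrans_etc_content` says "Transition to quota named content", and `opendnssec_systemctl` says it executes the server in the opendnssec domain. I would reword them to `## Manage the opendnssec configuration files.`, `## Create files in /etc with the opendnssec_conf_t type.` and `## Execute systemctl to manage the opendnssec services.`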