From c9f447684ad8b16d0af3cc635b9c5479cff3d35f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 14 2017 10:26:24 +0000 Subject: * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-283.1 - Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files - Allow automount domain to manage mount pid files - Allow stunnel_t domain setsched - Add keepalived domain setpgid capability - dbus: add policy for dbus-broker - Revert "Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)" - Allow tomcat domain to connect to mssql port - Fix typo bug in apache module - Label /usr/lib/virt-sysprep/firstboot.sh as virtd_exec_t - Dontaudit that system_mail_t is trying to read /root/ files - Allow mozilla plugin to mmap mozilla tmpfs files - Add creating opasswd file with shadow_t SELinux label in auth_manage_shadow() interface - Allow sysctl_irq_t assciate with proc_t - Allow sshd_t domain to send signull to xdm_t processes - Allow updpwd_t domain auth file name trans - Allow passwd_t domain mmap /etc/shadow and /etc/passwd --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 01fb911..9cc76fd 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f27-base.patch b/policy-f27-base.patch index 766abd1..e242cf8 100644 --- a/policy-f27-base.patch +++ b/policy-f27-base.patch @@ -22769,7 +22769,7 @@ index e100d886b..355a67b18 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c5e..af9ee60b6 100644 +index 8dbab4c5e..2d283007a 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -22832,7 +22832,12 @@ index 8dbab4c5e..af9ee60b6 100644 type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) -@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) +@@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) + + # /proc/irq directory and files + type sysctl_irq_t, sysctl_type; ++fs_associate_proc(sysctl_irq_t) + genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) # /proc/net/rpc directory and files type sysctl_rpc_t, sysctl_type; @@ -22840,7 +22845,7 @@ index 8dbab4c5e..af9ee60b6 100644 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) # /proc/sys/crypto directory and files -@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) +@@ -133,14 +164,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) @@ -22855,7 +22860,7 @@ index 8dbab4c5e..af9ee60b6 100644 # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) -@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -153,6 +176,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) 
@@ -22866,7 +22871,7 @@ index 8dbab4c5e..af9ee60b6 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +192,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -22881,7 +22886,7 @@ index 8dbab4c5e..af9ee60b6 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +223,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +224,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -22889,7 +22894,7 @@ index 8dbab4c5e..af9ee60b6 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +269,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -22897,7 +22902,7 @@ index 8dbab4c5e..af9ee60b6 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +278,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +279,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) 
@@ -22928,7 +22933,7 @@ index 8dbab4c5e..af9ee60b6 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +306,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +307,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -22938,7 +22943,7 @@ index 8dbab4c5e..af9ee60b6 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,13 +321,23 @@ files_list_root(kernel_t) +@@ -277,13 +322,23 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -22962,7 +22967,7 @@ index 8dbab4c5e..af9ee60b6 100644 ifdef(`distro_redhat',` # Bugzilla 222337 -@@ -291,11 +345,29 @@ ifdef(`distro_redhat',` +@@ -291,11 +346,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -22992,7 +22997,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') optional_policy(` -@@ -305,6 +377,19 @@ optional_policy(` +@@ -305,6 +378,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -23012,7 +23017,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') optional_policy(` -@@ -312,6 +397,11 @@ optional_policy(` +@@ -312,6 +398,11 @@ optional_policy(` ') optional_policy(` @@ -23024,7 +23029,7 @@ index 8dbab4c5e..af9ee60b6 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +422,6 @@ optional_policy(` +@@ -332,9 +423,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -23034,7 +23039,7 @@ index 8dbab4c5e..af9ee60b6 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +430,7 @@ optional_policy(` +@@ -343,9 +431,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
@@ -23045,7 +23050,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +439,7 @@ optional_policy(` +@@ -354,7 +440,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -23054,7 +23059,7 @@ index 8dbab4c5e..af9ee60b6 100644 ') ') -@@ -364,9 +449,22 @@ optional_policy(` +@@ -364,9 +450,22 @@ optional_policy(` ') optional_policy(` @@ -23077,7 +23082,7 @@ index 8dbab4c5e..af9ee60b6 100644 ######################################## # # Unlabeled process local policy -@@ -388,6 +486,8 @@ optional_policy(` +@@ -388,6 +487,8 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; @@ -23086,7 +23091,7 @@ index 8dbab4c5e..af9ee60b6 100644 # load_module() calls stop_machine() which # calls sched_setscheduler() allow can_load_kernmodule self:capability sys_nice; -@@ -399,14 +499,38 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +500,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -29351,7 +29356,7 @@ index fe0c68272..79d568a54 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7b0..3038b0862 100644 +index cc877c7b0..b14a28d5c 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -29734,7 +29739,7 @@ index cc877c7b0..3038b0862 100644 rpm_use_script_fds(sshd_t) ') -@@ -289,13 +379,93 @@ optional_policy(` +@@ -289,13 +379,94 @@ optional_policy(` ') optional_policy(` @@ -29776,6 +29781,7 @@ index cc877c7b0..3038b0862 100644 + +optional_policy(` xserver_domtrans_xauth(sshd_t) ++ xserver_xdm_signull(sshd_t) ') +ifdef(`TODO',` 
@@ -29828,7 +29834,7 @@ index cc877c7b0..3038b0862 100644 ######################################## # # ssh_keygen local policy -@@ -304,19 +474,33 @@ optional_policy(` +@@ -304,19 +475,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -29863,7 +29869,7 @@ index cc877c7b0..3038b0862 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -332,7 +516,9 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -332,7 +517,9 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) @@ -29873,7 +29879,7 @@ index cc877c7b0..3038b0862 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +527,150 @@ optional_policy(` +@@ -341,3 +528,150 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -30194,7 +30200,7 @@ index 8274418c6..a47fd0b4d 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc2d..29db5fd25 100644 +index 6bf0ecc2d..75b2f31f9 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ @@ -31197,7 +31203,32 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1135,6 +1456,24 @@ interface(`xserver_signal',` + + ######################################## + ## ++## Send a null signal to xdm processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_signull',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:process signull; ++') ++ ++######################################## ++## + ## Kill X servers + ## + ## +@@ -1210,6 +1549,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## 
@@ -31223,7 +31254,7 @@ index 6bf0ecc2d..29db5fd25 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -31250,7 +31281,7 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -31259,7 +31290,7 @@ index 6bf0ecc2d..29db5fd25 100644 ## ## ## -@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -31288,7 +31319,7 @@ index 6bf0ecc2d..29db5fd25 100644 ') ######################################## -@@ -1284,10 +1658,662 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -33742,7 +33773,7 @@ index 247958765..890e1e293 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b669..190c29841 100644 +index 3efd5b669..a8cb6df3d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -34057,7 +34088,7 @@ index 3efd5b669..190c29841 100644 ## Read the shadow passwords file (/etc/shadow) ## ## -@@ -664,6 +777,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +777,11 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -34065,10 +34096,11 @@ index 3efd5b669..190c29841 100644 + files_var_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, "gshadow") + files_etc_filetrans($1, shadow_t, file, "nshadow") ++ files_etc_filetrans($1, shadow_t, file, "opasswd") ') ####################################### -@@ -763,7 +880,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +881,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -34120,7 +34152,7 @@ index 3efd5b669..190c29841 100644 ') ####################################### -@@ -824,9 +984,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +985,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -34151,7 +34183,7 @@ index 3efd5b669..190c29841 100644 ## ## ## -@@ -834,12 +1014,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +1015,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -34182,7 +34214,7 @@ index 3efd5b669..190c29841 100644 ') ######################################## -@@ -854,15 +1049,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1050,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -34201,7 +34233,7 @@ index 3efd5b669..190c29841 100644 ## ## ## -@@ -875,13 +1070,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1071,33 @@ interface(`auth_signal_pam',` ## ## # @@ -34239,7 +34271,7 @@ index 3efd5b669..190c29841 100644 ') ######################################## -@@ -959,9 +1174,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1175,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
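Review bot: The new `files_etc_filetrans($1, shadow_t, file, "opasswd")` line fixes the label only at creation time; the file stays shadow_t across a relabel only if authlogin.fc also lists the opasswd path as shadow_t, otherwise restorecon moves the PAM password-history file back to etc_t and its hashes become readable by every domain with generic etc read access. That fc entry is not visible in this commit, so please confirm it exists before this ships. The transition is keyed on the file name alone and so fires in any etc_t directory, which matches the gshadow/nshadow lines above it. auth_manage_shadow continues outside the hunk.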
@@ -34273,7 +34305,7 @@ index 3efd5b669..190c29841 100644 ') ######################################## -@@ -1040,6 +1276,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1277,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -34284,7 +34316,7 @@ index 3efd5b669..190c29841 100644 ') ######################################## -@@ -1176,6 +1416,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1417,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -34292,7 +34324,7 @@ index 3efd5b669..190c29841 100644 ') ####################################### -@@ -1576,6 +1817,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1818,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -34318,7 +34350,7 @@ index 3efd5b669..190c29841 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1986,63 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1987,63 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -34386,7 +34418,7 @@ index 3efd5b669..190c29841 100644 ') ######################################## -@@ -1767,11 +2066,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +2067,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -34403,7 +34435,7 @@ index 3efd5b669..190c29841 100644 ') ######################################## -@@ -1805,3 +2106,298 @@ interface(`auth_unconfined',` +@@ -1805,3 +2107,298 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') diff --git a/policy-f27-contrib.patch b/policy-f27-contrib.patch index 8e51ee1..93a3a6c 100644 
--- a/policy-f27-contrib.patch +++ b/policy-f27-contrib.patch @@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962b6..a6b4312e6 100644 +index 6649962b6..1a0189a44 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6828,7 +6828,7 @@ index 6649962b6..a6b4312e6 100644 avahi_dbus_chat(httpd_t) ') + -+ tunable_policy(`httpd_dbus_sssd', ++ tunable_policy(`httpd_dbus_sssd',` + sssd_dbus_chat(httpd_t) + ') ') @@ -9010,7 +9010,7 @@ index f24e36960..4484a98da 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f400b..1297f5bbe 100644 +index 27d2f400b..f74f75f1b 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; @@ -9065,7 +9065,7 @@ index 27d2f400b..1297f5bbe 100644 fs_search_all(automount_t) fs_search_auto_mountpoints(automount_t) fs_unmount_all_fs(automount_t) -@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t) +@@ -135,15 +139,19 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -9082,13 +9082,14 @@ index 27d2f400b..1297f5bbe 100644 + mount_domtrans(automount_t) + mount_domtrans_showmount(automount_t) + mount_signal(automount_t) ++ mount_rw_pid_files(automount_t) +') + +optional_policy(` fstools_domtrans(automount_t) ') -@@ -166,3 +173,8 @@ optional_policy(` +@@ -166,3 +174,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -22522,10 +22523,10 @@ index f55c42082..e9d64ab5f 100644 - -miscfiles_read_localization(dbskkd_t) diff --git a/dbus.fc b/dbus.fc -index dda905b9c..558729530 100644 +index dda905b9c..60806a524 100644 --- a/dbus.fc +++ b/dbus.fc -@@ -1,20 +1,29 @@ +@@ -1,20 +1,31 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) 
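Review bot: `mount_rw_pid_files(automount_t)` grants read/write on mount's pid files, which is narrower than the "manage mount pid files" wording used in the commit message and spec changelog; the narrower grant is the right one, so the changelog line should say rw rather than manage so that a later audit of this permission matches the policy. The call is correctly placed with the other mount_* calls inside the mount `optional_policy(` block, whose opening line is outside the hunk.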
@@ -22541,6 +22542,8 @@ index dda905b9c..558729530 100644 -/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) @@ -23505,7 +23508,7 @@ index 62d22cb46..c0c2ed47d 100644 + manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te -index c9998c80d..d8ef03416 100644 +index c9998c80d..d7910970e 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23632,7 +23635,7 @@ index c9998c80d..d8ef03416 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +124,176 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -23654,6 +23657,7 @@ index c9998c80d..d8ef03416 100644 +init_domtrans_script(system_dbusd_t) +init_rw_stream_sockets(system_dbusd_t) +init_status(system_dbusd_t) ++init_start(system_dbusd_t) # needed by dbus-broker logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) @@ -23823,7 +23827,7 @@ index c9998c80d..d8ef03416 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +302,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) 
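Review bot: `init_start(system_dbusd_t) # needed by dbus-broker` lets the whole system bus domain start systemd units, and because dbus.fc in the earlier hunk labels dbus-daemon, dbus-broker and dbus-broker-launch all as dbusd_exec_t, the classic daemon receives the permission too. The trailing comment does not record which operation needs it or why the existing init_domtrans_script/init_status rules were insufficient; a comment such as `# dbus-broker-launch asks systemd to start units on the bus; dbus-daemon shares the type and gets this too` would preserve that reasoning (confirm the exact call path before wording it as fact). If only the broker needs it, a separate exec type for the broker binaries would let the grant be scoped to it. The surrounding system_dbusd_t policy continues outside the hunk.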
@@ -23848,7 +23852,7 @@ index c9998c80d..d8ef03416 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +321,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -23856,7 +23860,7 @@ index c9998c80d..d8ef03416 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +330,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -23898,7 +23902,7 @@ index c9998c80d..d8ef03416 100644 ') ######################################## -@@ -244,5 +367,9 @@ optional_policy(` +@@ -244,5 +368,9 @@ optional_policy(` # Unconfined access to this module # @@ -25814,10 +25818,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..86c5021d6 +index 000000000..22cafcd43 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,211 @@ +@@ -0,0 +1,207 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25982,10 +25986,6 @@ index 000000000..86c5021d6 + systemd_manage_passwd_run(dirsrv_t) +') + -+optional_policy(` -+ rolekit_read_tmp(dirsrv_t) -+') -+ +######################################## +# +# dirsrv-snmp local policy @@ -43317,7 +43317,7 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..923edd01e +index 000000000..e5b8b3bbf --- /dev/null +++ b/keepalived.te @@ -0,0 +1,100 @@ 
@@ -43347,7 +43347,7 @@ index 000000000..923edd01e +# + +allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace }; -+allow keepalived_t self:process { signal_perms }; ++allow keepalived_t self:process { signal_perms setpgid }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_generic_socket create_socket_perms; +allow keepalived_t self:netlink_netfilter_socket create_socket_perms; @@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..3c24a12ef 100644 +index 11ac8e4fc..94822ad40 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -53911,15 +53911,15 @@ index 11ac8e4fc..3c24a12ef 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) - -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) 
@@ -54049,34 +54049,34 @@ index 11ac8e4fc..3c24a12ef 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -54084,7 +54084,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -300,259 +340,258 @@ optional_policy(` +@@ -300,259 +340,260 @@ optional_policy(` ######################################## # 
@@ -54168,13 +54168,15 @@ index 11ac8e4fc..3c24a12ef 100644 -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file dir lnk_file sock_file fifo_file }) +userdom_manage_home_texlive(mozilla_plugin_t) ++allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map; - allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +-allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- + -dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) ++allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) @@ -54489,7 +54491,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -560,7 +599,11 @@ optional_policy(` +@@ -560,7 +601,11 @@ optional_policy(` ') optional_policy(` @@ -54502,7 +54504,7 @@ index 11ac8e4fc..3c24a12ef 100644 ') optional_policy(` -@@ -568,108 +611,144 @@ optional_policy(` +@@ -568,108 +613,144 @@ optional_policy(` ') optional_policy(` @@ -56308,7 +56310,7 @@ index ed81cac5a..cd52baf59 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c6a..94b1dfca7 100644 +index ff1d68c6a..3f662fbef 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -56408,7 +56410,7 @@ index ff1d68c6a..94b1dfca7 100644 procmail_exec(user_mail_domain) ') -@@ -166,57 +166,76 @@ optional_policy(` +@@ -166,57 +166,77 @@ optional_policy(` uucp_manage_spool(user_mail_domain) ') 
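Review bot: `allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map;` is separated from the `fs_tmpfs_filetrans(... mozilla_plugin_tmpfs_t ...)` rule above it by an unrelated `userdom_manage_home_texlive` call; keeping the tmpfs rules adjacent makes the plugin's tmpfs access reviewable in one place. The same change is also listed twice in the changelog ("Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files" and "Allow mozilla plugin to mmap mozilla tmpfs files"), so one of the two entries should be dropped. The mozilla_plugin_t block continues outside the hunk.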
@@ -56461,6 +56463,7 @@ index ff1d68c6a..94b1dfca7 100644 +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) +userdom_dontaudit_list_user_tmp(system_mail_t) ++userdom_dontaudit_read_inherited_admin_home_files(system_mail_t) + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) @@ -56504,7 +56507,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -225,17 +244,21 @@ optional_policy(` +@@ -225,17 +245,21 @@ optional_policy(` ') optional_policy(` @@ -56528,7 +56531,7 @@ index ff1d68c6a..94b1dfca7 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -244,9 +267,10 @@ optional_policy(` +@@ -244,9 +268,10 @@ optional_policy(` ') optional_policy(` @@ -56542,7 +56545,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -258,10 +282,17 @@ optional_policy(` +@@ -258,10 +283,17 @@ optional_policy(` ') optional_policy(` @@ -56560,7 +56563,7 @@ index ff1d68c6a..94b1dfca7 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +303,19 @@ optional_policy(` +@@ -272,6 +304,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -56580,7 +56583,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -279,6 +323,10 @@ optional_policy(` +@@ -279,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -56591,7 +56594,7 @@ index ff1d68c6a..94b1dfca7 100644 userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` -@@ -287,42 +335,36 @@ optional_policy(` +@@ -287,42 +336,36 @@ optional_policy(` ') optional_policy(` 
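Review bot: `userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)` silences the denial rather than deciding whether the read is legitimate, so a mailer handed an open descriptor to a file under /root will no longer leave an AVC record. That is acceptable for known noise, but the line joins a run of dontaudit rules with no note on which caller leaks the descriptor; a comment such as `# callers inherit /root file descriptors into the mailer; the read stays denied, only the noise is hidden` would keep the next reviewer from widening it into an allow. The system_mail_t block continues outside the hunk.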
@@ -56644,7 +56647,7 @@ index ff1d68c6a..94b1dfca7 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -56714,7 +56717,7 @@ index ff1d68c6a..94b1dfca7 100644 ') optional_policy(` -@@ -381,24 +427,49 @@ optional_policy(` +@@ -381,24 +428,49 @@ optional_policy(` ######################################## # @@ -92198,10 +92201,10 @@ index 000000000..504b6e13e +/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) diff --git a/rolekit.if b/rolekit.if new file mode 100644 -index 000000000..df5e3338c +index 000000000..b11fb8f6d --- /dev/null +++ b/rolekit.if -@@ -0,0 +1,138 @@ +@@ -0,0 +1,120 @@ +## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. + +######################################## @@ -92322,24 +92325,6 @@ index 000000000..df5e3338c + systemd_read_fifo_file_passwd_run($1) + ') +') -+ -+######################################## -+## -+## Allow domain to read rolekit tmp files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rolekit_read_tmp',` -+ gen_require(` -+ type rolekit_tmp_t; -+ ') -+ -+ read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t) -+') diff --git a/rolekit.te b/rolekit.te new file mode 100644 index 000000000..da944537b @@ -107829,7 +107814,7 @@ index 49dd63ca1..ae2e798f5 100644 + +/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0) diff --git a/stunnel.te b/stunnel.te -index 27a8480bc..5482c7549 100644 +index 27a8480bc..fc3fca520 100644 --- a/stunnel.te +++ b/stunnel.te @@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t) 
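Review bot: The `rolekit_read_tmp` interface is deleted outright rather than deprecated, so any module outside this patch that still calls it will fail to build; within this commit only dirsrv.te (hunk `@@ -25982,10 +25986,6 @@`) drops its call. If shipped modules may reference it, the refpolicy convention is to keep the interface as a `refpolicywarn(`$0($*) has been deprecated')` stub for a release before removing it. The revert otherwise restores the earlier dirsrv rules.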
@@ -107842,15 +107827,18 @@ index 27a8480bc..5482c7549 100644 type stunnel_tmp_t; files_tmp_file(stunnel_tmp_t) -@@ -23,7 +26,7 @@ files_pid_file(stunnel_var_run_t) +@@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t) # Local policy # -allow stunnel_t self:capability { setgid setuid sys_chroot }; +allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice }; dontaudit stunnel_t self:capability sys_tty_config; - allow stunnel_t self:process signal_perms; +-allow stunnel_t self:process signal_perms; ++allow stunnel_t self:process { setsched signal_perms }; allow stunnel_t self:fifo_file rw_fifo_file_perms; + allow stunnel_t self:tcp_socket { accept listen }; + allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms; allow stunnel_t stunnel_etc_t:file read_file_perms; allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; @@ -112168,10 +112156,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..bc54338c2 +index 000000000..7726f7594 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,108 @@ +@@ -0,0 +1,109 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -112256,6 +112244,7 @@ index 000000000..bc54338c2 +corenet_tcp_connect_oracle_port(tomcat_domain) +corenet_tcp_connect_ibm_dt_2_port(tomcat_domain) +corenet_tcp_connect_unreserved_ports(tomcat_domain) ++corenet_tcp_connect_mssql_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -114588,10 +114577,10 @@ index 3d11c6a3d..c5d84287e 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bcfc..9777de289 100644 +index a4f20bcfc..58d0a33f2 100644 --- a/virt.fc 
+++ b/virt.fc -@@ -1,51 +1,109 @@ +@@ -1,51 +1,111 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -114726,6 +114715,8 @@ index a4f20bcfc..9777de289 100644 + +/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) + ++/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0) ++ +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 324a11b..74208cc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 283%{?dist} +Release: 283.1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
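Review bot: `/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0)` makes a shell script an entrypoint for virtd_t, so when it is started through the virtd domain transition it, and whatever it executes in turn, runs with the full libvirtd privilege set; policy does not review the script body. If the script only needs to run first-boot commands, a dedicated domain would confine it better; at minimum add `# virt-sysprep first-boot script, deliberately run as virtd_t` above the entry so the grant is not mistaken for a daemon binary. If virt.fc groups its other virtd_exec_t entries together, this line belongs with them rather than between the qemu-ga and systemd unit entries.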
@@ -682,6 +682,24 @@ exit 0 %endif %changelog +* Thu Sep 14 2017 Lukas Vrabec - 3.13.1-283.1 +- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files +- Allow automount domain to manage mount pid files +- Allow stunnel_t domain setsched +- Add keepalived domain setpgid capability +- dbus: add policy for dbus-broker +- Revert "Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)" +- Allow tomcat domain to connect to mssql port +- Fix typo bug in apache module +- Label /usr/lib/virt-sysprep/firstboot.sh as virtd_exec_t +- Dontaudit that system_mail_t is trying to read /root/ files +- Allow mozilla plugin to mmap mozilla tmpfs files +- Add creating opasswd file with shadow_t SELinux label in auth_manage_shadow() interface +- Allow sysctl_irq_t assciate with proc_t +- Allow sshd_t domain to send signull to xdm_t processes +- Allow updpwd_t domain auth file name trans +- Allow passwd_t domain mmap /etc/shadow and /etc/passwd + * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283 - Allow passwd_t domain mmap /etc/shadow and /etc/passwd - Allow pulseaudio_t domain to map user tmp files