From fb1d5447cbba47313385f3812fee172bf6d6809d Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 03 2017 15:15:06 +0000 Subject: * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-283.6 - Allow cupsd_t to execute ld_so_cache_t BZ(1478602) - Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806) - Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026) - Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531) - Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318) - Allow systemd to maange sysfs BZ(1471361) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index e209ecc..b0e27fa 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f27-base.patch b/policy-f27-base.patch index 129df47..9a198b9 100644 --- a/policy-f27-base.patch +++ b/policy-f27-base.patch @@ -34736,7 +34736,7 @@ index 3efd5b669..a8cb6df3d 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..2d255df93 100644 +index 09b791dcc..2fb4d0413 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -35036,8 +35036,7 @@ index 09b791dcc..2d255df93 100644 + allow nsswitch_domain self:tcp_socket create_socket_perms; +') + - tunable_policy(`authlogin_nsswitch_use_ldap',` -- files_list_var_lib(nsswitch_domain) ++tunable_policy(`authlogin_nsswitch_use_ldap',` + corenet_tcp_sendrecv_generic_if(nsswitch_domain) + corenet_tcp_sendrecv_generic_node(nsswitch_domain) + corenet_tcp_sendrecv_ldap_port(nsswitch_domain) 
@@ -35045,7 +35044,8 @@ index 09b791dcc..2d255df93 100644 + corenet_sendrecv_ldap_client_packets(nsswitch_domain) +') + -+tunable_policy(`authlogin_nsswitch_use_ldap',` + tunable_policy(`authlogin_nsswitch_use_ldap',` +- files_list_var_lib(nsswitch_domain) + # Support for LDAPS + dev_read_rand(nsswitch_domain) + # LDAP Configuration using encrypted requires @@ -35078,7 +35078,7 @@ index 09b791dcc..2d255df93 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,159 @@ optional_policy(` +@@ -456,10 +520,163 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -35103,6 +35103,10 @@ index 09b791dcc..2d255df93 100644 samba_dontaudit_write_var_files(nsswitch_domain) ') + ++optional_policy(` ++ virt_read_lib_files(nsswitch_domain) ++') ++ +####################################### +# +# Login Program local policy @@ -37846,7 +37850,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..f049f18e3 100644 +index 17eda2480..fa8d5f276 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38045,7 +38049,7 @@ index 17eda2480..f049f18e3 100644 +corenet_udp_bind_all_ports(init_t) + +dev_create_all_chr_files(init_t) -+dev_rw_sysfs(init_t) ++dev_manage_sysfs(init_t) +dev_read_urand(init_t) +dev_read_raw_memory(init_t) # Early devtmpfs 
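Review bot: `virt_read_lib_files(nsswitch_domain)` in the `@@ -35103,6 +35103,10 @@` hunk grants read access to everything labelled virt_var_lib_t to the entire nsswitch_domain attribute, i.e. to every domain that resolves names through NSS, not only to hosts that actually load the libvirt NSS plugin. The neighbouring LDAP grants in the same file are gated by `tunable_policy(`authlogin_nsswitch_use_ldap',` ...)`, so a tunable (or a narrower interface limited to the files the plugin reads, if one exists) would keep the blast radius consistent with the surrounding policy. At minimum the block needs a why-comment, e.g. `# libvirt NSS plugin reads files under virt_var_lib_t (BZ 1487531)`, since nothing else in authlogin.te explains a libvirt dependency. The enclosing inner hunk of authlogin.te continues beyond this outer hunk.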
@@ -38272,7 +38276,7 @@ index 17eda2480..f049f18e3 100644 +allow init_t self:unix_dgram_socket { create_socket_perms sendto }; +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec }; +allow init_t self:process { getcap setcap }; -+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom }; +allow init_t self:netlink_kobject_uevent_socket create_socket_perms; +allow init_t self:netlink_selinux_socket create_socket_perms; +allow init_t self:unix_dgram_socket lock; diff --git a/policy-f27-contrib.patch b/policy-f27-contrib.patch index 500c1ec..38189bb 100644 --- a/policy-f27-contrib.patch +++ b/policy-f27-contrib.patch @@ -21351,7 +21351,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..e0ba2f7d9 100644 +index c91813ccb..03b417f70 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21628,7 +21628,7 @@ index c91813ccb..e0ba2f7d9 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +289,29 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,22 +289,30 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -21637,6 +21637,7 @@ index c91813ccb..e0ba2f7d9 100644 +libs_exec_ldconfig(cupsd_t) +libs_exec_ld_so(cupsd_t) +libs_use_ld_so(cupsd_t) ++libs_legacy_use_ld_so(cupsd_t) logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) @@ -21663,7 +21664,7 @@ index c91813ccb..e0ba2f7d9 100644 optional_policy(` apm_domtrans_client(cupsd_t) -@@ -272,6 +324,8 @@ optional_policy(` +@@ -272,6 +325,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) 
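Review bot: `libs_legacy_use_ld_so(cupsd_t)` in the `@@ -21628,7 +21628,7 @@` hunk is added without any rationale, and per the changelog its purpose is to let cupsd_t execute ld_so_cache_t, i.e. to map a data file executable. An execute permission on ld_so_cache_t is otherwise a classic symptom of a mislabelled file or of a filter doing something it should not, so the next maintainer needs the reason recorded next to the grant, e.g. `# BZ(1478602): legacy loader path maps ld.so.cache executable (confirm against the BZ)`. If the AVC denial came from a specific printer filter rather than cupsd itself, a per-filter domain would be the narrower fix; that cannot be determined from the hunk. The inner cups.te hunk this lands in runs past the outer hunk boundary.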
@@ -21672,7 +21673,7 @@ index c91813ccb..e0ba2f7d9 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +333,17 @@ optional_policy(` +@@ -279,11 +334,17 @@ optional_policy(` ') optional_policy(` @@ -21690,7 +21691,7 @@ index c91813ccb..e0ba2f7d9 100644 ') ') -@@ -296,8 +356,8 @@ optional_policy(` +@@ -296,8 +357,8 @@ optional_policy(` ') optional_policy(` @@ -21700,7 +21701,7 @@ index c91813ccb..e0ba2f7d9 100644 ') optional_policy(` -@@ -306,7 +366,6 @@ optional_policy(` +@@ -306,7 +367,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -21708,7 +21709,7 @@ index c91813ccb..e0ba2f7d9 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +375,10 @@ optional_policy(` +@@ -316,6 +376,10 @@ optional_policy(` ') optional_policy(` @@ -21719,7 +21720,7 @@ index c91813ccb..e0ba2f7d9 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -326,7 +389,7 @@ optional_policy(` +@@ -326,7 +390,7 @@ optional_policy(` ') optional_policy(` @@ -21728,7 +21729,7 @@ index c91813ccb..e0ba2f7d9 100644 ') optional_policy(` -@@ -334,7 +397,11 @@ optional_policy(` +@@ -334,7 +398,11 @@ optional_policy(` ') optional_policy(` @@ -21741,7 +21742,7 @@ index c91813ccb..e0ba2f7d9 100644 ') ######################################## -@@ -342,12 +409,11 @@ optional_policy(` +@@ -342,12 +410,11 @@ optional_policy(` # Configuration daemon local policy # @@ -21757,7 +21758,7 @@ index c91813ccb..e0ba2f7d9 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -367,23 +433,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -367,23 +434,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; 
@@ -21785,7 +21786,7 @@ index c91813ccb..e0ba2f7d9 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +458,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +459,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -21806,7 +21807,7 @@ index c91813ccb..e0ba2f7d9 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +475,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +476,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -21818,7 +21819,7 @@ index c91813ccb..e0ba2f7d9 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +502,12 @@ optional_policy(` +@@ -449,9 +503,12 @@ optional_policy(` ') optional_policy(` @@ -21832,7 +21833,7 @@ index c91813ccb..e0ba2f7d9 100644 ') optional_policy(` -@@ -467,6 +523,10 @@ optional_policy(` +@@ -467,6 +524,10 @@ optional_policy(` ') optional_policy(` @@ -21843,7 +21844,7 @@ index c91813ccb..e0ba2f7d9 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +547,6 @@ optional_policy(` +@@ -487,10 +548,6 @@ optional_policy(` # Lpd local policy # @@ -21854,7 +21855,7 @@ index c91813ccb..e0ba2f7d9 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +564,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +565,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) 
@@ -21872,7 +21873,7 @@ index c91813ccb..e0ba2f7d9 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +593,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +594,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21882,7 +21883,7 @@ index c91813ccb..e0ba2f7d9 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -549,9 +602,9 @@ optional_policy(` +@@ -549,9 +603,9 @@ optional_policy(` # Pdf local policy # @@ -21894,7 +21895,7 @@ index c91813ccb..e0ba2f7d9 100644 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +619,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +620,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -22046,7 +22047,7 @@ index c91813ccb..e0ba2f7d9 100644 ######################################## # -@@ -735,7 +663,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +664,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -22054,7 +22055,7 @@ index c91813ccb..e0ba2f7d9 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +672,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +673,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -22068,7 +22069,7 @@ index c91813ccb..e0ba2f7d9 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +684,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +685,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) 
@@ -22077,7 +22078,7 @@ index c91813ccb..e0ba2f7d9 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +696,4 @@ optional_policy(` +@@ -773,3 +697,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -29695,7 +29696,7 @@ index c62c5670a..a74f123da 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3a1..42ee4d39c 100644 +index 98072a3a1..c48426ab7 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t) @@ -29753,9 +29754,11 @@ index 98072a3a1..42ee4d39c 100644 corecmd_exec_bin(firewalld_t) corecmd_exec_shell(firewalld_t) -@@ -63,20 +79,27 @@ dev_search_sysfs(firewalld_t) +@@ -62,21 +78,29 @@ dev_read_urand(firewalld_t) + dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) ++domain_obj_id_change_exemption(firewalld_t) -files_read_etc_files(firewalld_t) -files_read_usr_files(firewalld_t) @@ -29788,7 +29791,7 @@ index 98072a3a1..42ee4d39c 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -91,10 +114,15 @@ optional_policy(` +@@ -91,10 +115,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(firewalld_t) @@ -76788,7 +76791,7 @@ index ded95ec3a..db49c5774 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83eca..87a1d852a 100644 +index 5cfb83eca..23bc054ae 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -76966,9 +76969,8 @@ index 5cfb83eca..87a1d852a 100644 -######################################## -# -# Common postfix user domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) 
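Review bot: `domain_obj_id_change_exemption(firewalld_t)` in the `@@ -29753,9 +29754,11 @@` hunk is a broad exemption added with no comment: as I read refpolicy's object-identity constraint, it lets firewalld_t create and relabel files under any SELinux user, well beyond the single `firewall-cmd` relabel case the changelog cites. The hunk should at least state why the constraint is hit, e.g. `# BZ(1469806): firewall-cmd relabels config files created under another SELinux user`, so the exemption is revisited once the file contexts are fixed rather than kept indefinitely. If the underlying problem is that files end up with the caller's user identity instead of the service's own, correcting the file transition/context would avoid the exemption entirely; the hunk does not show enough to confirm that. The inner firewalld.te hunk continues beyond this outer hunk.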
@@ -76976,8 +76978,9 @@ index 5cfb83eca..87a1d852a 100644 -######################################## -# -# Master local policy --# -- ++# Postfix master process local policy + # + -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +dontaudit postfix_master_t self:capability { net_admin }; +# chown is to set the correct ownership of queue dirs @@ -77166,7 +77169,7 @@ index 5cfb83eca..87a1d852a 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -363,37 +256,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -363,74 +256,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -77213,8 +77216,12 @@ index 5cfb83eca..87a1d852a 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -401,36 +291,50 @@ optional_policy(` + ') ++optional_policy(` ++ milter_stream_connect_all(postfix_cleanup_t) ++') ++ ######################################## # -# Local local policy @@ -77273,7 +77280,7 @@ index 5cfb83eca..87a1d852a 100644 ') optional_policy(` -@@ -442,16 +346,25 @@ optional_policy(` +@@ -442,16 +350,25 @@ optional_policy(` ') optional_policy(` @@ -77299,7 +77306,7 @@ index 5cfb83eca..87a1d852a 100644 procmail_domtrans(postfix_local_t) ') -@@ -466,15 +379,17 @@ optional_policy(` +@@ -466,15 +383,17 @@ optional_policy(` ######################################## # @@ -77324,7 +77331,7 @@ index 5cfb83eca..87a1d852a 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -484,14 +399,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -484,14 +403,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) 
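Review bot: the new `optional_policy(` block for `milter_stream_connect_all(postfix_cleanup_t)` in the `@@ -77213,8 +77216,12 @@` hunk follows the closing `')` of the mailman block with no separating blank line (unless the collapsed rendering dropped a blank context line), whereas every other `optional_policy` block in this file is separated by one; add an empty line between `')` and `optional_policy(`. The grant mirrors the existing `milter_stream_connect_all(postfix_smtpd_t)` later in the file, so cleanup gains the same reach as smtpd to every milter socket on the system; a comment such as `# BZ(1436026): cleanup(8) connects to non-SMTP milters (presumably)` would document why that breadth is needed here. The inner postfix.te hunk runs past the outer hunk boundary.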
@@ -77344,7 +77351,7 @@ index 5cfb83eca..87a1d852a 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -500,7 +416,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -500,7 +420,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -77352,7 +77359,7 @@ index 5cfb83eca..87a1d852a 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -508,21 +423,24 @@ auth_use_nsswitch(postfix_map_t) +@@ -508,21 +427,24 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) @@ -77380,7 +77387,7 @@ index 5cfb83eca..87a1d852a 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -532,21 +450,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -532,21 +454,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -77406,7 +77413,7 @@ index 5cfb83eca..87a1d852a 100644 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) -@@ -557,6 +475,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) +@@ -557,6 +479,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) corecmd_exec_bin(postfix_pipe_t) optional_policy(` @@ -77417,7 +77424,7 @@ index 5cfb83eca..87a1d852a 100644 dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -584,19 +506,28 @@ optional_policy(` +@@ -584,19 +510,28 @@ optional_policy(` ######################################## # 
@@ -77451,7 +77458,7 @@ index 5cfb83eca..87a1d852a 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -611,10 +542,7 @@ optional_policy(` +@@ -611,10 +546,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -77463,7 +77470,7 @@ index 5cfb83eca..87a1d852a 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -629,17 +557,24 @@ optional_policy(` +@@ -629,17 +561,24 @@ optional_policy(` ####################################### # @@ -77491,7 +77498,7 @@ index 5cfb83eca..87a1d852a 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +590,80 @@ optional_policy(` +@@ -655,69 +594,80 @@ optional_policy(` ######################################## # @@ -77589,7 +77596,7 @@ index 5cfb83eca..87a1d852a 100644 ') optional_policy(` -@@ -730,28 +676,32 @@ optional_policy(` +@@ -730,28 +680,32 @@ optional_policy(` ######################################## # @@ -77630,7 +77637,7 @@ index 5cfb83eca..87a1d852a 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +714,7 @@ optional_policy(` +@@ -764,6 +718,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -77638,7 +77645,7 @@ index 5cfb83eca..87a1d852a 100644 ') optional_policy(` -@@ -774,31 +725,101 @@ optional_policy(` +@@ -774,31 +729,101 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -117069,7 +117076,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..915a13a07 100644 +index f03dcf567..fe13718c7 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ 
@@ -117682,10 +117689,10 @@ index f03dcf567..915a13a07 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) +- +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +allow svirt_t self:process ptrace; --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; @@ -117861,20 +117868,20 @@ index f03dcf567..915a13a07 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +-can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -118034,7 +118041,7 @@ index f03dcf567..915a13a07 100644 ') optional_policy(` -@@ -691,99 +653,437 @@ optional_policy(` +@@ -691,99 +653,441 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -118179,6 +118186,10 @@ index f03dcf567..915a13a07 100644 +') + +optional_policy(` ++ dbus_system_bus_client(virtlogd_t) ++') ++ ++optional_policy(` + systemd_write_inhibit_pipes(virtlogd_t) +') + @@ -118523,7 +118534,7 @@ index f03dcf567..915a13a07 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1094,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1098,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -118550,7 +118561,7 @@ index f03dcf567..915a13a07 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1114,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1118,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -118584,7 +118595,7 @@ index f03dcf567..915a13a07 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1151,20 @@ optional_policy(` +@@ -856,14 +1155,20 @@ optional_policy(` ') optional_policy(` @@ -118606,7 +118617,7 @@ index f03dcf567..915a13a07 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1189,66 @@ optional_policy(` +@@ -888,49 +1193,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -118691,7 +118702,7 @@ index f03dcf567..915a13a07 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1260,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1264,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
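Review bot: `dbus_system_bus_client(virtlogd_t)` in the `@@ -118179,6 +118186,10 @@` hunk is mentioned neither in the commit message nor in the spec %changelog (the changelog lists six items and none concerns virtlogd or D-Bus), so the change ships undocumented; the same applies to the updated container-selinux.tgz binary, whose new content cannot be reviewed on this page. Add a changelog line such as `- Allow virtlogd_t domain to be a system D-Bus client` and reference the bug report if one exists. A why-comment in the policy is also warranted, since virtlogd is a log daemon and a system-bus client role is not obvious from its purpose. The inner virt.te hunk continues beyond this outer hunk.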
@@ -118711,7 +118722,7 @@ index f03dcf567..915a13a07 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,15 +1281,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,15 +1285,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -118730,7 +118741,7 @@ index f03dcf567..915a13a07 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -982,186 +1295,307 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -982,186 +1299,307 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -119167,7 +119178,7 @@ index f03dcf567..915a13a07 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1608,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1612,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -119182,7 +119193,7 @@ index f03dcf567..915a13a07 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1626,7 @@ optional_policy(` +@@ -1192,7 +1630,7 @@ optional_policy(` ######################################## # @@ -119191,7 +119202,7 @@ index f03dcf567..915a13a07 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1635,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1639,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index e36090c..30a8c7a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 283.5%{?dist} +Release: 283.6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,14 @@ exit 0 %endif %changelog +* Tue Oct 03 2017 Lukas Vrabec - 3.13.1-283.6 +- Allow cupsd_t to execute ld_so_cache_t BZ(1478602) +- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806) +- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026) +- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531) +- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318) +- Allow systemd to maange sysfs BZ(1471361) + * Fri Sep 29 2017 Lukas Vrabec - 3.13.1-283.5 - Allow virtlogd_t domain to write inhibit systemd pipes. - Allow smbd_t domain to mmap samba_var_t files BZ(1496319)