diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5cda8df..daa1d07 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -21943,7 +21943,7 @@ index fe0c682..e8dcfa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..07f129b 100644 +index cc877c7..a8b01bf 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2) @@ -22195,7 +22195,7 @@ index cc877c7..07f129b 100644 files_read_etc_files(ssh_keysign_t) -@@ -226,39 +264,56 @@ optional_policy(` +@@ -226,39 +264,57 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -22210,12 +22210,13 @@ index cc877c7..07f129b 100644 - kernel_search_key(sshd_t) kernel_link_key(sshd_t) - ++kernel_read_net_sysctls(sshd_t) ++ +files_search_all(sshd_t) + +fs_search_cgroup_dirs(sshd_t) +fs_rw_cgroup_files(sshd_t) -+ + term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) @@ -22264,7 +22265,7 @@ index cc877c7..07f129b 100644 ') optional_policy(` -@@ -266,6 +321,15 @@ optional_policy(` +@@ -266,6 +322,15 @@ optional_policy(` ') optional_policy(` @@ -22280,7 +22281,7 @@ index cc877c7..07f129b 100644 inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') -@@ -275,6 +339,18 @@ optional_policy(` +@@ -275,6 +340,18 @@ optional_policy(` ') optional_policy(` @@ -22299,7 +22300,7 @@ index cc877c7..07f129b 100644 oddjob_domtrans_mkhomedir(sshd_t) ') -@@ -289,13 +365,93 @@ optional_policy(` +@@ -289,13 +366,93 @@ optional_policy(` ') optional_policy(` 
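Review bot: `++kernel_read_net_sysctls(sshd_t)` in the inner ssh.te hunk `@@ -226,39 +264,57 @@` carries no comment naming the sshd feature that hit the denial, so the next rebase of policy-rawhide-base.patch cannot tell whether the rule is still needed. The interface is read-only, but it covers the whole sysctl_net_t tree rather than one key, so a one-line justification matters; I would add `+# sshd reads /proc/sys/net (changelog 3.13.1-35); read-only` above the rule, with the exact feature filled in once confirmed, since it is not visible here. The inner hunk header renumbering that follows (`+264,57`, `+322`, `+340`, `+366`, `+461`, `+500`, `+514`) is consistent with the two added lines.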
@@ -22393,7 +22394,7 @@ index cc877c7..07f129b 100644 ######################################## # # ssh_keygen local policy -@@ -304,19 +460,29 @@ optional_policy(` +@@ -304,19 +461,29 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -22424,7 +22425,7 @@ index cc877c7..07f129b 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -333,6 +499,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -333,6 +500,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -22437,7 +22438,7 @@ index cc877c7..07f129b 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +513,140 @@ optional_policy(` +@@ -341,3 +514,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b2617fa..bfcea24 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3109,10 +3109,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..516f7bb 100644 +index 7caefc3..8434d2f 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,200 @@ +@@ -1,162 +1,201 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3198,6 +3198,7 @@ index 7caefc3..516f7bb 100644 -/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) +/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -23577,10 +23578,10 @@ index 0000000..89401fe +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..412e818 +index 0000000..5e91008 --- /dev/null +++ b/docker.te -@@ -0,0 +1,256 @@ +@@ -0,0 +1,260 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23808,6 +23809,10 @@ index 0000000..412e818 +optional_policy(` + dbus_system_bus_client(docker_t) + init_dbus_chat(docker_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(docker_t) ++ ') +') + +optional_policy(` @@ -55606,10 +55611,10 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..db2369b +index 0000000..88c2186 --- /dev/null +++ b/openshift.fc -@@ -0,0 +1,27 @@ +@@ -0,0 +1,28 @@ +/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + @@ -55617,6 +55622,7 @@ index 0000000..db2369b + +/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) ++/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) + 
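Review bot: `++/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` in the apache.fc hunk labels the whole Joomla install tree, application code included, as writable by httpd_t, so the web server domain can rewrite its own PHP files; the usual pattern for packaged web applications is `httpd_sys_content_t` for the tree and `httpd_sys_rw_content_t` only for the directories the application actually writes (cache, temp, logs, uploads). Whether Joomla's in-place updater requires the entire tree to be writable is not visible here; if it does, a comment above the line saying so would stop the next reviewer from narrowing it. The inner header renumber `+@@ -1,162 +1,201 @@` in the preceding hunk matches the one added line.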
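Review bot: the nested `++ optional_policy(` block around `systemd_dbus_chat_logind(docker_t)` in docker.te gives no reason for the rule, and the same call is added for `sandbox_net_domain` in the virt.te hunk `@@ -101670,6 +101676,10 @@` without one either. The reasoning only lives in the .spec changelog (`Allow docker domains to talk to the login programs, to allow a process to login into the container`); I would add `# logind dbus chat: lets a process log in to the container` above each call so the policy file stands on its own. Dbus chat interfaces typically grant send_msg in both directions, so logind may also message docker_t; if only the client direction is needed, check whether the systemd module offers a narrower interface.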
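Review bot: `++/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)` in openshift.fc is described in the changelog as a stopgap (`should be labeled as openshift content for now`), but the .fc line itself carries no marker, so the intent is lost once the changelog entry scrolls away. I would add `# TODO: /var/lib/containers is labelled as openshift content for now; revisit` above the line. A docker.te module is introduced in the same patch set; if this directory is meant to move to a docker-owned type later, say so in that comment, as the relationship is not visible here. The new-file count change `+@@ -0,0 +1,28 @@` matches the one added line.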
@@ -99574,7 +99580,7 @@ index facdee8..fddb027 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..7a02075 100644 +index f03dcf5..1bbfa18 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,197 @@ @@ -100652,7 +100658,7 @@ index f03dcf5..7a02075 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) @@ -100709,7 +100715,7 @@ index f03dcf5..7a02075 100644 + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') - ++ +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) @@ -100854,10 +100860,10 @@ index f03dcf5..7a02075 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -101050,12 +101056,12 @@ index f03dcf5..7a02075 100644 +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') @@ -101163,6 +101169,10 @@ index f03dcf5..7a02075 100644 + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) +') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; 
@@ -101247,10 +101257,6 @@ index f03dcf5..7a02075 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') @@ -101289,6 +101295,10 @@ index f03dcf5..7a02075 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; ++ ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -101300,13 +101310,6 @@ index f03dcf5..7a02075 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') - --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -101315,11 +101318,14 @@ index f03dcf5..7a02075 100644 + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') --corenet_sendrecv_all_client_packets(svirt_lxc_net_t) --corenet_tcp_connect_all_ports(svirt_lxc_net_t) +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; -+ + +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) 
@@ -101395,15 +101401,15 @@ index f03dcf5..7a02075 100644 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +fs_noxattr_type(svirt_sandbox_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) @@ -101461,7 +101467,7 @@ index f03dcf5..7a02075 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1431,206 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1431,210 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -101670,6 +101676,10 @@ index f03dcf5..7a02075 100644 +corenet_udp_bind_all_ports(sandbox_net_domain) +corenet_tcp_bind_all_ports(sandbox_net_domain) +corenet_tcp_connect_all_ports(sandbox_net_domain) ++ ++optional_policy(` ++ systemd_dbus_chat_logind(sandbox_net_domain) ++') diff --git a/vlock.te b/vlock.te index 6b72968..de409cc 100644 --- a/vlock.te @@ -101825,10 +101835,10 @@ index 0000000..7933d80 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..ab589a9 +index 0000000..5ce7d9c --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,87 @@ +@@ -0,0 +1,89 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -101915,6 +101925,8 @@ index 0000000..ab589a9 +domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t) +can_exec(vmtools_helper_t, vmtools_helper_exec_t) + ++corecmd_exec_bin(vmtools_helper_t) ++ +userdom_stream_connect(vmtools_helper_t) 
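Review bot: `++corecmd_exec_bin(vmtools_helper_t)` in the vmtools.te hunk lets the helper execute any bin_t binary in its own domain with no transition, which is broad next to the only other exec rules in view, `can_exec(vmtools_helper_t, vmtools_helper_exec_t)` and the domtrans to vmtools_t. If the helper only needs to run shell scripts, `corecmd_exec_shell(vmtools_helper_t)` is the narrower interface; if it genuinely invokes arbitrary system tools, keep `corecmd_exec_bin` but add `# helper scripts invoke system binaries from bin_t` so the scope is documented. The new-file count change `+@@ -0,0 +1,89 @@` matches the two added lines.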
diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index 3405bf7..c6ee813 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 34%{?dist} +Release: 35%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -580,6 +580,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Mar 13 2014 Miroslav Grepl 3.13.1-35 +- sshd to read network sysctls +- Allow vmtools_helper_t to execute bin_t +- Add support for /usr/share/joomla +- /var/lib/containers should be labeled as openshift content for now +- Allow docker domains to talk to the login programs, to allow a process to login into the container + * Wed Mar 12 2014 Miroslav Grepl 3.13.1-34 - Add install_t for anaconda