diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b74e6f2..d114f36 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -19416,7 +19416,7 @@ index 76d9f66..21c96cf 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..871b8fd 100644 +index fe0c682..95ae197 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -19868,7 +19868,7 @@ index fe0c682..871b8fd 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -20831,7 +20831,7 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..8715521 100644 +index 6bf0ecc..266289c 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21785,7 +21785,7 @@ index 6bf0ecc..8715521 100644 ') ######################################## -@@ -1284,10 +1655,604 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1655,622 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -22392,6 +22392,24 @@ index 6bf0ecc..8715521 100644 + filetrans_pattern($1, xdm_tmp_t, $2, $3, $4) + files_search_tmp($1) +') ++ ++######################################## ++## ++## Dontaudit search ssh home directory ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_search_log',` ++ gen_require(` ++ type xserver_log_t; ++ ') ++ ++ dontaudit $1 xserver_log_t:dir search_dir_perms; ++') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 2696452..fcf58c6 100644 --- a/policy/modules/services/xserver.te 
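Review bot: The summary line of the new `xserver_dontaudit_search_log` interface at the end of the xserver.if hunk (`@@ -22392,6 +22392,24 @@`) reads `Dontaudit search ssh home directory`, which describes ssh_home_t rather than the `dontaudit $1 xserver_log_t:dir search_dir_perms;` rule the body actually carries. The header looks pasted from an ssh interface; suggest `## Do not audit attempts to search the X server log directory.` so the generated interface documentation says what is really being silenced. The parameter text `Domain to not audit.` is correct and can stay.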
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 69b3776..d9abd45 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10927,7 +10927,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index 914ee2d..72fab35 100644 +index 914ee2d..7d723c0 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -10945,8 +10945,9 @@ index 914ee2d..72fab35 100644 # -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +-allow chronyd_t self:process { getcap setcap setrlimit signal }; +allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time }; - allow chronyd_t self:process { getcap setcap setrlimit signal }; ++allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; +allow chronyd_t self:unix_dgram_socket create_socket_perms; @@ -50974,6 +50975,16 @@ index 0000000..c1eed44 + ssh_exec_keygen(openshift_cron_t) + ssh_dontaudit_read_server_keys(openshift_cron_t) +') +diff --git a/openvpn.fc b/openvpn.fc +index 300213f..6f0d2e4 100644 +--- a/openvpn.fc ++++ b/openvpn.fc +@@ -1,4 +1,5 @@ + /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) ++/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0) + /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) + + /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) diff --git a/openvpn.if b/openvpn.if index 6837e9a..af8f9d0 100644 --- a/openvpn.if @@ -50994,10 +51005,24 @@ index 6837e9a..af8f9d0 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; 
diff --git a/openvpn.te b/openvpn.te -index 3270ff9..67da060 100644 +index 3270ff9..8e252e4 100644 --- a/openvpn.te +++ b/openvpn.te -@@ -26,6 +26,9 @@ files_config_file(openvpn_etc_t) +@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) + # + + ## ++##

++## Allow openvpn to run unconfined scripts
++##

++##
++gen_tunable(openvpn_run_unconfined, false)
++
++##
+ ##

+ ## Determine whether openvpn can + ## read generic user home content files. +@@ -26,6 +33,9 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -51007,7 +51032,7 @@ index 3270ff9..67da060 100644 type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -43,7 +46,7 @@ files_pid_file(openvpn_var_run_t) +@@ -43,7 +53,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -51016,7 +51041,7 @@ index 3270ff9..67da060 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,6 +72,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") @@ -51026,7 +51051,7 @@ index 3270ff9..67da060 100644 manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -@@ -83,7 +89,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +96,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -51034,7 +51059,7 @@ index 3270ff9..67da060 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -105,11 +110,12 @@ corenet_tcp_bind_http_port(openvpn_t) +@@ -105,11 +117,12 @@ corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_sendrecv_http_port(openvpn_t) 
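Review bot: The description added for `openvpn_run_unconfined` in the openvpn.te hunk (`@@ -6,6 +6,13 @@`) says only `Allow openvpn to run unconfined scripts` and does not tell the administrator what switching it on does: scripts labelled with the new `openvpn_unconfined_script_exec_t` type (everything under `/etc/openvpn/scripts` per the openvpn.fc hunk) leave openvpn_t and run in a domain that receives `unconfined_domain()` in the last openvpn.te hunk of this section. Booleans that relax confinement are normally described by their effect, e.g. `## Allow openvpn to run the scripts in /etc/openvpn/scripts unconfined, outside the openvpn_t policy.`, so the tradeoff is visible in `semanage boolean -l` output and the generated docs. The rest of the gen_tunable block follows the existing description style and needs no change.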
@@ -51048,7 +51073,7 @@ index 3270ff9..67da060 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +127,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +134,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51076,7 +51101,7 @@ index 3270ff9..67da060 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +167,7 @@ optional_policy(` +@@ -155,3 +174,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -51084,11 +51109,31 @@ index 3270ff9..67da060 100644 +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') ++ ++type openvpn_unconfined_script_t; ++type openvpn_unconfined_script_exec_t; ++domain_type(openvpn_unconfined_script_t) ++domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t) ++corecmd_shell_entry_type(openvpn_unconfined_script_t) ++role system_r types openvpn_unconfined_script_t; ++ ++allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms; ++allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl; ++ ++optional_policy(` ++ unconfined_domain(openvpn_unconfined_script_t) ++') ++ ++tunable_policy(`openvpn_run_unconfined',` ++ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t) ++',` ++ can_exec(openvpn_t, openvpn_unconfined_script_exec_t) ++') diff --git a/openvswitch.fc b/openvswitch.fc -index 45d7cc5..baf8d21 100644 +index 45d7cc5..c5b9607 100644 --- a/openvswitch.fc +++ b/openvswitch.fc -@@ -1,12 +1,15 @@ +@@ -1,12 +1,16 @@ -/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0) +/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0) 
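Review bot: The declarations for the new `openvpn_unconfined_script_t`/`openvpn_unconfined_script_exec_t` pair in the last openvpn.te hunk (`@@ -155,3 +174,27 @@`) are appended after the file's optional_policy blocks, while the module's other types (`openvpn_etc_rw_t`, `openvpn_initrc_exec_t` in the `@@ -26,6 +33,9 @@` hunk) live in the declarations section; moving the `type`, `domain_type`, `domain_entry_file`, `corecmd_shell_entry_type` and `role` lines up there keeps the file consistent with its own layout. The domain's only substantive grant is `unconfined_domain(openvpn_unconfined_script_t)` inside `optional_policy`, so on a policy built without the unconfined module, enabling `openvpn_run_unconfined` transitions scripts into a domain with little beyond what `domain_type()` provides and they will presumably fail with denials; a comment beside the tunable_policy block such as `# relies on the unconfined module; without it these scripts gain no extra access` or a documented fallback would make that dependency explicit. The spec %changelog entry for 3.12.1-63 on this page lists only `Add mdadm fixes`, so this new boolean and exec label go unrecorded in the release notes.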
@@ -51098,6 +51143,7 @@ index 45d7cc5..baf8d21 100644 +/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) -/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) -/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0) @@ -52389,7 +52435,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..c1035d4 100644 +index 7bcf327..04b62f4 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -52638,7 +52684,7 @@ index 7bcf327..c1035d4 100644 ') optional_policy(` -@@ -151,16 +247,23 @@ optional_policy(` +@@ -151,16 +247,24 @@ optional_policy(` ') optional_policy(` @@ -52655,6 +52701,7 @@ index 7bcf327..c1035d4 100644 - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) + rpc_read_exports(pegasus_t) ++ rpc_read_nfs_state_data(pegasus_t) +') + +optional_policy(` @@ -52666,7 +52713,7 @@ index 7bcf327..c1035d4 100644 ') optional_policy(` -@@ -168,7 +271,7 @@ optional_policy(` +@@ -168,7 +272,7 @@ optional_policy(` ') optional_policy(` @@ -55187,7 +55234,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 49694e8..d14cc7d 100644 +index 49694e8..ad46f29 100644 --- a/policykit.te +++ b/policykit.te @@ -1,4 +1,4 @@ @@ -55219,7 +55266,7 @@ index 49694e8..d14cc7d 100644 type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; -@@ -42,63 +37,66 @@ files_pid_file(policykit_var_run_t) +@@ -42,63 +37,68 @@ files_pid_file(policykit_var_run_t) ####################################### # 
@@ -55291,6 +55338,8 @@ index 49694e8..d14cc7d 100644 auth_use_nsswitch(policykit_t) ++init_list_pid_dirs(policykit_t) ++ +logging_send_syslog_msg(policykit_t) + userdom_getattr_all_users(policykit_t) @@ -55305,7 +55354,7 @@ index 49694e8..d14cc7d 100644 optional_policy(` consolekit_dbus_chat(policykit_t) ') -@@ -109,29 +107,43 @@ optional_policy(` +@@ -109,29 +109,43 @@ optional_policy(` ') optional_policy(` @@ -55357,7 +55406,7 @@ index 49694e8..d14cc7d 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,9 +157,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -55367,7 +55416,7 @@ index 49694e8..d14cc7d 100644 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) -@@ -157,53 +166,64 @@ files_search_home(policykit_auth_t) +@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t) fs_getattr_all_fs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t) @@ -55442,7 +55491,7 @@ index 49694e8..d14cc7d 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +231,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -55469,7 +55518,7 @@ index 49694e8..d14cc7d 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +252,28 @@ optional_policy(` +@@ -235,26 +254,28 @@ optional_policy(` ######################################## # 
@@ -55504,7 +55553,7 @@ index 49694e8..d14cc7d 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +285,7 @@ optional_policy(` +@@ -266,6 +287,7 @@ optional_policy(` ') optional_policy(` @@ -65420,10 +65469,20 @@ index b31f2d7..046f5b8 100644 userdom_dontaudit_search_user_home_dirs(radvd_t) diff --git a/raid.fc b/raid.fc -index 5806046..01ca7cb 100644 +index 5806046..5578653 100644 --- a/raid.fc +++ b/raid.fc -@@ -16,6 +16,7 @@ +@@ -3,6 +3,9 @@ + + /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) + ++/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) ++/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) ++ + /sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) +@@ -16,6 +19,7 @@ /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) @@ -65432,7 +65491,7 @@ index 5806046..01ca7cb 100644 /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..6d6ec1d 100644 +index 951db7f..7736755 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -65447,7 +65506,7 @@ index 951db7f..6d6ec1d 100644 ## ## ##

-@@ -22,34 +21,33 @@ interface(`raid_domtrans_mdadm',` +@@ -22,82 +21,115 @@ interface(`raid_domtrans_mdadm',` ###################################### ## @@ -65482,35 +65541,62 @@ index 951db7f..6d6ec1d 100644 - roleattribute $1 mdadm_roles; ') - ######################################## +-######################################## ++###################################### ## -## Create, read, write, and delete -## mdadm pid files. -+## read the mdadm pid files. ++## Execute mdadm server in the mdadm domain. ## ## ## -@@ -57,47 +55,58 @@ interface(`raid_run_mdadm',` +-## Domain allowed access. ++## Domain allowed to transition. ## ## # -interface(`raid_manage_mdadm_pid',` -+interface(`raid_read_mdadm_pid',` ++interface(`mdadm_systemctl',` gen_require(` - type mdadm_var_run_t; +- type mdadm_var_run_t; ++ type mdadm_t; ++ type mdadm_unit_file_t; ') - files_search_pids($1) - allow $1 mdadm_var_run_t:file manage_file_perms; -+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) ++ systemd_exec_systemctl($1) ++ allow $1 mdadm_unit_file_t:file read_file_perms; ++ allow $1 mdadm_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, mdadm_t) ') ######################################## ## -## All of the rules required to -## administrate an mdadm environment. -+## Create, read, write, and delete the mdadm pid files. ++## read the mdadm pid files. ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`raid_read_mdadm_pid',` ++ gen_require(` ++ type mdadm_var_run_t; ++ ') ++ ++ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete the mdadm pid files. ++## +## +##

+## Create, read, write, and delete the mdadm pid files. @@ -65519,16 +65605,12 @@ index 951db7f..6d6ec1d 100644 +## Added for use in the init module. +##

+##
- ## ++## ## - ## Domain allowed access. +-## Role allowed access. ++## Domain allowed access. ## ## --## --## --## Role allowed access. --## --## -## # -interface(`raid_admin_mdadm',` @@ -65573,20 +65655,23 @@ index 951db7f..6d6ec1d 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..e9c20b8 100644 +index 2c1730b..f60c494 100644 --- a/raid.te +++ b/raid.te -@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t; +@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) ++type mdadm_unit_file_t; ++systemd_unit_file(mdadm_unit_file_t) ++ +type mdadm_tmp_t; +files_tmpfs_file(mdadm_tmp_t) + type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,23 +28,31 @@ dev_associate(mdadm_var_run_t) +@@ -25,23 +31,31 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; @@ -65622,7 +65707,7 @@ index 2c1730b..e9c20b8 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +60,25 @@ corecmd_exec_shell(mdadm_t) +@@ -49,19 +63,25 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -65650,7 +65735,7 @@ index 2c1730b..e9c20b8 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +87,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +90,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) 
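Review bot: The new interface in the raid.if hunk (`@@ -22,82 +21,115 @@`) is named `mdadm_systemctl` while the other interfaces visible in this module (`raid_domtrans_mdadm`, `raid_read_mdadm_pid`) carry the `raid_` module prefix; interface names are resolved globally so this compiles, but a name like `raid_systemctl_mdadm` would follow the module convention and make the raid.te caller `mdadm_systemctl(mdadm_t)` easier to locate. The header text is also copied from a domain-transition interface: `## Execute mdadm server in the mdadm domain.` and `## Domain allowed to transition.` describe a domtrans, whereas the body grants `systemd_exec_systemctl($1)`, `manage_service_perms` on `mdadm_unit_file_t` and `ps_process_pattern($1, mdadm_t)`. Suggest `## Execute mdadm server in the mdadm domain via systemctl.` for the summary and `## Domain allowed access.` for the parameter.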
@@ -65671,6 +65756,24 @@ index 2c1730b..e9c20b8 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) +@@ -97,9 +121,17 @@ optional_policy(` + ') + + optional_policy(` ++ mdadm_systemctl(mdadm_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(mdadm_t) + ') + + optional_policy(` + udev_read_db(mdadm_t) + ') ++ ++optional_policy(` ++ xserver_dontaudit_search_log(mdadm_t) ++') diff --git a/razor.fc b/razor.fc index 6723f4d..6e26673 100644 --- a/razor.fc @@ -85096,10 +85199,11 @@ index 0000000..dda7934 +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) diff --git a/thumb.fc b/thumb.fc new file mode 100644 -index 0000000..601aea3 +index 0000000..92b6843 --- /dev/null +++ b/thumb.fc -@@ -0,0 +1,17 @@ +@@ -0,0 +1,18 @@ ++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0) @@ -89728,7 +89832,7 @@ index 9dec06c..378880d 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..7a305c4 100644 +index 1f22fba..99dd3a5 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -90873,7 +90977,7 @@ index 1f22fba..7a305c4 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +826,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +826,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) 
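Review bot: `mdadm_systemctl(mdadm_t)` in the raid.te hunk (`@@ -97,9 +121,17 @@`) lets the mdadm domain drive systemctl against its own unit files with `manage_service_perms`, and nothing in the hunk records why a daemon needs to control its own units; given the `mdmon@.*` unit-file entry added in raid.fc, a why-comment such as `# mdadm starts mdmon@ units through systemctl - confirm` would save the next reader the hunt. `xserver_dontaudit_search_log(mdadm_t)` is harmless as a dontaudit but its connection to mdadm is equally undocumented and deserves a one-line comment naming the denial it silences. Wrapping `mdadm_systemctl` in `optional_policy` also looks unnecessary, since the interface is defined in this module's own raid.if rather than in another module.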
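Review bot: The new thumb.fc entry pins the TeX Live directory to a single release, `HOME_DIR/\.texlive2012(/.*)?`, so the same directory from any other TeX Live year falls back to the generic home label and presumably reproduces the denial this line was added for. A pattern such as `HOME_DIR/\.texlive[0-9]+(/.*)?` covers the releases uniformly without widening the match beyond TeX Live directories. If the pin is intentional, a comment stating why would stop it being "fixed" later.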
@@ -90889,6 +90993,7 @@ index 1f22fba..7a305c4 100644 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) ++filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") -can_exec(virsh_t, virsh_exec_t) - @@ -90903,7 +91008,7 @@ index 1f22fba..7a305c4 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +846,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -90930,7 +91035,7 @@ index 1f22fba..7a305c4 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +866,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -90962,7 +91067,7 @@ index 1f22fba..7a305c4 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +898,20 @@ optional_policy(` +@@ -847,14 +899,20 @@ optional_policy(` ') optional_policy(` @@ -90984,7 +91089,7 @@ index 1f22fba..7a305c4 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +936,44 @@ optional_policy(` +@@ -879,34 +937,45 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
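Review bot: The added `filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")` sits directly under `virt_filetrans_named_content(virsh_t)`, and the virt.te hunk at `@@ -879,34 +937,45 @@` (on the next line of this page) adds the identical rule for `virtd_lxc_t` after `files_pid_filetrans`. If `virt_filetrans_named_content` in virt.if is where the module's other named transitions under `virt_var_run_t` live (not visible here), the `lxc` directory transition belongs inside that interface so every caller gets the same result and the two copies cannot drift. As written, a third domain that creates the `lxc` directory under `virt_var_run_t` will need a third copy.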
@@ -91035,10 +91140,11 @@ index 1f22fba..7a305c4 100644 +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) ++filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +983,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +985,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -91056,7 +91162,7 @@ index 1f22fba..7a305c4 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1005,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1007,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -91067,7 +91173,7 @@ index 1f22fba..7a305c4 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1014,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1016,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -91075,7 +91181,7 @@ index 1f22fba..7a305c4 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1026,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1028,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -91094,7 +91200,7 @@ index 1f22fba..7a305c4 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1040,40 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1042,40 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -91143,7 +91249,7 @@ index 1f22fba..7a305c4 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1083,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -91170,7 +91276,7 @@ index 1f22fba..7a305c4 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1101,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91189,7 +91295,7 @@ index 1f22fba..7a305c4 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1120,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) 
@@ -91216,7 +91322,7 @@ index 1f22fba..7a305c4 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1143,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1145,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -91355,7 +91461,7 @@ index 1f22fba..7a305c4 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1241,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1243,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -91370,7 +91476,7 @@ index 1f22fba..7a305c4 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1259,8 @@ optional_policy(` +@@ -1183,9 +1261,8 @@ optional_policy(` ######################################## # @@ -91381,7 +91487,7 @@ index 1f22fba..7a305c4 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1273,114 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1275,114 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7ecc0d1..1d8f15b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 62%{?dist} +Release: 63%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -539,6 +539,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jul 11 2013 Miroslav Grepl 3.12.1-63 +- Add mdadm fixes + * Tue Jul 9 2013 Miroslav Grepl 3.12.1-62 - Fix definition of sandbox.disabled to sandbox.pp.disabled