diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 8fce541..ca76565 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index b519149..4a0ca04 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -6284,7 +6284,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..ab7c054 100644 +index b31c054..891ace5 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6343,16 +6343,18 @@ index b31c054..ab7c054 100644 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -@@ -80,6 +93,8 @@ +@@ -80,7 +93,10 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0) +/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) ++/dev/ndctl[0-9] -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -90,6 +105,7 @@ + /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) +@@ -90,6 +106,7 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) 
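Review bot: `/dev/ndctl[0-9]` in the devices.fc hunk matches a single digit only, so on a host with more than ten nvdimm control devices `/dev/ndctl10` and upward keep the default device label, which falls short of the changelog's stated intent of labelling more than ndctl0. The same file already handles the equivalent case with `/dev/tpm[0-9]*`; `/dev/ndctl[0-9]+ -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)` would cover every numbered instance. The mls_systemhigh range mirrors the adjacent /dev/nvram entry and looks intentional.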
@@ -6360,7 +6362,7 @@ index b31c054..ab7c054 100644 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -106,6 +122,7 @@ +@@ -106,6 +123,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -6368,7 +6370,7 @@ index b31c054..ab7c054 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +135,12 @@ +@@ -118,6 +136,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6381,7 +6383,7 @@ index b31c054..ab7c054 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +152,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +153,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6396,7 +6398,7 @@ index b31c054..ab7c054 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,15 +197,21 @@ ifdef(`distro_suse', ` +@@ -172,15 +198,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) 
@@ -6418,7 +6420,7 @@ index b31c054..ab7c054 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +229,27 @@ ifdef(`distro_debian',` +@@ -198,12 +230,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -25235,7 +25237,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..fe03d6d 100644 +index 2522ca6..a23a472 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -25668,7 +25670,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -345,30 +490,37 @@ optional_policy(` +@@ -345,30 +490,38 @@ optional_policy(` ') optional_policy(` @@ -25681,6 +25683,7 @@ index 2522ca6..fe03d6d 100644 + systemd_login_reboot(sysadm_t) + systemd_login_halt(sysadm_t) + systemd_login_undefined(sysadm_t) ++ systemd_tmpfiles_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -25715,7 +25718,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -380,10 +532,6 @@ optional_policy(` +@@ -380,10 +533,6 @@ optional_policy(` ') optional_policy(` @@ -25726,7 +25729,7 @@ index 2522ca6..fe03d6d 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +539,9 @@ optional_policy(` +@@ -391,6 +540,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25736,7 +25739,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -398,31 +549,34 @@ optional_policy(` +@@ -398,31 +550,34 @@ optional_policy(` ') optional_policy(` 
@@ -25777,7 +25780,7 @@ index 2522ca6..fe03d6d 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +589,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +590,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25788,7 +25791,7 @@ index 2522ca6..fe03d6d 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +609,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +610,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -36737,7 +36740,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..e06e912 100644 +index 17eda24..f8e16bb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37032,7 +37035,7 @@ index 17eda24..e06e912 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,258 @@ ifdef(`distro_gentoo',` +@@ -186,29 +323,259 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37222,6 +37225,7 @@ index 17eda24..e06e912 100644 +systemd_manage_unit_symlinks(initrc_t) +systemd_config_all_services(initrc_t) +systemd_read_unit_files(initrc_t) ++systemd_login_status(init_t) + +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + @@ -37300,7 +37304,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -216,7 +582,30 @@ optional_policy(` +@@ -216,7 +583,30 @@ optional_policy(` ') optional_policy(` @@ -37332,7 +37336,7 @@ index 17eda24..e06e912 100644 ') ######################################## -@@ -225,9 +614,9 @@ optional_policy(` +@@ -225,9 +615,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
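Review bot: `systemd_login_status(init_t)` in the init.te hunk is dropped into a run of `systemd_*(initrc_t)` rules, so a reader auditing that block for initrc_t grants will misattribute it to the wrong domain. Either move it beside the other init_t rules (the surrounding rule run continues outside this hunk) or precede it with a comment such as `# systemd (init_t) queries the logind unit's status`, since the changelog line "Allow systemd to get status of systemd-logind daemon" is the only rationale visible.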
@@ -37344,7 +37348,7 @@ index 17eda24..e06e912 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +647,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +648,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37361,7 +37365,7 @@ index 17eda24..e06e912 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +672,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +673,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37404,7 +37408,7 @@ index 17eda24..e06e912 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +709,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +710,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37416,7 +37420,7 @@ index 17eda24..e06e912 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +721,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +722,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37427,7 +37431,7 @@ index 17eda24..e06e912 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +732,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +733,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -37437,7 +37441,7 @@ index 17eda24..e06e912 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +741,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +742,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37445,7 +37449,7 @@ index 17eda24..e06e912 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +748,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +749,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37453,7 +37457,7 @@ index 17eda24..e06e912 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +756,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +757,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37471,7 +37475,7 @@ index 17eda24..e06e912 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +774,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +775,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37485,7 +37489,7 @@ index 17eda24..e06e912 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +789,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +790,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -37499,7 +37503,7 @@ index 17eda24..e06e912 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +802,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +803,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37510,7 +37514,7 @@ index 17eda24..e06e912 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +815,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +816,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37518,7 +37522,7 @@ index 17eda24..e06e912 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +834,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +835,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37542,7 +37546,7 @@ index 17eda24..e06e912 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +867,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +868,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37550,7 +37554,7 @@ index 17eda24..e06e912 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +901,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +902,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37561,7 +37565,7 @@ index 17eda24..e06e912 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +925,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +926,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -37570,7 +37574,7 @@ index 17eda24..e06e912 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +940,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +941,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37578,7 +37582,7 @@ index 17eda24..e06e912 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +961,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +962,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37586,7 +37590,7 @@ index 17eda24..e06e912 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +971,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +972,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37631,7 +37635,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -559,14 +1016,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1017,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37663,7 +37667,7 @@ index 17eda24..e06e912 100644 ') ') -@@ -577,6 +1051,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1052,39 @@ ifdef(`distro_suse',` ') ') @@ -37703,7 +37707,7 @@ index 17eda24..e06e912 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1096,8 @@ optional_policy(` +@@ -589,6 +1097,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37712,7 +37716,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -610,6 +1119,7 @@ optional_policy(` +@@ -610,6 +1120,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37720,7 +37724,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -626,6 +1136,17 @@ optional_policy(` +@@ -626,6 +1137,17 @@ optional_policy(` ') optional_policy(` 
@@ -37738,7 +37742,7 @@ index 17eda24..e06e912 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1163,13 @@ optional_policy(` +@@ -642,9 +1164,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37752,7 +37756,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -657,15 +1182,11 @@ optional_policy(` +@@ -657,15 +1183,11 @@ optional_policy(` ') optional_policy(` @@ -37770,7 +37774,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -686,6 +1207,15 @@ optional_policy(` +@@ -686,6 +1208,15 @@ optional_policy(` ') optional_policy(` @@ -37786,7 +37790,7 @@ index 17eda24..e06e912 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1256,7 @@ optional_policy(` +@@ -726,6 +1257,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37794,7 +37798,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -743,7 +1274,13 @@ optional_policy(` +@@ -743,7 +1275,13 @@ optional_policy(` ') optional_policy(` @@ -37809,7 +37813,7 @@ index 17eda24..e06e912 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1303,10 @@ optional_policy(` +@@ -766,6 +1304,10 @@ optional_policy(` ') optional_policy(` @@ -37820,7 +37824,7 @@ index 17eda24..e06e912 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1316,20 @@ optional_policy(` +@@ -775,10 +1317,20 @@ optional_policy(` ') optional_policy(` @@ -37841,7 +37845,7 @@ index 17eda24..e06e912 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1338,10 @@ optional_policy(` +@@ -787,6 +1339,10 @@ optional_policy(` ') optional_policy(` @@ -37852,7 +37856,7 @@ index 17eda24..e06e912 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1363,6 @@ optional_policy(` +@@ -808,8 +1364,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -37861,7 +37865,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -818,6 +1371,10 @@ optional_policy(` +@@ -818,6 +1372,10 @@ optional_policy(` ') optional_policy(` @@ -37872,7 +37876,7 @@ index 17eda24..e06e912 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1384,12 @@ optional_policy(` +@@ -827,10 +1385,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37885,7 +37889,7 @@ index 17eda24..e06e912 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1416,60 @@ optional_policy(` +@@ -857,21 +1417,60 @@ optional_policy(` ') optional_policy(` @@ -37947,7 +37951,7 @@ index 17eda24..e06e912 100644 ') optional_policy(` -@@ -887,6 +1485,10 @@ optional_policy(` +@@ -887,6 +1486,10 @@ optional_policy(` ') optional_policy(` @@ -37958,7 +37962,7 @@ index 17eda24..e06e912 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1499,218 @@ optional_policy(` +@@ -897,3 +1500,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -46509,10 +46513,10 @@ index 0000000..8b77d7a +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..513b97b +index 0000000..16cd1ac --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1738 @@ +@@ -0,0 +1,1763 @@ +## SELinux policy for systemd components + +###################################### 
@@ -47119,6 +47123,31 @@ index 0000000..513b97b + +######################################## +## ++## Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and ++## allow the specified role the systemd_tmpfiles domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the systemd_tmpfiles domain. ++## ++## ++# ++interface(`systemd_tmpfiles_run',` ++ gen_require(` ++ type systemd_tmpfiles_t; ++ ') ++ ++ systemd_passwd_agent_domtrans($1) ++ role $2 types systemd_tmpfiles_t; ++') ++ ++######################################## ++## +## Role access for systemd_passwd_agent +## +## diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index b136566..937e5ee 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -28782,7 +28782,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..50e7985 100644 +index 98072a3..73c5573 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28851,7 +28851,7 @@ index 98072a3..50e7985 100644 -sysnet_read_config(firewalld_t) +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) -+sysnet_create_config(firewalld_t) ++sysnet_manage_config(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) @@ -45804,10 +45804,10 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..5160f96 100644 +index be0ab84..6f475e4 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) +@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) # Declarations # @@ -45820,6 +45820,13 @@ index be0ab84..5160f96 100644 +## +gen_tunable(logrotate_use_nfs, false) + ++## ++##
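Review bot: The body of the new `systemd_tmpfiles_run` interface in systemd.if calls `systemd_passwd_agent_domtrans($1)`, so a caller receives a transition into the passwd-agent domain while `role $2 types systemd_tmpfiles_t;` authorises a domain it can never actually enter; the doc header and the changelog both promise a transition into systemd_tmpfiles_t, and the `Role access for systemd_passwd_agent` context that follows suggests the neighbouring interface was copied without adjusting the domtrans line. As a consequence the sysadm.te hunk's `systemd_tmpfiles_run(sysadm_t, sysadm_r)` grants sysadm_t passwd-agent execution rather than tmpfiles execution. Replace the line with `systemd_tmpfiles_domtrans($1)` if this file provides that interface (not visible in the hunk); otherwise inline `domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)` and add `type systemd_tmpfiles_exec_t;` to the gen_require block.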
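Review bot: Changing `sysnet_create_config(firewalld_t)` to `sysnet_manage_config(firewalld_t)` in firewalld.te, combined with the `sysnet_manage_config_dirs` grant directly above it, gives firewalld_t write, rename and unlink over every net_conf_t file instead of creation alone. The changelog shows this broadening is deliberate, but nothing in the hunk records which file firewalld has to rewrite in place; a comment above the line, e.g. `# firewalld rewrites <net_conf_t file — fill in> in place; create alone was insufficient`, would let a later pass narrow this back to a write-only interface if the full manage set turns out not to be exercised.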

++## Allow logrotate to read logs inside ++##

++##
++gen_tunable(logrotate_read_inside_containers, false) ++ type logrotate_t; -type logrotate_exec_t; @@ -45834,7 +45841,7 @@ index be0ab84..5160f96 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +31,30 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +38,30 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -45871,7 +45878,7 @@ index be0ab84..5160f96 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +63,52 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +70,52 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -45929,7 +45936,7 @@ index be0ab84..5160f96 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +126,55 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +133,55 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -45947,8 +45954,7 @@ index be0ab84..5160f96 100644 +# cjp: why is this needed? logging_exec_all_logs(logrotate_t) +logging_systemctl_syslogd(logrotate_t) - --miscfiles_read_localization(logrotate_t) ++ +systemd_exec_systemctl(logrotate_t) +systemd_getattr_unit_files(logrotate_t) +systemd_start_all_unit_files(logrotate_t) 
@@ -45957,12 +45963,13 @@ index be0ab84..5160f96 100644 +systemd_dbus_chat_logind(logrotate_t) +init_stream_connect(logrotate_t) --seutil_dontaudit_read_config(logrotate_t) +-miscfiles_read_localization(logrotate_t) +miscfiles_read_hwdata(logrotate_t) --userdom_use_user_terminals(logrotate_t) +-seutil_dontaudit_read_config(logrotate_t) +term_dontaudit_use_unallocated_ttys(logrotate_t) -+ + +-userdom_use_user_terminals(logrotate_t) +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) @@ -45991,7 +45998,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -135,16 +189,17 @@ optional_policy(` +@@ -135,16 +196,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -46011,7 +46018,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -170,6 +225,11 @@ optional_policy(` +@@ -170,6 +232,11 @@ optional_policy(` ') optional_policy(` @@ -46023,7 +46030,7 @@ index be0ab84..5160f96 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +238,7 @@ optional_policy(` +@@ -178,7 +245,7 @@ optional_policy(` ') optional_policy(` @@ -46032,7 +46039,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -198,17 +258,18 @@ optional_policy(` +@@ -198,17 +265,18 @@ optional_policy(` ') optional_policy(` @@ -46054,7 +46061,7 @@ index be0ab84..5160f96 100644 ') optional_policy(` -@@ -216,6 +277,14 @@ optional_policy(` +@@ -216,6 +284,14 @@ optional_policy(` ') optional_policy(` @@ -46069,7 +46076,7 @@ index be0ab84..5160f96 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +297,43 @@ optional_policy(` +@@ -228,26 +304,50 @@ optional_policy(` ') optional_policy(` @@ -46103,6 +46110,13 @@ index be0ab84..5160f96 100644 + virt_manage_cache(logrotate_t) +') + ++ ++optional_policy(` ++ tunable_policy(`logrotate_read_inside_containers',` ++ virt_read_sandbox_files(logrotate_t) ++ ') ++') ++ ####################################### # -# Mail local policy 
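Review bot: The new `optional_policy` wrapping `tunable_policy(`logrotate_read_inside_containers', ...)` in logrotate.te is introduced as a separate block after two consecutive blank `+` lines, immediately below an `optional_policy` block that already carries the virt rules (`virt_manage_cache(logrotate_t)`). Folding the `tunable_policy` into that existing virt block and dropping the duplicate blank line keeps every virt-conditional grant for logrotate_t in one place and matches the file's one-blank-line spacing; the tunable declaration itself lives in the earlier hunk near the top of the file.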
@@ -49756,10 +49770,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..66c45cb +index 0000000..942a31e --- /dev/null +++ b/mock.te -@@ -0,0 +1,284 @@ +@@ -0,0 +1,286 @@ +policy_module(mock,1.0.0) + +## @@ -49892,10 +49906,12 @@ index 0000000..66c45cb +selinux_get_enforce_mode(mock_t) + +term_search_ptys(mock_t) ++term_use_generic_ptys(mock_t) +term_mount_pty_fs(mock_t) +term_unmount_pty_fs(mock_t) +term_use_ptmx(mock_t) + ++ +auth_use_nsswitch(mock_t) + +init_exec(mock_t) @@ -64044,10 +64060,10 @@ index 0000000..eac3932 +') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 -index 0000000..a0e817d +index 0000000..83507cf --- /dev/null +++ b/opendnssec.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,59 @@ +policy_module(opendnssec, 1.0.0) + +######################################## @@ -64078,7 +64094,7 @@ index 0000000..a0e817d +allow opendnssec_t self:capability { chown setgid setuid sys_chroot }; +allow opendnssec_t self:process { fork signal_perms }; +allow opendnssec_t self:fifo_file rw_fifo_file_perms; -+allow opendnssec_t self:unix_stream_socket create_stream_socket_perms; ++allow opendnssec_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) +manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) @@ -64100,6 +64116,10 @@ index 0000000..a0e817d +logging_send_syslog_msg(opendnssec_t) + +optional_policy(` ++ bind_manage_cache(opendnssec_t) ++') ++ ++optional_policy(` + ipa_manage_lib(opendnssec_t) +') + @@ -66896,7 +66916,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..370dd38 100644 +index 44dbc99..34682ff 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; 
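Review bot: The mock.te hunk adds an extra blank `+` line after `term_use_ptmx(mock_t)` alongside the new `term_use_generic_ptys(mock_t)`, leaving two blank lines before `auth_use_nsswitch(mock_t)` where the surrounding file uses one. Drop the added `++` blank line; the new rule itself is placed correctly within the term_* group.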
@@ -66962,7 +66982,7 @@ index 44dbc99..370dd38 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -63,35 +67,51 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) +@@ -63,35 +67,52 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -66984,6 +67004,7 @@ index 44dbc99..370dd38 100644 +corenet_tcp_connect_xodbc_connect_port(openvswitch_t) +corenet_tcp_connect_ovsdb_port(openvswitch_t) +corenet_tcp_connect_openflow_port(openvswitch_t) ++corenet_tcp_connect_openvswitch_port(openvswitch_t) +corenet_tcp_bind_generic_node(openvswitch_t) +corenet_tcp_bind_openvswitch_port(openvswitch_t) @@ -88452,7 +88473,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..cb5f49c 100644 +index d32e1a2..1271bf3 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -88495,7 +88516,7 @@ index d32e1a2..cb5f49c 100644 files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) -+kernel_read_sysctl(rhsmcertd_t) ++kernel_read_net_sysctls(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +kernel_read_sysctl(rhsmcertd_t) + @@ -104232,7 +104253,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..c420309 100644 +index 2d8db1f..864ea2f 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) 
@@ -104300,7 +104321,7 @@ index 2d8db1f..c420309 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +86,35 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +86,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -104310,6 +104331,7 @@ index 2d8db1f..c420309 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) ++fs_getattr_xattr_fs(sssd_t) selinux_validate_context(sssd_t) +seutil_read_config(sssd_t) @@ -104340,7 +104362,7 @@ index 2d8db1f..c420309 100644 init_read_utmp(sssd_t) -@@ -112,18 +122,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +123,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 987e15a..f8b6036 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.5%{?dist} +Release: 191.6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -645,6 +645,25 @@ exit 0 %endif %changelog +* Mon Jul 18 2016 Lukas Vrabec 3.13.1-191.6 +- Remove double graphite-web context declaration +- Fix typo in rhsmcertd SELinux policy +- Allow firewalld to manage net_conf_t files +- Allow logrotate read logs inside containers. +- Allow sssd to getattr on fs_t +- Allow opendnssec domain to manage bind chace files +- Allow rhsmcertd to read network sysctls +- Label /var/log/graphite-web dir as httpd_log_t +- Allow mock to use generic ptys +- Allow openvswitch connect to openvswitch_port_t type. +- Allow lttng tools to block suspending +- Allow creation of vpnaas in openstack +- Allow systemd to get status of systemd-logind daemon +- Label more ndctl devices not just ndctl0 +- label /dev/ndctl0 device as nvram_device_t +- Allow sysadm user to run systemd-tmpfiles +- Add interface systemd_tmpfiles_run + * Mon Jul 11 2016 Lukas Vrabec 3.13.1-191.5 - Bump release - Fix the version of policy