diff --git a/policy-f20-base.patch b/policy-f20-base.patch index cc34165..880e282 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -5604,7 +5604,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..72e1a41 100644 +index 4edc40d..77dedae 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5863,7 +5863,7 @@ index 4edc40d..72e1a41 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,51 +268,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,64 +268,73 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5872,7 +5872,7 @@ index 4edc40d..72e1a41 100644 network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) -+network_port(neutron, tcp,9696,s0) ++network_port(neutron, tcp,9696,s0, tcp,9697,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) @@ -5932,7 +5932,10 @@ index 4edc40d..72e1a41 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +330,10 @@ network_port(varnishd, tcp,6081-6082,s0) + network_port(utcpserver) # no defined portcon + network_port(uucpd, tcp,540,s0) ++network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0) + network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) 
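Review bot: The new `network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)` line in the @@ -5932 hunk claims both protocols on both ports, while the only consumer this diff adds (`corenet_tcp_bind_us_cli_port(motion_t)` in the contrib patch) binds TCP only and the changelog entry says "tcp/8082". If nothing needs the UDP portcons, dropping them keeps every domain later granted the us_cli interfaces from also owning those UDP ports; if they are needed, a trailing comment naming the service would record it, and the neighbouring `network_port(utcpserver) # no defined portcon` shows the file already tolerates such comments. Since `network_port(transproxy, tcp,8081,s0)` sits a few lines above and this hunk shows only a slice of corenetwork.te.in, it is also worth checking that 8082/8083 are not already assigned to another port type elsewhere in the file.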
@@ -5945,7 +5948,7 @@ index 4edc40d..72e1a41 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -285,19 +347,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -285,19 +348,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5972,7 +5975,7 @@ index 4edc40d..72e1a41 100644 ######################################## # -@@ -330,6 +396,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +397,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5981,7 +5984,7 @@ index 4edc40d..72e1a41 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +410,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +411,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -15677,7 +15680,7 @@ index 148d87a..b5a89ba 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index cda5588..924f856 100644 +index cda5588..7b26d12 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1,9 +1,12 @@ @@ -15708,8 +15711,8 @@ index cda5588..924f856 100644 +/usr/lib/udev/devices/hugepages/.* <> +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> -+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) -+/var/run/[^/]*/gvfs/.* <> ++/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) ++/var/run/user/[^/]*/gvfs/.* <> 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 8416beb..c6cd3eb 100644 --- a/policy/modules/kernel/filesystem.if diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 3873d91..c36d9a5 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -23880,10 +23880,10 @@ index 0000000..66fe66d +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..fcf810d +index 0000000..73e71c1 --- /dev/null +++ b/docker.te -@@ -0,0 +1,272 @@ +@@ -0,0 +1,274 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23983,6 +23983,7 @@ index 0000000..fcf810d +manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto }; +files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) + +manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) @@ -24021,6 +24022,7 @@ index 0000000..fcf810d + +fs_read_cgroup_files(docker_t) +fs_read_tmpfs_symlinks(docker_t) ++fs_getattr_all_fs(docker_t) + +storage_raw_rw_fixed_disk(docker_t) + @@ -44098,10 +44100,10 @@ index 0000000..39f4a04 +') diff --git a/motion.te b/motion.te new file mode 100644 -index 0000000..b694afc +index 0000000..c7f4eb5 --- /dev/null +++ b/motion.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,65 @@ +policy_module(motion, 1.0.0) + +######################################## @@ -44130,7 +44132,7 @@ index 0000000..b694afc +# motion local policy +# +allow motion_t self:udp_socket { create connect getattr }; -+allow motion_t self:tcp_socket { bind create setopt listen }; ++allow motion_t self:tcp_socket create_stream_socket_perms; +allow motion_t self:netlink_route_socket r_netlink_socket_perms; + +manage_dirs_pattern(motion_t, motion_log_t, motion_log_t) 
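Review bot: The new `allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };` in the @@ -23983 hunk carries no comment, and what it grants is narrower than it reads: because both relabelfrom and relabelto name only docker_var_lib_t, a relabel may change the user, role or MLS/MCS range of a file but never its type. If the intent is range changes under /var/lib/docker, a comment such as `# relabel within docker_var_lib_t only (no type change); needed for <reason>` would make that explicit; if the intent is to relabel to another type (for example the sandbox file type), this rule will not cover it and the denial will persist. The other docker addition, `fs_getattr_all_fs(docker_t)` in the @@ -24021 hunk, is broad but limited to getattr on filesystem objects, so it needs no further change.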
@@ -44147,6 +44149,7 @@ index 0000000..b694afc + +corenet_tcp_bind_http_cache_port(motion_t) +corenet_tcp_bind_transproxy_port(motion_t) ++corenet_tcp_bind_us_cli_port(motion_t) +corenet_tcp_connect_http_port(motion_t) +corenet_tcp_bind_generic_node(motion_t) + @@ -101591,7 +101594,7 @@ index 9dec06c..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..b1ba89c 100644 +index 1f22fba..f618cd0 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,209 @@ @@ -103037,7 +103040,7 @@ index 1f22fba..b1ba89c 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1126,294 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1126,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -103094,6 +103097,7 @@ index 1f22fba..b1ba89c 100644 +allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow svirt_sandbox_domain self:passwd rootok; ++allow svirt_sandbox_domain self:filesystem associate; + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; @@ -103267,6 +103271,7 @@ index 1f22fba..b1ba89c 100644 + docker_manage_lib_files(svirt_lxc_net_t) + docker_manage_lib_dirs(svirt_lxc_net_t) + docker_read_share_files(svirt_sandbox_domain) ++ docker_exec_lib(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) +') @@ -103294,7 +103299,7 @@ index 1f22fba..b1ba89c 100644 +') + +tunable_policy(`virt_use_samba',` -+ fs_manage_nfs_files(svirt_sandbox_domain) ++ fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_files(svirt_sandbox_domain) + fs_read_cifs_symlinks(svirt_sandbox_domain) ') 
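Review bot: `docker_exec_lib(svirt_sandbox_domain)` in the @@ -103267 hunk grants execute on docker's lib content to every sandbox domain, while the two lines above it already give svirt_lxc_net_t `docker_manage_lib_files` and `docker_manage_lib_dirs`; if svirt_lxc_net_t carries the svirt_sandbox_domain attribute (the surrounding block suggests it does), that domain can now both write and execute the same docker_var_lib_t files, which removes the write-versus-execute separation the sandbox otherwise keeps. Consider granting exec only to the specific domains that need it, or, if a container genuinely has to run binaries the host stores there, put a one-line comment above the call stating that. The enclosing block (presumably an optional_policy for docker) opens before this hunk, so the full set of docker grants is not visible here.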
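Review bot: After the @@ -103294 hunk the `virt_use_samba` tunable contains `fs_manage_cifs_files(svirt_sandbox_domain)` twice — the rewritten line and the unchanged context line directly beneath it. Duplicate rules compile fine, so this is not a functional defect, but the repeat reads as if two different calls were intended; drop one so the block is just `fs_manage_cifs_files(svirt_sandbox_domain)` followed by `fs_read_cifs_symlinks(svirt_sandbox_domain)`.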
@@ -103469,7 +103474,7 @@ index 1f22fba..b1ba89c 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1426,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1428,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -103484,7 +103489,7 @@ index 1f22fba..b1ba89c 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1444,8 @@ optional_policy(` +@@ -1183,9 +1446,8 @@ optional_policy(` ######################################## # @@ -103495,7 +103500,7 @@ index 1f22fba..b1ba89c 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1458,218 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1460,218 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index b32d916..f22b575 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 158%{?dist} +Release: 159%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri May 02 2014 Lukas Vrabec 3.12.1-159 +- Add support for us_cli ports +- Fix labeling for /var/run/user//gvfs +- add support for tcp/9697 +- Additional rules required by openstack, needs backport to F20 and RHEL7 +- Additional access required by docker +- ALlow motion to use tcp/8082 port + * Fri Apr 25 2014 Lukas Vrabec 3.12.1-158 - Fix bug in policy, needs back port to RHEL7/RHEL6 - optional can not be used in boolean. But we want to call ldap_read_certs() in sysnet_use_ldap