diff --git a/policy-f22-base.patch b/policy-f22-base.patch index 4e06132..7b76770 100644 --- a/policy-f22-base.patch +++ b/policy-f22-base.patch @@ -34191,7 +34191,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..3c2729f 100644 +index be8ed1e..660ef80 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,18 @@ role iptables_roles types iptables_t; @@ -34304,11 +34304,12 @@ index be8ed1e..3c2729f 100644 ') optional_policy(` -@@ -110,6 +125,11 @@ optional_policy(` +@@ -110,6 +125,12 @@ optional_policy(` ') optional_policy(` + firewalld_read_config(iptables_t) ++ firewalld_read_pid_files(iptables_t) + firewalld_dontaudit_write_tmp_files(iptables_t) +') + @@ -34316,7 +34317,7 @@ index be8ed1e..3c2729f 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +144,16 @@ optional_policy(` +@@ -124,6 +145,16 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -34333,7 +34334,7 @@ index be8ed1e..3c2729f 100644 ') optional_policy(` -@@ -135,9 +165,9 @@ optional_policy(` +@@ -135,9 +166,9 @@ optional_policy(` ') optional_policy(` @@ -41428,10 +41429,10 @@ index a392fc4..2121526 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..a03b5ee +index 0000000..946cdb9 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,51 @@ +@@ -0,0 +1,52 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
@@ -41477,6 +41478,7 @@ index 0000000..a03b5ee +/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) ++/var/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) +/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) @@ -41485,10 +41487,10 @@ index 0000000..a03b5ee +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..cde0261 +index 0000000..6162ce0 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1497 @@ +@@ -0,0 +1,1498 @@ +## SELinux policy for systemd components + +###################################### @@ -42604,6 +42606,7 @@ index 0000000..cde0261 + ') + + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") ++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") + files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) @@ -42988,10 +42991,10 @@ index 0000000..cde0261 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..29270dd +index 0000000..283e9f8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,732 @@ +@@ -0,0 +1,734 @@ +policy_module(systemd, 1.0.0) + +####################################### 
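Review bot: The added `files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown")` names object class `file` in the generic pid directory, while the new systemd.fc entry `/var/run/systemd/shutdown(/.*)?` and the changelog both describe a directory under /var/run/systemd. The neighbouring lines use `init_named_pid_filetrans(..., dir, "ask-password-block")` for paths under /var/run/systemd, so the intended form is probably `init_named_pid_filetrans($1, systemd_logind_var_run_t, dir, "shutdown")`. As written, the transition would presumably match a file named shutdown directly in /var/run, and the new directory would keep its parent's label until relabelled. The enclosing interface starts and ends outside this hunk, so confirm against its full body.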
@@ -43183,6 +43186,7 @@ index 0000000..29270dd +init_dbus_chat(systemd_logind_t) +init_dbus_chat_script(systemd_logind_t) +init_read_script_state(systemd_logind_t) ++init_read_utmp(systemd_logind_t) +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) @@ -43190,6 +43194,7 @@ index 0000000..29270dd +udev_read_db(systemd_logind_t) +udev_manage_rules_files(systemd_logind_t) + ++userdom_destroy_unpriv_user_shared_mem(systemd_logind_t) +userdom_read_all_users_state(systemd_logind_t) +userdom_use_user_ttys(systemd_logind_t) +userdom_manage_tmp_role(system_r, systemd_logind_t) @@ -45137,7 +45142,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..86cd136 100644 +index 9dc60c6..0a36cde 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
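Review bot: `userdom_destroy_unpriv_user_shared_mem(systemd_logind_t)` covers only SysV shared memory owned by `unpriv_userdomain`, although the changelog describes logind removing all IPC objects a user owns at logout. Nothing in the visible systemd_logind_t lines grants the matching removal for semaphores or message queues, or for users outside that attribute, so those cleanups would presumably still be denied and leave stale IPC objects behind. If the limit is intended, a comment above the call such as `# logout IPC cleanup: shm only; sem and msgq removal not granted here` would record it; otherwise add the parallel grants in the same change.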
@@ -48000,123 +48005,123 @@ index 9dc60c6..86cd136 100644 ') ######################################## -@@ -2955,69 +3935,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3935,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') --######################################## +##################################### - ## --## Execute an Xserver session in all unprivileged user domains. This --## is an explicit transition, requiring the --## caller to use setexeccon(). ++## +## Allow domain dyntrans to unpriv userdomain. - ## - ## --## --## Domain allowed to transition. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`userdom_xsession_spec_domtrans_unpriv_users',` -- gen_require(` -- attribute unpriv_userdomain; -- ') ++## ++# +interface(`userdom_dyntransition_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') - -- xserver_xsession_spec_domtrans($1, unpriv_userdomain) -- allow unpriv_userdomain $1:fd use; -- allow unpriv_userdomain $1:fifo_file rw_file_perms; -- allow unpriv_userdomain $1:process sigchld; ++ + allow $1 unpriv_userdomain:process dyntransition; ++') ++ ++#################################### ++## ++## Allow domain dyntrans to admin userdomain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dyntransition_admin_users',` ++ gen_require(` ++ attribute admindomain; ++ ') ++ ++ allow $1 admindomain:process dyntransition; ++') ++ + ######################################## + ## + ## Execute an Xserver session in all unprivileged user domains. This +@@ -2978,24 +3994,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; ') -####################################### -+#################################### - ## +-## -## Read and write unpriviledged user SysV sempaphores. -+## Allow domain dyntrans to admin userdomain. - ## - ## +-## +-## -## -## Domain allowed access. 
-## -+## -+## Domain allowed access. -+## - ## - # +-## +-# -interface(`userdom_rw_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') -+interface(`userdom_dyntransition_admin_users',` -+ gen_require(` -+ attribute admindomain; -+ ') - +- - allow $1 unpriv_userdomain:sem rw_sem_perms; -+ allow $1 admindomain:process dyntransition; +-') +- + ######################################## + ## + ## Manage unpriviledged user SysV sempaphores. +@@ -3014,9 +4012,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` + allow $1 unpriv_userdomain:sem create_sem_perms; ') - ######################################## +-####################################### ++######################################## ## --## Manage unpriviledged user SysV sempaphores. -+## Execute an Xserver session in all unprivileged user domains. This -+## is an explicit transition, requiring the -+## caller to use setexeccon(). +-## Read and write unpriviledged user SysV shared ++## Manage unpriviledged user SysV shared + ## memory segments. ## ## - ## --## Domain allowed access. -+## Domain allowed to transition. 
+@@ -3025,17 +4023,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # --interface(`userdom_manage_unpriv_user_semaphores',` -+interface(`userdom_xsession_spec_domtrans_unpriv_users',` +-interface(`userdom_rw_unpriv_user_shared_mem',` ++interface(`userdom_manage_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') -- allow $1 unpriv_userdomain:sem create_sem_perms; -+ xserver_xsession_spec_domtrans($1, unpriv_userdomain) -+ allow unpriv_userdomain $1:fd use; -+ allow unpriv_userdomain $1:fifo_file rw_file_perms; -+ allow unpriv_userdomain $1:process sigchld; +- allow $1 unpriv_userdomain:shm rw_shm_perms; ++ allow $1 unpriv_userdomain:shm create_shm_perms; ') --####################################### -+######################################## + ######################################## ## --## Read and write unpriviledged user SysV shared --## memory segments. -+## Manage unpriviledged user SysV sempaphores. +-## Manage unpriviledged user SysV shared ++## Destroy unpriviledged user SysV shared + ## memory segments. ## ## - ## -@@ -3025,12 +4004,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3044,12 +4042,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # --interface(`userdom_rw_unpriv_user_shared_mem',` -+interface(`userdom_manage_unpriv_user_semaphores',` +-interface(`userdom_manage_unpriv_user_shared_mem',` ++interface(`userdom_destroy_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') -- allow $1 unpriv_userdomain:shm rw_shm_perms; -+ allow $1 unpriv_userdomain:sem create_sem_perms; +- allow $1 unpriv_userdomain:shm create_shm_perms; ++ allow $1 unpriv_userdomain:shm destroy; ') ######################################## -@@ -3094,7 +4073,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4092,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
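Review bot: The summary of the new `userdom_destroy_unpriv_user_shared_mem` interface carries over the misspelling "unpriviledged" and does not say how narrow the grant is. Since the body is only `allow $1 unpriv_userdomain:shm destroy;`, the summary could read `Destroy (remove) unprivileged user SysV shared memory segments; does not grant read or write access to their contents.` so that callers do not reach for the broader `userdom_manage_unpriv_user_shared_mem` by default. The same spelling fix applies to the summary of the renamed manage interface in this hunk.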
@@ -48125,7 +48130,7 @@ index 9dc60c6..86cd136 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4089,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4108,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -48159,7 +48164,7 @@ index 9dc60c6..86cd136 100644 ') ######################################## -@@ -3214,7 +4177,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4196,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -48186,7 +48191,7 @@ index 9dc60c6..86cd136 100644 ') ######################################## -@@ -3269,12 +4250,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4269,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -48202,7 +48207,7 @@ index 9dc60c6..86cd136 100644 ## ## ## -@@ -3282,46 +4264,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,49 +4283,125 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -48260,8 +48265,9 @@ index 9dc60c6..86cd136 100644 gen_require(` - attribute userdomain; + type user_tmp_t; -+ ') -+ + ') + +- allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + @@ -48335,10 +48341,13 @@ index 9dc60c6..86cd136 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; - ') ++ ') ++ ++ allow $1 userdomain:process getattr; + ') - allow $1 userdomain:process getattr; -@@ -3382,6 +4440,42 @@ interface(`userdom_signal_all_users',` + ######################################## +@@ -3382,6 +4459,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -48381,7 +48390,7 @@ index 9dc60c6..86cd136 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4496,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4515,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -48442,7 +48451,7 @@ index 9dc60c6..86cd136 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4583,1691 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4602,1691 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch index db6cea4..e127d19 100644 --- a/policy-f22-contrib.patch +++ b/policy-f22-contrib.patch @@ -3143,10 +3143,10 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..12349f3 +index 0000000..d8b04b5 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,272 @@ +@@ -0,0 +1,273 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3261,6 +3261,7 @@ index 0000000..12349f3 + +corenet_all_recvfrom_netlabel(antivirus_t) +corenet_tcp_bind_all_unreserved_ports(antivirus_t) ++corenet_dontaudit_tcp_bind_all_reserved_ports(antivirus_t) +corenet_tcp_sendrecv_generic_if(antivirus_t) +corenet_udp_sendrecv_generic_if(antivirus_t) +corenet_tcp_sendrecv_generic_node(antivirus_domain) @@ -28776,7 +28777,7 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index c62c567..6460877 100644 +index c62c567..2d9e254 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,7 +2,7 @@ @@ -28857,7 +28858,7 @@ index c62c567..6460877 100644 ## ## ## -@@ -51,18 +93,18 @@ interface(`firewalld_dbus_chat',` +@@ -51,18 +93,37 @@ interface(`firewalld_dbus_chat',` ## ## # 
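Review bot: `corenet_dontaudit_tcp_bind_all_reserved_ports(antivirus_t)` in the antivirus.te hunk silences the denial without a stated reason, and the spec changelog in this commit has no entry for it. A dontaudit rule removes the AVC record that would otherwise show an antivirus process trying to bind a privileged port, so it costs detection signal as well as log noise. Please add a comment above the line naming the benign cause, for example `# <bug reference>: bind attempts on reserved ports from <component>, denied and not audited`, and a changelog line, so the suppression can be revisited later.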
@@ -28875,12 +28876,31 @@ index c62c567..6460877 100644 ## -## All of the rules required to -## administrate an firewalld environment. ++## Read firewalld PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`firewalld_read_pid_files',` ++ gen_require(` ++ type firewalld_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 firewalld_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an firewalld environment ## ## ## -@@ -79,14 +121,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',` +@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',` interface(`firewalld_admin',` gen_require(` type firewalld_t, firewalld_initrc_exec_t; @@ -28902,7 +28922,7 @@ index c62c567..6460877 100644 domain_system_change_exemption($1) role_transition $2 firewalld_initrc_exec_t system_r; allow $2 system_r; -@@ -97,6 +143,9 @@ interface(`firewalld_admin',` +@@ -97,6 +162,9 @@ interface(`firewalld_admin',` logging_search_logs($1) admin_pattern($1, firewalld_var_log_t) @@ -28915,7 +28935,7 @@ index c62c567..6460877 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..1b550dd 100644 +index 98072a3..d5d852e 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28943,7 +28963,7 @@ index 98072a3..1b550dd 100644 allow firewalld_t firewalld_var_log_t:file append_file_perms; allow firewalld_t firewalld_var_log_t:file create_file_perms; -@@ -48,8 +56,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) +@@ -48,8 +56,14 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) allow firewalld_t firewalld_tmp_t:file mmap_file_perms; 
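Review bot: `firewalld_read_pid_files` grants `allow $1 firewalld_var_run_t:file read_file_perms;` but no search permission on directories of that type, while the same commit lets firewalld create a firewalld_var_run_t directory in the pid location. If the files iptables needs live inside that new directory, the caller would still be denied at the directory lookup. Replacing the allow line with `read_files_pattern($1, firewalld_var_run_t, firewalld_var_run_t)` keeps the interface read-only and covers both the directory search and the file read.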
@@ -28952,12 +28972,14 @@ index 98072a3..1b550dd 100644 +allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms; + manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) - files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) +-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) ++manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) ++files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir }) +can_exec(firewalld_t, firewalld_var_run_t) kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +76,19 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,19 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28984,7 +29006,7 @@ index 98072a3..1b550dd 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +107,10 @@ optional_policy(` +@@ -95,6 +108,10 @@ optional_policy(` ') optional_policy(` @@ -98650,7 +98672,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..2794505 100644 +index cc58e35..d20d0ed 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) @@ -99194,7 +99216,7 @@ index cc58e35..2794505 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +450,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +450,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -99204,6 +99226,7 @@ index cc58e35..2794505 100644 corenet_tcp_bind_spamd_port(spamd_t) - -corenet_sendrecv_razor_client_packets(spamd_t) ++corenet_tcp_connect_all_unreserved_ports(spamd_t) +corenet_tcp_connect_spamd_port(spamd_t) corenet_tcp_connect_razor_port(spamd_t) - 
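Review bot: `files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir })` is an unnamed transition, so every file or directory firewalld_t creates in the pid directory becomes firewalld_var_run_t, and the context line right after it keeps `can_exec(firewalld_t, firewalld_var_run_t)`. Together with the new `manage_dirs_pattern`, that gives the daemon a directory tree it can both write and execute from. If the directory has a fixed name, a named transition such as `files_pid_filetrans(firewalld_t, firewalld_var_run_t, dir, "<dirname>")` would be tighter. No firewalld.fc change is visible in this commit, so check that the directory also has a file-context entry; without one, a relabel would presumably reset it to the generic pid type.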
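Review bot: `corenet_tcp_connect_all_unreserved_ports(spamd_t)` is a broad outbound grant for a daemon that parses untrusted mail, and the spec changelog in this commit does not mention it. The lines around it already allow the specific `corenet_tcp_connect_spamd_port` and `corenet_tcp_connect_razor_port`, so the blanket rule lets a compromised spamd reach any unreserved TCP port rather than only the services it is known to use. Consider limiting the grant to the port types that triggered the denial, or placing it under a boolean that defaults to off, and add a changelog entry with the bug reference. The rest of the spamd_t network block lies outside this hunk.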
@@ -99298,7 +99321,7 @@ index cc58e35..2794505 100644 ') optional_policy(` -@@ -421,21 +521,13 @@ optional_policy(` +@@ -421,21 +522,13 @@ optional_policy(` ') optional_policy(` @@ -99322,7 +99345,7 @@ index cc58e35..2794505 100644 ') optional_policy(` -@@ -443,8 +535,8 @@ optional_policy(` +@@ -443,8 +536,8 @@ optional_policy(` ') optional_policy(` @@ -99332,7 +99355,7 @@ index cc58e35..2794505 100644 ') optional_policy(` -@@ -455,7 +547,17 @@ optional_policy(` +@@ -455,7 +548,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -99351,7 +99374,7 @@ index cc58e35..2794505 100644 ') optional_policy(` -@@ -463,9 +565,9 @@ optional_policy(` +@@ -463,9 +566,9 @@ optional_policy(` ') optional_policy(` @@ -99362,7 +99385,7 @@ index cc58e35..2794505 100644 ') optional_policy(` -@@ -474,32 +576,32 @@ optional_policy(` +@@ -474,32 +577,32 @@ optional_policy(` ######################################## # @@ -99405,7 +99428,7 @@ index cc58e35..2794505 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +610,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +611,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a38d185..8b544ec 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 128.22%{?dist} +Release: 128.23%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -606,6 +606,16 @@ exit 0 %endif %changelog +* Tue Dec 15 2015 Lukas Vrabec 3.13.1-128.23 +- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243) +- Add interface firewalld_read_pid_files() +- Allow iptables to read firewalld pid files. BZ(1291243) +- Merge pull request #82 from vmojzis/f22-base +- Allow systemd-logind to read /run/utmp when shutdown is invoked. +- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. +- Add userdom_destroy_unpriv_user_shared_mem() interface. +- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked. + * Tue Dec 09 2015 Lukas Vrabec 3.13.1-128.22 - Allow arpwatch to create netlink netfilter sockets. BZ(1282139) - Allow virt_domain to create socket file in /tmp. BZ(1268638)