diff --git a/policy-f20-base.patch b/policy-f20-base.patch index cda5ab2..aea367d 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -8742,7 +8742,7 @@ index 6529bd9..b31a5e8 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..84e8030 100644 +index 6a1e4d1..1b9b0b5 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -8860,6 +8860,24 @@ index 6a1e4d1..84e8030 100644 ## Relabel to and from all entry point ## file types. ## +@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',` + ## + ## Ability to mmap a low area of the address + ## space conditionally, as configured by +-## /proc/sys/kernel/mmap_min_addr. ++## /proc/sys/vm/mmap_min_addr. + ## Preventing such mappings helps protect against + ## exploiting null deref bugs in the kernel. + ## +@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',` + ## + ## Ability to mmap a low area of the address + ## space unconditionally, as configured +-## by /proc/sys/kernel/mmap_min_addr. ++## by /proc/sys/vm/mmap_min_addr. + ## Preventing such mappings helps protect against + ## exploiting null deref bugs in the kernel. + ## @@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',` ######################################## @@ -8950,10 +8968,10 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..e739a3a 100644 +index cf04cb5..974c2ca 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te -@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) +@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) # # Declarations # @@ -8983,7 +9001,12 @@ index cf04cb5..e739a3a 100644 ## ##

-@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false) + ## Control the ability to mmap a low area of the address space, +-## as configured by /proc/sys/kernel/mmap_min_addr. ++## as configured by /proc/sys/vm/mmap_min_addr. + ##

+ ##
+ gen_tunable(mmap_low_allowed, false) # Mark process types as domains attribute domain; @@ -9682,7 +9705,7 @@ index c2c6e05..7996499 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..8a14ff2 100644 +index 64ff4d7..ac39d88 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10477,7 +10500,7 @@ index 64ff4d7..8a14ff2 100644 ') ######################################## -@@ -1928,6 +2425,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2425,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10499,10 +10522,28 @@ index 64ff4d7..8a14ff2 100644 + +######################################## +## ++## Mount a filesystem on the root file system ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_mounton_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ dontaudit $1 root_t:dir mounton; ++') ++ ++######################################## ++## ## Get attributes of the /boot directory. ## ## -@@ -2163,6 +2678,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2163,6 +2696,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10527,7 +10568,7 @@ index 64ff4d7..8a14ff2 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2627,6 +3160,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3178,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') 
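Review bot: The summary of the new `files_dontaudit_mounton_rootfs` interface reads `## Mount a filesystem on the root file system`, which is the description of the allow variant (`files_mounton_rootfs`) and misdescribes a rule whose only effect is `dontaudit $1 root_t:dir mounton;`. Interface summaries are what policy writers see in the generated docs, so a copy that says it grants mount access invites calling it where real access is needed and then chasing a mount that fails with no AVC message. Change the line to `## Do not audit attempts to mount a filesystem on the root file system.` and, ideally, add `## The caller still needs files_mounton_rootfs() for the mount to succeed.` in the description. The rest of files.if around this hunk is outside the visible lines.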
@@ -10552,7 +10593,7 @@ index 64ff4d7..8a14ff2 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3249,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3267,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10560,7 +10601,7 @@ index 64ff4d7..8a14ff2 100644 ') ######################################## -@@ -2706,7 +3258,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3276,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10569,7 +10610,7 @@ index 64ff4d7..8a14ff2 100644 ## ## # -@@ -2762,6 +3314,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3332,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10595,7 +10636,7 @@ index 64ff4d7..8a14ff2 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3351,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3369,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10620,7 +10661,7 @@ index 64ff4d7..8a14ff2 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3534,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,26 +3552,8 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10642,10 +10683,14 @@ index 64ff4d7..8a14ff2 100644 - -######################################## -## - ## Read files in /etc that are dynamically - ## created on boot, such as mtab. +-## Read files in /etc that are dynamically +-## created on boot, such as mtab. ++## Read files in /etc that are dynamically ++## created on boot, such as mtab. ## -@@ -3003,9 +3574,7 @@ interface(`files_read_etc_runtime_files',` + ## + ##

+@@ -3003,9 +3592,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -10656,7 +10701,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -3013,18 +3582,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3600,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10678,7 +10723,7 @@ index 64ff4d7..8a14ff2 100644 ##
## ## -@@ -3042,6 +3610,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3628,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -10705,7 +10750,7 @@ index 64ff4d7..8a14ff2 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3647,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3665,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10713,7 +10758,7 @@ index 64ff4d7..8a14ff2 100644 ') ######################################## -@@ -3080,6 +3669,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3687,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10721,7 +10766,7 @@ index 64ff4d7..8a14ff2 100644 ') ######################################## -@@ -3132,6 +3722,44 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3740,44 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -10766,7 +10811,7 @@ index 64ff4d7..8a14ff2 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3205,6 +3833,62 @@ interface(`files_delete_isid_type_dirs',` +@@ -3205,6 +3851,62 @@ interface(`files_delete_isid_type_dirs',` delete_dirs_pattern($1, file_t, file_t) ') @@ -10829,7 +10874,7 @@ index 64ff4d7..8a14ff2 100644 ######################################## ## -@@ -3246,6 +3930,25 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3246,6 +3948,25 @@ interface(`files_mounton_isid_type_dirs',` ######################################## ## 
@@ -10855,7 +10900,7 @@ index 64ff4d7..8a14ff2 100644 ## Read files on new filesystems ## that have not yet been labeled. ## -@@ -3455,6 +4158,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +4176,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -10881,7 +10926,7 @@ index 64ff4d7..8a14ff2 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4518,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4536,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10925,7 +10970,7 @@ index 64ff4d7..8a14ff2 100644 ') ######################################## -@@ -4199,192 +4939,215 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,192 +4957,215 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11237,7 +11282,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4392,53 +5155,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4392,53 +5173,56 @@ interface(`files_manage_generic_tmp_dirs',` ## ## # @@ -11306,7 +11351,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4446,77 +5212,92 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,77 +5230,92 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -11423,7 +11468,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4524,110 +5305,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,110 +5323,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -11562,7 +11607,7 @@ index 64ff4d7..8a14ff2 100644 ##
## ## -@@ -4635,22 +5404,17 @@ interface(`files_tmp_filetrans',` +@@ -4635,22 +5422,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -11589,7 +11634,7 @@ index 64ff4d7..8a14ff2 100644 ##
## ## -@@ -4658,17 +5422,17 @@ interface(`files_purge_tmp',` +@@ -4658,17 +5440,17 @@ interface(`files_purge_tmp',` ## ## # @@ -11611,7 +11656,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4676,18 +5440,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4676,18 +5458,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -11634,7 +11679,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4695,35 +5458,35 @@ interface(`files_search_usr',` +@@ -4695,35 +5476,35 @@ interface(`files_search_usr',` ## ## # @@ -11679,7 +11724,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4731,36 +5494,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4731,36 +5512,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -11725,7 +11770,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4768,17 +5530,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4768,17 +5548,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -11747,7 +11792,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4786,73 +5548,59 @@ interface(`files_delete_usr_dirs',` +@@ -4786,73 +5566,59 @@ interface(`files_delete_usr_dirs',` ## ## # @@ -11840,7 +11885,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4860,55 +5608,58 @@ interface(`files_read_usr_files',` +@@ -4860,55 +5626,58 @@ interface(`files_read_usr_files',` ## ## # @@ -11915,7 +11960,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4916,67 +5667,70 @@ interface(`files_manage_usr_files',` +@@ -4916,67 +5685,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -12004,7 +12049,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -4985,35 +5739,50 @@ interface(`files_read_usr_symlinks',` +@@ -4985,35 +5757,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -12064,7 +12109,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5021,20 +5790,17 @@ interface(`files_dontaudit_search_src',` +@@ -5021,20 +5808,17 @@ interface(`files_dontaudit_search_src',` ## ## # 
@@ -12089,7 +12134,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5042,20 +5808,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5042,20 +5826,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -12114,7 +12159,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5063,38 +5827,35 @@ interface(`files_read_usr_src_files',` +@@ -5063,38 +5845,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -12162,7 +12207,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5102,37 +5863,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5102,37 +5881,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -12210,7 +12255,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5140,35 +5900,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5140,35 +5918,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -12255,7 +12300,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5176,36 +5936,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5176,36 +5954,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # @@ -12321,7 +12366,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5213,36 +5992,37 @@ interface(`files_dontaudit_search_var',` +@@ -5213,36 +6010,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -12369,7 +12414,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5250,17 +6030,17 @@ interface(`files_manage_var_dirs',` +@@ -5250,17 +6048,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -12391,7 +12436,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5268,17 +6048,17 @@ interface(`files_read_var_files',` +@@ -5268,17 +6066,17 @@ interface(`files_read_var_files',` ## ## # @@ -12413,7 +12458,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5286,73 +6066,86 @@ interface(`files_append_var_files',` +@@ -5286,73 +6084,86 @@ interface(`files_append_var_files',` ## ## # 
@@ -12520,7 +12565,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5360,50 +6153,41 @@ interface(`files_read_var_symlinks',` +@@ -5360,50 +6171,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -12585,7 +12630,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5411,69 +6195,56 @@ interface(`files_var_filetrans',` +@@ -5411,69 +6213,56 @@ interface(`files_var_filetrans',` ## ## # @@ -12670,7 +12715,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5481,17 +6252,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5481,17 +6270,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -12694,7 +12739,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5499,70 +6271,54 @@ interface(`files_list_var_lib',` +@@ -5499,70 +6289,54 @@ interface(`files_list_var_lib',` ## ## # @@ -12778,7 +12823,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5570,41 +6326,36 @@ interface(`files_read_var_lib_files',` +@@ -5570,41 +6344,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -12830,7 +12875,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5612,36 +6363,36 @@ interface(`files_manage_urandom_seed',` +@@ -5612,36 +6381,36 @@ interface(`files_manage_urandom_seed',` ## ## # @@ -12877,7 +12922,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5649,38 +6400,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5649,38 +6418,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -12925,7 +12970,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5688,19 +6436,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,19 +6454,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -12949,7 +12994,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5708,60 +6454,54 @@ interface(`files_list_locks',` +@@ -5708,60 +6472,54 @@ interface(`files_list_locks',` ## ## # @@ -13025,7 +13070,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5769,20 +6509,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,20 +6527,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -13051,7 +13096,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5790,185 +6528,207 @@ interface(`files_getattr_generic_locks',` +@@ -5790,185 +6546,207 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -13336,7 +13381,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -5976,39 +6736,37 @@ interface(`files_setattr_pid_dirs',` +@@ -5976,39 +6754,37 @@ interface(`files_setattr_pid_dirs',` ## ## # @@ -13387,7 +13432,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6016,18 +6774,21 @@ interface(`files_dontaudit_search_pids',` +@@ -6016,18 +6792,21 @@ interface(`files_dontaudit_search_pids',` ## ## # @@ -13414,45 +13459,36 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6035,19 +6796,19 @@ interface(`files_list_pids',` +@@ -6035,19 +6814,1112 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` +interface(`files_manage_urandom_seed',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## Write named generic process ID pipes ++') ++ ++######################################## ++## +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. - ## - ## - ## -@@ -6055,58 +6816,1223 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_mounttab',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) +') 
@@ -13988,38 +14024,12 @@ index 64ff4d7..8a14ff2 100644 + + files_search_pids($1) + allow $1 var_run_t:fifo_file write; - ') - - ######################################## - ## - ## Create an object in the process ID directory, with a private type. - ## --## --##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--## --##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

--## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) --##

--##
++') ++ ++######################################## ++## ++## Create an object in the process ID directory, with a private type. ++## +## +##

+## Create an object in the process ID directory (e.g., /var/run) @@ -14548,35 +14558,45 @@ index 64ff4d7..8a14ff2 100644 +## +# +interface(`files_relabel_all_spool_dirs',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + attribute spoolfile; + type var_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+##

+ ') + + ######################################## + ## +-## Write named generic process ID pipes +## Search the contents of generic spool +## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6055,58 +7927,130 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_search_spool',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Do not audit attempts to search generic +## spool directories. +## @@ -14598,7 +14618,33 @@ index 64ff4d7..8a14ff2 100644 +## +## List the contents of generic spool +## (/var/spool) directories. -+## + ## +-## +-##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

+-##

+-## Related interfaces: +-##

+-## +-##

+-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

+-##

+-## type mypidfile_t; +-## files_pid_file(mypidfile_t) +-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +-## files_pid_filetrans(mydomain_t, mypidfile_t, file) +-##

+-##
## ## ## Domain allowed access. @@ -14698,7 +14744,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6114,44 +8040,165 @@ interface(`files_write_generic_pid_pipes',` +@@ -6114,44 +8058,165 @@ interface(`files_write_generic_pid_pipes',` ## The name of the object being created. ## ## @@ -14883,7 +14929,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6159,20 +8206,18 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6159,20 +8224,18 @@ interface(`files_pid_filetrans_lock_dir',` ## ## # @@ -14909,7 +14955,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6180,19 +8225,17 @@ interface(`files_rw_generic_pids',` +@@ -6180,19 +8243,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -14933,7 +14979,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6200,18 +8243,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6200,18 +8261,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -14956,7 +15002,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6219,41 +8261,43 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6219,41 +8279,43 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -15014,7 +15060,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6262,67 +8306,55 @@ interface(`files_read_all_pids',` +@@ -6262,67 +8324,55 @@ interface(`files_read_all_pids',` ## ## # @@ -15099,7 +15145,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6330,37 +8362,37 @@ interface(`files_manage_all_pids',` +@@ -6330,37 +8380,37 @@ interface(`files_manage_all_pids',` ## ## # @@ -15148,7 +15194,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6368,132 +8400,206 @@ interface(`files_search_spool',` +@@ -6368,132 +8418,206 @@ interface(`files_search_spool',` ## ## # @@ -15406,7 +15452,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6501,53 +8607,17 @@ interface(`files_spool_filetrans',` +@@ -6501,53 +8625,17 @@ interface(`files_spool_filetrans',` ## ## # 
@@ -15464,7 +15510,7 @@ index 64ff4d7..8a14ff2 100644 ## ## ## -@@ -6555,10 +8625,10 @@ interface(`files_polyinstantiate_all',` +@@ -6555,10 +8643,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -17265,7 +17311,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..3270372 100644 +index 649e458..4a102cb 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -17430,7 +17476,33 @@ index 649e458..3270372 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2085,7 +2174,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -1672,7 +1761,7 @@ interface(`kernel_read_net_sysctls',` + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) +- ++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + +@@ -1693,7 +1782,7 @@ interface(`kernel_rw_net_sysctls',` + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) +- ++ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + +@@ -1715,7 +1804,6 @@ interface(`kernel_read_unix_sysctls',` + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) +- + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + +@@ -2085,7 +2173,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -17439,7 +17511,7 @@ index 649e458..3270372 100644 ') ######################################## -@@ -2282,6 +2371,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2370,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## 
@@ -17465,7 +17537,7 @@ index 649e458..3270372 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2414,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2413,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -17474,7 +17546,7 @@ index 649e458..3270372 100644 ## ## # -@@ -2488,6 +2596,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2595,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -17499,7 +17571,7 @@ index 649e458..3270372 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2651,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2650,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -17524,7 +17596,7 @@ index 649e458..3270372 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2776,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2775,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -17533,7 +17605,7 @@ index 649e458..3270372 100644 ') ######################################## -@@ -2670,6 +2814,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2813,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -17558,7 +17630,7 @@ index 649e458..3270372 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2859,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2858,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## 
@@ -17584,7 +17656,7 @@ index 649e458..3270372 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +2987,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +2986,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -17618,7 +17690,7 @@ index 649e458..3270372 100644 ######################################## ## -@@ -2961,6 +3169,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3168,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -17643,7 +17715,7 @@ index 649e458..3270372 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3201,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3200,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -18642,7 +18714,7 @@ index 81440c5..a02d444 100644 ') + diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te -index 522ab32..cb9c3a2 100644 +index 522ab32..85f484d 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false) @@ -18666,6 +18738,15 @@ index 522ab32..cb9c3a2 100644 ######################################## # +@@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms; + allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; + + # Access the security API. +-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce }; ++allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; + + ifdef(`distro_rhel4',` + # needed for systems without audit support @@ -60,11 +61,28 @@ ifdef(`distro_rhel4',` ') @@ -40175,10 +40256,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..24b2af3 +index 0000000..d2a8fc7 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1458 @@ +@@ -0,0 +1,1460 @@ +## SELinux policy for systemd components + +###################################### @@ -40277,6 +40358,8 @@ index 0000000..24b2af3 + systemd_login_list_pid_dirs($1) + systemd_login_read_pid_files($1) + systemd_passwd_agent_exec($1) ++ ++ dontaudit $1 self:capability net_admin; +') + +####################################### diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 7734ed6..4380e89 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -18291,10 +18291,10 @@ index 6ce66e7..7725178 100644 optional_policy(` diff --git a/cups.fc b/cups.fc -index 949011e..afe482b 100644 +index 949011e..9437dbe 100644 --- a/cups.fc +++ b/cups.fc -@@ -1,77 +1,87 @@ +@@ -1,77 +1,91 @@ -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) 
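Review bot: The added `dontaudit $1 self:capability net_admin;` lives in a shared interface whose name is outside the visible lines, so every domain that calls it will have its CAP_NET_ADMIN attempts silently dropped from the audit log, not just the caller that prompted the change. net_admin is exactly the capability a compromised service reaches for (interface, route and netfilter changes), and a dontaudit at interface scope removes that signal for all callers at once. Unless every user of this interface is known to trip the same harmless denial, the rule belongs in the specific caller's .te file; at minimum add a comment naming the operation that triggers it, e.g. `# dontaudit net_admin: <caller> probes <syscall> at startup, denial is harmless`. The interface's opening lines are not in this hunk.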
@@ -18392,23 +18392,23 @@ index 949011e..afe482b 100644 /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) -+ -+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) -+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) ++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) ++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) ++ +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) 
@@ -18422,10 +18422,14 @@ index 949011e..afe482b 100644 +/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) +/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + ++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) +/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + @@ -27863,16 +27867,16 @@ index fc3b036..10a1bbe 100644 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) diff --git a/gear.fc b/gear.fc new file mode 100644 -index 0000000..5eabf35 +index 0000000..98c012c --- /dev/null +++ b/gear.fc @@ -0,0 +1,7 @@ +/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0) + -+/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0) -+ -+/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0) ++/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0) + ++/var/lib/containers(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0) ++/var/lib/containers/units(/.*)? gen_context(system_u:object_r:gear_unit_file_t,s0) +/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0) diff --git a/gear.if b/gear.if new file mode 100644 @@ -28170,10 +28174,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..db1c340 +index 0000000..781c76d 
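Review bot: The new `/usr/local/Brother/(.*/)?inf(/.*)?` and `/usr/local/Printer/(.*/)?inf(/.*)?` entries label any directory named `inf` at any depth under those vendor trees as `cupsd_rw_etc_t`, a type that — going by its name and its use for `/var/lib/cups/certs` — cupsd writes to, while the neighbouring `fax/.*\.log.*` entry shows the same trees also hold the vendor's own programs and logs. A compromised cupsd_t could therefore modify whatever the driver package keeps in those directories, which is acceptable only if they hold state and never executables; I cannot verify the vendor layout from the fc file. Record the assumption beside the entries, e.g. `# vendor driver state dirs; cupsd_rw_etc_t is writable by cupsd, nothing executable may live here`, or anchor the patterns to the real depth if it is known.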
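Review bot: Dropping `/var/lib/containers/bin/gear -- gear_exec_t` while adding `/var/lib/containers(/.*)? gear_var_lib_t` turns a gear binary at that path into plain library data, so executing it no longer enters gear_t (gear.te's `init_daemon_domain(gear_t, gear_exec_t)` keys on the exec type) and the daemon would run in whatever domain launched it. If that location is still referenced by `gear.service` or the container tooling — neither is visible here — the entry should stay, or the unit must be confirmed to exec only `/usr/bin/gear`. Note also that the same `/var/lib/containers(/.*)?` prefix is what openshift.fc gives up in this commit, so the tree's label now depends on the gear module being installed.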
--- /dev/null +++ b/gear.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,122 @@ +policy_module(gear, 1.0.0) + +######################################## @@ -28259,6 +28263,7 @@ index 0000000..db1c340 + +init_read_state(gear_t) +init_dbus_chat(gear_t) ++init_enable_services(gear_t) + +iptables_domtrans(gear_t) + @@ -28273,16 +28278,27 @@ index 0000000..db1c340 + +sysnet_dns_name_resolve(gear_t) + -+sysnet_domtrans_ifconfig(gear_t) ++sysnet_exec_ifconfig(gear_t) ++sysnet_manage_ifconfig_run(gear_t) + +systemd_manage_all_unit_files(gear_t) + +optional_policy(` ++ hostname_exec(gear_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(gear_t) ++') ++ ++optional_policy(` + docker_stream_connect(gear_t) +') + +optional_policy(` ++ openshift_manage_lib_dirs(gear_t) + openshift_manage_lib_files(gear_t) ++ openshift_relabelfrom_lib(gear_t) +') diff --git a/gift.te b/gift.te index 395238e..af76abb 100644 @@ -39834,7 +39850,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..f8c5464 100644 +index 7bab8e5..17ea89c 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,26 @@ @@ -39885,7 +39901,7 @@ index 7bab8e5..f8c5464 100644 -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; +# Change ownership on log files. +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; -+dontaudit logrotate_t self:capability sys_resource; ++dontaudit logrotate_t self:capability { sys_resource net_admin }; + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + @@ -45193,7 +45209,7 @@ index 6194b80..cafb2b0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..39094ea 100644 +index 6a306ee..a4f86f5 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ 
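Review bot: With this hunk gear_t holds `systemd_manage_all_unit_files`, `init_enable_services`, `init_dbus_chat` and (from the surrounding context) `iptables_domtrans`, so it can write any unit file and ask init to start it: compromise of gear_t is compromise of the host, and the confinement of the rest of the module buys little. That may be inherent to what gear does, but it belongs in the module header so nobody treats gear_t as a security boundary, e.g. `# gear_t can create and enable arbitrary units via systemd; treat it as root-equivalent`. The switch from `sysnet_domtrans_ifconfig` to `sysnet_exec_ifconfig` also means ip/ifconfig now run with gear_t's own privileges rather than ifconfig_t's; the capability line that would have to carry net_admin for that is outside the hunk, so I cannot check it is there.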
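Review bot: The widened `dontaudit logrotate_t self:capability { sys_resource net_admin };` still lists sys_resource, which the allow rule directly above already grants, so that half of the dontaudit is dead and misleads a reader into thinking sys_resource is denied-and-silenced. Since the commit rewrites this line anyway, reduce it to `dontaudit logrotate_t self:capability net_admin;` (the net_admin part matches the changelog entry about systemctl). The sys_resource grant itself predates this commit and is not what I am questioning.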
@@ -45467,12 +45483,12 @@ index 6a306ee..39094ea 100644 - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -45639,7 +45655,7 @@ index 6a306ee..39094ea 100644 ') optional_policy(` -@@ -300,259 +326,251 @@ optional_policy(` +@@ -300,259 +326,255 @@ optional_policy(` ######################################## # @@ -45872,14 +45888,17 @@ index 6a306ee..39094ea 100644 fs_getattr_all_fs(mozilla_plugin_t) -# fs_read_hugetlbfs_files(mozilla_plugin_t) -fs_search_auto_mountpoints(mozilla_plugin_t) -- --term_getattr_all_ttys(mozilla_plugin_t) --term_getattr_all_ptys(mozilla_plugin_t) +fs_list_dos(mozilla_plugin_t) +fs_read_noxattr_fs_files(mozilla_plugin_t) +fs_read_hugetlbfs_files(mozilla_plugin_t) +fs_exec_hugetlbfs_files(mozilla_plugin_t) +-term_getattr_all_ttys(mozilla_plugin_t) +-term_getattr_all_ptys(mozilla_plugin_t) ++storage_raw_read_removable_device(mozilla_plugin_t) ++fs_read_removable_files(mozilla_plugin_t) ++fs_read_removable_symlinks(mozilla_plugin_t) + application_exec(mozilla_plugin_t) +application_dontaudit_signull(mozilla_plugin_t) @@ -46038,7 +46057,7 @@ index 6a306ee..39094ea 100644 ') optional_policy(` -@@ -560,7 +578,11 @@ optional_policy(` +@@ -560,7 +582,11 @@ optional_policy(` ') optional_policy(` @@ -46051,7 +46070,7 @@ index 6a306ee..39094ea 100644 ') optional_policy(` -@@ -568,108 +590,131 @@ optional_policy(` +@@ -568,108 +594,131 @@ optional_policy(` ') optional_policy(` @@ -52822,10 +52841,10 @@ index 0000000..28936b4 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..bd2f08f +index 0000000..2d9ab86 --- /dev/null 
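Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` grants read on the block device itself, which bypasses every filesystem permission: a browser plugin could then read the raw contents of any removable_device_t disk — USB sticks, other users' media — not just the optical drive the changelog mentions. The `fs_read_removable_files`/`fs_read_removable_symlinks` pair added alongside it is what reading mounted media needs and is the part that should stay unconditional. Gate the raw-device read behind a tunable that defaults to off, so only installations that play discs through a plugin take on that exposure, and say so in a comment on the line.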
+++ b/nova.te -@@ -0,0 +1,318 @@ +@@ -0,0 +1,320 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -53096,6 +53115,8 @@ index 0000000..bd2f08f +allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; +allow nova_scheduler_t self:udp_socket create_socket_perms; + ++auth_read_passwd(nova_scheduler_t) ++ +#optional_policy(` +# unconfined_domain(nova_scheduler_t) +#') @@ -56729,7 +56750,7 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..1d4e039 +index 0000000..95b6381 --- /dev/null +++ b/openshift.fc @@ -0,0 +1,28 @@ @@ -56740,7 +56761,7 @@ index 0000000..1d4e039 + +/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) -+/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) ++/var/lib/containers/home(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) + @@ -56763,10 +56784,10 @@ index 0000000..1d4e039 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..9451b83 +index 0000000..a472b52 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,702 @@ +@@ -0,0 +1,721 @@ + +## policy for openshift + 
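Review bot: Narrowing the entry to `/var/lib/containers/home(/.*)?` leaves `/var/lib/containers` itself and everything outside `home` without a label from this module; in this commit that prefix is picked up by gear.fc's `/var/lib/containers(/.*)? gear_var_lib_t`, so the correct label now depends on the gear module being present, and on a host without it the tree presumably falls back to the generic var_lib default. A comment on the entry, e.g. `# /var/lib/containers itself is labeled by gear.fc (gear_var_lib_t)`, makes that cross-module dependency visible to whoever packages or disables the modules separately.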
@@ -57131,6 +57152,26 @@ index 0000000..9451b83 + manage_sock_files_pattern($1, openshift_file_type, openshift_file_type) +') + ++######################################## ++## ++## Relabel openshift library files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_relabelfrom_lib',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++') ++ +####################################### +## +## Create private objects in the @@ -57185,7 +57226,6 @@ index 0000000..9451b83 + allow $1 openshift_var_run_t:file read_file_perms; +') + -+ +######################################## +## +## All of the rules required to administrate @@ -57471,10 +57511,10 @@ index 0000000..9451b83 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..ebd0c68 +index 0000000..93fd0ea --- /dev/null +++ b/openshift.te -@@ -0,0 +1,575 @@ +@@ -0,0 +1,579 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -57798,6 +57838,10 @@ index 0000000..ebd0c68 +') + +optional_policy(` ++ gear_search_lib(openshift_domain) ++') ++ ++optional_policy(` + gpg_entry_type(openshift_domain) +') + @@ -59115,10 +59159,10 @@ index 0000000..42ed4ba +') diff --git a/openwsman.te b/openwsman.te new file mode 100644 -index 0000000..49dc5ef +index 0000000..79ad541 --- /dev/null +++ b/openwsman.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,60 @@ +policy_module(openwsman, 1.0.0) + +######################################## @@ -59130,6 +59174,9 @@ index 0000000..49dc5ef +type openwsman_exec_t; +init_daemon_domain(openwsman_t, openwsman_exec_t) + ++type openwsman_tmp_t; ++files_tmp_file(openwsman_tmp_t) ++ +type openwsman_log_t; +logging_log_file(openwsman_log_t) + 
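Review bot: `openshift_relabelfrom_lib` grants more than its name and its summary promise: `relabel_dirs_pattern`/`relabel_files_pattern` give the caller both relabelfrom and relabelto on openshift_var_lib_t, whereas moving content out of that type (the use gear.te makes of it) needs only relabelfrom here plus relabelto on the destination type. Use the one-directional patterns, `relabelfrom_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` and `relabelfrom_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)`, or rename the interface and its summary to `relabel` if both directions are intended. Symlinks are not covered either way, which may be deliberate but is worth a word in the summary.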
@@ -59143,10 +59190,17 @@ index 0000000..49dc5ef +# +# openwsman local policy +# ++ ++allow openwsman_t self:capability setuid; ++ +allow openwsman_t self:process { fork }; +allow openwsman_t self:fifo_file rw_fifo_file_perms; +allow openwsman_t self:unix_stream_socket create_stream_socket_perms; -+allow openwsman_t self:tcp_socket { create_socket_perms listen }; ++allow openwsman_t self:tcp_socket { create_socket_perms accept listen }; ++ ++manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) ++manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) ++files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file }) + +manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t) +logging_log_filetrans(openwsman_t, openwsman_log_t, { file }) @@ -59155,12 +59209,19 @@ index 0000000..49dc5ef +files_pid_filetrans(openwsman_t, openwsman_run_t, { file }) + +auth_use_nsswitch(openwsman_t) ++auth_domtrans_chkpwd(openwsman_t) + ++corenet_tcp_connect_pegasus_https_port(openwsman_t) +corenet_tcp_bind_vnc_port(openwsman_t) + +dev_read_urand(openwsman_t) + +logging_send_syslog_msg(openwsman_t) ++logging_send_audit_msgs(openwsman_t) ++ ++optional_policy(` ++ unconfined_domain(openwsman_t) ++') + diff --git a/oracleasm.fc b/oracleasm.fc new file mode 100644 @@ -73746,10 +73807,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..375e2e3 100644 +index 769d1fd..1dbc6aa 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,139 @@ +@@ -1,96 +1,143 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) 
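Review bot: `unconfined_domain(openwsman_t)` inside the optional block makes a network-listening service — the module creates, accepts and listens on a TCP socket, authenticates via `auth_domtrans_chkpwd`, and now carries `setuid` — fully unconfined whenever the unconfined module is loaded, which it typically is, so every other rule in this file is dead and the changelog's "make this domain as unconfined for F20" reads as a stopgap. The refpolicy idiom for a module that is not yet complete is `permissive openwsman_t;`, which lets the daemon run while still logging the denials needed to finish the policy and does not make other domains' rules treat it as unconfined_t. If unconfined really must ship, put the reason and a tracking reference in a comment above the block so it gets removed rather than inherited forever.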
@@ -73801,7 +73862,7 @@ index 769d1fd..375e2e3 100644 -allow quantum_t self:unix_stream_socket { accept listen }; +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; -+allow neutron_t self:process { setsched setrlimit signal_perms }; ++allow neutron_t self:process { setsched setrlimit setcap signal_perms }; + +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; @@ -73809,6 +73870,7 @@ index 769d1fd..375e2e3 100644 +allow neutron_t self:unix_stream_socket { accept listen }; +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; +allow neutron_t self:rawip_socket create_socket_perms; ++allow neutron_t self:packet_socket create_socket_perms; + +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) 
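Review bot: Adding `packet_socket create_socket_perms` on top of neutron_t's existing `net_raw net_admin sys_admin` capabilities and `rawip_socket` lets the domain open AF_PACKET sockets, i.e. sniff and inject on every interface of the host, and the new `setcap` process permission lets it reshape its own capability set; nothing in the hunk says which agent needs either. A why-comment keeps the next reviewer from widening further on the same grounds, e.g. `# AF_PACKET + setcap: needed for arping/L2 probing by the agents — TODO confirm which`. I am inferring the consumer from the changelog's arping entry, so confirm before committing the comment.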
@@ -73897,45 +73959,48 @@ index 769d1fd..375e2e3 100644 +logging_send_syslog_msg(neutron_t) -sysnet_domtrans_ifconfig(quantum_t) ++netutils_exec(neutron_t) ++ ++# need to stay in neutron +sysnet_exec_ifconfig(neutron_t) +sysnet_manage_ifconfig_run(neutron_t) +sysnet_filetrans_named_content_ifconfig(neutron_t) ++ ++optional_policy(` ++ brctl_domtrans(neutron_t) ++') optional_policy(` - brctl_domtrans(quantum_t) -+ brctl_domtrans(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_kill(neutron_t) ++ dnsmasq_read_state(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ dnsmasq_domtrans(neutron_t) -+ dnsmasq_signal(neutron_t) -+ dnsmasq_kill(neutron_t) -+ dnsmasq_read_state(neutron_t) ++ iptables_domtrans(neutron_t) +') - mysql_tcp_connect(quantum_t) +optional_policy(` -+ iptables_domtrans(neutron_t) - ') - - optional_policy(` -- postgresql_stream_connect(quantum_t) -- postgresql_unpriv_client(quantum_t) + mysql_stream_connect(neutron_t) + mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) + mysql_tcp_connect(neutron_t) -+') + ') -- postgresql_tcp_connect(quantum_t) -+optional_policy(` + optional_policy(` +- postgresql_stream_connect(quantum_t) +- postgresql_unpriv_client(quantum_t) + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) +') -+ + +- postgresql_tcp_connect(quantum_t) +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) @@ -98406,7 +98471,7 @@ index 9b95c3e..a892845 100644 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te -index c6acbbe..bd23e7f 100644 +index c6acbbe..022c367 100644 --- a/ulogd.te +++ b/ulogd.te @@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t) 
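Review bot: `netutils_exec(neutron_t)` runs the netutils binaries inside neutron_t instead of transitioning to netutils_t, and the type it executes covers more than arping — upstream labels tcpdump and nmap with netutils_exec_t as well, as far as I recall — so those tools now run with neutron_t's net_raw/packet_socket rights too. The `# need to stay in neutron` comment sits above the sysnet ifconfig lines, gives no reason, and does not mention netutils; extend it to cover both and say why, e.g. `# ip/arping must run inside neutron_t, not via domtrans — TODO record the reason (netns?)`. Whether anything else in the module limits which netutils binaries neutron_t can reach is outside this hunk.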
@@ -98430,8 +98495,9 @@ index c6acbbe..bd23e7f 100644 -files_read_etc_files(ulogd_t) -files_read_usr_files(ulogd_t) - +- -miscfiles_read_localization(ulogd_t) ++kernel_request_load_module(ulogd_t) sysnet_dns_name_resolve(ulogd_t) @@ -101767,7 +101833,7 @@ index 9dec06c..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..0fd2172 100644 +index 1f22fba..1df2084 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,209 @@ @@ -103213,7 +103279,7 @@ index 1f22fba..0fd2172 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1126,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1126,300 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -103450,6 +103516,10 @@ index 1f22fba..0fd2172 100644 +') + +optional_policy(` ++ gear_read_pid_files(svirt_sandbox_domain) ++') ++ ++optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + @@ -103501,10 +103571,6 @@ index 1f22fba..0fd2172 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; -+ -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) 
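Review bot: `kernel_request_load_module(ulogd_t)` lets the daemon make the kernel autoload modules by name, which widens the kernel attack surface reachable from ulogd, and the line carries no explanation of what triggers it. A one-line comment keeps it reviewable, e.g. `# socket setup triggers autoload of its netfilter logging module — TODO confirm which`; I am inferring the trigger from what ulogd is, not from anything visible in the hunk. The rest of ulogd_t's rules are outside the hunk.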
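Review bot: `gear_read_pid_files(svirt_sandbox_domain)` is applied to the attribute shared by every sandbox domain, so any container on the host — not only the ones gear launched — can read gear's run-time state in /run; depending on what gear keeps there, which is not visible here, that is a cross-container information leak. If only gear-managed containers need it, scope the rule to the domain gear actually starts them in, or put it behind a tunable in the style of the `virt_sandbox_use_*` booleans this file uses for svirt_lxc_net_t. At minimum note the exposure on the line: `# every sandbox, not just gear's, can read gear_var_run_t`.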
@@ -103516,6 +103582,13 @@ index 1f22fba..0fd2172 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -103524,14 +103597,11 @@ index 1f22fba..0fd2172 100644 + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) -+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; - -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) ++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; ++ +kernel_read_irq_sysctls(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) @@ -103612,7 +103682,8 @@ index 1f22fba..0fd2172 100644 +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +fs_noxattr_type(svirt_sandbox_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) @@ -103621,8 +103692,7 @@ index 1f22fba..0fd2172 100644 +term_pty(svirt_sandbox_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) 
@@ -103647,7 +103717,7 @@ index 1f22fba..0fd2172 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1428,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1432,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -103662,7 +103732,7 @@ index 1f22fba..0fd2172 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1446,8 @@ optional_policy(` +@@ -1183,9 +1450,8 @@ optional_policy(` ######################################## # @@ -103673,7 +103743,7 @@ index 1f22fba..0fd2172 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1460,218 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1464,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -103892,8 +103962,6 @@ index 1f22fba..0fd2172 100644 +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') -+ -+ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -107114,7 +107182,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..614e66c 100644 +index 46e4cd3..551c4e9 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) @@ -107233,7 +107301,7 @@ index 46e4cd3..614e66c 100644 corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) -@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) +@@ -85,37 +112,30 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) corenet_sendrecv_http_client_packets(zabbix_t) corenet_tcp_connect_http_port(zabbix_t) corenet_tcp_sendrecv_http_port(zabbix_t) 
@@ -107259,9 +107327,12 @@ index 46e4cd3..614e66c 100644 +logging_send_syslog_msg(zabbix_t) + tunable_policy(`zabbix_can_network',` - corenet_sendrecv_all_client_packets(zabbix_t) - corenet_tcp_connect_all_ports(zabbix_t) -@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',` +- corenet_sendrecv_all_client_packets(zabbix_t) +- corenet_tcp_connect_all_ports(zabbix_t) +- corenet_tcp_sendrecv_all_ports(zabbix_t) ++ corenet_sendrecv_all_client_packets(zabbix_domain) ++ corenet_tcp_connect_all_ports(zabbix_domain) ++ corenet_tcp_sendrecv_all_ports(zabbix_domain) ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 5e6222d..4091b31 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 161%{?dist} +Release: 162%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon May 12 2014 Lukas Vrabec 3.12.1-162 +- More rules needed for openshift/gear in rhel7 +- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files +- Allow mozilla plugins to use /dev/sr0 +- Dontaudit logrotate executing systemctl command attempting to net_admin +- Allow neutron execute arping in neutron_t +- Allow nova-scheduler to read passwd file +- Fix zabbix_can_network boolean to have this boolean for all zabbix domains +- Allow openwsman to execute chkpwd and make this domain as unconfined for F20. +- Add openwsman_tmp_t rules +- Allow ulogd to request the kernel to load a module +- Add support for /usr/local/Brother labeling. We removed /usr/local equiv. +- Systectl_net_t can be a lnk_file +- Fix path to mmap_min_addr +- Any app that executes systemctl will attempt a net_admin + * Wed May 07 2014 Lukas Vrabec 3.12.1-161 - Allow keystone to connect to ldap servers - Add additional caps for neutron_t
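Review bot: Switching the `zabbix_can_network` body from zabbix_t to the zabbix_domain attribute means the boolean now grants `corenet_tcp_connect_all_ports` to every member of the attribute, which presumably includes the agent as well as the server — the domain that runs on every monitored host and that an operator enabling the boolean "for the server" would least expect to gain connect-anywhere. The boolean's description lives with its `gen_tunable` declaration outside this hunk and should be updated to say it applies to all zabbix domains; a comment at the block helps too: `# applies to every zabbix_domain member, not only the server`. Which types actually carry zabbix_domain is not visible here.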