diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 55276b3..cf78633 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index e2e6f5e..a628669 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -20840,7 +20840,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..c652350 100644 +index e100d88..1428581 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -20893,6 +20893,15 @@ index e100d88..c652350 100644 ## Allows the kernel to share state information with ## the caller. ## +@@ -268,7 +304,7 @@ interface(`kernel_stream_connect',` + type kernel_t; + ') + +- allow $1 kernel_t:unix_stream_socket connectto; ++ allow $1 kernel_t:unix_stream_socket { getattr connectto }; + ') + + ######################################## @@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',` type kernel_t; ') @@ -25807,7 +25816,7 @@ index 0000000..63bc797 +logging_stream_connect_syslog(sysadm_t) diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc new file mode 100644 -index 0000000..b680867 +index 0000000..d9efb90 --- /dev/null +++ b/policy/modules/roles/unconfineduser.fc @@ -0,0 +1,8 @@ 
@@ -25817,8 +25826,8 @@ index 0000000..b680867 +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +#/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) + -+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) -+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++#/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 index 0000000..03faeac @@ -36603,7 +36612,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..528f36a 100644 +index 17eda24..b7bc1a9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36898,7 +36907,7 @@ index 17eda24..528f36a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,247 @@ ifdef(`distro_gentoo',` +@@ -186,29 +323,252 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -36948,17 +36957,21 @@ index 17eda24..528f36a 100644 +') + +optional_policy(` -+ iscsi_read_lib_files(init_t) -+ iscsi_manage_lock(init_t) ++ anaconda_domtrans_install(init_t) +') + +optional_policy(` ++ iscsi_read_lib_files(init_t) ++ iscsi_manage_lock(init_t) + ') + + optional_policy(` +- auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) ') optional_policy(` -- auth_rw_login_records(init_t) + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) 
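Review bot: The new `anaconda_domtrans_install(init_t)` block in the init.te hunk (`@@ -186,29 +323,252 @@`) carries no comment saying why init needs an unconditional transition into install_t, which, judging by its name, is the installer domain, so the intent is only recoverable from the package changelog. The only justification on this page is the spec changelog line "Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318"; record it next to the rule, e.g. `# rhbz#1330318: rpm-ostree (install_exec_t) must run as install_t when started by init`. Since the transition applies to every install_exec_t binary init may execute, not only rpm-ostree, it is worth confirming no other binary carries that label. The enclosing optional_policy list continues outside the hunk.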
@@ -37070,6 +37083,7 @@ index 17eda24..528f36a 100644 +systemd_manage_random_seed(init_t) +systemd_manage_all_unit_files(init_t) +systemd_logger_stream_connect(init_t) ++systemd_login_manage_pid_files(init_t) +systemd_config_all_services(init_t) +systemd_relabelto_fifo_file_passwd_run(init_t) +systemd_relabel_unit_dirs(init_t) @@ -37114,9 +37128,9 @@ index 17eda24..528f36a 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + @@ -37128,18 +37142,18 @@ index 17eda24..528f36a 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) +') @@ -37155,7 +37169,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -216,7 +571,30 @@ optional_policy(` +@@ -216,7 +576,30 @@ optional_policy(` ') optional_policy(` @@ -37187,7 +37201,7 @@ index 17eda24..528f36a 100644 ') ######################################## -@@ -225,9 +603,9 @@ optional_policy(` +@@ -225,9 +608,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -37199,7 +37213,7 @@ index 17eda24..528f36a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +636,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +641,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37216,7 +37230,7 @@ index 17eda24..528f36a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +661,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +666,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37259,7 +37273,7 @@ index 17eda24..528f36a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +698,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +703,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37271,7 +37285,7 @@ index 17eda24..528f36a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +710,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +715,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37282,7 +37296,7 @@ index 17eda24..528f36a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +721,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +726,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -37292,7 +37306,7 @@ index 17eda24..528f36a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +730,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +735,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37300,7 +37314,7 @@ index 17eda24..528f36a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +737,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +742,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37308,7 +37322,7 @@ index 17eda24..528f36a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +745,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +750,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37326,7 +37340,7 @@ index 17eda24..528f36a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +763,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +768,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37340,7 +37354,7 @@ index 17eda24..528f36a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +778,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +783,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -37354,7 +37368,7 @@ index 17eda24..528f36a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +791,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +796,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37365,7 +37379,7 @@ index 17eda24..528f36a 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +804,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +809,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37373,7 +37387,7 @@ index 17eda24..528f36a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +823,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +828,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37397,7 +37411,7 @@ index 17eda24..528f36a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +856,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +861,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37405,7 +37419,7 @@ index 17eda24..528f36a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +890,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +895,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37416,7 +37430,7 @@ index 17eda24..528f36a 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +914,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +919,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -37425,7 +37439,7 @@ index 17eda24..528f36a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +929,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +934,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37433,7 +37447,7 @@ index 17eda24..528f36a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +950,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +955,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37441,7 +37455,7 @@ index 17eda24..528f36a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +960,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +965,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37486,7 +37500,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -559,14 +1005,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1010,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37518,7 +37532,7 @@ index 17eda24..528f36a 100644 ') ') -@@ -577,6 +1040,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1045,39 @@ ifdef(`distro_suse',` ') ') @@ -37558,7 +37572,7 @@ index 17eda24..528f36a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1085,8 @@ optional_policy(` +@@ -589,6 +1090,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37567,7 +37581,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -610,6 +1108,7 @@ optional_policy(` +@@ -610,6 +1113,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37575,7 +37589,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -626,6 +1125,17 @@ optional_policy(` +@@ -626,6 +1130,17 @@ optional_policy(` ') optional_policy(` 
@@ -37593,7 +37607,7 @@ index 17eda24..528f36a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1152,13 @@ optional_policy(` +@@ -642,9 +1157,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37607,7 +37621,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -657,15 +1171,11 @@ optional_policy(` +@@ -657,15 +1176,11 @@ optional_policy(` ') optional_policy(` @@ -37625,7 +37639,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -686,6 +1196,15 @@ optional_policy(` +@@ -686,6 +1201,15 @@ optional_policy(` ') optional_policy(` @@ -37641,7 +37655,7 @@ index 17eda24..528f36a 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1245,7 @@ optional_policy(` +@@ -726,6 +1250,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37649,7 +37663,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -743,7 +1263,13 @@ optional_policy(` +@@ -743,7 +1268,13 @@ optional_policy(` ') optional_policy(` @@ -37664,7 +37678,7 @@ index 17eda24..528f36a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1292,10 @@ optional_policy(` +@@ -766,6 +1297,10 @@ optional_policy(` ') optional_policy(` @@ -37675,7 +37689,7 @@ index 17eda24..528f36a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1305,20 @@ optional_policy(` +@@ -775,10 +1310,20 @@ optional_policy(` ') optional_policy(` @@ -37696,7 +37710,7 @@ index 17eda24..528f36a 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1327,10 @@ optional_policy(` +@@ -787,6 +1332,10 @@ optional_policy(` ') optional_policy(` @@ -37707,7 +37721,7 @@ index 17eda24..528f36a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1352,6 @@ optional_policy(` +@@ -808,8 +1357,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -37716,7 +37730,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -818,6 +1360,10 @@ optional_policy(` +@@ -818,6 +1365,10 @@ optional_policy(` ') optional_policy(` @@ -37727,7 +37741,7 @@ index 17eda24..528f36a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1373,12 @@ optional_policy(` +@@ -827,10 +1378,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37740,7 +37754,7 @@ index 17eda24..528f36a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1405,60 @@ optional_policy(` +@@ -857,21 +1410,60 @@ optional_policy(` ') optional_policy(` @@ -37802,7 +37816,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -887,6 +1474,10 @@ optional_policy(` +@@ -887,6 +1479,10 @@ optional_policy(` ') optional_policy(` @@ -37813,7 +37827,7 @@ index 17eda24..528f36a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1488,218 @@ optional_policy(` +@@ -897,3 +1493,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -46334,10 +46348,10 @@ index 0000000..0e4185f +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..3380372 +index 0000000..ebd6cc8 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1698 @@ +@@ -0,0 +1,1716 @@ +## SELinux policy for systemd components + +###################################### @@ -46630,6 +46644,24 @@ index 0000000..3380372 + + files_search_pids($1) + manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++') ++ ++ ++###################################### ++## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_filetrans_pid_files',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") +') + 
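Review bot: The summary of the new `systemd_login_filetrans_pid_files` interface reads "Read systemd_login PID files.", copied from the neighbouring interface, and does not describe what the body does; the only rule is a named file transition, so it should say something like `## Create the "nologin" file in the pid directory labeled systemd_logind_var_run_t.` The `files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")` line appears to have been moved out of `systemd_login_manage_pid_files` into the new interface (it sits below the new header as an unchanged line, although the markers are garbled in the extracted text), which silently drops the name transition for every existing caller of the manage interface. If that is intended the changelog entry should say so, and any domain that creates /run/nologin must now also call the new interface; init.te in this same patch adds only `systemd_login_manage_pid_files(init_t)`, so whether the systemd-user-sessions case (BZ(1331980)) still gets the right label is worth checking.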
diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 67a9ec7..9c0c683 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -31640,10 +31640,10 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..8c8c6c9 +index 0000000..cbd6aa4 --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,18 @@ +@@ -0,0 +1,20 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -31652,6 +31652,8 @@ index 0000000..8c8c6c9 +/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + ++/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) @@ -31913,10 +31915,10 @@ index 0000000..fc9bf19 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..74ec2fd +index 0000000..8e0f5a7 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,295 @@ +@@ -0,0 +1,296 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32200,6 +32202,7 @@ index 0000000..74ec2fd + rpc_domtrans_nfsd(glusterd_t) + rpc_domtrans_rpcd(glusterd_t) + rpc_manage_nfs_state_data(glusterd_t) ++ rpcbind_stream_connect(glusterd_t) +') + +optional_policy(` @@ -86143,7 +86146,7 @@ index c8bdea2..1574225 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..1fafe47 100644 +index 6cf79c4..1a605f9 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
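Review bot: The new glusterd.fc entry `/usr/bin/ganesha.nfsd` leaves the dot unescaped, while the other entries in the same file (`/etc/rc\.d/init\.d/gluster.*`) escape it; fc paths are regular expressions, so the unescaped form also matches names such as `ganeshaXnfsd`. Harmless in practice but inconsistent; write `/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)`. Labeling an NFS server binary glusterd_exec_t also means it runs with everything glusterd_t is allowed, including the rpc transitions and the `rpcbind_stream_connect(glusterd_t)` added further down in this file, so a one-line comment above the entry stating that ganesha is deliberately run as glusterd_t would help the next reviewer.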
@@ -86182,7 +86185,7 @@ index 6cf79c4..1fafe47 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,284 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -86436,6 +86439,7 @@ index 6cf79c4..1fafe47 100644 + rpc_domtrans_nfsd(cluster_t) + rpc_domtrans_rpcd(cluster_t) + rpc_manage_nfs_state_data(cluster_t) ++ rpc_filetrans_var_lib_nfs_content(cluster_t) +') + +optional_policy(` @@ -86470,7 +86474,7 @@ index 6cf79c4..1fafe47 100644 ') ##################################### -@@ -79,13 +357,14 @@ optional_policy(` +@@ -79,13 +358,14 @@ optional_policy(` # dlm_controld local policy # @@ -86487,7 +86491,7 @@ index 6cf79c4..1fafe47 100644 kernel_rw_net_sysctls(dlm_controld_t) corecmd_exec_bin(dlm_controld_t) -@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -86521,7 +86525,7 @@ index 6cf79c4..1fafe47 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +411,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -86533,7 +86537,7 @@ index 6cf79c4..1fafe47 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +432,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) 
@@ -86542,7 +86546,7 @@ index 6cf79c4..1fafe47 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +442,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +443,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -86554,7 +86558,7 @@ index 6cf79c4..1fafe47 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +454,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -86563,7 +86567,7 @@ index 6cf79c4..1fafe47 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +475,8 @@ optional_policy(` +@@ -182,7 +476,8 @@ optional_policy(` ') optional_policy(` @@ -86573,7 +86577,7 @@ index 6cf79c4..1fafe47 100644 ') optional_policy(` -@@ -190,12 +484,17 @@ optional_policy(` +@@ -190,12 +485,17 @@ optional_policy(` ') optional_policy(` @@ -86592,7 +86596,7 @@ index 6cf79c4..1fafe47 100644 ') optional_policy(` -@@ -203,6 +502,21 @@ optional_policy(` +@@ -203,6 +503,21 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -86614,7 +86618,7 @@ index 6cf79c4..1fafe47 100644 ####################################### # # foghorn local policy -@@ -221,16 +535,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +536,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) 
@@ -86639,7 +86643,7 @@ index 6cf79c4..1fafe47 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +567,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +568,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -86661,7 +86665,7 @@ index 6cf79c4..1fafe47 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +599,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +600,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -86721,7 +86725,7 @@ index 6cf79c4..1fafe47 100644 ###################################### # # qdiskd local policy -@@ -292,7 +663,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +664,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -86729,7 +86733,7 @@ index 6cf79c4..1fafe47 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +691,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +692,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -88903,7 +88907,7 @@ index a6fb30c..38a2f09 100644 +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c2..50f25de 100644 +index 0bf13c2..4f3c2b9 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ 
@@ -89221,10 +89225,11 @@ index 0bf13c2..50f25de 100644 files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nfs lib files. +## List NFS state data in /var/lib/nfs. +## +## @@ -89240,11 +89245,10 @@ index 0bf13c2..50f25de 100644 + + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Read nfs lib files. ++') ++ ++######################################## ++## +## Read NFS state data in /var/lib/nfs. ## ## @@ -89259,7 +89263,7 @@ index 0bf13c2..50f25de 100644 ## ## ## -@@ -366,31 +403,50 @@ interface(`rpc_manage_nfs_state_data',` +@@ -366,31 +403,68 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -89277,6 +89281,7 @@ index 0bf13c2..50f25de 100644 ## Domain allowed access. ## ## +-## +# +interface(`rpc_rw_gssd_keys',` + gen_require(` @@ -89286,6 +89291,25 @@ index 0bf13c2..50f25de 100644 + allow $1 gssd_t:key { read search setattr view write }; +') + ++######################################## ++## ++## Transition to alsa named content ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## ++# ++interface(`rpc_filetrans_var_lib_nfs_content',` ++ gen_require(` ++ type var_lib_nfs_t; ++ ') ++ ++ files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs") ++') ++ +####################################### +## +## All of the rules required to @@ -89296,14 +89320,11 @@ index 0bf13c2..50f25de 100644 +## Domain allowed access. +## +## - ## --## --## Role allowed access. --## ++## +## +## Role allowed access. +## - ## ++## ## # interface(`rpc_admin',` 
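Review bot: The summary on the new `rpc_filetrans_var_lib_nfs_content` interface reads "Transition to alsa named content", a copy-paste from another module that does not describe this rule. The body is `files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")`, so the summary should read `## Create a symlink named "nfs" in /var/lib labeled var_lib_nfs_t.` The transition covers lnk_file only, which matches the changelog entry ("create symlink /var/lib/nfs"), but the generic `_content` name suggests dirs and files too; either state the lnk_file restriction in the summary or name the interface for what it does.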
@@ -89317,7 +89338,7 @@ index 0bf13c2..50f25de 100644 ') allow $1 rpc_domain:process { ptrace signal_perms }; -@@ -411,7 +467,7 @@ interface(`rpc_admin',` +@@ -411,7 +485,7 @@ interface(`rpc_admin',` admin_pattern($1, rpcd_var_run_t) files_list_all($1) @@ -89327,10 +89348,10 @@ index 0bf13c2..50f25de 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..876a4e7 100644 +index 2da9fca..7f491b0 100644 --- a/rpc.te +++ b/rpc.te -@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1) +@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) # ## @@ -89360,10 +89381,17 @@ index 2da9fca..876a4e7 100644 ## -gen_tunable(allow_nfsd_anon_write, false) +gen_tunable(nfsd_anon_write, false) ++ ++## ++##

++## Allow rpcd_t to manage fuse files ++##

++##
++gen_tunable(rpcd_use_fusefs, false) attribute rpc_domain; -@@ -39,21 +37,23 @@ files_tmp_file(gssd_tmp_t) +@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) @@ -89392,7 +89420,7 @@ index 2da9fca..876a4e7 100644 type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) -@@ -71,7 +71,6 @@ allow rpc_domain self:tcp_socket { accept listen }; +@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen }; manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) @@ -89400,7 +89428,7 @@ index 2da9fca..876a4e7 100644 kernel_read_kernel_sysctls(rpc_domain) kernel_rw_rpc_sysctls(rpc_domain) -@@ -79,8 +78,6 @@ dev_read_sysfs(rpc_domain) +@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain) dev_read_urand(rpc_domain) dev_read_rand(rpc_domain) @@ -89409,7 +89437,7 @@ index 2da9fca..876a4e7 100644 corenet_tcp_sendrecv_generic_if(rpc_domain) corenet_udp_sendrecv_generic_if(rpc_domain) corenet_tcp_sendrecv_generic_node(rpc_domain) -@@ -108,41 +105,43 @@ files_read_etc_runtime_files(rpc_domain) +@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain) files_read_usr_files(rpc_domain) files_list_home(rpc_domain) @@ -89451,6 +89479,8 @@ index 2da9fca..876a4e7 100644 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) ++read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) ++ +# rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) @@ -89461,7 +89491,7 @@ index 2da9fca..876a4e7 100644 kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -163,13 +162,14 @@ fs_getattr_all_fs(rpcd_t) +@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) 
@@ -89472,14 +89502,20 @@ index 2da9fca..876a4e7 100644 miscfiles_read_generic_certs(rpcd_t) -seutil_dontaudit_search_config(rpcd_t) -- --userdom_signal_all_users(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) +userdom_read_user_home_content_files(rpcd_t) +-userdom_signal_all_users(rpcd_t) ++tunable_policy(`rpcd_use_fusefs',` ++ fs_manage_fusefs_dirs(rpcd_t) ++ fs_manage_fusefs_files(rpcd_t) ++ fs_read_fusefs_symlinks(rpcd_t) ++ fs_getattr_fusefs(rpcd_t) ++') + ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) -@@ -181,19 +181,27 @@ optional_policy(` +@@ -181,19 +197,27 @@ optional_policy(` ') optional_policy(` @@ -89510,7 +89546,7 @@ index 2da9fca..876a4e7 100644 ') ######################################## -@@ -202,41 +210,56 @@ optional_policy(` +@@ -202,41 +226,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -89528,10 +89564,10 @@ index 2da9fca..876a4e7 100644 kernel_request_load_module(nfsd_t) -# kernel_mounton_proc(nfsd_t) +kernel_mounton_proc(nfsd_t) -+ -+corecmd_exec_shell(nfsd_t) -corenet_sendrecv_nfs_server_packets(nfsd_t) ++corecmd_exec_shell(nfsd_t) ++ +corenet_tcp_bind_all_rpc_ports(nfsd_t) +corenet_udp_bind_all_rpc_ports(nfsd_t) corenet_tcp_bind_nfs_port(nfsd_t) @@ -89576,7 +89612,7 @@ index 2da9fca..876a4e7 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +268,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +284,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -89584,7 +89620,7 @@ index 2da9fca..876a4e7 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +279,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +295,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -89599,7 +89635,7 @@ index 2da9fca..876a4e7 100644 ') ######################################## -@@ -270,7 +292,7 @@ optional_policy(` +@@ -270,7 +308,7 @@ optional_policy(` # GSSD local policy # 
@@ -89608,7 +89644,7 @@ index 2da9fca..876a4e7 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +302,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +318,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -89616,7 +89652,7 @@ index 2da9fca..876a4e7 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +311,31 @@ kernel_signal(gssd_t) +@@ -288,25 +327,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -89651,7 +89687,7 @@ index 2da9fca..876a4e7 100644 ') optional_policy(` -@@ -314,9 +343,12 @@ optional_policy(` +@@ -314,9 +359,12 @@ optional_policy(` ') optional_policy(` @@ -102136,19 +102172,21 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..20a2ecc 100644 +index 0a8b0f7..0630506 100644 --- a/squid.fc 
+++ b/squid.fc -@@ -1,20 +1,24 @@ +@@ -1,20 +1,26 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) ++/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0) + +-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) --/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) -+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0) - -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) ++/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0) ++ +/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) @@ -103550,11 +103588,50 @@ index 0000000..e847ea3 + rpm_exec(stapserver_t) +') + +diff --git a/stunnel.fc b/stunnel.fc +index 49dd63c..ae2e798 100644 +--- a/stunnel.fc ++++ b/stunnel.fc +@@ -5,3 +5,5 @@ + /usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) + + /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) ++ ++/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0) diff --git a/stunnel.te b/stunnel.te -index 27a8480..88f7dc8 100644 +index 27a8480..5482c75 100644 --- a/stunnel.te 
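Review bot: The new entry `/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0)` will not match the file named in the changelog (`dev/shm/squid-cf__metadata.shm`): fc paths are anchored regular expressions, and `squid-*` means "squid" followed by zero or more hyphens, not "squid-" followed by anything. It should be `/dev/shm/squid-.* -- gen_context(system_u:object_r:squid_tmpfs_t,s0)`. As written the metadata file presumably keeps the generic tmpfs label, so the denial BZ(1331574) is meant to fix would remain.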
+++ b/stunnel.te -@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t) +@@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t) + type stunnel_etc_t; + files_config_file(stunnel_etc_t) + ++type stunnel_log_t; ++logging_log_file(stunnel_log_t) ++ + type stunnel_tmp_t; + files_tmp_file(stunnel_tmp_t) + +@@ -23,7 +26,7 @@ files_pid_file(stunnel_var_run_t) + # Local policy + # + +-allow stunnel_t self:capability { setgid setuid sys_chroot }; ++allow stunnel_t self:capability { setgid setuid sys_chroot sys_nice }; + dontaudit stunnel_t self:capability sys_tty_config; + allow stunnel_t self:process signal_perms; + allow stunnel_t self:fifo_file rw_fifo_file_perms; +@@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms; + allow stunnel_t stunnel_etc_t:file read_file_perms; + allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; + ++allow stunnel_t stunnel_log_t:file manage_file_perms; ++logging_log_filetrans(stunnel_t, stunnel_log_t, file) ++ + manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) + manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) + files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) +@@ -48,7 +54,6 @@ kernel_read_network_state(stunnel_t) corecmd_exec_bin(stunnel_t) @@ -103562,7 +103639,7 @@ index 27a8480..88f7dc8 100644 corenet_all_recvfrom_netlabel(stunnel_t) corenet_tcp_sendrecv_generic_if(stunnel_t) corenet_tcp_sendrecv_generic_node(stunnel_t) -@@ -75,7 +74,6 @@ auth_use_nsswitch(stunnel_t) +@@ -75,7 +80,6 @@ auth_use_nsswitch(stunnel_t) logging_send_syslog_msg(stunnel_t) miscfiles_read_generic_certs(stunnel_t) @@ -103570,7 +103647,7 @@ index 27a8480..88f7dc8 100644 userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) -@@ -105,4 +103,5 @@ optional_policy(` +@@ -105,4 +109,5 @@ optional_policy(` gen_require(` type stunnel_port_t; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 576d484..e5688af 100644 --- a/selinux-policy.spec 
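Review bot: `allow stunnel_t stunnel_log_t:file manage_file_perms` in the stunnel.te hunk grants unlink and rename on the daemon's own log files in addition to create/write, which is more than a daemon that only writes its log needs and lets a compromised stunnel remove its own audit trail. If stunnel only opens the log for append, `allow stunnel_t stunnel_log_t:file { create_file_perms append_file_perms setattr };` together with the existing `logging_log_filetrans(stunnel_t, stunnel_log_t, file)` is enough; if it truncates on reopen, add `write` but still leave out unlink/rename. The changelog justifies the new `sys_nice` capability (BZ(1332287)), but a short comment on that line naming the sched_* use would keep the reason with the rule.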
+++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 184%{?dist} +Release: 185%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -651,6 +651,17 @@ exit 0 %endif %changelog +* Thu May 05 2016 Lukas Vrabec 3.13.1-185 +- Allow stunnel create log files. BZ(1333033) +- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574) +- Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287) +- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. +- Create new interface called systemd_login_filetrans_pid_files(). +- Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980) +- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927) +- Label /usr/sbin/xrdp* files as bin_t BZ(1258453) +- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318 + * Fri Apr 29 2016 Lukas Vrabec 3.13.1-184 - Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732 - Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)