diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 70a2712..3f5a7bb 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -110349,7 +110349,7 @@ index 4705ab6..11a1ae6 100644
 +gen_tunable(selinuxuser_tcp_server,false)
 +
 diff --git a/policy/mcs b/policy/mcs
-index f477c7f..4e59b42 100644
+index f477c7f..ff7369c 100644
 --- a/policy/mcs
 +++ b/policy/mcs
 @@ -1,4 +1,6 @@
@@ -110425,7 +110425,7 @@ index f477c7f..4e59b42 100644 # # MCS policy for SELinux-enabled databases # -@@ -144,4 +169,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -144,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 );
@@ -110435,20 +110437,22 @@ index f477c7f..4e59b42 100644
 +# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
 +# because the subject in this particular case is the remote domain which is
 +# writing data out the network node which is acting as the object
-+mlsconstrain { node } { recvfrom }
-+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
-+ ( t1 == mcsnetwrite ) or
-+ ( t1 == unlabeled_t ));
-+mlsconstrain { node } { sendto }
-+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
-+ ( t1 == mcsnetwrite ));
++mlsconstrain { node } { recvfrom sendto }
++ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
 +
-+mlsconstrain packet { send recv }
-+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++mlsconstrain { packet peer } { recv }
++ (( l1 dom l2 ) or
++ ((t1 != mcsuntrustedproc) and (t2 != mcsuntrustedproc)));
++
++# the netif ingress/egress ops, the ingress permission is a "write" operation
++# because the subject in this particular case is the remote domain which is
++# writing data out the network interface which is acting as the object
++mlsconstrain { netif } { egress ingress }
++ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
 +
  ') dnl end enable_mcs
 diff --git a/policy/mls b/policy/mls
-index d218387..c406594 100644
+index d218387..c2541c2 100644
 --- a/policy/mls
 +++ b/policy/mls
 @@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
@@ -110461,6 +110463,16 @@ index d218387..c406594 100644 # used by netlabel to restrict normal domains to same level connections mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom +@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv } + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +- +- +- + # + # MLS policy for the process class + # diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 7a6f06f..bf04b0a 100644 --- a/policy/modules/admin/bootloader.fc
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 8f424d4..adfc825 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -68427,7 +68427,7 @@ index 54b8605..a04f013 100644
  admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..0c1d7e7 100644
+index db9d2a5..edfe6ba 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -68443,7 +68443,7 @@ index db9d2a5..0c1d7e7 100644 type tuned_log_t; logging_log_file(tuned_log_t) -@@ -22,43 +28,84 @@ files_pid_file(tuned_var_run_t) +@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t) # # tuned local policy #
@@ -68477,6 +68477,7 @@ index db9d2a5..0c1d7e7 100644
  kernel_read_network_state(tuned_t)
 -
 +kernel_read_kernel_sysctls(tuned_t)
++kernel_request_load_module(tuned_t)
 +kernel_rw_kernel_sysctl(tuned_t)
 +kernel_rw_hotplug_sysctls(tuned_t)
 +kernel_rw_vm_sysctls(tuned_t)
@@ -70731,7 +70732,7 @@ index 6f0736b..2e6c056 100644
 + allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..08c7bcb 100644
+index 947bbc6..3b2df69 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
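Review bot: The rewritten packet rule `mlsconstrain { packet peer } { recv }` covers only `recv`, whereas the removed `mlsconstrain packet { send recv }` rule also constrained `send`; after this hunk the packet class carries no MCS check on send at all, so a packet labeled above an `mcsuntrustedproc` sender's level is stopped only by the new node `sendto` and netif `egress` rules. If that path is meant to be covered by those rules, the comment should say so; otherwise add `send` to the `{ packet peer }` rule. The hunk also replaces the `mcsnetwrite` override and the `t1 == unlabeled_t` exemption with the blanket `t1 != mcsuntrustedproc` escape, which inverts the model from "constrain everyone except trusted writers" to "constrain only tagged domains", and none of the three comments states that; a line such as `# only domains carrying the mcsuntrustedproc attribute are level-checked; every other domain passes` above the first rule would record it. `mcsuntrustedproc` must be declared as an attribute in this file for the constraints to build; the `@@ -1,4 +1,6 @@` hunk that presumably does so is not visible here, and the rules appear to sit inside the `enable_mcs` block closed by the trailing `') dnl end enable_mcs` context line.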
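Review bot: `kernel_request_load_module(tuned_t)` is inserted between sysctl read/write interfaces with no comment saying which module load it was needed for, so the grant is easy to read past even though it gives the daemon the `module_request` permission, i.e. the ability to have the kernel autoload any module it can name. A one-line why-comment above it, `# tuned triggers kernel module autoloading (module_request)`, with the motivating denial recorded in the commit, would make the privilege reviewable later. The tuned.te block this lands in continues outside the hunk in both directions.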
@@ -70837,8 +70838,8 @@ index 947bbc6..08c7bcb 100644 -type svirt_cache_t; -files_type(svirt_cache_t) -+virt_domain_template(svirt_nokvm) -+role system_r types svirt_nokvm_t; ++virt_domain_template(svirt_tcg) ++role system_r types svirt_tcg_t; -attribute virt_domain; -attribute virt_image_type;
@@ -71024,14 +71025,14 @@ index 947bbc6..08c7bcb 100644
 +# svirt_prot_exec local policy
 +#
 +
-+allow svirt_nokvm_t self:process { execmem execstack };
-+corenet_udp_sendrecv_generic_if(svirt_nokvm_t)
-+corenet_udp_sendrecv_generic_node(svirt_nokvm_t)
-+corenet_udp_sendrecv_all_ports(svirt_nokvm_t)
-+corenet_udp_bind_generic_node(svirt_nokvm_t)
-+corenet_udp_bind_all_ports(svirt_nokvm_t)
-+corenet_tcp_bind_all_ports(svirt_nokvm_t)
-+corenet_tcp_connect_all_ports(svirt_nokvm_t)
++allow svirt_tcg_t self:process { execmem execstack };
++corenet_udp_sendrecv_generic_if(svirt_tcg_t)
++corenet_udp_sendrecv_generic_node(svirt_tcg_t)
++corenet_udp_sendrecv_all_ports(svirt_tcg_t)
++corenet_udp_bind_generic_node(svirt_tcg_t)
++corenet_udp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_connect_all_ports(svirt_tcg_t)
 +
  ########################################
  #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f92d641..2addea8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 61%{?dist}
+Release: 62%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Dec 11 2012 Miroslav Grepl 3.11.1-62
+- Fix MCS Constraints to control ingres and egres controls on the network.
+- Change name of svirt_nokvm_t to svirt_tcg_t
+- Allow tuned to request the kernel to load kernel modules
+
 * Mon Dec 10 2012 Miroslav Grepl 3.11.1-61
 - Label /var/lib/pgsql/.ssh as ssh_home_t
 - Add labeling for /usr/bin/pg_ctl