diff --git a/policy-f20-base.patch b/policy-f20-base.patch index e5e93d4..c90d25e 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -20235,7 +20235,7 @@ index 3a45a3e..7499f24 100644 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da11120..ece2f7f 100644 +index da11120..621ec5a 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) @@ -20252,7 +20252,20 @@ index da11120..ece2f7f 100644 ######################################## # -@@ -30,8 +33,7 @@ mls_file_upgrade(secadm_t) +@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r) + + allow secadm_t self:capability { dac_read_search dac_override }; + ++kernel_read_system_state(secadm_t) ++ + corecmd_exec_shell(secadm_t) + + dev_relabel_all_dev_nodes(secadm_t) ++dev_read_urand(secadm_t) + + domain_obj_id_change_exemption(secadm_t) + +@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_role(secadm_r, secadm_t) @@ -22310,7 +22323,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index cdfddf4..fa6dc70 100644 +index cdfddf4..c6313b9 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ 
@@ -22466,22 +22479,15 @@ index cdfddf4..fa6dc70 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -153,6 +255,10 @@ ifndef(`distro_redhat',` - userhelper_role_template(user, user_r, user_t) - ') - -+ optional_policy(` -+ vmtools_run_helper(user_t, user_r) -+ ') -+ - optional_policy(` - vmware_role(user_r, user_t) - ') -@@ -161,3 +267,15 @@ ifndef(`distro_redhat',` +@@ -161,3 +263,19 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') + ++optional_policy(` ++ vmtools_run_helper(user_t, user_r) ++') ++ + +optional_policy(` + virt_transition_svirt(user_t, user_r) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index c6a6492..8a515fb 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -26884,7 +26884,7 @@ index d062080..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..bbdaf90 100644 +index e50f33c..de8e914 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -26950,7 +26950,18 @@ index e50f33c..bbdaf90 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) +@@ -193,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) + + allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; + +-allow ftpd_t xferlog_t:dir setattr_dir_perms; +-append_files_pattern(ftpd_t, xferlog_t, xferlog_t) +-create_files_pattern(ftpd_t, xferlog_t, xferlog_t) +-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t) +-logging_log_filetrans(ftpd_t, xferlog_t, file) ++manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t) ++manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) ++logging_log_filetrans(ftpd_t, xferlog_t, { dir file }) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) 
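Review bot: On the new side of the ftp.te hunk the xferlog_t file rules go from append/create/setattr to `manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)`, which adds write, unlink and rename on the transfer log, so ftpd (or anything that compromises it) can now truncate or remove its own audit trail; the changelog records the widening but nothing in the policy says why append-only stopped being sufficient. If the motivation is only directory handling, keeping the original three file rules and adding just `manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)` and `logging_log_filetrans(ftpd_t, xferlog_t, { dir file })` would preserve log integrity; otherwise a short comment naming the operation that needs write/unlink on existing logs lets a later reviewer re-tighten it. The remainder of the inner ftp.te hunk lies outside this outer hunk.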
@@ -26966,7 +26977,7 @@ index e50f33c..bbdaf90 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -224,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -26980,7 +26991,7 @@ index e50f33c..bbdaf90 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -245,7 +258,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -26988,7 +26999,7 @@ index e50f33c..bbdaf90 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -254,32 +268,50 @@ sysnet_use_ldap(ftpd_t) +@@ -254,32 +266,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -27046,7 +27057,7 @@ index e50f33c..bbdaf90 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,22 +331,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,22 +329,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -27074,7 +27085,7 @@ index e50f33c..bbdaf90 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -360,7 +389,7 @@ optional_policy(` +@@ -360,7 +387,7 @@ optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) @@ -27083,7 +27094,7 @@ index e50f33c..bbdaf90 100644 ') optional_policy(` -@@ -410,21 +439,20 @@ optional_policy(` +@@ -410,21 +437,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) 
@@ -27107,7 +27118,7 @@ index e50f33c..bbdaf90 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -437,23 +465,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -437,23 +463,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -27148,7 +27159,7 @@ index e50f33c..bbdaf90 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,21 +514,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +512,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -37302,7 +37313,7 @@ index 19777b8..55d1556 100644 + ') +') diff --git a/ktalk.te b/ktalk.te -index 2cf3815..36e6eb0 100644 +index 2cf3815..f932c32 100644 --- a/ktalk.te +++ b/ktalk.te @@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) @@ -37344,12 +37355,13 @@ index 2cf3815..36e6eb0 100644 auth_use_nsswitch(ktalkd_t) -@@ -47,4 +61,4 @@ init_read_utmp(ktalkd_t) +@@ -47,4 +61,5 @@ init_read_utmp(ktalkd_t) logging_send_syslog_msg(ktalkd_t) -miscfiles_read_localization(ktalkd_t) +userdom_use_user_ptys(ktalkd_t) ++userdom_use_user_ttys(ktalkd_t) diff --git a/kudzu.if b/kudzu.if index 5297064..6ba8108 100644 --- a/kudzu.if @@ -59173,10 +59185,10 @@ index 0000000..ba24b40 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..78672af +index 0000000..d3152d5 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,232 @@ +@@ -0,0 +1,254 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -59260,7 +59272,6 @@ index 0000000..78672af + +sysnet_read_config(pcp_domain) + -+ +######################################## +# +# pcp_pmcd local policy @@ -59318,6 +59329,10 @@ index 0000000..78672af + ') +') + ++optional_policy(` ++ unconfined_domain(pcp_pmcd_t) ++') ++ +######################################## +# +# pcp_pmproxy local policy 
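Review bot: `unconfined_domain(pcp_pmcd_t)` in the new optional_policy block removes effectively all confinement from pmcd, and the same is done for pmproxy, pmwebd, pmmgr, pmie and pmlogger in hunks @@ -59331, @@ -59338, @@ -59367, @@ -59387 and @@ -59409, so the type enforcement written for these domains elsewhere in pcp.te no longer constrains them (the `optional_policy` wrapper only ties the rule to the unconfined module being loaded, not to a boolean). The changelog describes this as a Fedora 20 stopgap, but nothing in the policy file says so; a comment above each block, e.g. `# TODO(F20): temporary until the pcp policy is complete; drop before these domains are relied on as confined`, would keep the rule from being carried forward by accident. If the aim is only to avoid breakage while the policy matures, a `permissive pcp_pmcd_t;` statement would keep AVC denials visible as a signal for finishing the policy, whereas unconfined_domain hides them.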
@@ -59331,6 +59346,10 @@ index 0000000..78672af + +logging_send_syslog_msg(pcp_pmproxy_t) + ++optional_policy(` ++ unconfined_domain(pcp_pmproxy_t) ++') ++ +######################################## +# +# pcp_pmwebd local policy @@ -59338,6 +59357,10 @@ index 0000000..78672af + +corenet_tcp_bind_generic_node(pcp_pmwebd_t) + ++optional_policy(` ++ unconfined_domain(pcp_pmwebd_t) ++') ++ +######################################## +# +# pcp_pmmgr local policy @@ -59367,6 +59390,10 @@ index 0000000..78672af + pcp_pmlogger_exec(pcp_pmmgr_t) +') + ++optional_policy(` ++ unconfined_domain(pcp_pmmgr_t) ++') ++ +######################################## +# +# pcp_pmie local policy @@ -59387,6 +59414,10 @@ index 0000000..78672af + +userdom_read_user_tmp_files(pcp_pmie_t) + ++optional_policy(` ++ unconfined_domain(pcp_pmie_t) ++') ++ +######################################## +# +# pcp_pmlogger local policy @@ -59409,6 +59440,9 @@ index 0000000..78672af + corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t) +') + ++optional_policy(` ++ unconfined_domain(pcp_pmlogger_t) ++') diff --git a/pcscd.if b/pcscd.if index 43d50f9..7f77d32 100644 --- a/pcscd.if @@ -61625,10 +61659,10 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..cadefe5 +index 0000000..33d2867 --- /dev/null +++ b/pki.te -@@ -0,0 +1,286 @@ +@@ -0,0 +1,287 @@ +policy_module(pki,10.0.11) + +######################################## @@ -61704,6 +61738,7 @@ index 0000000..cadefe5 +# + +allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid}; ++dontaudit pki_tomcat_t self:capability net_admin; +allow pki_tomcat_t self:process { signal setsched signull execmem }; + +allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; @@ -73542,10 +73577,10 @@ index 951db7f..c0cabe8 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ') 
diff --git a/raid.te b/raid.te -index 2c1730b..5aa98aa 100644 +index 2c1730b..aa0ff54 100644 --- a/raid.te +++ b/raid.te -@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t; +@@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -73556,12 +73591,15 @@ index 2c1730b..5aa98aa 100644 +systemd_unit_file(mdadm_unit_file_t) + +type mdadm_tmp_t; -+files_tmpfs_file(mdadm_tmp_t) ++files_tmp_file(mdadm_tmp_t) ++ ++type mdadm_tmpfs_t; ++files_tmpfs_file(mdadm_tmpfs_t) + type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,43 +34,64 @@ dev_associate(mdadm_var_run_t) +@@ -25,43 +37,68 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; @@ -73579,6 +73617,10 @@ index 2c1730b..5aa98aa 100644 +manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) ++ ++manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t) ++manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t) ++fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, file) manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) @@ -73635,7 +73677,7 @@ index 2c1730b..5aa98aa 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +107,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -73657,7 +73699,7 @@ index 2c1730b..5aa98aa 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -89,17 +124,38 @@ optional_policy(` +@@ -89,17 +131,38 @@ optional_policy(` ') optional_policy(` 
@@ -86317,7 +86359,7 @@ index 98c9e0a..d4aa009 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..6fa941d 100644 +index 4a23d84..20f5040 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) @@ -86450,7 +86492,7 @@ index 4a23d84..6fa941d 100644 + +auth_use_nsswitch(sblim_sfcbd_t) + -+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) ++corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t) +corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t) + +dev_read_rand(sblim_sfcbd_t) @@ -100272,10 +100314,10 @@ index 9dec06c..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..3ecf9e4 100644 +index 1f22fba..57af4d0 100644 --- a/virt.te +++ b/virt.te -@@ -1,147 +1,194 @@ +@@ -1,147 +1,209 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) @@ -100413,20 +100455,34 @@ index 1f22fba..3ecf9e4 100644 -attribute virt_image_type; -attribute virt_tmp_type; -attribute virt_tmpfs_type; -- --attribute svirt_lxc_domain; +## +##

+## Allow confined virtual guests to use usb devices +##

+##
+gen_tunable(virt_use_usb, true) ++ ++## ++##

++## Allow sandbox containers to manage nfs files ++##

++##
++gen_tunable(virt_sandbox_use_nfs, false) ++ ++## ++##

++## Allow sandbox containers to manage samba/cifs files ++##

++##
++gen_tunable(virt_sandbox_use_samba, false) --attribute_role virt_domain_roles; --roleattribute system_r virt_domain_roles; +-attribute svirt_lxc_domain; +## +##

+## Allow sandbox containers to send audit messages + +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; +##

+##
+gen_tunable(virt_sandbox_use_audit, true) @@ -100456,10 +100512,10 @@ index 1f22fba..3ecf9e4 100644 + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; -+ -+type qemu_exec_t, virt_file_type; -type virt_cache_t alias svirt_cache_t; ++type qemu_exec_t, virt_file_type; ++ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -100541,7 +100597,7 @@ index 1f22fba..3ecf9e4 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +197,130 @@ ifdef(`enable_mls',` +@@ -150,295 +212,130 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -100800,9 +100856,7 @@ index 1f22fba..3ecf9e4 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) @@ -100811,7 +100865,9 @@ index 1f22fba..3ecf9e4 100644 -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) 
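Review bot: The two booleans declared in this hunk, `virt_sandbox_use_nfs` and `virt_sandbox_use_samba`, are not referenced by any rule in the diff: the svirt_sandbox_domain NFS/CIFS rules added in hunk @@ -101953 are gated on the pre-existing `virt_use_nfs` and `virt_use_samba` instead, so the new switches gate nothing, while turning on the existing guest-oriented booleans now also opens NFS/CIFS to sandbox containers. Either drop the declarations or change the two `tunable_policy` conditions in that hunk to `virt_sandbox_use_nfs` and `virt_sandbox_use_samba`; the default-false declarations and the changelog entry "Add booleans to allow docker processes to use nfs and samba" suggest the latter is the intent.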
@@ -100912,7 +100968,7 @@ index 1f22fba..3ecf9e4 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +330,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +345,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -100959,29 +101015,29 @@ index 1f22fba..3ecf9e4 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +365,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +380,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +378,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +393,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
@@ -100989,7 +101045,7 @@ index 1f22fba..3ecf9e4 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +386,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +401,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -101017,7 +101073,7 @@ index 1f22fba..3ecf9e4 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +406,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +421,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -101050,7 +101106,7 @@ index 1f22fba..3ecf9e4 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +457,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +472,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -101070,7 +101126,7 @@ index 1f22fba..3ecf9e4 100644 selinux_validate_context(virtd_t) -@@ -613,18 +479,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +494,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -101107,7 +101163,7 @@ index 1f22fba..3ecf9e4 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +507,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +522,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -101116,7 +101172,7 @@ index 1f22fba..3ecf9e4 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +532,12 @@ optional_policy(` +@@ -658,20 +547,12 @@ optional_policy(` ') optional_policy(` @@ -101137,7 +101193,7 @@ index 1f22fba..3ecf9e4 100644 ') optional_policy(` -@@ -684,14 +550,20 @@ optional_policy(` +@@ -684,14 +565,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -101160,7 +101216,7 @@ index 1f22fba..3ecf9e4 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +576,13 @@ optional_policy(` +@@ -704,11 +591,13 @@ optional_policy(` ') optional_policy(` @@ -101174,7 +101230,7 @@ index 1f22fba..3ecf9e4 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +593,18 @@ optional_policy(` +@@ -719,10 +608,18 @@ optional_policy(` ') optional_policy(` @@ -101193,7 +101249,7 @@ index 1f22fba..3ecf9e4 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +619,277 @@ optional_policy(` +@@ -737,44 +634,277 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -101221,27 +101277,23 @@ index 1f22fba..3ecf9e4 100644 -allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { accept connectto listen }; -allow virsh_t self:tcp_socket { accept listen }; -- --manage_files_pattern(virsh_t, virt_image_type, virt_image_type) --manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) --manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; +-manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++kernel_read_net_sysctls(virt_domain) ++kernel_read_network_state(virt_domain) + -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+kernel_read_net_sysctls(virt_domain) -+kernel_read_network_state(virt_domain) - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -101252,12 +101304,14 @@ index 1f22fba..3ecf9e4 100644 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --allow virsh_t svirt_lxc_domain:process transition; +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -101289,9 +101343,10 @@ index 1f22fba..3ecf9e4 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --can_exec(virsh_t, virsh_exec_t) +-allow virsh_t svirt_lxc_domain:process transition; +dontaudit virt_domain virt_tmpfs_type:file { read write }; -+ + +-can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) @@ -101340,7 +101395,7 @@ index 1f22fba..3ecf9e4 100644 +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) - ++ +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) @@ -101456,7 +101511,7 @@ index 1f22fba..3ecf9e4 100644 +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; -+ + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) 
@@ -101494,7 +101549,7 @@ index 1f22fba..3ecf9e4 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +900,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +915,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -101521,7 +101576,7 @@ index 1f22fba..3ecf9e4 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +920,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +935,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -101555,7 +101610,7 @@ index 1f22fba..3ecf9e4 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +957,20 @@ optional_policy(` +@@ -847,14 +972,20 @@ optional_policy(` ') optional_policy(` @@ -101577,7 +101632,7 @@ index 1f22fba..3ecf9e4 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +995,65 @@ optional_policy(` +@@ -879,49 +1010,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -101661,7 +101716,7 @@ index 1f22fba..3ecf9e4 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1065,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1080,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -101681,7 +101736,7 @@ index 1f22fba..3ecf9e4 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1086,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1101,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -101705,7 +101760,7 @@ index 1f22fba..3ecf9e4 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1111,282 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1126,294 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -101734,8 +101789,7 @@ index 1f22fba..3ecf9e4 100644 +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -101743,7 +101797,8 @@ index 1f22fba..3ecf9e4 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -101953,6 +102008,18 @@ index 1f22fba..3ecf9e4 100644 + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ++') ++ ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(svirt_sandbox_domain) ++ fs_manage_nfs_files(svirt_sandbox_domain) ++ fs_read_nfs_symlinks(svirt_sandbox_domain) ++') ++ ++tunable_policy(`virt_use_samba',` ++ fs_manage_nfs_files(svirt_sandbox_domain) ++ fs_manage_cifs_files(svirt_sandbox_domain) ++ fs_read_cifs_symlinks(svirt_sandbox_domain) ') ######################################## @@ -101979,6 +102046,10 @@ index 1f22fba..3ecf9e4 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; ++ ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) 
@@ -101990,10 +102061,6 @@ index 1f22fba..3ecf9e4 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -+ +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -102097,12 +102164,12 @@ index 1f22fba..3ecf9e4 100644 +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(svirt_sandbox_file_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +logging_send_syslog_msg(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` @@ -102125,7 +102192,7 @@ index 1f22fba..3ecf9e4 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1399,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1426,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -102140,7 +102207,7 @@ index 1f22fba..3ecf9e4 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1417,8 @@ optional_policy(` +@@ -1183,9 +1444,8 @@ optional_policy(` ######################################## # @@ -102151,7 +102218,7 @@ index 1f22fba..3ecf9e4 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1431,216 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1458,218 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
@@ -102370,6 +102437,8 @@ index 1f22fba..3ecf9e4 100644 +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') ++ ++ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -102525,10 +102594,10 @@ index 0000000..7933d80 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..d59b917 +index 0000000..1928ad9 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,94 @@ +@@ -0,0 +1,96 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -102618,6 +102687,8 @@ index 0000000..d59b917 +corecmd_exec_bin(vmtools_helper_t) + +userdom_stream_connect(vmtools_helper_t) ++userdom_use_inherited_user_ttys(vmtools_helper_t) ++userdom_use_inherited_user_ptys(vmtools_helper_t) + +optional_policy(` + unconfined_domain(vmtools_helper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 67c36ce..610ad91 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 144%{?dist} +Release: 145%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 24 2014 Miroslav Grepl 3.12.1-145 +- Allow also unpriv user to run vmtools +- Allow secadm to read /dev/urandom and meminfo +- Add booleans to allow docker processes to use nfs and samba +- Add mdadm_tmpfs support +- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t +- Allow vmware-user-sui to use user ttys +- Allow talk 2 users logged via console too +- Allow ftp services to manage xferlog_t +- Make all pcp domanis as unconfined for F20 beucause of new policies +- allow anaconda to dbus chat with systemd-localed + * Fri Mar 21 2014 Miroslav Grepl 3.12.1-144 - allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins@redhat.com