From 059413b56b0bd6e490a86e516a6ef8117162fd89 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 21 2014 10:52:11 +0000 Subject: - Allow cockpit to bind to its port - Add fixes for squid which is configured to run with more tha - geard seems to do a lot of relabeling - Allow system_mail_t to append to munin_var_lib_t - Allow mozilla_plugin to read alsa_rw_ content - Dontaudit attempts to read fixed disk - Add MCS/MLS Constraints to kernel keyring, also add MCS Cons - Allow seunshare domains to getattr on all executables --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index cad7ed8..9a9a2d9 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -1034,7 +1034,7 @@ index 4705ab6..b7e7ea5 100644 +## +gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs -index 216b3d1..275d3d9 100644 +index 216b3d1..064ec83 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ @@ -1044,7 +1044,7 @@ index 216b3d1..275d3d9 100644 # # Define sensitivities # -@@ -69,53 +71,50 @@ gen_levels(1,mcs_num_cats) +@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } @@ -1081,6 +1081,12 @@ index 216b3d1..275d3d9 100644 - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); ++ ++mlsconstrain key { create link read search setattr view write } ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); ++ ++mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. 
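Review bot: The new ipc constraint in policy/mcs covers only the write-side permissions (`create destroy setattr write unix_write`), so an mcs_constrained_type domain can still read, unix_read or getattr a sem/msgq/shm object whose categories it does not dominate, while the `key` rule added just above it does include `read`, `search` and `view`. If the omission is deliberate (MCS here limits what a constrained domain may modify, not what it may observe), a comment such as `# read-side ipc ops are intentionally left unconstrained under MCS` above the rule would stop the asymmetry from being read as an oversight; otherwise a second rule for the read-side permissions, mirroring the MLS file's separate read constraint, is needed. Both new rules exempt every domain that lacks mcs_constrained_type, so they only bite sandbox/container-style domains carrying that attribute, which is consistent with the existing process rules in this file.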
@@ -1115,7 +1121,7 @@ index 216b3d1..275d3d9 100644 mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -@@ -135,6 +134,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d +@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); @@ -1125,7 +1131,7 @@ index 216b3d1..275d3d9 100644 # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); -@@ -166,4 +168,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -1150,10 +1156,20 @@ index 216b3d1..275d3d9 100644 + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls -index d218387..c2541c2 100644 +index d218387..094a319 100644 --- a/policy/mls +++ b/policy/mls -@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s +@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } + # these access vectors have no MLS restrictions + # filesystem { transition associate } + +- +- +- + # + # MLS policy for the socket classes + # +@@ -195,7 +192,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or 
@@ -1163,7 +1179,19 @@ index d218387..c2541c2 100644 # used by netlabel to restrict normal domains to same level connections mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom -@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv } +@@ -252,6 +250,11 @@ mlsconstrain msg receive + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + ++mlsconstrain key { create link read search setattr view write } ++ (( l1 eq l2 ) or ++ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ++ ( t1 == mlsprocwrite )); ++ + # the ipc "write" ops (implicit single level) + mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( l1 eq l2 ) or +@@ -361,9 +364,6 @@ mlsconstrain { peer packet } { recv } (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -3334,10 +3362,10 @@ index 1dc7a85..c6f4da0 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..fb30c11 100644 +index 7590165..b516b43 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -3363,6 +3391,7 @@ index 7590165..fb30c11 100644 -allow seunshare_t self:unix_stream_socket create_stream_socket_perms; +corecmd_exec_shell(seunshare_domain) +corecmd_exec_bin(seunshare_domain) ++corecmd_getattr_all_executables(seunshare_domain) -corecmd_exec_shell(seunshare_t) -corecmd_exec_bin(seunshare_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index ab1a6a5..ce16f17 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -566,7 +566,7 @@ index 058d908..cf17e67 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..23aea8e 100644 +index cc43d25..721bfee 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ 
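Review bot: The new `key` constraint in policy/mls reuses the process override attributes, `( t1 == mlsprocwritetoclr )` and `( t1 == mlsprocwrite )`, to authorise cross-level keyring access, so every domain that already holds those attributes for acting on other processes now also gains read and write access to keys at other levels; that silently widens what those attributes grant. It also groups `read`, `search` and `view` with the write permissions under `l1 eq l2`, treating keys as single-level objects like the ipc classes below rather than read-down like files, which is defensible but should be stated, e.g. `# keys are single-level like ipc: read and write both require l1 eq l2 unless a proc write override applies`. If only specific domains are meant to cross levels for keyrings, a dedicated attribute pair analogous to the `mlsipcread`/`mlsipcreadtoclr` ones visible above would keep the blast radius of the process attributes unchanged. The surrounding `mlsconstrain msg receive` and ipc write rules are context only.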
@@ -802,7 +802,7 @@ index cc43d25..23aea8e 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +193,40 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +193,42 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -827,14 +827,16 @@ index cc43d25..23aea8e 100644 fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) -+logging_read_generic_logs(abrt_t) +-auth_use_nsswitch(abrt_t) ++storage_dontaudit_read_fixed_disk(abrt_t) + + logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) + - auth_use_nsswitch(abrt_t) - --logging_read_generic_logs(abrt_t) ++auth_use_nsswitch(abrt_t) ++ +init_read_utmp(abrt_t) +miscfiles_read_generic_certs(abrt_t) @@ -846,7 +848,7 @@ index cc43d25..23aea8e 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +234,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +236,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -863,7 +865,7 @@ index cc43d25..23aea8e 100644 ') optional_policy(` -@@ -209,6 +246,20 @@ optional_policy(` +@@ -209,6 +248,20 @@ optional_policy(` ') optional_policy(` @@ -884,7 +886,7 @@ index cc43d25..23aea8e 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -221,6 +272,11 @@ optional_policy(` +@@ -221,6 +274,11 @@ optional_policy(` ') optional_policy(` @@ -896,7 +898,7 @@ index cc43d25..23aea8e 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -230,6 +286,7 @@ optional_policy(` +@@ -230,6 +288,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -904,7 +906,7 @@ index cc43d25..23aea8e 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +297,17 @@ optional_policy(` +@@ -240,9 +299,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') 
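Review bot: `storage_dontaudit_read_fixed_disk(abrt_t)` hides, for the whole abrt_t domain, any attempt to read raw fixed-disk device nodes, and nothing in the hunk records what triggers the access, so a later reader cannot distinguish a benign library probe from a crash handler that has started reading block devices. A one-line comment naming the source of the denial, e.g. `# dontaudit: <component> probes block devices at startup; raw disk access is not required`, would document the decision and mark the rule for removal once the trigger is fixed upstream. The changelog entry "Dontaudit attempts to read fixed disk" gives the what but not the why, and the trigger is not visible in this diff, so the comment text above is a placeholder for whoever observed the denial to fill in.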
@@ -923,7 +925,7 @@ index cc43d25..23aea8e 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +318,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +320,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -938,7 +940,7 @@ index cc43d25..23aea8e 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +337,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +339,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -946,7 +948,7 @@ index cc43d25..23aea8e 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +346,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +348,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -967,7 +969,7 @@ index cc43d25..23aea8e 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +367,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +369,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -994,7 +996,7 @@ index cc43d25..23aea8e 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +403,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +405,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) 
@@ -1008,7 +1010,7 @@ index cc43d25..23aea8e 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +421,11 @@ optional_policy(` +@@ -330,10 +423,11 @@ optional_policy(` ####################################### # @@ -1022,7 +1024,7 @@ index cc43d25..23aea8e 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +444,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +446,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1084,7 +1086,7 @@ index cc43d25..23aea8e 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +502,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +504,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -13336,10 +13338,10 @@ index 0000000..25e3237 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..ede96a7 +index 0000000..589262d --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,95 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -13378,6 +13380,8 @@ index 0000000..ede96a7 +corecmd_exec_bin(cockpit_t) +corecmd_exec_shell(cockpit_t) + ++corenet_tcp_bind_cockpit_port(cockpit_t) ++ +dev_read_sysfs(cockpit_t) + +domain_use_interactive_fds(cockpit_t) @@ -28174,10 +28178,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..781c76d +index 0000000..cb68ca9 --- /dev/null +++ b/gear.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,125 @@ +policy_module(gear, 1.0.0) + +######################################## 
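Review bot: `corenet_tcp_bind_cockpit_port(cockpit_t)` grants only the name_bind side, whereas squid in this same commit pairs `corenet_tcp_bind_squid_port` with `corenet_tcp_sendrecv_squid_port` and `corenet_sendrecv_squid_server_packets`, so cockpit.te is now inconsistent with the pattern the other network daemons in the tree follow. Whether the sendrecv pair is actually exercised depends on whether port-type send_msg/recv_msg checks are active on the target kernel, so this is a consistency point rather than a denial I can point to. The cockpit port declaration and the bind interface live in the base patch and are not in this diff, so the port number and protocol cannot be confirmed here.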
@@ -28212,6 +28216,8 @@ index 0000000..781c76d +allow gear_t self:unix_stream_socket create_stream_socket_perms; +allow gear_t self:tcp_socket create_stream_socket_perms; + ++allow gear_t gear_unit_file_t:dir { relabelfrom relabelto }; ++ +manage_dirs_pattern(gear_t, gear_log_t, gear_log_t) +manage_files_pattern(gear_t, gear_log_t, gear_log_t) +manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t) @@ -28225,6 +28231,7 @@ index 0000000..781c76d +manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) +manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) +files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file }) ++allow gear_t gear_var_lib_t:dir { relabelfrom relabelto }; + +manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t) +manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) @@ -45211,7 +45218,7 @@ index 6194b80..cafb2b0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..a4f86f5 100644 +index 6a306ee..44a39ff 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -45657,7 +45664,7 @@ index 6a306ee..a4f86f5 100644 ') optional_policy(` -@@ -300,259 +326,255 @@ optional_policy(` +@@ -300,259 +326,256 @@ optional_policy(` ######################################## # @@ -45982,6 +45989,7 @@ index 6a306ee..a4f86f5 100644 - allow mozilla_plugin_t self:process { execmem execstack }; +optional_policy(` + alsa_read_rw_config(mozilla_plugin_t) ++ alsa_read_rw_config(mozilla_plugin_config_t) + alsa_read_home_files(mozilla_plugin_t) ') @@ -46059,7 +46067,7 @@ index 6a306ee..a4f86f5 100644 ') optional_policy(` -@@ -560,7 +582,11 @@ optional_policy(` +@@ -560,7 +583,11 @@ optional_policy(` ') optional_policy(` @@ -46072,7 +46080,7 @@ index 6a306ee..a4f86f5 100644 ') optional_policy(` -@@ -568,108 +594,131 @@ optional_policy(` +@@ -568,108 +595,131 @@ optional_policy(` ') optional_policy(` @@ -47837,7 +47845,7 @@ index ed81cac..8f217ea 100644 + mta_filetrans_admin_home_content($1) +') 
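Review bot: The two new relabel rules, `allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };` and `allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };`, name the same type on both sides, so they only let gear_t re-apply a label a directory already carries (a restorecon-style no-op) and grant no ability to move objects into or out of these types; that is the right shape for a daemon that runs restorecon over its own state, and a comment saying so, e.g. `# same-type relabel only: geard restorecons its own dirs`, would stop someone later "fixing" it into a broader relabel. They cover only the `dir` class, so if geard relabels recursively the files and symlinks beneath those directories will still be denied; if that shows up, extend the class list with `file lnk_file` rather than reaching for a relabel-all interface. The changelog entry "geard seems to do a lot of relabeling" suggests the exact trigger was not pinned down; recording it next to the rules would help the next reviewer.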
diff --git a/mta.te b/mta.te -index afd2fad..b995f01 100644 +index afd2fad..8ccf7ef 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -48124,7 +48132,7 @@ index afd2fad..b995f01 100644 ') optional_policy(` -@@ -264,10 +161,15 @@ optional_policy(` +@@ -264,10 +161,16 @@ optional_policy(` ') optional_policy(` @@ -48134,13 +48142,14 @@ index afd2fad..b995f01 100644 optional_policy(` + munin_dontaudit_leaks(system_mail_t) ++ munin_append_var_lib_files(system_mail_t) +') + +optional_policy(` nagios_read_tmp_files(system_mail_t) ') -@@ -278,6 +180,19 @@ optional_policy(` +@@ -278,6 +181,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -48160,7 +48169,7 @@ index afd2fad..b995f01 100644 ') optional_policy(` -@@ -293,42 +208,36 @@ optional_policy(` +@@ -293,42 +209,36 @@ optional_policy(` ') optional_policy(` @@ -48213,7 +48222,7 @@ index afd2fad..b995f01 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -337,40 +246,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +247,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -48262,7 +48271,7 @@ index afd2fad..b995f01 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -378,6 +273,10 @@ optional_policy(` +@@ -378,6 +274,10 @@ optional_policy(` ') optional_policy(` 
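Review bot: `munin_append_var_lib_files(system_mail_t)` gives the system mailer open and append access to every file labelled munin_var_lib_t, i.e. munin's persistent state, whereas the `munin_dontaudit_leaks(system_mail_t)` call directly above it suggests the denials come from descriptors inherited when a munin plugin or cron job pipes its output into sendmail. If that is the case, the tighter fix is to allow append only on inherited descriptors (the file is opened by munin, not by system_mail_t) rather than granting open plus append on the whole type; if system_mail_t genuinely opens files under /var/lib/munin itself, a comment naming which file and why would justify the wider grant. The enclosing optional_policy block is complete within the hunk.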
@@ -48273,7 +48282,7 @@ index afd2fad..b995f01 100644 postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -387,24 +286,177 @@ optional_policy(` +@@ -387,24 +287,177 @@ optional_policy(` ######################################## # @@ -48587,7 +48596,7 @@ index eb4b72a..4968324 100644 +/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/munin.if b/munin.if -index b744fe3..4c1b6a8 100644 +index b744fe3..17e2514 100644 --- a/munin.if +++ b/munin.if @@ -1,12 +1,13 @@ @@ -48658,7 +48667,7 @@ index b744fe3..4c1b6a8 100644 ## ## ## -@@ -80,15 +84,53 @@ interface(`munin_read_config',` +@@ -80,15 +84,73 @@ interface(`munin_read_config',` type munin_etc_t; ') @@ -48690,6 +48699,26 @@ index b744fe3..4c1b6a8 100644 + +') + ++####################################### ++## ++## Append munin library files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`munin_append_var_lib_files',` ++ gen_require(` ++ type munin_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ append_files_pattern($1, munin_var_lib_t, munin_var_lib_t) ++ ++') ++ +###################################### +## +## dontaudit read and write an leaked file descriptors @@ -48714,7 +48743,7 @@ index b744fe3..4c1b6a8 100644 ## ## ## -@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',` +@@ -147,8 +209,8 @@ interface(`munin_dontaudit_search_lib',` ######################################## ## @@ -48725,7 +48754,7 @@ index b744fe3..4c1b6a8 100644 ## ## ## -@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',` +@@ -157,7 +219,7 @@ interface(`munin_dontaudit_search_lib',` ## ## ## @@ -48734,7 +48763,7 @@ index b744fe3..4c1b6a8 100644 ## ## ## -@@ -170,8 +212,12 @@ interface(`munin_admin',` +@@ -170,8 +232,12 @@ interface(`munin_admin',` type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; ') 
@@ -93415,7 +93444,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 221c560..fcf6da0 100644 +index 221c560..d892e00 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -93427,19 +93456,19 @@ index 221c560..fcf6da0 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t) +@@ -37,15 +37,22 @@ init_script_file(squid_initrc_exec_t) type squid_log_t; logging_log_file(squid_log_t) --type squid_tmp_t; --files_tmp_file(squid_tmp_t) -- - type squid_tmpfs_t; - files_tmpfs_file(squid_tmpfs_t) - -+type squid_tmp_t; -+files_tmp_file(squid_tmp_t) ++type squid_tmpfs_t; ++files_tmpfs_file(squid_tmpfs_t) + + type squid_tmp_t; + files_tmp_file(squid_tmp_t) + +-type squid_tmpfs_t; +-files_tmpfs_file(squid_tmpfs_t) + type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -93452,7 +93481,7 @@ index 221c560..fcf6da0 100644 ######################################## # # Local policy -@@ -74,19 +80,17 @@ allow squid_t squid_conf_t:file read_file_perms; +@@ -74,20 +81,20 @@ allow squid_t squid_conf_t:file read_file_perms; allow squid_t squid_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) @@ -93464,7 +93493,8 @@ index 221c560..fcf6da0 100644 logging_log_filetrans(squid_t, squid_log_t, { file dir }) +manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) ++manage_dirs_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) ++fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, { dir file }) + manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) 
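Review bot: The `@@ -37,15 +37,22 @@` part of this hunk only swaps the order of the `squid_tmpfs_t` and `squid_tmp_t` declarations — the removed and re-added lines are textually identical — so it is pure churn that doubles the size of the change and hides the real squid.te fix (the tmpfs dir handling in the following hunk). Keeping the original declaration order and adding only what is new would make this patch-on-a-patch reviewable; if the reorder is needed to match upstream refpolicy ordering, that belongs in the commit message.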
@@ -93474,9 +93504,11 @@ index 221c560..fcf6da0 100644 -fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) - manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) ++manage_sock_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) files_pid_filetrans(squid_t, squid_var_run_t, file) -@@ -96,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t) + can_exec(squid_t, squid_exec_t) +@@ -96,7 +103,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) @@ -93484,7 +93516,7 @@ index 221c560..fcf6da0 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -134,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) +@@ -134,6 +140,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) corenet_udp_sendrecv_gopher_port(squid_t) corenet_sendrecv_squid_server_packets(squid_t) @@ -93492,7 +93524,7 @@ index 221c560..fcf6da0 100644 corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) corenet_tcp_sendrecv_squid_port(squid_t) -@@ -156,7 +160,6 @@ dev_read_urand(squid_t) +@@ -156,7 +163,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) @@ -93500,7 +93532,7 @@ index 221c560..fcf6da0 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -178,7 +181,6 @@ libs_exec_lib_files(squid_t) +@@ -178,7 +184,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -93508,7 +93540,7 @@ index 221c560..fcf6da0 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -200,6 +202,8 @@ tunable_policy(`squid_use_tproxy',` +@@ -200,6 +205,8 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) 
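Review bot: `manage_sock_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)` is added but the next line, `files_pid_filetrans(squid_t, squid_var_run_t, file)`, is left unchanged, so a socket that squid creates directly in /var/run (rather than inside an already-labelled squid_var_run_t directory) will receive the generic pid type and the new manage rule will never apply to it. If the multi-worker IPC socket lives directly under /var/run, the transition should read `files_pid_filetrans(squid_t, squid_var_run_t, { file sock_file })`; if it lives in a squid_var_run_t subdirectory the current rule suffices, and a comment saying so would stop the question from recurring. The `manage_dirs_pattern`/`manage_files_pattern` context at the top of the hunk belongs to squid_tmp_t and is unchanged.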
@@ -93517,7 +93549,7 @@ index 221c560..fcf6da0 100644 corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -@@ -209,18 +213,18 @@ optional_policy(` +@@ -209,18 +216,18 @@ optional_policy(` corenet_tcp_connect_http_cache_port(httpd_squid_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) @@ -93543,7 +93575,7 @@ index 221c560..fcf6da0 100644 ') optional_policy(` -@@ -238,3 +242,24 @@ optional_policy(` +@@ -238,3 +245,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 50adf0c..0511c76 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 165%{?dist} +Release: 166%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed May 21 2014 Miroslav Grepl 3.12.1-166 +- Allow cockpit to bind to its port +- Add fixes for squid which is configured to run with more than one worker. +- geard seems to do a lot of relabeling +- Allow system_mail_t to append to munin_var_lib_t +- Allow mozilla_plugin to read alsa_rw_ content +- Dontaudit attempts to read fixed disk +- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm +- Allow seunshare domains to getattr on all executables + * Fri May 16 2014 Miroslav Grepl 3.12.1-165 - More fixes for OpenStack