From 2bb5c83b3d0395399f78a73eb90307190882aa7b Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 02 2016 17:02:58 +0000 Subject: * Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222 - Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Add named_t domain net_raw capability bz(1389240) - Allow geoclue to read system info. bz(1389320) - Make openfortivpn_t as init_deamon_domain. bz(1159899) - Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487) - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Add interace lldpad_relabel_tmpfs - Merge pull request #155 from rhatdan/sandbox_nfs - Add pscsd_t wake_alarm capability2 - Allow sandbox domains to mount fuse file systems - Add boolean to allow sandbox domains to mount nfs - Allow hypervvssd_t to read all dirs. - Allow isnsd_t to connect to isns_port_t - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. - Make tor_var_lib_t and tor_var_log_t as mountpoints. - Allow systemd-rfkill to write to /proc/kmsg bz(1388669) - Allow init_t to relabel /dev/shm/lldpad.state - Merge pull request #168 from rhatdan/docker - Label tcp 51954 as isns_port_t - Lots of new domains like OCID and RKT are user container processes --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 09d36e2..ba6d48a 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2487a9f..7a93d33 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5946,7 +5946,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..25a5cfe 100644 +index b191055..9729941 100644 
--- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6134,7 +6134,8 @@ index b191055..25a5cfe 100644 +network_port(ircd, tcp,6667,s0, tcp,6697,s0) network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) - network_port(isns, tcp,3205,s0, udp,3205,s0) +-network_port(isns, tcp,3205,s0, udp,3205,s0) ++network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) -network_port(jabber_interserver, tcp,5269,s0) -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) @@ -37458,7 +37459,7 @@ index 79a45f6..d092e6e 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..e33db3f 100644 +index 17eda24..e59e001 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37768,7 +37769,7 @@ index 17eda24..e33db3f 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +337,271 @@ ifdef(`distro_gentoo',` +@@ -186,29 +337,275 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38011,10 +38012,14 @@ index 17eda24..e33db3f 100644 optional_policy(` - auth_rw_login_records(init_t) -+ consolekit_manage_log(init_t) ++ lldpad_relabel_tmpfs(init_t) ') optional_policy(` ++ consolekit_manage_log(init_t) ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -38049,7 +38054,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -216,7 +609,30 @@ optional_policy(` +@@ -216,7 +613,30 @@ optional_policy(` ') optional_policy(` @@ -38081,7 +38086,7 @@ index 17eda24..e33db3f 100644 ') ######################################## -@@ -225,9 +641,9 @@ optional_policy(` +@@ -225,9 +645,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
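Review bot: The new `network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0)` pins tcp/51954 to isns_port_t, and 51954 sits inside the kernel's default local (ephemeral) port range, which the policy's ephemeral port type presumably covers today. Once this lands, any domain that is allowed to connect to arbitrary ephemeral-range ports but not to isns_port_t will be denied when its peer happens to listen on 51954, and the companion `corenet_tcp_connect_isns_port(isnsd_t)` in the contrib patch suggests the grant is client-side. A one-line comment on the port definition stating why a dynamic-range port is being given a service label, e.g. `# tcp/51954: carved out of the dynamic range for isnsd (see changelog)`, would make the trade-off visible to the next maintainer.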
@@ -38093,7 +38098,7 @@ index 17eda24..e33db3f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +674,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +678,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38110,7 +38115,7 @@ index 17eda24..e33db3f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +699,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +703,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38153,7 +38158,7 @@ index 17eda24..e33db3f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +736,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +740,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38165,7 +38170,7 @@ index 17eda24..e33db3f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +748,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +752,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38176,7 +38181,7 @@ index 17eda24..e33db3f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +759,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +763,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38186,7 +38191,7 @@ index 17eda24..e33db3f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +768,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +772,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38194,7 +38199,7 @@ index 17eda24..e33db3f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +775,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +779,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38202,7 +38207,7 @@ index 17eda24..e33db3f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +783,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +787,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38220,7 +38225,7 @@ index 17eda24..e33db3f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +801,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +805,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38234,7 +38239,7 @@ index 17eda24..e33db3f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +816,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +820,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38248,7 +38253,7 @@ index 17eda24..e33db3f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +829,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +833,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38259,7 +38264,7 @@ index 17eda24..e33db3f 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +842,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +846,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38267,7 +38272,7 @@ index 17eda24..e33db3f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +861,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +865,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38291,7 +38296,7 @@ index 17eda24..e33db3f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +894,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +898,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38299,7 +38304,7 @@ index 17eda24..e33db3f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +928,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +932,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38310,7 +38315,7 @@ index 17eda24..e33db3f 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +952,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +956,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38319,7 +38324,7 @@ index 17eda24..e33db3f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +967,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +971,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38327,7 +38332,7 @@ index 17eda24..e33db3f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +988,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +992,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38335,7 +38340,7 @@ index 17eda24..e33db3f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +998,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1002,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38380,7 +38385,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -559,14 +1043,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1047,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38412,7 +38417,7 @@ index 17eda24..e33db3f 100644 ') ') -@@ -577,6 +1078,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1082,39 @@ ifdef(`distro_suse',` ') ') @@ -38452,7 +38457,7 @@ index 17eda24..e33db3f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1123,8 @@ optional_policy(` +@@ -589,6 +1127,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38461,7 +38466,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -610,6 +1146,7 @@ optional_policy(` +@@ -610,6 +1150,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38469,7 +38474,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -626,6 +1163,17 @@ optional_policy(` +@@ -626,6 +1167,17 @@ optional_policy(` ') optional_policy(` 
@@ -38487,7 +38492,7 @@ index 17eda24..e33db3f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1190,13 @@ optional_policy(` +@@ -642,9 +1194,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38501,7 +38506,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -657,15 +1209,11 @@ optional_policy(` +@@ -657,15 +1213,11 @@ optional_policy(` ') optional_policy(` @@ -38519,7 +38524,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -686,6 +1234,15 @@ optional_policy(` +@@ -686,6 +1238,15 @@ optional_policy(` ') optional_policy(` @@ -38535,7 +38540,7 @@ index 17eda24..e33db3f 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1283,7 @@ optional_policy(` +@@ -726,6 +1287,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38543,7 +38548,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -743,7 +1301,13 @@ optional_policy(` +@@ -743,7 +1305,13 @@ optional_policy(` ') optional_policy(` @@ -38558,7 +38563,7 @@ index 17eda24..e33db3f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1330,10 @@ optional_policy(` +@@ -766,6 +1334,10 @@ optional_policy(` ') optional_policy(` @@ -38569,7 +38574,7 @@ index 17eda24..e33db3f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1343,20 @@ optional_policy(` +@@ -775,10 +1347,20 @@ optional_policy(` ') optional_policy(` @@ -38590,7 +38595,7 @@ index 17eda24..e33db3f 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1365,10 @@ optional_policy(` +@@ -787,6 +1369,10 @@ optional_policy(` ') optional_policy(` @@ -38601,7 +38606,7 @@ index 17eda24..e33db3f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1390,6 @@ optional_policy(` +@@ -808,8 +1394,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -38610,7 +38615,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -818,6 +1398,10 @@ optional_policy(` +@@ -818,6 +1402,10 @@ optional_policy(` ') optional_policy(` @@ -38621,7 +38626,7 @@ index 17eda24..e33db3f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1411,12 @@ optional_policy(` +@@ -827,10 +1415,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38634,7 +38639,7 @@ index 17eda24..e33db3f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1443,62 @@ optional_policy(` +@@ -857,21 +1447,62 @@ optional_policy(` ') optional_policy(` @@ -38698,7 +38703,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -887,6 +1514,10 @@ optional_policy(` +@@ -887,6 +1518,10 @@ optional_policy(` ') optional_policy(` @@ -38709,7 +38714,7 @@ index 17eda24..e33db3f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1528,218 @@ optional_policy(` +@@ -897,3 +1532,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -49137,10 +49142,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..eff9e73 +index 0000000..2800431 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,972 @@ +@@ -0,0 +1,973 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49868,6 +49873,7 @@ index 0000000..eff9e73 + +dev_read_sysfs(systemd_rfkill_t) +dev_rw_wireless(systemd_rfkill_t) ++dev_write_kmsg(systemd_rfkill_t) + +init_search_var_lib_dirs(systemd_rfkill_t) + @@ -51261,10 +51267,10 @@ index 5ca20a9..5454d16 100644 + allow $1 unconfined_service_t:process signull; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902d..a349d18 100644 +index 5fe902d..b31eeba 100644 --- a/policy/modules/system/unconfined.te 
+++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,28 @@ +@@ -1,207 +1,32 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) @@ -51352,8 +51358,7 @@ index 5fe902d..a349d18 100644 -optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') -+role unconfined_r types unconfined_service_t; - +- -optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') @@ -51369,15 +51374,12 @@ index 5fe902d..a349d18 100644 -optional_policy(` - java_run_unconfined(unconfined_t, unconfined_r) -') -+corecmd_bin_entry_type(unconfined_service_t) -+corecmd_shell_entry_type(unconfined_service_t) - - optional_policy(` +- +-optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -+ rpm_transition_script(unconfined_service_t, system_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -') - @@ -51429,7 +51431,8 @@ index 5fe902d..a349d18 100644 -optional_policy(` - rpm_run(unconfined_t, unconfined_r) -') -- ++role unconfined_r types unconfined_service_t; + -optional_policy(` - samba_run_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) @@ -51451,16 +51454,20 @@ index 5fe902d..a349d18 100644 -optional_policy(` - unconfined_dbus_chat(unconfined_t) -') -- --optional_policy(` ++corecmd_bin_entry_type(unconfined_service_t) ++corecmd_shell_entry_type(unconfined_service_t) + + optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) --') -- --optional_policy(` ++ rpm_transition_script(unconfined_service_t, system_r) + ') + + optional_policy(` - vpn_run(unconfined_t, unconfined_r) --') -- --optional_policy(` ++ dbus_chat_system_bus(unconfined_service_t) + ') + + optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') - 
@@ -51482,7 +51489,7 @@ index 5fe902d..a349d18 100644 - -optional_policy(` - unconfined_dbus_chat(unconfined_execmem_t) -+ dbus_chat_system_bus(unconfined_service_t) ++ virt_transition_svirt(unconfined_service_t, system_r) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..c54480a 100644 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d4a3261..c402de5 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9774,7 +9774,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..ab9ec30 100644 +index 1241123..f726b13 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9801,7 +9801,7 @@ index 1241123..ab9ec30 100644 # -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; +allow named_t self:capability2 block_suspend; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; @@ -31429,10 +31429,10 @@ index 0000000..cf9f7bf +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..efd838f +index 0000000..fb8be0d --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,71 @@ +@@ -0,0 +1,72 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -31466,6 +31466,7 @@ index 0000000..efd838f +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t) +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file }) + ++kernel_read_system_state(geoclue_t) +kernel_read_network_state(geoclue_t) + +auth_read_passwd(geoclue_t) 
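Review bot: The bind.te change adds `net_raw` to named_t's capability set next to the existing `net_admin`, but no matching `rawip_socket` or `packet_socket` rule appears in this hunk, so if the AVC behind bz(1389240) was on raw socket creation the capability alone will not resolve it. If instead it was a setsockopt probe (SO_BINDTODEVICE requires CAP_NET_RAW), a `dontaudit` would be the least-privilege answer rather than a grant. Either way the line deserves a comment tying it to the bug, e.g. `# net_raw: bz(1389240)`, since named_t already carries several administrative capabilities.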
@@ -32381,10 +32382,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..3ba328e +index 0000000..0a33da3 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,303 @@ +@@ -0,0 +1,305 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32446,7 +32447,7 @@ index 0000000..3ba328e +# Local policy +# + -+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; ++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw }; + +allow glusterd_t self:capability2 block_suspend; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; @@ -32542,6 +32543,7 @@ index 0000000..3ba328e +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) +dev_read_rand(glusterd_t) ++dev_rw_infiniband_dev(glusterd_t) + +domain_read_all_domains_state(glusterd_t) +domain_getattr_all_sockets(glusterd_t) @@ -32551,6 +32553,7 @@ index 0000000..3ba328e +fs_mount_all_fs(glusterd_t) +fs_unmount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) ++fs_getattr_all_dirs(glusterd_t) + +files_mounton_non_security(glusterd_t) + @@ -37724,10 +37727,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..de9cd55 100644 +index 4eb7041..b205df0 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,153 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -37889,6 +37892,7 @@ index 4eb7041..de9cd55 100644 -miscfiles_read_localization(hypervkvpd_t) +files_list_all_mountpoints(hypervvssd_t) +files_write_all_mountpoints(hypervvssd_t) ++files_list_non_auth_dirs(hypervvssd_t) -sysnet_dns_name_resolve(hypervkvpd_t) +logging_send_syslog_msg(hypervvssd_t) 
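Review bot: `ipc_lock` is added to the glusterd_t capability set and `dev_rw_infiniband_dev(glusterd_t)` further down without any comment, while the changelog is the only place that attributes them to the RDMA transport. A why-comment on the capability line, e.g. `# ipc_lock: RDMA transport pins registered memory (mlock)`, and one on the device rule would keep that rationale in the policy itself. Please also confirm that the infiniband device type covers the rdma_cm device the changelog names; the hunk does not show the file-context side, so I cannot verify it from here.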
@@ -39918,7 +39922,7 @@ index ca020fa..d546e07 100644 + kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t) +') diff --git a/isns.te b/isns.te -index bc11034..183c526 100644 +index bc11034..20a7f39 100644 --- a/isns.te +++ b/isns.te @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) @@ -39939,9 +39943,11 @@ index bc11034..183c526 100644 corenet_all_recvfrom_unlabeled(isnsd_t) corenet_all_recvfrom_netlabel(isnsd_t) corenet_tcp_sendrecv_generic_if(isnsd_t) -@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -45,11 +49,8 @@ corenet_tcp_sendrecv_isns_port(isnsd_t) + corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) ++corenet_tcp_connect_isns_port(isnsd_t) -files_read_etc_files(isnsd_t) +auth_use_nsswitch(isnsd_t) @@ -46051,7 +46057,7 @@ index 8031a78..72e56ac 100644 + +/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0) diff --git a/lldpad.if b/lldpad.if -index d18c960..fb5b674 100644 +index d18c960..b7bd752 100644 --- a/lldpad.if +++ b/lldpad.if @@ -2,6 +2,25 @@ @@ -46095,6 +46101,29 @@ index d18c960..fb5b674 100644 init_labeled_script_domtrans($1, lldpad_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; +@@ -56,3 +79,22 @@ interface(`lldpad_admin',` + files_search_pids($1) + admin_pattern($1, lldpad_var_run_t) + ') ++ ++######################################## ++## ++## Allow relabel lldpad_tmpfs_t ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lldpad_relabel_tmpfs',` ++ gen_require(` ++ type lldpad_tmpfs_t; ++ ') ++ ++ allow $1 lldpad_tmpfs_t:file relabelfrom; ++ allow $1 lldpad_tmpfs_t:file relabelto; ++') diff --git a/lldpad.te b/lldpad.te index 2a491d9..42e5578 100644 --- a/lldpad.te @@ -64805,10 +64834,10 @@ index 0000000..7581b52 +') diff --git a/openfortivpn.te b/openfortivpn.te new file mode 100644 -index 0000000..0d22f83 +index 0000000..3142896 --- /dev/null 
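Review bot: In the new `lldpad_relabel_tmpfs` interface the two allow rules can be a single line, `allow $1 lldpad_tmpfs_t:file { relabelfrom relabelto };`, matching how the rest of the policy writes multi-permission rules. The summary `Allow relabel lldpad_tmpfs_t` should name what is relabeled, e.g. `Relabel lldpad_tmpfs_t files (/dev/shm/lldpad.state)`; the interface's doc tags also appear stripped in this rendering, so check the XML survived in the real file. If the only caller (init_t, via the base patch) presumably needs to set the label onto the tmpfs file, `relabelto` is sufficient; `relabelfrom` additionally lets the caller move files out of lldpad_tmpfs_t.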
+++ b/openfortivpn.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,67 @@ +policy_module(openfortivpn, 1.0.0) + +######################################## @@ -64817,11 +64846,9 @@ index 0000000..0d22f83 +# + +type openfortivpn_t; -+domain_type(openfortivpn_t); +role system_r types openfortivpn_t; -+ +type openfortivpn_exec_t; -+domain_entry_file(openfortivpn_t, openfortivpn_exec_t) ++init_daemon_domain(openfortivpn_t, openfortivpn_exec_t) + +type openfortivpn_var_lib_t; +files_type(openfortivpn_var_lib_t) @@ -69440,14 +69467,15 @@ index 43d50f9..6b1544f 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb1964..5212cd2 100644 +index 1fb1964..a8026bd 100644 --- a/pcscd.te +++ b/pcscd.te -@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") +@@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") # allow pcscd_t self:capability { dac_override dac_read_search fsetid }; -allow pcscd_t self:process signal; ++allow pcscd_t self:capability2 { wake_alarm }; +allow pcscd_t self:process { signal signull }; allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket { accept listen }; @@ -69458,7 +69486,7 @@ index 1fb1964..5212cd2 100644 allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) +@@ -36,7 +38,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) kernel_read_system_state(pcscd_t) @@ -69466,7 +69494,7 @@ index 1fb1964..5212cd2 100644 corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) +@@ -45,12 +46,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) corenet_tcp_connect_http_port(pcscd_t) corenet_tcp_sendrecv_http_port(pcscd_t) 
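Review bot: The new `allow pcscd_t self:capability2 { wake_alarm };` wraps a single permission in braces; the rest of this patch writes single permissions bare, e.g. `allow named_t self:capability2 block_suspend;`, so `allow pcscd_t self:capability2 wake_alarm;` would be consistent. Note the changelog spells the domain `pscsd_t` while the policy type is `pcscd_t`.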
@@ -69481,7 +69509,7 @@ index 1fb1964..5212cd2 100644 files_read_etc_runtime_files(pcscd_t) term_use_unallocated_ttys(pcscd_t) -@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t) +@@ -60,16 +62,26 @@ locallogin_use_fds(pcscd_t) logging_send_syslog_msg(pcscd_t) @@ -69510,7 +69538,7 @@ index 1fb1964..5212cd2 100644 ') optional_policy(` -@@ -85,3 +96,8 @@ optional_policy(` +@@ -85,3 +97,8 @@ optional_policy(` optional_policy(` udev_read_db(pcscd_t) ') @@ -90925,7 +90953,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..7f491b0 100644 +index 2da9fca..23bddad 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91123,7 +91151,7 @@ index 2da9fca..7f491b0 100644 ') ######################################## -@@ -202,41 +226,56 @@ optional_policy(` +@@ -202,41 +226,61 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91177,6 +91205,11 @@ index 2da9fca..7f491b0 100644 storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) ++allow nfsd_t nfsd_unit_file_t:file manage_file_perms; ++systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file) ++systemd_create_unit_file_dirs(nfsd_t) ++systemd_create_unit_file_lnk(nfsd_t) ++ +# Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -91189,7 +91222,7 @@ index 2da9fca..7f491b0 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +284,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91197,7 +91230,7 @@ index 2da9fca..7f491b0 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +295,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) 
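Review bot: `systemd_create_unit_file_dirs(nfsd_t)` and `systemd_create_unit_file_lnk(nfsd_t)` go beyond the changelog's "create nfsd_unit_file_t files": the filetrans on the line above only covers `file`, so directories and symlinks nfsd_t creates in a unit directory would presumably carry the generic unit-file type that init treats as trusted configuration. If the consumer is a generator writing drop-ins, consider whether `allow nfsd_t nfsd_unit_file_t:file manage_file_perms;` plus the filetrans already cover it, and if symlinks are genuinely needed a filetrans for `lnk_file` to nfsd_unit_file_t would keep them labeled. A comment naming the writer, e.g. `# nfs-utils generator writes nfsd_unit_file_t units (bz 1382487)`, would help reviewers of a network-facing domain's unit-file access.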
@@ -91212,7 +91245,7 @@ index 2da9fca..7f491b0 100644 ') ######################################## -@@ -270,7 +308,7 @@ optional_policy(` +@@ -270,7 +313,7 @@ optional_policy(` # GSSD local policy # @@ -91221,7 +91254,7 @@ index 2da9fca..7f491b0 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +318,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91229,7 +91262,7 @@ index 2da9fca..7f491b0 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +327,31 @@ kernel_signal(gssd_t) +@@ -288,25 +332,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91264,7 +91297,7 @@ index 2da9fca..7f491b0 100644 ') optional_policy(` -@@ -314,9 +359,12 @@ optional_policy(` +@@ -314,9 +364,12 @@ optional_policy(` ') optional_policy(` @@ -109696,7 +109729,7 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..f24416b 100644 +index 5ceacde..c919a2d 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) @@ -109713,7 +109746,16 @@ index 5ceacde..f24416b 100644 type tor_t; type tor_exec_t; init_daemon_domain(tor_t, tor_exec_t) -@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t) +@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t) + + type tor_var_lib_t; + files_type(tor_var_lib_t) ++files_mountpoint(tor_var_lib_t) + + type tor_var_log_t; + logging_log_file(tor_var_log_t) ++files_mountpoint(tor_var_log_t) + type tor_var_run_t; files_pid_file(tor_var_run_t) init_daemon_run_dir(tor_var_run_t, "tor") 
@@ -109724,7 +109766,7 @@ index 5ceacde..f24416b 100644 ######################################## # -@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; +@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; allow tor_t tor_etc_t:file read_file_perms; allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; @@ -109733,7 +109775,7 @@ index 5ceacde..f24416b 100644 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -109741,7 +109783,7 @@ index 5ceacde..f24416b 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t) +@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) @@ -109749,7 +109791,7 @@ index 5ceacde..f24416b 100644 corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) -@@ -98,19 +111,22 @@ dev_read_urand(tor_t) +@@ -98,19 +113,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -114182,7 +114224,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..923fbbe 100644 +index f03dcf5..af39887 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,403 @@ 
@@ -115766,7 +115808,7 @@ index f03dcf5..923fbbe 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1260,360 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1260,364 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116051,6 +116093,9 @@ index f03dcf5..923fbbe 100644 + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) ++ fs_mount_nfs(svirt_sandbox_domain) ++ fs_unmount_nfs(svirt_sandbox_domain) ++ kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` @@ -116064,6 +116109,8 @@ index f03dcf5..923fbbe 100644 + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) ++ fs_mount_fusefs(svirt_sandbox_domain) ++ fs_unmount_fusefs(svirt_sandbox_domain) ') optional_policy(` @@ -116091,7 +116138,6 @@ index f03dcf5..923fbbe 100644 +dontaudit container_t self:capability2 block_suspend ; +allow container_t self:process { execstack execmem }; +manage_chr_files_pattern(container_t, container_file_t, container_file_t) -+kernel_load_module(container_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_t self:capability sys_admin; @@ -116271,7 +116317,7 @@ index f03dcf5..923fbbe 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1626,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
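Review bot: `kernel_rw_fs_sysctls(svirt_sandbox_domain)` is added to the same tunable block as `fs_mount_nfs`/`fs_unmount_nfs`, but writing /proc/sys/fs sysctls is unrelated to mounting NFS and applies to every sandbox domain whenever that boolean is on; the enclosing `tunable_policy` opens outside the hunk, so I cannot see which boolean that is. If a specific NFS-client path needs it, a comment saying so, e.g. `# NOTE: needed by <mount helper> — TODO confirm`, would justify it; otherwise it should be dropped or placed behind its own boolean. Worth noting in the boolean's description that the mount and unmount rules only take effect for domains that also hold sys_admin, which for container_t this hunk gates behind `virt_sandbox_use_sys_admin`.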
@@ -116286,7 +116332,7 @@ index f03dcf5..923fbbe 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1644,7 @@ optional_policy(` +@@ -1192,7 +1648,7 @@ optional_policy(` ######################################## # @@ -116295,7 +116341,7 @@ index f03dcf5..923fbbe 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1653,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 11f9dc3..714f596 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 221%{?dist} +Release: 222%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,29 @@ exit 0
 %endif
 
 %changelog
+* Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222
+- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
+- Add named_t domain net_raw capability bz(1389240)
+- Allow geoclue to read system info. bz(1389320)
+- Make openfortivpn_t as init_deamon_domain. bz(1159899)
+- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Add interace lldpad_relabel_tmpfs
+- Merge pull request #155 from rhatdan/sandbox_nfs
+- Add pscsd_t wake_alarm capability2
+- Allow sandbox domains to mount fuse file systems
+- Add boolean to allow sandbox domains to mount nfs
+- Allow hypervvssd_t to read all dirs.
+- Allow isnsd_t to connect to isns_port_t
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
+- Make tor_var_lib_t and tor_var_log_t as mountpoints.
+- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
+- Allow init_t to relabel /dev/shm/lldpad.state
+- Merge pull request #168 from rhatdan/docker
+- Label tcp 51954 as isns_port_t
+- Lots of new domains like OCID and RKT are user container processes
+
 * Mon Oct 17 2016 Miroslav Grepl - 3.13.1-221
 - Add container_file_t into contexts/customizable_types.
 