From 461e3d8ce6656f2c3ff9f43e573a1347acb1af1a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 31 2017 16:02:41 +0000 Subject: * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-225.22 - Allow ddclient use nsswitch BZ(1456241) - Allow thumb_t domain getattr fixed_disk device. BZ(1379137) - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy - Allow cupsd_t to execute ld_so_cache - Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain - Allow nscd_t domain to search network sysctls - Allow iscsid_t domain to read mount pid files - Allow ksmtuned_t domain manage sysfs_t files/dirs - Dontaudit useradd_t sys_ptrace BZ(1480121) - Allow ipsec_t can exec ipsec_exec_t - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy - Allow ifconfig_t domain unmount fs_t --- diff --git a/container-selinux.tgz b/container-selinux.tgz index a013fe7..8018518 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index 0e4c203..24f8fdc 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -3089,7 +3089,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..84225b490 100644 +index 1d732f1e7..7a132d600 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3409,7 +3409,7 @@ index 1d732f1e7..84225b490 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +492,8 @@ optional_policy(` +@@ -446,8 +492,10 @@ optional_policy(` # Useradd local policy # 
@@ -3417,9 +3417,11 @@ index 1d732f1e7..84225b490 100644 +allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + dontaudit useradd_t self:capability sys_tty_config; ++dontaudit useradd_t self:cap_userns { sys_ptrace }; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; + allow useradd_t self:fd use; +@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3430,7 +3432,7 @@ index 1d732f1e7..84225b490 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3470,7 +3472,7 @@ index 1d732f1e7..84225b490 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3478,7 +3480,7 @@ index 1d732f1e7..84225b490 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t) +@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3528,7 +3530,7 @@ index 1d732f1e7..84225b490 100644 ') optional_policy(` -@@ -545,14 +599,27 @@ optional_policy(` +@@ -545,14 +600,27 @@ optional_policy(` ') optional_policy(` 
@@ -3556,7 +3558,7 @@ index 1d732f1e7..84225b490 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +629,12 @@ optional_policy(` +@@ -562,3 +630,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -26937,7 +26939,7 @@ index 76d9f66ec..7528851ad 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c68272..92e8e489b 100644 +index fe0c68272..a1954d8cd 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -27064,7 +27066,7 @@ index fe0c68272..92e8e489b 100644 files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; ++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override chown dac_read fowner fsetid net_admin setgid setuid sys_tty_config };; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { setcap getcap signal getsched setsched setrlimit setexec }; @@ -37822,7 +37824,7 @@ index 0d4c8d35e..537aa4274 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd0417..102b975de 100644 +index 312cd0417..56961b493 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
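Review bot: The replacement `allow $1_t self:capability { … }` line in ssh.if cannot build as written: `dac_read` is not a permission of the `capability` class (the name the rest of this commit uses is `dac_read_search`), `chown` is listed twice, and the statement is terminated with `};;`. It also quietly drops `setpcap` from the set the line it replaces granted, while the next context line still allows `self:process { setcap getcap … }`, and neither the changelog nor a comment explains that; please confirm sshd no longer needs it or keep it. Suggested line: `allow $1_t self:capability { setpcap kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };`. The enclosing template body starts and ends outside this hunk.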
@@ -37884,7 +37886,15 @@ index 312cd0417..102b975de 100644 manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -101,6 +118,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) + files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) + + can_exec(ipsec_t, ipsec_mgmt_exec_t) ++can_exec(ipsec_t, ipsec_exec_t) + + # pluto runs an updown script (by calling popen()!) as this is by default + # a shell script, we need to find a way to make things work without +@@ -110,10 +128,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -37897,7 +37907,7 @@ index 312cd0417..102b975de 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +146,24 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -37929,7 +37939,7 @@ index 312cd0417..102b975de 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +179,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -37964,7 +37974,7 @@ index 312cd0417..102b975de 100644 optional_policy(` seutil_sigchld_newrole(ipsec_t) -@@ -182,19 +213,30 @@ optional_policy(` +@@ -182,19 +214,30 @@ optional_policy(` udev_read_db(ipsec_t) ') 
@@ -37999,7 +38009,7 @@ index 312cd0417..102b975de 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +251,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -38015,7 +38025,7 @@ index 312cd0417..102b975de 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +291,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -38032,7 +38042,7 @@ index 312cd0417..102b975de 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +310,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -38041,7 +38051,7 @@ index 312cd0417..102b975de 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +326,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -38049,7 +38059,7 @@ index 312cd0417..102b975de 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +336,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) 
@@ -38061,7 +38071,7 @@ index 312cd0417..102b975de 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +347,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -38095,7 +38105,7 @@ index 312cd0417..102b975de 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +391,10 @@ optional_policy(` +@@ -322,6 +392,10 @@ optional_policy(` ') optional_policy(` @@ -38106,7 +38116,7 @@ index 312cd0417..102b975de 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +408,7 @@ optional_policy(` +@@ -335,7 +409,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -38115,7 +38125,7 @@ index 312cd0417..102b975de 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -38135,7 +38145,7 @@ index 312cd0417..102b975de 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -38148,7 +38158,7 @@ index 312cd0417..102b975de 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -45536,7 +45546,7 @@ index 2cea692c0..e3cb4f2ef 100644 + files_etc_filetrans($1, net_conf_t, file) +') 
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4bc..41a5b082f 100644 +index a392fc4bc..95c64150b 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -45781,7 +45791,7 @@ index a392fc4bc..41a5b082f 100644 vmware_append_log(dhcpc_t) ') -@@ -264,32 +322,72 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,32 +322,73 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -45847,6 +45857,7 @@ index a392fc4bc..41a5b082f 100644 +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) ++fs_unmount_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +fs_read_nsfs_files(ifconfig_t) +fs_mount_nsfs(ifconfig_t) @@ -45854,7 +45865,7 @@ index a392fc4bc..41a5b082f 100644 selinux_dontaudit_getattr_fs(ifconfig_t) -@@ -299,33 +397,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +398,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -45912,7 +45923,7 @@ index a392fc4bc..41a5b082f 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +452,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +453,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -45925,7 +45936,7 @@ index a392fc4bc..41a5b082f 100644 ') optional_policy(` -@@ -350,7 +470,16 @@ optional_policy(` +@@ -350,7 +471,16 @@ optional_policy(` ') optional_policy(` @@ -45943,7 +45954,7 @@ index a392fc4bc..41a5b082f 100644 ') optional_policy(` -@@ -371,3 +500,17 @@ optional_policy(` +@@ -371,3 +501,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 8052b47..ba80bfb 100644 
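Review bot: `fs_unmount_xattr_fs(ifconfig_t)` lets the ip/ifconfig domain unmount any `fs_t`-labelled filesystem, which is much wider than the bind-mount cleanup that `ip netns exec` presumably triggered, and because many domains enter ifconfig_t by transition the grant is inherited by all of them. If the AVC really was against fs_t (the /etc/netns/NAME/* bind mounts over /etc live on the root filesystem), a why-comment on the new line would keep the next reader from widening it further, e.g. `# ip netns exec detaches the /etc bind mounts it created; their superblock is fs_t`; if it was against sysfs or nsfs, the filesystem-specific unmount interface (e.g. `dev_unmount_sysfs`) is the narrower fix. Unmounting also needs `sys_admin` in ifconfig_t's capability set, which this hunk does not show — worth confirming it is already present rather than adding it alongside.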
--- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -21231,7 +21231,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..1585454d9 100644 +index c91813ccb..3e21f0ca7 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21508,7 +21508,7 @@ index c91813ccb..1585454d9 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +289,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,22 +289,29 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -21516,6 +21516,7 @@ index c91813ccb..1585454d9 100644 libs_exec_lib_files(cupsd_t) +libs_exec_ldconfig(cupsd_t) +libs_exec_ld_so(cupsd_t) ++libs_use_ld_so(cupsd_t) logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) @@ -21542,7 +21543,7 @@ index c91813ccb..1585454d9 100644 optional_policy(` apm_domtrans_client(cupsd_t) -@@ -272,6 +323,8 @@ optional_policy(` +@@ -272,6 +324,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -21551,7 +21552,7 @@ index c91813ccb..1585454d9 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +332,17 @@ optional_policy(` +@@ -279,11 +333,17 @@ optional_policy(` ') optional_policy(` @@ -21569,7 +21570,7 @@ index c91813ccb..1585454d9 100644 ') ') -@@ -296,8 +355,8 @@ optional_policy(` +@@ -296,8 +356,8 @@ optional_policy(` ') optional_policy(` @@ -21579,7 +21580,7 @@ index c91813ccb..1585454d9 100644 ') optional_policy(` -@@ -306,7 +365,6 @@ optional_policy(` +@@ -306,7 +366,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -21587,7 +21588,7 @@ index c91813ccb..1585454d9 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +374,10 @@ optional_policy(` +@@ -316,6 +375,10 @@ optional_policy(` ') optional_policy(` 
@@ -21598,7 +21599,7 @@ index c91813ccb..1585454d9 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -326,7 +388,7 @@ optional_policy(` +@@ -326,7 +389,7 @@ optional_policy(` ') optional_policy(` @@ -21607,7 +21608,7 @@ index c91813ccb..1585454d9 100644 ') optional_policy(` -@@ -334,7 +396,11 @@ optional_policy(` +@@ -334,7 +397,11 @@ optional_policy(` ') optional_policy(` @@ -21620,7 +21621,7 @@ index c91813ccb..1585454d9 100644 ') ######################################## -@@ -342,12 +408,11 @@ optional_policy(` +@@ -342,12 +409,11 @@ optional_policy(` # Configuration daemon local policy # @@ -21636,7 +21637,7 @@ index c91813ccb..1585454d9 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -367,23 +432,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -367,23 +433,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -21664,7 +21665,7 @@ index c91813ccb..1585454d9 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +457,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +458,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -21685,7 +21686,7 @@ index c91813ccb..1585454d9 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +474,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +475,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) 
@@ -21697,7 +21698,7 @@ index c91813ccb..1585454d9 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +501,12 @@ optional_policy(` +@@ -449,9 +502,12 @@ optional_policy(` ') optional_policy(` @@ -21711,7 +21712,7 @@ index c91813ccb..1585454d9 100644 ') optional_policy(` -@@ -467,6 +522,10 @@ optional_policy(` +@@ -467,6 +523,10 @@ optional_policy(` ') optional_policy(` @@ -21722,7 +21723,7 @@ index c91813ccb..1585454d9 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +546,6 @@ optional_policy(` +@@ -487,10 +547,6 @@ optional_policy(` # Lpd local policy # @@ -21733,7 +21734,7 @@ index c91813ccb..1585454d9 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +563,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +564,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -21751,7 +21752,7 @@ index c91813ccb..1585454d9 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +592,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +593,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21761,7 +21762,7 @@ index c91813ccb..1585454d9 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -549,8 +601,7 @@ optional_policy(` +@@ -549,8 +602,7 @@ optional_policy(` # Pdf local policy # 
@@ -21771,7 +21772,7 @@ index c91813ccb..1585454d9 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +617,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +618,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21923,7 +21924,7 @@ index c91813ccb..1585454d9 100644 ######################################## # -@@ -735,7 +661,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +662,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -21931,7 +21932,7 @@ index c91813ccb..1585454d9 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +670,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +671,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21945,7 +21946,7 @@ index c91813ccb..1585454d9 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +682,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +683,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21954,7 +21955,7 @@ index c91813ccb..1585454d9 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +694,4 @@ optional_policy(` +@@ -773,3 +695,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -24002,7 +24003,7 @@ index 5606b4069..cd18cf2a7 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index a4caa1b5b..42f30662d 100644 +index a4caa1b5b..f244f9a63 100644 --- a/ddclient.te +++ b/ddclient.te @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) 
@@ -24047,7 +24048,7 @@ index a4caa1b5b..42f30662d 100644 fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) -+auth_read_passwd(ddclient_t) ++auth_use_nsswitch(ddclient_t) + logging_send_syslog_msg(ddclient_t) @@ -40350,7 +40351,7 @@ index 1a354203e..8101022be 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020faa9..9c628b22e 100644 +index ca020faa9..c53375b3b 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) @@ -40415,7 +40416,7 @@ index ca020faa9..9c628b22e 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,22 +90,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,22 +90,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -40446,6 +40447,8 @@ index ca020faa9..9c628b22e 100644 -miscfiles_read_localization(iscsid_t) +modutils_read_module_config(iscsid_t) + ++mount_read_pid_files(iscsid_t) ++ +optional_policy(` + iscsi_systemctl(iscsid_t) +') @@ -44751,7 +44754,7 @@ index 93a64bc50..af6d741d6 100644 + allow $1 ksmtuned_unit_file_t:service all_service_perms; ') diff --git a/ksmtuned.te b/ksmtuned.te -index 8eef134ac..a2ca1a009 100644 +index 8eef134ac..9636a5343 100644 --- a/ksmtuned.te +++ b/ksmtuned.te @@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1) @@ -44782,8 +44785,12 @@ index 8eef134ac..a2ca1a009 100644 type ksmtuned_initrc_exec_t; init_script_file(ksmtuned_initrc_exec_t) -@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t) - dev_rw_sysfs(ksmtuned_t) +@@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t) + corecmd_exec_bin(ksmtuned_t) + corecmd_exec_shell(ksmtuned_t) + +-dev_rw_sysfs(ksmtuned_t) ++dev_manage_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) 
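Review bot: Swapping `dev_rw_sysfs(ksmtuned_t)` for `dev_manage_sysfs(ksmtuned_t)` adds create/unlink/rename/setattr over every `sysfs_t` file and directory, but the changelog line ("manage sysfs_t files/dirs") does not say which permission was actually denied. ksmtuned appears to be shell-driven (this file already grants it `corecmd_exec_shell`), so if the AVC showed a single extra permission on the ksm tunables it should be granted explicitly, e.g. `allow ksmtuned_t sysfs_t:file { rw_file_perms create };`, rather than the full manage pattern. Either way the new line needs a comment naming the trigger, `# <AVC/BZ>: ksmtuned needs more than rw on /sys/kernel/mm/ksm/*`, the way the other entries in this commit cite their bugs. The ksmtuned_t local policy continues past this hunk.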
@@ -61928,7 +61935,7 @@ index 8f2ab09f5..a29819859 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index bcd7d0a7d..0188086f9 100644 +index bcd7d0a7d..9b397fdd7 100644 --- a/nscd.te +++ b/nscd.te @@ -4,33 +4,34 @@ gen_require(` @@ -61976,7 +61983,7 @@ index bcd7d0a7d..0188086f9 100644 type nscd_log_t; logging_log_file(nscd_log_t) -@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t) +@@ -40,56 +41,59 @@ logging_log_file(nscd_log_t) # allow nscd_t self:capability { kill setgid setuid }; @@ -62012,6 +62019,7 @@ index bcd7d0a7d..0188086f9 100644 -kernel_read_kernel_sysctls(nscd_t) kernel_read_network_state(nscd_t) +kernel_read_kernel_sysctls(nscd_t) ++kernel_search_network_sysctl(nscd_t) +kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) @@ -62053,7 +62061,7 @@ index bcd7d0a7d..0188086f9 100644 corenet_rw_tun_tap_dev(nscd_t) selinux_get_fs_mount(nscd_t) -@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t) +@@ -98,16 +102,23 @@ selinux_compute_access_vector(nscd_t) selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) @@ -62078,7 +62086,7 @@ index bcd7d0a7d..0188086f9 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,13 +131,11 @@ optional_policy(` +@@ -121,13 +132,11 @@ optional_policy(` ') optional_policy(` @@ -62096,7 +62104,7 @@ index bcd7d0a7d..0188086f9 100644 ') optional_policy(` -@@ -138,3 +146,20 @@ optional_policy(` +@@ -138,3 +147,20 @@ optional_policy(` xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -76785,7 +76793,7 @@ index b9e71b537..a7502cd0e 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index fd58805e5..2ff8a1e4c 100644 +index fd58805e5..248d22985 100644 --- a/postgrey.te +++ b/postgrey.te 
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; @@ -76806,15 +76814,20 @@ index fd58805e5..2ff8a1e4c 100644 dontaudit postgrey_t self:capability sys_tty_config; allow postgrey_t self:process signal_perms; allow postgrey_t self:fifo_file create_fifo_file_perms; -@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t) +@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) + kernel_read_system_state(postgrey_t) + kernel_read_kernel_sysctls(postgrey_t) - corecmd_search_bin(postgrey_t) +-corecmd_search_bin(postgrey_t) ++auth_use_nsswitch(postgrey_t) ++ ++corecmd_exec_bin(postgrey_t) -corenet_all_recvfrom_unlabeled(postgrey_t) corenet_all_recvfrom_netlabel(postgrey_t) corenet_tcp_sendrecv_generic_if(postgrey_t) corenet_tcp_sendrecv_generic_node(postgrey_t) -@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t) +@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t) domain_use_interactive_fds(postgrey_t) @@ -84720,7 +84733,7 @@ index 44605825c..4c66c2502 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fed1..482046ace 100644 +index 403a4fed1..193195e3c 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84750,7 +84763,7 @@ index 403a4fed1..482046ace 100644 # -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; -+allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config}; ++allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; +allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace}; @@ -99266,7 +99279,7 @@ index 000000000..7a058a82a +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 000000000..b86f200a7 +index 000000000..7e35f83f6 
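Review bot: `sys_ptrace` is new in radiusd_t's capability set in this hunk, yet the changelog only records the dac_override/dac_read_search correction, so the reason for it is undocumented. CAP_SYS_PTRACE gates ptrace-attach and reading other processes' /proc/<pid> state, which is a lot to hand a network-facing daemon without a stated trigger; the line should carry a comment naming the AVC or bug, e.g. `# sys_ptrace: BZ(...) — radiusd reads /proc/<pid>/... of ...`, or become a `dontaudit` if the access is only a probe. Note that the `ptrace` in the following `self:process` context line covers radiusd tracing itself only, so a genuine cross-domain read would be better expressed through the target domain's interface (`domain_read_all_domains_state` or a narrower one) than through a bare capability.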
--- /dev/null +++ b/sbd.te @@ -0,0 +1,54 @@ @@ -99291,7 +99304,7 @@ index 000000000..b86f200a7 +# +# sbd local policy +# -+allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_nice sys_admin}; ++allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_boot sys_nice sys_admin}; +allow sbd_t self:process { fork setsched signal_perms }; +allow sbd_t self:fifo_file rw_fifo_file_perms; +allow sbd_t self:unix_stream_socket create_stream_socket_perms; @@ -109910,10 +109923,10 @@ index 000000000..9524b50aa +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..d366c8b37 +index 000000000..2b15dca23 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,168 @@ +@@ -0,0 +1,172 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -110082,6 +110095,10 @@ index 000000000..d366c8b37 + corenet_dontaudit_udp_bind_all_ports(thumb_t) + corenet_dontaudit_udp_bind_generic_node(thumb_t) +') ++ ++optional_policy(` ++ storage_getattr_fixed_disk_dev(thumb_t) ++') diff --git a/thunderbird.te b/thunderbird.te index 5e867da56..b25ea6e08 100644 --- a/thunderbird.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 7bd7c76..13d2777 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.21%{?dist} +Release: 225.22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
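Review bot: The new `sys_boot` in sbd_t's capability set (`allow sbd_t self:capability { … sys_boot … }`) is not mentioned in the changelog and the line carries no comment. It is plausible — a fencing daemon self-fences by rebooting the host, and CAP_SYS_BOOT is what reboot(2) requires — but that intent should be written down, `# sbd self-fences via reboot(2) when it loses its disk/watchdog heartbeat`, ideally with the bug that produced the AVC. Please confirm that is the trigger rather than an unrelated denial. The rest of sbd.te's local policy follows outside this hunk.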
@@ -681,6 +681,20 @@ exit 0 %endif %changelog +* Thu Aug 31 2017 Lukas Vrabec - 3.13.1-225.22 +- Allow ddclient use nsswitch BZ(1456241) +- Allow thumb_t domain getattr fixed_disk device. BZ(1379137) +- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy +- Allow cupsd_t to execute ld_so_cache +- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain +- Allow nscd_t domain to search network sysctls +- Allow iscsid_t domain to read mount pid files +- Allow ksmtuned_t domain manage sysfs_t files/dirs +- Dontaudit useradd_t sys_ptrace BZ(1480121) +- Allow ipsec_t can exec ipsec_exec_t +- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy +- Allow ifconfig_t domain unmount fs_t + * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-225.21 - Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524) - Fix ntp SELinux module