From 5e0fbd3d9619bbd8c5812aa578fdf1a85d8a5f50 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 02 2014 13:11:21 +0000 Subject: - varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files - Allow named_filetrans_domain to create /var/cache/ibus with correct labelign - Allow init_t run /sbin/augenrules - Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces - Allow unpriv SELinux user to use sandbox - Add default label for /tmp/hsperfdata_root --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 794c40f..02be679 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -8916,7 +8916,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..1abe365 100644 +index cf04cb5..c431f61 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -9055,7 +9055,7 @@ index cf04cb5..1abe365 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +233,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +233,334 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9072,6 +9072,10 @@ index cf04cb5..1abe365 100644 +dev_config_null_dev_service(unconfined_domain_type) + +optional_policy(` ++ dbus_filetrans_named_content_system(named_filetrans_domain) ++') ++ ++optional_policy(` + kdump_filetrans_named_content(unconfined_domain_type) +') + @@ -9387,7 +9391,7 @@ index cf04cb5..1abe365 100644 + ') +') 
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..3ef5eb5 100644 +index c2c6e05..2f8648d 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9521,7 +9525,7 @@ index c2c6e05..3ef5eb5 100644 # # /selinux # -@@ -178,25 +191,28 @@ ifdef(`distro_debian',` +@@ -178,25 +191,29 @@ ifdef(`distro_debian',` # # /srv # @@ -9540,6 +9544,7 @@ index c2c6e05..3ef5eb5 100644 /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /tmp/lost\+found/.* <> ++/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) +/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) # @@ -9553,7 +9558,7 @@ index c2c6e05..3ef5eb5 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +220,9 @@ ifdef(`distro_debian',` +@@ -204,15 +221,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9570,7 +9575,7 @@ index c2c6e05..3ef5eb5 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +230,6 @@ ifdef(`distro_debian',` +@@ -220,8 +231,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9579,7 +9584,7 @@ index c2c6e05..3ef5eb5 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +237,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +238,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9588,7 +9593,7 @@ index c2c6e05..3ef5eb5 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +245,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +246,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
@@ -9615,7 +9620,7 @@ index c2c6e05..3ef5eb5 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +278,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +279,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9630,7 +9635,7 @@ index c2c6e05..3ef5eb5 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +294,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +295,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -22367,7 +22372,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index cdfddf4..c6313b9 100644 +index cdfddf4..c3271fb 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -22383,7 +22388,7 @@ index cdfddf4..c6313b9 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,100 @@ role user_r; +@@ -12,12 +19,102 @@ role user_r; userdom_unpriv_user_template(user) @@ -22396,6 +22401,8 @@ index cdfddf4..c6313b9 100644 +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + ++seutil_read_module_store(user_t) ++ +init_dbus_chat(user_t) +init_status(user_t) + @@ -22485,7 +22492,7 @@ index cdfddf4..c6313b9 100644 ') optional_policy(` -@@ -25,6 +120,18 @@ optional_policy(` +@@ -25,6 +122,18 @@ optional_policy(` ') optional_policy(` @@ -22504,7 +22511,7 @@ index cdfddf4..c6313b9 100644 vlock_run(user_t, user_r) ') -@@ -102,10 +209,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +211,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
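Review bot: `seutil_read_module_store(user_t)` in the unprivuser.te hunk `@@ -22396,6 +22401,8 @@` grants every user_t process read access to the SELinux module store, not only the sandbox launch path the commit message names. The module store holds local policy customisations, so if the read is only needed while a sandbox is being set up it would be tighter to grant it to the sandbox helper domain instead, or, if user_t itself must have it, to record why next to the call, e.g. `# sandbox: user_t needs to read the module store (see commit)`. The user_t rule block continues outside this hunk.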
@@ -22515,7 +22522,7 @@ index cdfddf4..c6313b9 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +231,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +233,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -22523,7 +22530,7 @@ index cdfddf4..c6313b9 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +263,19 @@ ifndef(`distro_redhat',` +@@ -161,3 +265,19 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -31419,7 +31426,7 @@ index 24e7804..2863546 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..6f5676a 100644 +index dd3be8d..c983546 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -31624,7 +31631,7 @@ index dd3be8d..6f5676a 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +245,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +245,53 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -31664,6 +31671,7 @@ index dd3be8d..6f5676a 100644 +logging_send_audit_msgs(init_t) logging_rw_generic_logs(init_t) +logging_relabel_devlog_dev(init_t) ++logging_manage_audit_config(init_t) seutil_read_config(init_t) +seutil_read_module_store(init_t) @@ -31680,7 +31688,7 @@ index dd3be8d..6f5676a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +299,226 @@ ifdef(`distro_gentoo',` +@@ -186,29 +300,226 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -31915,7 +31923,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -216,7 +526,30 @@ optional_policy(` +@@ -216,7 +527,30 @@ optional_policy(` ') optional_policy(` 
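Review bot: `logging_manage_audit_config(init_t)` in the init.te hunk `@@ -31664,6 +31671,7 @@` gives init_t write access to the audit rule configuration, an integrity-sensitive target, while the commit message only says init_t needs to run /sbin/augenrules. If augenrules is what rewrites the rules file, running it through a domain transition (an auditctl-style exec label on the script, so that domain and not init_t carries the manage permission) would keep rule-writing rights out of init_t; if init_t really must keep it, a why-comment such as `# init runs /sbin/augenrules, which regenerates the audit rules file` should accompany the line. The init_t rule block starts and ends outside this hunk.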
@@ -31946,7 +31954,7 @@ index dd3be8d..6f5676a 100644 ') ######################################## -@@ -225,8 +558,9 @@ optional_policy(` +@@ -225,8 +559,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -31958,7 +31966,7 @@ index dd3be8d..6f5676a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +591,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +592,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -31975,7 +31983,7 @@ index dd3be8d..6f5676a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +616,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +617,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -32018,7 +32026,7 @@ index dd3be8d..6f5676a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +653,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +654,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -32030,7 +32038,7 @@ index dd3be8d..6f5676a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +665,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +666,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -32041,7 +32049,7 @@ index dd3be8d..6f5676a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +676,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +677,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -32051,7 +32059,7 @@ index dd3be8d..6f5676a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +685,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +686,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -32059,7 +32067,7 @@ index dd3be8d..6f5676a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +692,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +693,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -32067,7 +32075,7 @@ index dd3be8d..6f5676a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +700,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +701,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -32085,7 +32093,7 @@ index dd3be8d..6f5676a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +718,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +719,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -32099,7 +32107,7 @@ index dd3be8d..6f5676a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +733,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +734,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -32113,7 +32121,7 @@ index dd3be8d..6f5676a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +746,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +747,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -32121,7 +32129,7 @@ index dd3be8d..6f5676a 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +758,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +759,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -32129,7 +32137,7 @@ index dd3be8d..6f5676a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +777,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +778,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -32153,7 +32161,7 @@ index dd3be8d..6f5676a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +810,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +811,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -32161,7 +32169,7 @@ index dd3be8d..6f5676a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +844,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +845,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -32172,7 +32180,7 @@ index dd3be8d..6f5676a 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +868,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +869,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -32181,7 +32189,7 @@ index dd3be8d..6f5676a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +883,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +884,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -32189,7 +32197,7 @@ index dd3be8d..6f5676a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +904,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +905,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -32197,7 +32205,7 @@ index dd3be8d..6f5676a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +914,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +915,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32242,7 +32250,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -558,14 +959,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +960,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -32274,7 +32282,7 @@ index dd3be8d..6f5676a 100644 ') ') -@@ -576,6 +994,39 @@ ifdef(`distro_suse',` +@@ -576,6 +995,39 @@ ifdef(`distro_suse',` ') ') @@ -32314,7 +32322,7 @@ index dd3be8d..6f5676a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1039,8 @@ optional_policy(` +@@ -588,6 +1040,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -32323,7 +32331,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -609,6 +1062,7 @@ optional_policy(` +@@ -609,6 +1063,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -32331,7 +32339,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -625,6 +1079,17 @@ optional_policy(` +@@ -625,6 +1080,17 @@ optional_policy(` ') optional_policy(` @@ -32349,7 +32357,7 @@ index dd3be8d..6f5676a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1106,13 @@ optional_policy(` +@@ -641,9 +1107,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -32363,7 +32371,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -656,15 +1125,11 @@ optional_policy(` +@@ -656,15 +1126,11 @@ optional_policy(` ') optional_policy(` @@ -32381,7 +32389,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -685,6 +1150,15 @@ optional_policy(` +@@ -685,6 +1151,15 @@ optional_policy(` ') optional_policy(` @@ -32397,7 +32405,7 @@ index dd3be8d..6f5676a 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1199,7 @@ optional_policy(` +@@ -725,6 +1200,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -32405,7 +32413,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -742,7 +1217,13 @@ optional_policy(` +@@ -742,7 +1218,13 @@ optional_policy(` ') optional_policy(` @@ -32420,7 +32428,7 @@ index dd3be8d..6f5676a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1246,10 @@ optional_policy(` +@@ -765,6 +1247,10 @@ optional_policy(` ') optional_policy(` @@ -32431,7 +32439,7 @@ index dd3be8d..6f5676a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1259,20 @@ optional_policy(` +@@ -774,10 +1260,20 @@ optional_policy(` ') optional_policy(` 
@@ -32452,7 +32460,7 @@ index dd3be8d..6f5676a 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1281,10 @@ optional_policy(` +@@ -786,6 +1282,10 @@ optional_policy(` ') optional_policy(` @@ -32463,7 +32471,7 @@ index dd3be8d..6f5676a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1306,6 @@ optional_policy(` +@@ -807,8 +1307,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -32472,7 +32480,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -817,6 +1314,10 @@ optional_policy(` +@@ -817,6 +1315,10 @@ optional_policy(` ') optional_policy(` @@ -32483,7 +32491,7 @@ index dd3be8d..6f5676a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1327,12 @@ optional_policy(` +@@ -826,10 +1328,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -32496,7 +32504,7 @@ index dd3be8d..6f5676a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1359,35 @@ optional_policy(` +@@ -856,12 +1360,35 @@ optional_policy(` ') optional_policy(` @@ -32533,7 +32541,7 @@ index dd3be8d..6f5676a 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1397,18 @@ optional_policy(` +@@ -871,6 +1398,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -32552,7 +32560,7 @@ index dd3be8d..6f5676a 100644 ') optional_policy(` -@@ -886,6 +1424,10 @@ optional_policy(` +@@ -886,6 +1425,10 @@ optional_policy(` ') optional_policy(` @@ -32563,7 +32571,7 @@ index dd3be8d..6f5676a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1438,218 @@ optional_policy(` +@@ -896,3 +1439,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') 
@@ -39209,7 +39217,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..da5588b 100644 +index 6944526..821e74c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -39496,7 +39504,7 @@ index 6944526..da5588b 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +919,94 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +919,114 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -39584,6 +39592,26 @@ index 6944526..da5588b 100644 +## +## +# ++interface(`sysnet_manage_ifconfig_run',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`sysnet_filetrans_named_content_ifconfig',` + gen_require(` + type ifconfig_var_run_t; diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 0e66a58..117a26a 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -19328,10 +19328,10 @@ index 188e2e6..719583e 100644 - -miscfiles_read_localization(dbskkd_t) diff --git a/dbus.fc b/dbus.fc -index dda905b..31f269b 100644 +index dda905b..ccd0ba9 100644 --- a/dbus.fc +++ b/dbus.fc -@@ -1,20 +1,26 @@ +@@ -1,20 +1,27 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) 
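Review bot: The new `sysnet_manage_ifconfig_run` interface in the sysnetwork.if hunk `@@ -39584,6 +39592,26 @@` is inserted directly beneath an existing doc header, and the header that is then re-added in front of `sysnet_filetrans_named_content_ifconfig` reads `Transition to sysnet ifconfig named content`, which suggests the block now sitting above the manage interface is the one originally written for the filetrans interface. The summary above `sysnet_manage_ifconfig_run` should state what it grants, e.g. `## Manage ifconfig run files, directories and symlinks.`, and because it hands out full manage rights on ifconfig_var_run_t its callers should be limited to domains that really create and delete that content. The top of the doc header lies outside the hunk, so the summary it currently carries cannot be confirmed from here.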
@@ -19359,6 +19359,7 @@ index dda905b..31f269b 100644 -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) ++/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - @@ -19370,7 +19371,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..98a4fb7 100644 +index afcf3a2..8cc440f 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -20151,7 +20152,7 @@ index afcf3a2..98a4fb7 100644 ## ## ## -@@ -596,28 +570,32 @@ interface(`dbus_use_system_bus_fds',` +@@ -596,28 +570,49 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -20191,6 +20192,23 @@ index afcf3a2..98a4fb7 100644 - typeattribute $1 dbusd_unconfined; + dontaudit $1 system_bus_type:dbus send_msg; + dontaudit system_bus_type $1:dbus send_msg; ++') ++ ++####################################### ++## ++## Transition to dbus named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_filetrans_named_content_system',` ++ gen_require(` ++ type system_dbusd_var_lib_t; ++ ') ++ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') diff --git a/dbus.te b/dbus.te index 2c2e7e1..2ead441 100644 @@ -22591,7 +22609,7 @@ index 23ab808..84735a8 100644 +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..e34a540 100644 +index 19aa0b8..b9895ba 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ 
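Review bot: `dbus_filetrans_named_content_system` in the dbus.if hunk `@@ -20191,6 +20192,23 @@`, together with the `/var/cache/ibus(/.*)?` entry in the dbus.fc hunk `@@ -19359,6 +19359,7 @@`, labels an ibus cache directory with system_dbusd_var_lib_t, so every domain allowed to write the system bus's /var/lib/dbus content also gains write access to the ibus cache, and `files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")` fires for an `ibus` directory created under any var_t directory, not only under /var/cache (presumably var_t itself). A dedicated type for the ibus cache, or at least a comment stating why the dbus lib type is reused, e.g. `# ibus cache deliberately shares system_dbusd_var_lib_t because ...`, would keep the two separable. The domain.te hunk `@@ -9072,6 +9072,10 @@` hands this transition to every named_filetrans_domain, which widens where it applies.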
@@ -22735,27 +22753,40 @@ index 19aa0b8..e34a540 100644 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',` +@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',` ######################################## ## -## Create specified objects in specified -## directories with a type transition to -## the dnsmasq pid file type. -+## Transition to dnsmasq named content ++## Create dnsmasq pid directories. ## ## ## --## Domain allowed access. --## --## + ## Domain allowed access. + ## + ## -## -## -## Directory to transition on. -## -## -## --## ++# ++interface(`dnsmasq_read_state',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ps_process_pattern($1, dnsmasq_t) ++') ++ ++######################################## ++## ++## Transition to dnsmasq named content ++## ++## + ## -## The object class of the object being created. +## Domain allowed access. ## @@ -22803,7 +22834,7 @@ index 19aa0b8..e34a540 100644 ') ######################################## -@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',` +@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; @@ -22824,7 +22855,7 @@ index 19aa0b8..e34a540 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',` +@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) @@ -33364,10 +33395,10 @@ index 0000000..48d7322 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..d028154 +index 0000000..a2af18e --- /dev/null +++ b/ipa.if -@@ -0,0 +1,57 @@ +@@ -0,0 +1,76 @@ +## Policy for IPA services. + +######################################## 
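Review bot: The summary placed above the new `dnsmasq_read_state` interface in the dnsmasq.if hunk `@@ -22735,27 +22753,40 @@` is `Create dnsmasq pid directories.`, but the body is `ps_process_pattern($1, dnsmasq_t)`, which as the interface name says grants read of dnsmasq's process state rather than any pid directory creation. Replace it with `## Read dnsmasq process state.` so callers are documented correctly. A blank line after the `gen_require` block would also match the other interfaces in the file.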
@@ -33425,6 +33456,25 @@ index 0000000..d028154 + manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) +') + ++######################################## ++## ++## Allow domain to manage ipa lib files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_read_lib',` ++ gen_require(` ++ type ipa_var_lib_t; ++ ') ++ ++ read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++') ++ diff --git a/ipa.te b/ipa.te new file mode 100644 index 0000000..b60bc5f @@ -54308,7 +54358,7 @@ index af3c91e..6882a3f 100644 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) diff --git a/ntp.if b/ntp.if -index b59196f..017b36f 100644 +index b59196f..1f30b63 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ @@ -54473,7 +54523,7 @@ index b59196f..017b36f 100644 logging_list_logs($1) admin_pattern($1, ntpd_log_t) -@@ -164,5 +246,28 @@ interface(`ntp_admin',` +@@ -164,5 +246,30 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -54498,13 +54548,15 @@ index b59196f..017b36f 100644 +interface(`ntp_filetrans_named_content',` + gen_require(` + type ntp_conf_t; ++ type ntp_drift_t; + ') + + files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") + files_etc_filetrans($1, ntp_conf_t, dir, "ntp") ++ files_var_lib_filetrans($1, ntp_drift_t, dir, "sntp-kod") ') diff --git a/ntp.te b/ntp.te -index b90e343..8369b61 100644 +index b90e343..ae081d4 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; 
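Review bot: `ipa_read_lib` in the ipa.if hunk `@@ -33425,6 +33456,25 @@` grants only `read_files_pattern` and `list_dirs_pattern` on ipa_var_lib_t, yet its summary reads `Allow domain to manage ipa lib files/dirs.`, copied from the manage interface above it. Change it to `## Allow domain to read ipa lib files/dirs.` so that a caller such as pki_tomcat_t, added in the pki.te hunk `@@ -62366,6 +62426,10 @@`, is documented as read-only.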
@@ -54517,7 +54569,15 @@ index b90e343..8369b61 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen }; + + manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) + manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) ++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod") + + allow ntpd_t ntp_conf_t:file read_file_perms; + +@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr_dir_perms; @@ -54528,7 +54588,7 @@ index b90e343..8369b61 100644 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t) +@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -54552,7 +54612,7 @@ index b90e343..8369b61 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -54569,7 +54629,7 @@ index b90e343..8369b61 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t) +@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -62210,10 +62270,10 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..010ddc9 +index 0000000..d1265c4 --- /dev/null +++ b/pki.te -@@ -0,0 +1,287 @@ +@@ -0,0 +1,291 @@ +policy_module(pki,10.0.11) + +######################################## @@ -62366,6 +62426,10 @@ index 0000000..010ddc9 + hostname_exec(pki_tomcat_t) +') + ++optional_policy(` ++ ipa_read_lib(pki_tomcat_t) ++') ++ +####################################### +# +# tps local policy 
@@ -72930,10 +72994,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..ec4b05c 100644 +index 769d1fd..8cfee4a 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,125 @@ +@@ -1,96 +1,131 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -72983,7 +73047,7 @@ index 769d1fd..ec4b05c 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin }; ++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin }; +allow neutron_t self:process { setsched setrlimit }; +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; 
@@ -72996,37 +73060,39 @@ index 769d1fd..ec4b05c 100644 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) -+ -+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -+files_tmp_filetrans(neutron_t, neutron_tmp_t, file) -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -logging_log_filetrans(quantum_t, quantum_log_t, dir) -+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) -+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) -+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) ++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, file) -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) -files_tmp_filetrans(quantum_t, quantum_tmp_t, file) -+can_exec(neutron_t, neutron_tmp_t) ++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) -manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) ++can_exec(neutron_t, neutron_tmp_t) + +-can_exec(quantum_t, quantum_tmp_t) +kernel_read_kernel_sysctls(neutron_t) +kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) --can_exec(quantum_t, quantum_tmp_t) +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --kernel_read_kernel_sysctls(quantum_t) 
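Review bot: The capability set for neutron_t in the quantum.te hunk `@@ -72930,10 +72994,10 @@` grows by `sys_ptrace kill`, and sys_ptrace is among the broadest capabilities a service domain can hold, since it bypasses the kernel's uid-based ptrace access checks, so it should carry a comment naming the operation that tripped it rather than being added silently. The later hunk adds `dnsmasq_read_state(neutron_t)` and `dnsmasq_signal(neutron_t)`, which suggests the need is inspecting and signalling dnsmasq children; if the only denial was reading a child's /proc entries, verify whether the dnsmasq interfaces alone cover it before keeping the capability, and otherwise record it as `# sys_ptrace: reading /proc/<pid> of dnsmasq running under another uid (#1083335)`.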
--kernel_read_system_state(quantum_t) +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) 
@@ -73034,82 +73100,86 @@ index 769d1fd..ec4b05c 100644 +corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) -+corenet_tcp_bind_neutron_port(neutron_t) -+corenet_tcp_connect_keystone_port(neutron_t) -+corenet_tcp_connect_amqp_port(neutron_t) -+corenet_tcp_connect_mysqld_port(neutron_t) - -corenet_all_recvfrom_unlabeled(quantum_t) -corenet_all_recvfrom_netlabel(quantum_t) -corenet_tcp_sendrecv_generic_if(quantum_t) -corenet_tcp_sendrecv_generic_node(quantum_t) -corenet_tcp_sendrecv_all_ports(quantum_t) -corenet_tcp_bind_generic_node(quantum_t) -+domain_named_filetrans(neutron_t) ++corenet_tcp_bind_neutron_port(neutron_t) ++corenet_tcp_connect_keystone_port(neutron_t) ++corenet_tcp_connect_amqp_port(neutron_t) ++corenet_tcp_connect_mysqld_port(neutron_t) -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) ++domain_named_filetrans(neutron_t) + +-files_read_usr_files(quantum_t) +dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) +dev_mounton_sysfs(neutron_t) +dev_mount_sysfs_fs(neutron_t) - --files_read_usr_files(quantum_t) -+auth_use_nsswitch(neutron_t) ++dev_unmount_sysfs_fs(neutron_t) -auth_use_nsswitch(quantum_t) -+libs_exec_ldconfig(neutron_t) ++files_mounton_non_security(neutron_t) -libs_exec_ldconfig(quantum_t) -+logging_send_audit_msgs(neutron_t) -+logging_send_syslog_msg(neutron_t) ++auth_use_nsswitch(neutron_t) -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) -+sysnet_exec_ifconfig(neutron_t) -+sysnet_filetrans_named_content_ifconfig(neutron_t) ++libs_exec_ldconfig(neutron_t) -miscfiles_read_localization(quantum_t) -+optional_policy(` -+ brctl_domtrans(neutron_t) -+') ++logging_send_audit_msgs(neutron_t) ++logging_send_syslog_msg(neutron_t) -sysnet_domtrans_ifconfig(quantum_t) -+optional_policy(` -+ dnsmasq_domtrans(neutron_t) -+') ++sysnet_exec_ifconfig(neutron_t) ++sysnet_manage_ifconfig_run(neutron_t) 
++sysnet_filetrans_named_content_ifconfig(neutron_t) optional_policy(` - brctl_domtrans(quantum_t) -+ iptables_domtrans(neutron_t) ++ brctl_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ mysql_stream_connect(neutron_t) -+ mysql_read_config(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_read_state(neutron_t) ++') - mysql_tcp_connect(quantum_t) -+ mysql_tcp_connect(neutron_t) ++optional_policy(` ++ iptables_domtrans(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_config(neutron_t) + +- postgresql_tcp_connect(quantum_t) ++ mysql_tcp_connect(neutron_t) + ') ++ ++optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + + postgresql_tcp_connect(neutron_t) +') - -- postgresql_tcp_connect(quantum_t) ++ +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) - ') ++') + +optional_policy(` + sudo_exec(neutron_t) @@ -85321,10 +85391,10 @@ index 0000000..89bc443 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..b12aada +index 0000000..62a9666 --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,63 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; @@ -85370,6 +85440,7 @@ index 0000000..b12aada +') + +kernel_dontaudit_read_system_state(sandbox_domain) ++kernel_dontaudit_getattr_core_if(sandbox_domain) + +corecmd_exec_all_executables(sandbox_domain) + @@ -98668,7 +98739,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..f50c3ff 100644 +index 9d4d8cb..a58e2dd 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; 
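Review bot: `++files_mounton_non_security(neutron_t)` is the broadest new grant in this hunk — it lets neutron_t mount on top of any non-security file type, not just sysfs — and it arrives without a comment tying it to the denial it fixes, while the neighbouring `++dev_mounton_sysfs(neutron_t)`, `++dev_mount_sysfs_fs(neutron_t)` and `++dev_unmount_sysfs_fs(neutron_t)` already cover the sysfs case. If the AVC behind #1083335 names a specific mount target type, an interface scoped to that type would keep the domain closer to least privilege; otherwise a comment such as `# mounton of non-security types: presumably network-namespace setup (#1083335) — confirm from AVC` records why the wide form was chosen. `++sysnet_manage_ifconfig_run(neutron_t)` relies on an interface this same patch introduces (per the changelog hunk below), so this hunk only builds together with the matching sysnetwork.if change elsewhere in the patch. The neutron_t policy block starts before and continues after this hunk.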
@@ -98680,7 +98751,7 @@ index 9d4d8cb..f50c3ff 100644 type varnishd_tmp_t; files_tmp_file(varnishd_tmp_t) -@@ -43,7 +43,7 @@ type varnishlog_var_run_t; +@@ -43,16 +43,16 @@ type varnishlog_var_run_t; files_pid_file(varnishlog_var_run_t) type varnishlog_log_t; @@ -98689,9 +98760,11 @@ index 9d4d8cb..f50c3ff 100644 ######################################## # -@@ -52,7 +52,7 @@ files_type(varnishlog_log_t) + # Local policy + # - allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; diff --git a/selinux-policy.spec b/selinux-policy.spec index 9478949..a9cc53a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 149%{?dist} +Release: 150%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Apr 2 2014 Miroslav Grepl 3.12.1-150 +- varnishd wants chown capability +- update ntp_filetrans_named_content() interface +- Add additional fixes for neutron_t. #1083335 +- Dontaudit getattr on proc_kcore_t +- Allow pki_tomcat_t to read ipa lib files +- Allow named_filetrans_domain to create /var/cache/ibus with correct labelign +- Allow init_t run /sbin/augenrules +- Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces +- Allow unpriv SELinux user to use sandbox +- Add default label for /tmp/hsperfdata_root + * Mon Mar 31 2014 Lukas Vrabec 3.12.1-149 - Allow xauth_t to read user_home_dir_t lnk_file - Add labeling for lightdm-data
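Review bot: The new `allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };` adds chown with no comment on what triggers it; a short why-comment keeps the capability set reviewable, e.g. `# chown: presumably varnishd re-owns its work/log files after starting as root — confirm from AVC`. The same line keeps `dac_override`, and if the chown denial came from an ownership mismatch on those files, `dac_read_search` plus chown may be sufficient and is narrower, though that cannot be judged from the hunk alone. The retained `+allow varnishd_t self:process { execmem signal };` on the new side is the other rule in this block that weakens a default protection (writable-and-executable memory) and deserves the same justification. The varnishd local-policy block continues beyond the hunk.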