From 8fd4b445bdc0fda583b00712e47f9b91bfe11abe Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Dec 09 2015 13:29:48 +0000 Subject: * Tue Dec 09 2015 Lukas Vrabec 3.13.1-128.22 - Allow arpwatch to create netlink netfilter sockets. BZ(1282139) - Allow virt_domain to create socket file in /tmp. BZ(1268638) - Merge pull request #73 from vmojzis/f22-contrib - Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. - Allow apcupsd sending mails about battery state. BZ(1274018) - Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779) - Fix summary for userdom_user_tmp_content interface - Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182) --- diff --git a/policy-f22-base.patch b/policy-f22-base.patch index 2e1b644..4e06132 100644 --- a/policy-f22-base.patch +++ b/policy-f22-base.patch @@ -42988,10 +42988,10 @@ index 0000000..cde0261 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b67939b +index 0000000..29270dd --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,730 @@ +@@ -0,0 +1,732 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -43273,6 +43273,8 @@ index 0000000..b67939b +sysnet_manage_config(systemd_networkd_t) +sysnet_manage_config_dirs(systemd_networkd_t) + ++systemd_dbus_chat_hostnamed(systemd_networkd_t) ++ +init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif") + +optional_policy(` @@ -45135,7 +45137,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..da23a61 100644 +index 9dc60c6..86cd136 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
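Review bot: The new `systemd_dbus_chat_hostnamed(systemd_networkd_t)` line in the systemd.te hunk carries no comment saying why networkd needs it, and if the interface follows the usual `_dbus_chat_` shape it grants `dbus send_msg` in both directions, not only networkd to hostnamed. A one-line why-comment would let a later reader check the scope against the bug: `# systemd-networkd talks to hostnamed over D-Bus (BZ 1279182)`. The networkd rule block this line sits in starts and ends outside the hunk, so whether a narrower send-only rule already exists nearby cannot be seen here.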
@@ -46803,7 +46805,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -1397,12 +1841,51 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1841,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -46814,7 +46816,8 @@ index 9dc60c6..da23a61 100644 + +######################################## +## -+## Allow domain to attach to TUN devices created by administrative users. ++## Make the specified type usable as ++## user temporary content. +## +## +## @@ -46856,7 +46859,7 @@ index 9dc60c6..da23a61 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1993,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -46888,7 +46891,7 @@ index 9dc60c6..da23a61 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2059,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -46903,7 +46906,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2082,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -46915,7 +46918,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -1613,6 +2126,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2127,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## 
@@ -46940,7 +46943,7 @@ index 9dc60c6..da23a61 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2162,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2163,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -47000,7 +47003,7 @@ index 9dc60c6..da23a61 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2288,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2289,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -47015,7 +47018,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -1741,10 +2327,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2328,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -47030,7 +47033,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -1769,7 +2357,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2358,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -47039,7 +47042,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -1777,19 +2365,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2366,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -47063,7 +47066,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -1797,55 +2383,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2384,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -47134,7 +47137,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -1853,18 +2439,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2440,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # 
@@ -47162,7 +47165,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -1872,17 +2459,151 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,17 +2460,151 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -47318,7 +47321,7 @@ index 9dc60c6..da23a61 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2614,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2615,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -47336,7 +47339,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -1938,7 +2662,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2663,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -47345,7 +47348,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -1946,10 +2670,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2671,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -47358,7 +47361,7 @@ index 9dc60c6..da23a61 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2681,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2682,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -47367,7 +47370,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -1966,12 +2689,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2690,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -47436,7 +47439,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -2007,8 +2784,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2785,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') 
@@ -47446,7 +47449,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -2024,20 +2800,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2801,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -47471,7 +47474,7 @@ index 9dc60c6..da23a61 100644 ######################################## ## -@@ -2120,7 +2890,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2891,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -47480,7 +47483,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2128,19 +2898,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2899,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -47504,7 +47507,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2148,12 +2916,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2917,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -47520,7 +47523,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -2388,18 +3156,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3157,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -47578,7 +47581,7 @@ index 9dc60c6..da23a61 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3218,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3219,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -47587,7 +47590,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -2455,6 +3259,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3260,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') 
@@ -47613,7 +47616,7 @@ index 9dc60c6..da23a61 100644 ######################################## ## -@@ -2538,7 +3361,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3362,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -47622,7 +47625,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2546,19 +3369,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3370,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -47645,7 +47648,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2566,19 +3389,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3390,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -47668,7 +47671,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2586,19 +3409,60 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,19 +3410,60 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # @@ -47733,7 +47736,7 @@ index 9dc60c6..da23a61 100644 ## a specified private type. ## ## -@@ -2661,6 +3525,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3526,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -47755,7 +47758,7 @@ index 9dc60c6..da23a61 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3551,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3552,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -47777,7 +47780,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2692,19 +3566,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3567,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` 
@@ -47800,7 +47803,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2713,13 +3581,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3582,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -47861,7 +47864,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -2814,6 +3725,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3726,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -47886,7 +47889,7 @@ index 9dc60c6..da23a61 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3761,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3762,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -47929,7 +47932,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -2856,14 +3797,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3798,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -47967,7 +47970,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -2882,8 +3842,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3843,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -47997,7 +48000,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -2955,69 +3934,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3935,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -48098,7 +48101,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -3025,12 +4003,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +4004,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -48113,7 +48116,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -3094,7 +4072,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4073,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -48122,7 +48125,7 @@ index 9dc60c6..da23a61 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4088,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4089,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -48156,7 +48159,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -3214,7 +4176,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4177,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -48183,7 +48186,7 @@ index 9dc60c6..da23a61 100644 ') ######################################## -@@ -3269,12 +4249,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4250,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -48199,7 +48202,7 @@ index 9dc60c6..da23a61 100644 ## ## ## -@@ -3282,46 +4263,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,46 +4264,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -48335,7 +48338,7 @@ index 9dc60c6..da23a61 100644 ') allow $1 userdomain:process getattr; -@@ -3382,6 +4439,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4440,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -48378,7 +48381,7 @@ index 9dc60c6..da23a61 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4495,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4496,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -48439,7 +48442,7 @@ index 9dc60c6..da23a61 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4582,1691 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4583,1691 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch index fbea127..db6cea4 100644 --- a/policy-f22-contrib.patch +++ b/policy-f22-contrib.patch @@ -7780,7 +7780,7 @@ index f3c0aba..f6e25ed 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index 080bc4d..5db6cde 100644 +index 080bc4d..5b4d973 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) @@ -7818,7 +7818,7 @@ index 080bc4d..5db6cde 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,26 +73,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) @@ -7829,9 +7829,12 @@ index 080bc4d..5db6cde 100644 corenet_sendrecv_snmp_server_packets(apcupsd_t) corenet_udp_sendrecv_snmp_port(apcupsd_t) ++corenet_tcp_connect_smtp_port(apcupsd_t) ++ +fs_getattr_xattr_fs(apcupsd_t) + +dev_read_sysfs(apcupsd_t) ++dev_read_urand(apcupsd_t) + dev_rw_generic_usb_dev(apcupsd_t) @@ -7862,7 +7865,7 @@ index 080bc4d..5db6cde 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +119,11 @@ optional_policy(` +@@ -101,6 +122,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7874,7 +7877,7 @@ index 080bc4d..5db6cde 100644 ######################################## # # CGI local policy -@@ -108,20 +131,20 @@ optional_policy(` +@@ -108,20 +134,20 @@ optional_policy(` optional_policy(` apache_content_template(apcupsd_cgi) 
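Review bot: `corenet_tcp_connect_smtp_port(apcupsd_t)` in the apcupsd.te hunk is not paired with the matching client-packet rule, although the surrounding rules pair each port with its packet rule (`corenet_sendrecv_snmp_server_packets` / `corenet_udp_sendrecv_snmp_port` two lines above); where SECMARK packet labeling is in use the connect would be allowed but the traffic still denied. Add `corenet_sendrecv_smtp_client_packets(apcupsd_t)` next to it. Since the changelog says the aim is mail about battery state, it is worth confirming that apcupsd really talks to an SMTP server itself; if it hands mail to the local MTA, `mta_send_mail(apcupsd_t)` is the narrower grant and the raw SMTP port access is unnecessary. `dev_read_urand(apcupsd_t)` is added in the same hunk without a comment; presumably it serves the same mail path, and a short why-comment would record that.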
@@ -7980,7 +7983,7 @@ index 1a7a97e..2c7252a 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..e9c4c5a 100644 +index 7fd431b..41f2a57 100644 --- a/apm.te +++ b/apm.te @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) @@ -8009,7 +8012,7 @@ index 7fd431b..e9c4c5a 100644 domain_use_interactive_fds(apm_t) -@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t) +@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t) # Server local policy # @@ -8020,7 +8023,11 @@ index 7fd431b..e9c4c5a 100644 allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; -@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t) ++allow apmd_t self:netlink_generic_socket create_socket_perms; + allow apmd_t self:unix_stream_socket { accept listen }; + + allow apmd_t apmd_lock_t:file manage_file_perms; +@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t) kernel_rw_all_sysctls(apmd_t) kernel_read_system_state(apmd_t) kernel_write_proc_files(apmd_t) @@ -8028,7 +8035,7 @@ index 7fd431b..e9c4c5a 100644 dev_read_input(apmd_t) dev_read_mouse(apmd_t) -@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t) +@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t) fs_dontaudit_getattr_all_symlinks(apmd_t) fs_dontaudit_getattr_all_pipes(apmd_t) fs_dontaudit_getattr_all_sockets(apmd_t) @@ -8038,7 +8045,7 @@ index 7fd431b..e9c4c5a 100644 corecmd_exec_all_executables(apmd_t) -@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) +@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) auth_use_nsswitch(apmd_t) init_domtrans_script(apmd_t) @@ -8047,7 +8054,7 @@ index 7fd431b..e9c4c5a 100644 libs_exec_ld_so(apmd_t) libs_exec_lib_files(apmd_t) -@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t) +@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) 
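Review bot: The changelog describes the new `allow apmd_t self:netlink_generic_socket create_socket_perms;` in the apm.te hunk as letting acpid attempt the generic-netlink connection, which suggests the daemon works without it; if so, a `dontaudit apmd_t self:netlink_generic_socket create_socket_perms;` keeps the log clean without opening every generic netlink family to the domain. If the socket is actually required for acpid to function, keep the allow but say so in a comment, e.g. `# acpid opens a generic netlink socket to the kernel (presumably ACPI event delivery; confirm)`. The apmd_t local-policy block this rule belongs to starts and ends outside the hunk.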
@@ -8067,7 +8074,7 @@ index 7fd431b..e9c4c5a 100644 optional_policy(` automount_domtrans(apmd_t) -@@ -206,11 +210,15 @@ optional_policy(` +@@ -206,11 +211,15 @@ optional_policy(` ') optional_policy(` @@ -8215,7 +8222,7 @@ index 50c9b9c..533a555 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index 2d7bf34..2927585 100644 +index 2d7bf34..766a91a 100644 --- a/arpwatch.te +++ b/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) @@ -8228,15 +8235,16 @@ index 2d7bf34..2927585 100644 ######################################## # # Local policy -@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen }; +@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen }; allow arpwatch_t self:tcp_socket { accept listen }; allow arpwatch_t self:packet_socket create_socket_perms; allow arpwatch_t self:socket create_socket_perms; +allow arpwatch_t self:netlink_socket create_socket_perms; ++allow arpwatch_t self:netlink_netfilter_socket create_socket_perms; manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) +@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) @@ -8261,7 +8269,7 @@ index 2d7bf34..2927585 100644 dev_read_sysfs(arpwatch_t) dev_read_usbmon_dev(arpwatch_t) dev_rw_generic_usb_dev(arpwatch_t) -@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t) +@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t) domain_use_interactive_fds(arpwatch_t) @@ -66196,10 +66204,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..08c51d3 +index 0000000..0182cf8 --- /dev/null 
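Review bot: The added `allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;` in the arpwatch.te hunk has no comment explaining what arpwatch does with a netfilter netlink socket, and `create_socket_perms` includes write, so the domain may send to the netfilter subsystem rather than only read from it. If the denial behind BZ 1282139 comes from a capture library probing netfilter-based pseudo-interfaces during interface enumeration rather than from a real need, a `dontaudit` is the least-privilege choice; if the socket is genuinely used, record why next to the rule, e.g. `# netfilter netlink socket: <reason> (BZ 1282139)`. The arpwatch_t local-policy block continues outside the hunk.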
+++ b/pcp.te -@@ -0,0 +1,268 @@ +@@ -0,0 +1,270 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -66344,6 +66352,8 @@ index 0000000..08c51d3 + +logging_send_syslog_msg(pcp_pmcd_t) + ++lvm_domtrans(pcp_pmcd_t) ++ +storage_getattr_fixed_disk_dev(pcp_pmcd_t) + +userdom_read_user_tmp_files(pcp_pmcd_t) @@ -108643,7 +108653,7 @@ index facdee8..6d8af6c 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..c4c75a5 100644 +index f03dcf5..9415986 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -109632,7 +109642,7 @@ index f03dcf5..c4c75a5 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +679,277 @@ optional_policy(` +@@ -746,44 +679,278 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -109708,7 +109718,8 @@ index f03dcf5..c4c75a5 100644 +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) -+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file }) ++manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) ++files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file}) +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) @@ -109932,7 +109943,7 @@ index f03dcf5..c4c75a5 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +960,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +961,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -109959,7 +109970,7 @@ index f03dcf5..c4c75a5 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +980,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +981,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
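Review bot: `lvm_domtrans(pcp_pmcd_t)` in the pcp.te hunk lets the monitoring daemon execute LVM tools in lvm_t, a domain that manages block devices, and nothing in the hunk records which pmcd component needs that. A why-comment such as `# pmcd runs the LVM tools for volume statistics — confirm which PMDA (BZ 1277779)` would let reviewers judge whether a transition into the full LVM management domain is the intended scope, given the neighbouring `storage_getattr_fixed_disk_dev(pcp_pmcd_t)` only asks for attribute reads. The rest of the pcp_pmcd_t block continues outside the hunk.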
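Review bot: The `files_tmp_filetrans` call in the virt.te hunk is extended with `sock_file` and `manage_sock_files_pattern` is added, but the `userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })` line directly below is left unchanged, so a socket a virt_domain creates under a user's tmp directory would inherit the directory's type instead of svirt_tmp_t; change it to `userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file sock_file })`. The added line also writes `sock_file}` without the space before the closing brace that the rest of the file uses; `{ file dir lnk_file sock_file }` matches the surrounding style.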
@@ -109993,7 +110004,7 @@ index f03dcf5..c4c75a5 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1017,20 @@ optional_policy(` +@@ -856,14 +1018,20 @@ optional_policy(` ') optional_policy(` @@ -110015,7 +110026,7 @@ index f03dcf5..c4c75a5 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1055,65 @@ optional_policy(` +@@ -888,49 +1056,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -110099,7 +110110,7 @@ index f03dcf5..c4c75a5 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1125,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1126,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -110119,7 +110130,7 @@ index f03dcf5..c4c75a5 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1146,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1147,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -110143,7 +110154,7 @@ index f03dcf5..c4c75a5 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1171,332 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1172,332 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -110617,7 +110628,7 @@ index f03dcf5..c4c75a5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1509,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1510,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -110632,7 +110643,7 @@ index f03dcf5..c4c75a5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1527,8 @@ optional_policy(` +@@ -1192,9 +1528,8 @@ optional_policy(` ######################################## # @@ -110643,7 +110654,7 @@ index f03dcf5..c4c75a5 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1541,240 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1542,240 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 24fb8cc..a38d185 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 128.21%{?dist} +Release: 128.22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -606,6 +606,16 @@ exit 0 %endif %changelog +* Tue Dec 09 2015 Lukas Vrabec 3.13.1-128.22 +- Allow arpwatch to create netlink netfilter sockets. BZ(1282139) +- Allow virt_domain to create socket file in /tmp. BZ(1268638) +- Merge pull request #73 from vmojzis/f22-contrib +- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. +- Allow apcupsd sending mails about battery state. BZ(1274018) +- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779) +- Fix summary for userdom_user_tmp_content interface +- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182) + * Fri Nov 20 2015 Lukas Vrabec 3.13.1-128.21 - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785 - Allow iscsid create netlink iscsid sockets.