From 936bb7a6487a5570ad755e50a529361abb820f8a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 06 2016 11:19:09 +0000 Subject: * Wed Jan 06 2016 Lukas Vrabec 3.13.1-165 - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." - Allow arping running as netutils_t sys_module capability for removing tap devices. - Add userdom_connectto_stream() interface. - Allow systemd-logind to read /run/utmp. BZ(#1278662) - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." - Allow arping running as netutils_t sys_module capability for removing tap devices. - Add userdom_connectto_stream() interface. - Allow systemd-logind to read /run/utmp. BZ(#1278662) --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 1029221..5bf5064 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9d3eadc..b4a8532 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -26517,10 +26517,10 @@ index cc877c7..b8e6e98 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..b3baa75 100644 +index 8274418..12a5645 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc -@@ -2,13 +2,36 @@ +@@ -2,13 +2,38 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -26538,6 +26538,7 @@ index 8274418..b3baa75 100644 HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) ++HOME_DIR/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) + +/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -26553,11 +26554,12 @@ index 8274418..b3baa75 100644 +/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) ++/root/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) # # /dev -@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -26580,7 +26582,7 @@ index 8274418..b3baa75 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +79,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -26621,7 +26623,7 @@ index 8274418..b3baa75 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -91,19 +130,34 @@ ifndef(`distro_debian',` +@@ -91,19 +132,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -26660,7 +26662,7 @@ index 8274418..b3baa75 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +165,18 @@ ifndef(`distro_debian',` +@@ -111,7 +167,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -26680,7 +26682,7 @@ index 8274418..b3baa75 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..f2bbe7e 100644 +index 6bf0ecc..7d0c3c3 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ @@ -27756,7 +27758,7 @@ index 6bf0ecc..f2bbe7e 100644 ') ######################################## -@@ -1284,10 +1640,660 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1640,662 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -28290,6 +28292,7 @@ index 6bf0ecc..f2bbe7e 100644 + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") @@ -28334,6 +28337,7 @@ index 6bf0ecc..f2bbe7e 100644 + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") @@ -45258,10 +45262,10 @@ index 0000000..c253b33 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..56ba5a6 +index 0000000..b4a073f --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,824 @@ +@@ -0,0 +1,825 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -45463,6 +45467,7 @@ index 0000000..56ba5a6 +init_undefined(systemd_logind_t) +init_signal_script(systemd_logind_t) +init_getattr_script_status_files(systemd_logind_t) ++init_read_utmp(systemd_logind_t) + +getty_systemctl(systemd_logind_t) + @@ -47499,7 +47504,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..cb235f4 100644 +index 9dc60c6..e6556aa 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -50801,7 +50806,7 @@ index 9dc60c6..cb235f4 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4622,1763 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -51369,6 +51374,24 @@ index 9dc60c6..cb235f4 100644 + +######################################## +## ++## Read and write userdomain stream. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_connectto_stream',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:unix_stream_socket connectto; ++') ++ ++######################################## ++## +## Do not audit attempts to read and write +## unserdomain datagram socket. +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d1ed53e..90745cc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..c55558a 100644 +index f6eb485..f1f976b 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3948,7 +3948,7 @@ index f6eb485..c55558a 100644 + manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) + manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) + -+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write }; ++ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown }; + + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` @@ -20497,7 +20497,7 @@ index 3023be7..0317731 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..999581c 100644 +index c91813c..3d89006 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -20771,13 +20771,14 @@ index c91813c..999581c 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) -libs_read_lib_files(cupsd_t) libs_exec_lib_files(cupsd_t) +libs_exec_ldconfig(cupsd_t) ++libs_exec_ld_so(cupsd_t) logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) @@ -20804,7 +20805,7 @@ index c91813c..999581c 100644 optional_policy(` apm_domtrans_client(cupsd_t) -@@ -272,6 +321,8 @@ optional_policy(` +@@ -272,6 +322,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -20813,7 +20814,7 @@ index c91813c..999581c 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +330,17 @@ optional_policy(` +@@ -279,11 +331,17 @@ optional_policy(` ') optional_policy(` @@ -20831,7 +20832,7 @@ index c91813c..999581c 100644 ') ') -@@ -296,8 +353,8 @@ optional_policy(` +@@ -296,8 +354,8 @@ optional_policy(` ') optional_policy(` @@ -20841,7 +20842,7 @@ index c91813c..999581c 100644 ') optional_policy(` -@@ -306,7 +363,6 @@ optional_policy(` +@@ -306,7 +364,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -20849,7 +20850,7 @@ index c91813c..999581c 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +372,10 @@ optional_policy(` +@@ -316,6 +373,10 @@ optional_policy(` ') optional_policy(` @@ -20860,7 +20861,7 @@ index c91813c..999581c 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -334,7 +394,11 @@ optional_policy(` +@@ -334,7 +395,11 @@ optional_policy(` ') optional_policy(` @@ -20873,7 +20874,7 @@ index c91813c..999581c 100644 ') ######################################## -@@ -342,12 +406,11 @@ optional_policy(` +@@ -342,12 +407,11 @@ optional_policy(` # Configuration daemon local policy # @@ -20889,7 +20890,7 @@ index c91813c..999581c 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -20910,7 +20911,7 @@ index c91813c..999581c 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -20931,7 +20932,7 @@ index c91813c..999581c 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -20943,7 +20944,7 @@ index c91813c..999581c 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +497,12 @@ optional_policy(` +@@ -449,9 +498,12 @@ optional_policy(` ') optional_policy(` @@ -20957,7 +20958,7 @@ index c91813c..999581c 100644 ') optional_policy(` -@@ -467,6 +518,10 @@ optional_policy(` +@@ -467,6 +519,10 @@ optional_policy(` ') optional_policy(` @@ -20968,7 +20969,7 @@ index c91813c..999581c 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +542,6 @@ optional_policy(` +@@ -487,10 +543,6 @@ optional_policy(` # Lpd local policy # @@ -20979,7 +20980,7 @@ index c91813c..999581c 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -20997,7 +20998,7 @@ index c91813c..999581c 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21007,7 +21008,7 @@ index c91813c..999581c 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +598,6 @@ optional_policy(` +@@ -550,7 +599,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -21015,7 +21016,7 @@ index c91813c..999581c 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21167,7 +21168,7 @@ index c91813c..999581c 100644 ######################################## # -@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -21175,7 +21176,7 @@ index c91813c..999581c 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21189,7 +21190,7 @@ index c91813c..999581c 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21198,7 +21199,7 @@ index c91813c..999581c 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +690,4 @@ optional_policy(` +@@ -773,3 +691,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -24084,7 +24085,7 @@ index c697edb..954c090 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..5a24c3a 100644 +index 98a24b9..cb5795e 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -24122,7 +24123,7 @@ index 98a24b9..5a24c3a 100644 files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) -@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t) +@@ -102,22 +103,44 @@ auth_use_nsswitch(dhcpd_t) logging_send_syslog_msg(dhcpd_t) @@ -24145,17 +24146,19 @@ index 98a24b9..5a24c3a 100644 + corenet_tcp_sendrecv_ldap_port(dhcpd_t) + corenet_tcp_connect_ldap_port(dhcpd_t) + corenet_sendrecv_ldap_client_packets(dhcpd_t) -+') -+ -+tunable_policy(`dhcpd_use_ldap',` -+ ldap_read_certs(dhcpd_t) + ') + + optional_policy(` ++ tunable_policy(`dhcpd_use_ldap',` ++ ldap_read_certs(dhcpd_t) ++ ') +') + +ifdef(`distro_gentoo',` + allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; - ') - - optional_policy(` ++') ++ ++optional_policy(` + # used for dynamic DNS bind_read_dnssec_keys(dhcpd_t) ') @@ -36395,10 +36398,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..3ba4a51 100644 +index 4eb7041..76a5802 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,142 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -36436,7 +36439,7 @@ index 4eb7041..3ba4a51 100644 # -# Local policy +# hyperv domain local policy - # ++# + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; @@ -36452,10 +36455,8 @@ index 4eb7041..3ba4a51 100644 +######################################## +# +# hypervkvp local policy - # - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++# ++ +allow hypervkvp_t self:capability sys_ptrace; +allow hypervkvp_t self:process setfscreate; +allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms; @@ -36537,16 +36538,21 @@ index 4eb7041..3ba4a51 100644 +') + +######################################## -+# + # +# hypervvssd local policy -+# + # --logging_send_syslog_msg(hypervkvpd_t) +-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; +-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +allow hypervvssd_t self:capability sys_admin; --miscfiles_read_localization(hypervkvpd_t) +-logging_send_syslog_msg(hypervkvpd_t) +files_list_boot(hypervvssd_t) +-miscfiles_read_localization(hypervkvpd_t) ++files_list_all_mountpoints(hypervvssd_t) ++files_write_all_mountpoints(hypervvssd_t) + -sysnet_dns_name_resolve(hypervkvpd_t) +logging_send_syslog_msg(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te @@ -37242,15 +37248,16 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..db194ec +index 0000000..749756a --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,11 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + +/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) ++/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) + +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) + @@ -61471,10 +61478,10 @@ index 57c0161..c554eb6 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..ad16c77 100644 +index 5b2cb0d..7655e0b 100644 --- a/nut.te +++ b/nut.te -@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0) +@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0) attribute nut_domain; @@ -61584,12 +61591,13 @@ index 5b2cb0d..ad16c77 100644 -allow nut_upsmon_t self:capability dac_read_search; -allow nut_upsmon_t self:unix_stream_socket connectto; ++allow nut_upsmon_t self:capability kill; +allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; - -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) @@ -61609,6 +61617,9 @@ index 5b2cb0d..ad16c77 100644 -corenet_sendrecv_generic_client_packets(nut_upsmon_t) corenet_tcp_connect_generic_port(nut_upsmon_t) ++dev_read_rand(nut_upsmon_t) ++dev_read_urand(nut_upsmon_t) ++ +# Creates /etc/killpower files_manage_etc_runtime_files(nut_upsmon_t) files_etc_filetrans_etc_runtime(nut_upsmon_t, file) @@ -61655,6 +61666,7 @@ index 5b2cb0d..ad16c77 100644 dev_read_sysfs(nut_upsdrvctl_t) -dev_read_urand(nut_upsdrvctl_t) ++dev_read_usbfs(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) term_use_unallocated_ttys(nut_upsdrvctl_t) @@ -76890,7 +76902,7 @@ index d68e26d..d2c4d2a 100644 +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 7cb8b1f..9422c90 100644 +index 7cb8b1f..bef7217 100644 --- a/puppet.if +++ b/puppet.if @@ -1,4 +1,32 @@ @@ -76971,7 +76983,7 @@ index 7cb8b1f..9422c90 100644 ') ################################################ -@@ -78,158 +107,164 @@ interface(`puppet_read_config',` +@@ -78,158 +107,165 @@ interface(`puppet_read_config',` ## ## # @@ -77202,8 +77214,9 @@ index 7cb8b1f..9422c90 100644 - files_search_var_lib($1) - admin_pattern($1, puppet_var_lib_t) + files_search_etc($1) -+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) ++ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) + read_files_pattern($1, puppet_etc_t, puppet_etc_t) ++ read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t) +') +##################################### @@ -81711,10 +81724,10 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..c8696d7 100644 +index c99753f..c7b77bc 100644 --- a/raid.te +++ b/raid.te -@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t; +@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -81822,10 +81835,11 @@ index c99753f..c8696d7 100644 fs_rw_cgroup_files(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) +fs_manage_cgroup_files(mdadm_t) ++fs_read_efivarfs_files(mdadm_t) mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +118,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -81852,7 +81866,7 @@ index c99753f..c8696d7 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +147,38 @@ optional_policy(` +@@ -90,17 +148,38 @@ optional_policy(` ') optional_policy(` @@ -93982,10 +93996,10 @@ index 0000000..3e89d71 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..c9449b4 +index 0000000..3dc39bf --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,505 @@ +@@ -0,0 +1,506 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -94282,6 +94296,7 @@ index 0000000..c9449b4 +#1103622 +corenet_tcp_connect_xserver_port(sandbox_x_domain) +xserver_stream_connect(sandbox_x_domain) ++userdom_connectto_stream(sandbox_x_domain) + +######################################## +# @@ -98580,10 +98595,10 @@ index 0000000..ed76979 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..90903a9 +index 0000000..243fc96 --- /dev/null +++ b/snapper.te -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +policy_module(snapper, 1.0.0) + +######################################## @@ -98609,6 +98624,8 @@ index 0000000..90903a9 +# snapperd local policy +# + ++allow snapperd_t self:capability dac_override; ++ +allow snapperd_t self:fifo_file rw_fifo_file_perms; +allow snapperd_t self:unix_stream_socket create_stream_socket_perms; + @@ -110492,7 +110509,7 @@ index facdee8..19b6ffb 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..a9548bd 100644 +index f03dcf5..7056171 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,248 @@ @@ -112081,7 +112098,7 @@ index f03dcf5..a9548bd 100644 +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto }; ++allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto }; + +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) @@ -112497,24 +112514,30 @@ index f03dcf5..a9548bd 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1546,8 @@ optional_policy(` +@@ -1192,7 +1546,7 @@ optional_policy(` ######################################## # -# Bridgehelper local policy +# virt_bridgehelper local policy # -- + allow virt_bridgehelper_t self:process { setcap getcap }; - allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; - allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t) +@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; + allow virt_bridgehelper_t self:tun_socket create_socket_perms; + allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; - kernel_read_network_state(virt_bridgehelper_t) ++allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write }; ++ + manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t) + kernel_read_network_state(virt_bridgehelper_t) ++kernel_read_system_state(virt_bridgehelper_t) ++ +dev_read_urand(virt_bridgehelper_t) +dev_read_rand(virt_bridgehelper_t) -+ ++dev_read_sysfs(virt_bridgehelper_t) + corenet_rw_tun_tap_dev(virt_bridgehelper_t) -userdom_search_user_home_dirs(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7a1e5c2..57fbaa3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 164%{?dist} +Release: 165%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -664,6 +664,18 @@ exit 0 %endif %changelog +* Wed Jan 06 2016 Lukas Vrabec 3.13.1-165 +- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) +- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." +- Allow arping running as netutils_t sys_module capability for removing tap devices. +- Add userdom_connectto_stream() interface. +- Allow systemd-logind to read /run/utmp. BZ(#1278662) +- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) +- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." +- Allow arping running as netutils_t sys_module capability for removing tap devices. +- Add userdom_connectto_stream() interface. +- Allow systemd-logind to read /run/utmp. BZ(#1278662) + * Tue Dec 15 2015 Lukas Vrabec 3.13.1-164 - Allow firewalld to create firewalld_var_run_t directory. BZ(1291243) - Add interface firewalld_read_pid_files()