From 9e60f7a62457382486fd6a338ae4d53123260a73 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Oct 24 2017 19:33:04 +0000 Subject: * Tue Oct 24 2017 Lukas Vrabec - 3.13.1-283.12 - Allow chronyd_t to request kernel module and block_suspend capability - Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label - Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912) - Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220) - Allow thumb_t to create thumb_home_t files in user_home_dir_t directory BZ(1474110) - Allow httpd_t to also read httpd_user_content_type dirs when httpd_enable_homedirs is enabled - Allow svnserve to use kerberos - Allow conman to use ptmx. Add conman_use_nfs boolean - Allow nnp transition for amavis and tmpreaper SELinux domains - Add dac_read_search capability to openvswitch_t domain - Allow svnserve to manage own svnserve_log_t files/dirs - Allow keepalived_t to search network sysctls - Allow puppetagent_t domain dbus chat with rhsmcertd_t domain - Add kill capability to openvswitch_t domain - Label also compressed logs in /var/log for different services - Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522) - Allow haproxy daemon to reexec itself. BZ(1447800) - Allow conmand to use usb ttys. - Allow openvswitch to run setfiles in setfiles_t domain. - Allow openvswitch_t domain to read process data of neutron_t domains - Fix typo in ipa_cert_filetrans_named_content() interface - Fix typo bug in summary of xguest SELinux module - Allow virtual machine with svirt_t label to stream connect to openvswitch. - Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t - Fix typo: httpd_sys_content_type should be httpd_user_content_type - Fix for Snapper file context definitions for home directory. bz(1465729) - Allow httpd_t domain to mmap httpd_user_content_t files.
BZ(1494852) - Add support for running certbot(letsencrypt) in crontab - Allow nnp trasintion for unconfined_service_t - Allow systemd_machined to read mock lib files. BZ(1504493) - Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081) - Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 9bd2073..dacf9c7 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f27-base.patch b/policy-f27-base.patch index 7694621..d707438 100644 --- a/policy-f27-base.patch +++ b/policy-f27-base.patch @@ -43416,7 +43416,7 @@ index 79048c410..924fa2e75 100644 udev_read_pid_files(lvm_t) ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01e3..c62c76136 100644 +index 9fe8e01e3..6aa1ea05a 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,16 @@ ifdef(`distro_gentoo',` @@ -43477,16 +43477,19 @@ index 9fe8e01e3..c62c76136 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +91,7 @@ ifdef(`distro_debian',` +@@ -89,7 +90,10 @@ ifdef(`distro_debian',` + /var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0) ') ++/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:cert_t,s0) ++ ifdef(`distro_redhat',` +/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc31b..7ed7664fb 100644 +index fc28bc31b..1701f0861 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` 
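Review bot: `/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:cert_t,s0)` in the miscfiles.fc hunk puts the whole tree under the generic certificate type, which many domains can read through the miscfiles cert interfaces, so the label is only right if nothing under /var/lib/letsencrypt is secret. The hunk does not show what certbot stores there; if lock files, backups or anything key-like can land in that directory, a dedicated type would keep it out of the read-all-certs set. At minimum a comment above the entry, such as `# letsencrypt state only; private keys live elsewhere and must not be cert_t`, would record the assumption for the next audit.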
@@ -43730,7 +43733,7 @@ index fc28bc31b..7ed7664fb 100644 ') ######################################## -@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +944,81 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -43784,6 +43787,7 @@ index fc28bc31b..7ed7664fb 100644 + files_var_filetrans($1, man_t, dir, "man") + files_etc_filetrans($1, cert_t, dir, "pki") + files_usr_filetrans($1, cert_t, dir, "certs") ++ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt") + files_usr_filetrans($1, fonts_t, dir, "fonts") + files_usr_filetrans($1, hwdata_t, dir, "hwdata") + files_var_filetrans($1, fonts_cache_t, dir, "fontconfig") @@ -43792,6 +43796,25 @@ index fc28bc31b..7ed7664fb 100644 + files_var_lib_filetrans($1, tetex_data_t, dir, "texmf") + files_var_filetrans($1, public_content_t, dir, "ftp") +') ++ ++ ++######################################## ++## ++## Transition to miscfiles named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`miscfiles_filetrans_named_content_letsencrypt',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt") ++') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 1361961d0..be6b7fc80 100644 --- a/policy/modules/system/miscfiles.te @@ -50109,10 +50132,10 @@ index 000000000..5871e072d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..240cd57d5 +index 000000000..f03b8fa14 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1029 @@ +@@ -0,0 +1,1037 @@ +policy_module(systemd, 1.0.0) + +####################################### 
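Review bot: The header comment on the new `miscfiles_filetrans_named_content_letsencrypt` interface in the miscfiles.if hunk is copied from the generic interface above it and still reads `Transition to miscfiles named content`, which does not say what this one does. It should name the directory and type, e.g. `## Create the letsencrypt directory under /var/lib with the cert_t label.`. The same `files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")` rule is also added to `miscfiles_filetrans_named_content` in the preceding hunk, so a one-line comment saying why a standalone interface is needed as well (presumably for callers that should not get the full named-content set) would help a reader.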
@@ -50480,6 +50503,10 @@ index 000000000..240cd57d5 +') + +optional_policy(` ++ mock_read_lib_files(systemd_machined_t) ++') ++ ++optional_policy(` + virt_dbus_chat(systemd_machined_t) + virt_sandbox_read_state(systemd_machined_t) + virt_signal_sandbox(systemd_machined_t) @@ -51058,6 +51085,10 @@ index 000000000..240cd57d5 + dbus_connect_system_bus(systemd_resolved_t) +') + ++optional_policy(` ++ networkmanager_dbus_chat(systemd_resolved_t) ++') ++ +######################################## +# +# Common rules for systemd domains @@ -52294,10 +52325,10 @@ index 5ca20a97d..43bb011b3 100644 + allow $1 unconfined_service_t:process { noatsecure }; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902db3..0a7c3bb00 100644 +index 5fe902db3..9c6e6d4b9 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,33 @@ +@@ -1,207 +1,34 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) @@ -52317,6 +52348,7 @@ index 5fe902db3..0a7c3bb00 100644 +type unconfined_service_t; +domain_type(unconfined_service_t) +role system_r types unconfined_service_t; ++init_nnp_daemon_domain(unconfined_service_t) -type unconfined_exec_t; -init_system_domain(unconfined_t, unconfined_exec_t) diff --git a/policy-f27-contrib.patch b/policy-f27-contrib.patch index 411de0d..f640003 100644 --- a/policy-f27-contrib.patch +++ b/policy-f27-contrib.patch @@ -2531,10 +2531,18 @@ index 60d4f8c90..18ef0772c 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 91fa72ae1..1736250ae 100644 +index 91fa72ae1..be1f9677d 100644 --- a/amavis.te 
+++ b/amavis.te -@@ -39,14 +39,14 @@ type amavis_quarantine_t; +@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false) + type amavis_t; + type amavis_exec_t; + init_daemon_domain(amavis_t, amavis_exec_t) ++init_nnp_daemon_domain(amavis_t) + + type amavis_etc_t; + files_config_file(amavis_etc_t) +@@ -39,14 +40,14 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) type amavis_spool_t; @@ -2551,7 +2559,7 @@ index 91fa72ae1..1736250ae 100644 dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process signal_perms; allow amavis_t self:fifo_file rw_fifo_file_perms; -@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) +@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) @@ -2565,7 +2573,7 @@ index 91fa72ae1..1736250ae 100644 manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) +@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) corecmd_exec_bin(amavis_t) corecmd_exec_shell(amavis_t) @@ -2573,7 +2581,7 @@ index 91fa72ae1..1736250ae 100644 corenet_all_recvfrom_netlabel(amavis_t) corenet_tcp_sendrecv_generic_if(amavis_t) corenet_udp_sendrecv_generic_if(amavis_t) -@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) +@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_sendrecv_razor_client_packets(amavis_t) corenet_tcp_connect_razor_port(amavis_t) @@ -2581,7 +2589,7 @@ index 91fa72ae1..1736250ae 100644 dev_read_rand(amavis_t) dev_read_sysfs(amavis_t) -@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t) +@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t) domain_dontaudit_read_all_domains_state(amavis_t) files_read_etc_runtime_files(amavis_t) 
@@ -2589,7 +2597,7 @@ index 91fa72ae1..1736250ae 100644 files_search_spool(amavis_t) fs_getattr_xattr_fs(amavis_t) -@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t) +@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) @@ -2613,7 +2621,7 @@ index 91fa72ae1..1736250ae 100644 ') optional_policy(` -@@ -173,6 +181,10 @@ optional_policy(` +@@ -173,6 +182,10 @@ optional_policy(` ') optional_policy(` @@ -5615,7 +5623,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..959f12c4c 100644 +index 6649962b6..5066062d5 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -7796,7 +7804,7 @@ index 6649962b6..959f12c4c 100644 ') ######################################## -@@ -1330,49 +1633,42 @@ optional_policy(` +@@ -1330,49 +1633,43 @@ optional_policy(` # User content local policy # @@ -7836,7 +7844,8 @@ index 6649962b6..959f12c4c 100644 - fs_exec_nfs_files(httpd_user_script_t) + read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) + read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) -+ allow httpd_t httpd_sys_content_type:file map; ++ list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ++ allow httpd_t httpd_user_content_type:file map; ') tunable_policy(`httpd_read_user_content',` @@ -7864,7 +7873,7 @@ index 6649962b6..959f12c4c 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1678,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -13838,7 +13847,7 @@ index 32e8265c2..ac74503d1 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c29..cfc64f1b0 100644 +index e5b621c29..c98b88f43 100644 --- a/chronyd.te +++ b/chronyd.te 
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13851,13 +13860,14 @@ index e5b621c29..cfc64f1b0 100644 type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t) +@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t) # Local policy # -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit signal }; +allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin }; ++allow chronyd_t self:capability2 block_suspend; +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; @@ -13869,16 +13879,17 @@ index e5b621c29..cfc64f1b0 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) +@@ -61,6 +69,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) + kernel_read_system_state(chronyd_t) kernel_read_network_state(chronyd_t) - -+clock_read_adjtime(chronyd_t) ++kernel_request_load_module(chronyd_t) + ++clock_read_adjtime(chronyd_t) + corenet_all_recvfrom_unlabeled(chronyd_t) corenet_all_recvfrom_netlabel(chronyd_t) - corenet_udp_sendrecv_generic_if(chronyd_t) -@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +87,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -17120,10 +17131,10 @@ index 000000000..1cc5fa464 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 000000000..2357f3ba8 +index 000000000..246420052 --- /dev/null 
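Review bot: `kernel_request_load_module(chronyd_t)` in the chronyd.te hunk lets the daemon trigger module autoloading for any module alias, and neither the hunk nor the commit message says which module chronyd actually needs. A short comment above the call naming the module or the chrony feature that requests it would let a later audit decide whether a narrower rule is possible. The same applies to the new `allow chronyd_t self:capability2 block_suspend;` line: a comment on which operation needs it keeps the growing capability set reviewable.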
+++ b/conman.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,114 @@ +policy_module(conman, 1.0.0) + +######################################## @@ -17139,6 +17150,13 @@ index 000000000..2357f3ba8 +## +gen_tunable(conman_can_network, false) + ++## ++##

++## Allow conman to manage nfs files ++##

++##
++gen_tunable(conman_use_nfs, false) ++ +type conman_t; +type conman_exec_t; +init_daemon_domain(conman_t, conman_exec_t) @@ -17195,18 +17213,28 @@ index 000000000..2357f3ba8 + +corecmd_exec_bin(conman_t) + ++dev_read_urand(conman_t) ++ +logging_send_syslog_msg(conman_t) + +sysnet_dns_name_resolve(conman_t) + +userdom_use_user_ptys(conman_t) + ++term_use_usb_ttys(conman_t) ++term_use_ptmx(conman_t) ++ +tunable_policy(`conman_can_network',` + corenet_sendrecv_all_client_packets(conman_t) + corenet_tcp_connect_all_ports(conman_t) + corenet_tcp_sendrecv_all_ports(conman_t) +') + ++tunable_policy(`conman_use_nfs',` ++ fs_manage_nfs_files(conman_t) ++ fs_read_nfs_symlinks(conman_t) ++') ++ +optional_policy(` + freeipmi_stream_connect(conman_t) +') @@ -19633,7 +19661,7 @@ index 1303b3036..f5bd4aee8 100644 + logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log") ') diff --git a/cron.te b/cron.te -index 7de385956..e4c99bdd4 100644 +index 7de385956..e48b44ff3 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -20270,12 +20298,13 @@ index 7de385956..e4c99bdd4 100644 auth_use_nsswitch(system_cronjob_t) -@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) -miscfiles_read_localization(system_cronjob_t) -- ++miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t) + seutil_read_config(system_cronjob_t) +userdom_manage_tmpfs_files(system_cronjob_t, file) @@ -20300,7 +20329,7 @@ index 7de385956..e4c99bdd4 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +551,22 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
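Review bot: `miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)` in the cron.te hunk only supplies the type transition and write access to the /var/lib parent (that is all `files_var_lib_filetrans` provides); creating the new directory with the cert_t label still needs `create` on `cert_t:dir`, which nothing in this hunk grants. Unless system_cronjob_t already has that permission elsewhere, which I cannot see from here, the commit-message goal of creating /var/lib/letsencrypt with the right label is not met and the transition is inert. Either pair the call with the interface that grants the cert_t dir permissions or add a comment pointing at the rule that does.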
@@ -20323,7 +20352,7 @@ index 7de385956..e4c99bdd4 100644 ') optional_policy(` -@@ -551,10 +573,6 @@ optional_policy(` +@@ -551,10 +575,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -20334,7 +20363,7 @@ index 7de385956..e4c99bdd4 100644 ') optional_policy(` -@@ -567,6 +585,10 @@ optional_policy(` +@@ -567,6 +587,10 @@ optional_policy(` ') optional_policy(` @@ -20345,7 +20374,7 @@ index 7de385956..e4c99bdd4 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +613,8 @@ optional_policy(` +@@ -591,6 +615,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -20354,7 +20383,7 @@ index 7de385956..e4c99bdd4 100644 ') optional_policy(` -@@ -598,7 +622,31 @@ optional_policy(` +@@ -598,7 +624,31 @@ optional_policy(` ') optional_policy(` @@ -20386,7 +20415,7 @@ index 7de385956..e4c99bdd4 100644 ') optional_policy(` -@@ -607,7 +655,12 @@ optional_policy(` +@@ -607,7 +657,12 @@ optional_policy(` ') optional_policy(` @@ -20399,7 +20428,7 @@ index 7de385956..e4c99bdd4 100644 ') optional_policy(` -@@ -615,12 +668,27 @@ optional_policy(` +@@ -615,12 +670,27 @@ optional_policy(` ') optional_policy(` @@ -20429,7 +20458,7 @@ index 7de385956..e4c99bdd4 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +698,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
@@ -20463,7 +20492,7 @@ index 7de385956..e4c99bdd4 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +731,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -26768,10 +26797,10 @@ index 000000000..d22ed691a +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 000000000..238787661 +index 000000000..b93540692 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -26815,6 +26844,8 @@ index 000000000..238787661 + +kernel_read_system_state(dnssec_trigger_t) + ++can_exec(dnssec_trigger_t, dnssec_trigger_exec_t) ++ +corecmd_exec_bin(dnssec_trigger_t) +corecmd_exec_shell(dnssec_trigger_t) +corecmd_read_all_executables(dnssec_trigger_t) @@ -31542,7 +31573,7 @@ index e5b15fb7e..220622e84 100644 diff --git a/ganesha.fc b/ganesha.fc new file mode 100644 -index 000000000..855f58e55 +index 000000000..c723bfb97 --- /dev/null +++ b/ganesha.fc @@ -0,0 +1,12 @@ @@ -31554,8 +31585,8 @@ index 000000000..855f58e55 + +/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + -+/var/log/ganesha.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0) -+/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0) ++/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) ++/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) + +/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) diff --git a/ganesha.if b/ganesha.if @@ -39764,7 +39795,7 @@ index 000000000..61f2003c8 +userdom_use_user_terminals(iotop_t) 
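Review bot: `/var/log/ganesha.log.*` and `/var/log/ganesha-gfapi.log.*` in the ganesha.fc hunk leave the dot before `log` unescaped, so with the new `.*` suffix the pattern matches any name of the form `ganesha?log...`, not just the log file and its rotated copies; the same applies to `/var/log/ipareplica-conncheck.log.*` in the ipa.fc hunk. The nsd.fc hunk gets this right with `/var/log/nsd\.log.*`. Suggest `/var/log/ganesha\.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)` and the same escape on the gfapi and ipareplica entries.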
diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 000000000..74206edcb +index 000000000..61fd84f00 --- /dev/null +++ b/ipa.fc @@ -0,0 +1,29 @@ @@ -39793,16 +39824,16 @@ index 000000000..74206edcb + +/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0) + -+/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) ++/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0) + +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 000000000..d611c53d4 +index 000000000..72a6b78ba --- /dev/null +++ b/ipa.if -@@ -0,0 +1,309 @@ +@@ -0,0 +1,310 @@ +## Policy for IPA services. + +######################################## @@ -40089,6 +40120,7 @@ index 000000000..d611c53d4 +interface(`ipa_cert_filetrans_named_content',` + gen_require(` + type ipa_cert_t; ++ type cert_t; + ') + + filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key") @@ -43432,10 +43464,10 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..e5b8b3bbf +index 000000000..f84877209 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,101 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -43477,6 +43509,7 @@ index 000000000..e5b8b3bbf +kernel_read_network_state(keepalived_t) +kernel_request_load_module(keepalived_t) +kernel_rw_usermodehelper_state(keepalived_t) ++kernel_search_network_sysctl(keepalived_t) + +auth_use_nsswitch(keepalived_t) + @@ -46199,7 +46232,7 @@ index 73e2803ee..34ca3aa22 100644 role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; diff --git a/l2tp.te b/l2tp.te -index bb06a7fee..01e784bf5 100644 +index bb06a7fee..3339bd85c 100644 --- a/l2tp.te +++ b/l2tp.te @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) 
@@ -46226,7 +46259,7 @@ index bb06a7fee..01e784bf5 100644 corenet_all_recvfrom_unlabeled(l2tpd_t) corenet_all_recvfrom_netlabel(l2tpd_t) corenet_raw_sendrecv_generic_if(l2tpd_t) -@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t) +@@ -75,19 +77,38 @@ corecmd_exec_bin(l2tpd_t) dev_read_urand(l2tpd_t) @@ -46258,6 +46291,7 @@ index bb06a7fee..01e784bf5 100644 + ipsec_mgmt_read_pid(l2tpd_t) + ipsec_filetrans_key_file(l2tpd_t) + ipsec_manage_key_file(l2tpd_t) ++ ipsec_kill_mgmt(l2tpd_t) +') + +optional_policy(` @@ -62952,7 +62986,7 @@ index bcd7d0a7d..9b397fdd7 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/nsd.fc b/nsd.fc -index 4f2b1b663..6b300d54f 100644 +index 4f2b1b663..0e24b49a9 100644 --- a/nsd.fc +++ b/nsd.fc @@ -1,16 +1,19 @@ @@ -62984,7 +63018,7 @@ index 4f2b1b663..6b300d54f 100644 +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) + -+/var/log/nsd\.log -- gen_context(system_u:object_r:nsd_log_t,s0) ++/var/log/nsd\.log.* -- gen_context(system_u:object_r:nsd_log_t,s0) diff --git a/nsd.if b/nsd.if index a9c60ff87..ad4f14ad6 100644 --- a/nsd.if @@ -69101,7 +69135,7 @@ index 9b157305b..cb00f200a 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99ab..d11c99a93 100644 +index 44dbc99ab..6221f5b9a 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; 
@@ -69133,7 +69167,7 @@ index 44dbc99ab..d11c99a93 100644 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; -+allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid }; ++allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill }; +allow openvswitch_t self:capability2 block_suspend; +allow openvswitch_t self:process { fork setsched setrlimit signal setcap }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; @@ -69167,7 +69201,7 @@ index 44dbc99ab..d11c99a93 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -63,35 +67,63 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) +@@ -63,35 +67,71 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -69240,6 +69274,14 @@ index 44dbc99ab..d11c99a93 100644 +optional_policy(` + plymouthd_exec_plymouth(openvswitch_t) +') ++ ++optional_policy(` ++ networkmanager_read_state(openvswitch_t) ++') ++ ++optional_policy(` ++ seutil_domtrans_setfiles(openvswitch_t) ++') diff --git a/openwsman.fc b/openwsman.fc new file mode 100644 index 000000000..00d0643d9 @@ -71298,10 +71340,10 @@ index 000000000..02df03ad6 +') diff --git a/pdns.te b/pdns.te new file mode 100644 -index 000000000..509d89837 +index 000000000..63ddc577c --- /dev/null 
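Review bot: `seutil_domtrans_setfiles(openvswitch_t)` in the openvswitch.te hunk gives the daemon a transition into the setfiles domain, which can relabel files well beyond openvswitch's own state, and the commit message says only that openvswitch runs setfiles, not on which paths. A comment naming the code path that invokes setfiles and what it relabels would let a reviewer judge whether a relabel rule scoped to openvswitch types would do instead. Separately, the changelog entry says openvswitch_t should read process data of neutron_t, but this hunk adds `networkmanager_read_state(openvswitch_t)` while the new `neutron_read_state` interface in the quantum.if hunk has no caller in this diff; please confirm which was intended. The capability line also gains `kill`; a short comment on which process openvswitch needs to signal would keep that reviewable.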
+++ b/pdns.te -@@ -0,0 +1,82 @@ +@@ -0,0 +1,83 @@ +policy_module(pdns, 1.0.2) + +######################################## @@ -71319,6 +71361,7 @@ index 000000000..509d89837 +type pdns_t; +type pdns_exec_t; +init_daemon_domain(pdns_t, pdns_exec_t) ++init_nnp_daemon_domain(pdns_t) + +type pdns_unit_file_t; +systemd_unit_file(pdns_unit_file_t) @@ -81707,7 +81750,7 @@ index 7cb8b1f9c..bef72173b 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfeed..d5d0cfcb8 100644 +index 618dcfeed..5b18765bc 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -81769,7 +81812,7 @@ index 618dcfeed..d5d0cfcb8 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,174 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,178 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # 
@@ -81968,53 +82011,49 @@ index 618dcfeed..d5d0cfcb8 100644 + +optional_policy(` + mysql_stream_connect(puppetagent_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(puppetagent_t) ++') ++ ++optional_policy(` ++ cfengine_read_lib_files(puppetagent_t) ++') ++ ++optional_policy(` ++ consoletype_exec(puppetagent_t) ') optional_policy(` - cfengine_read_lib_files(puppet_t) -+ postgresql_stream_connect(puppetagent_t) ++ hostname_exec(puppetagent_t) ') optional_policy(` - consoletype_exec(puppet_t) -+ cfengine_read_lib_files(puppetagent_t) ++ mount_domtrans(puppetagent_t) ') optional_policy(` - hostname_exec(puppet_t) -+ consoletype_exec(puppetagent_t) ++ mta_send_mail(puppetagent_t) ') optional_policy(` - mount_domtrans(puppet_t) -+ hostname_exec(puppetagent_t) ++ networkmanager_dbus_chat(puppetagent_t) ') optional_policy(` - mta_send_mail(puppet_t) -+ mount_domtrans(puppetagent_t) ++ firewalld_dbus_chat(puppetagent_t) ') optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) -+ mta_send_mail(puppetagent_t) - ') - - optional_policy(` -- files_rw_var_files(puppet_t) -+ networkmanager_dbus_chat(puppetagent_t) -+') -+ -+optional_policy(` -+ firewalld_dbus_chat(puppetagent_t) -+') - -- rpm_domtrans(puppet_t) -- rpm_manage_db(puppet_t) -- rpm_manage_log(puppet_t) -+optional_policy(` + portage_domtrans(puppetagent_t) + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) 
@@ -82026,21 +82065,29 @@ index 618dcfeed..d5d0cfcb8 100644 + rpm_domtrans(puppetagent_t) + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) + ') + + optional_policy(` +- files_rw_var_files(puppet_t) ++ shorewall_domtrans(puppetagent_t) +') -+ + +- rpm_domtrans(puppet_t) +- rpm_manage_db(puppet_t) +- rpm_manage_log(puppet_t) +optional_policy(` -+ shorewall_domtrans(puppetagent_t) ++ unconfined_domain_noaudit(puppetagent_t) ') optional_policy(` - unconfined_domain(puppet_t) -+ unconfined_domain_noaudit(puppetagent_t) ++ shorewall_domtrans(puppet_t) ') optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -+ shorewall_domtrans(puppet_t) ++ rhsmcertd_dbus_chat(puppetagent_t) ') ######################################## @@ -82061,7 +82108,7 @@ index 618dcfeed..d5d0cfcb8 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +240,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +244,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -82069,7 +82116,7 @@ index 618dcfeed..d5d0cfcb8 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +249,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +253,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) @@ -82085,7 +82132,7 @@ index 618dcfeed..d5d0cfcb8 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +263,48 @@ optional_policy(` +@@ -246,38 +267,48 @@ optional_policy(` hostname_exec(puppetca_t) ') 
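Review bot: The puppet.te hunk re-pairs the removed puppet_t lines with unrelated puppetagent_t additions, so the only new rule, `rhsmcertd_dbus_chat(puppetagent_t)`, is hard to locate; regenerating the inner diff so that moved blocks stay paired would make the change reviewable. Note also that puppetagent_t is placed under `unconfined_domain_noaudit` in an optional block in the same hunk, so the dbus rule appears to matter only when the unconfined module is not loaded; a comment stating that would save the next reader the same question.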
@@ -82150,7 +82197,7 @@ index 618dcfeed..d5d0cfcb8 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +316,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +320,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -82181,7 +82228,7 @@ index 618dcfeed..d5d0cfcb8 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +342,32 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +346,32 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -82219,7 +82266,7 @@ index 618dcfeed..d5d0cfcb8 100644 ') optional_policy(` -@@ -342,3 +376,9 @@ optional_policy(` +@@ -342,3 +380,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -84487,10 +84534,10 @@ index 70ab68b02..b985b6570 100644 +/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) +/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) diff --git a/quantum.if b/quantum.if -index afc00688d..589a7fdde 100644 +index afc00688d..e974fad4b 100644 --- a/quantum.if +++ b/quantum.if -@@ -2,41 +2,295 @@ +@@ -2,41 +2,314 @@ ######################################## ## @@ -84516,13 +84563,12 @@ index afc00688d..589a7fdde 100644 +######################################## +## +## Allow read/write neutron pipes - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`neutron_rw_inherited_pipes',` + gen_require(` @@ -84535,13 +84581,13 @@ index afc00688d..589a7fdde 100644 +######################################## +## +## Send sigchld to neutron. -+## -+## + ## + ## ## --## Role allowed access. -+## Domain allowed access. -+## -+## + ## Domain allowed access. + ## + ## +-## +# +# +interface(`neutron_sigchld',` 
@@ -84557,7 +84603,8 @@ index afc00688d..589a7fdde 100644 +## Read neutron's log files. +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. ## ## @@ -84669,11 +84716,7 @@ index afc00688d..589a7fdde 100644 + gen_require(` + type neutron_var_lib_t; + ') - -- init_labeled_script_domtrans($1, quantum_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 quantum_initrc_exec_t system_r; -- allow $2 system_r; ++ + files_search_var_lib($1) + manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) + manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) @@ -84693,7 +84736,11 @@ index afc00688d..589a7fdde 100644 + gen_require(` + type neutron_var_lib_t; + ') -+ + +- init_labeled_script_domtrans($1, quantum_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 quantum_initrc_exec_t system_r; +- allow $2 system_r; + files_search_var_lib($1) + manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t) +') @@ -84762,6 +84809,25 @@ index afc00688d..589a7fdde 100644 + ps_process_pattern($1, neutron_t) +') + ++####################################### ++## ++## Read neutron process state files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_read_state',` ++ gen_require(` ++ type neutron_t; ++ ') ++ ++ allow $1 neutron_t:dir search_dir_perms; ++ allow $1 neutron_t:file read_file_perms; ++ allow $1 neutron_t:lnk_file read_lnk_file_perms; ++') + +######################################## +## @@ -89789,7 +89855,7 @@ index c8bdea28d..beb2872e3 100644 + allow $1 haproxy_unit_file_t:service {status start}; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c449..0dbfae6d5 100644 +index 6cf79c449..11d931106 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
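Review bot: The new `neutron_read_state` interface in the quantum.if hunk spells out `search_dir_perms`, `read_file_perms` and `read_lnk_file_perms` on neutron_t by hand, which is the `ps_process_pattern` macro the interface just above it already uses, except for `search_dir_perms` in place of `list_dir_perms`. Either call `ps_process_pattern($1, neutron_t)` here or add a comment explaining why search rather than list is sufficient for the intended caller. No caller of this interface appears in the diff, so the comment should also say which domain it is for.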
@@ -90315,7 +90381,7 @@ index 6cf79c449..0dbfae6d5 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +607,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +607,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -90347,6 +90413,8 @@ index 6cf79c449..0dbfae6d5 100644 +manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) +files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file }) + ++can_exec(haproxy_t, haproxy_exec_t) ++ +corenet_sendrecv_unlabeled_packets(haproxy_t) + +corenet_tcp_connect_commplex_link_port(haproxy_t) @@ -90375,7 +90443,7 @@ index 6cf79c449..0dbfae6d5 100644 ###################################### # # qdiskd local policy -@@ -292,7 +671,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +673,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -90383,7 +90451,7 @@ index 6cf79c449..0dbfae6d5 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +699,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +701,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -108036,10 +108104,10 @@ index 27a8480bc..fc3fca520 100644 + allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/svnserve.fc b/svnserve.fc -index effffd028..12ca090e1 100644 +index effffd028..0d5c275de 100644 --- a/svnserve.fc +++ b/svnserve.fc -@@ -1,8 +1,13 @@ +@@ -1,8 +1,15 @@ -/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) +/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) 
@@ -108058,6 +108126,8 @@ index effffd028..12ca090e1 100644 +/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) ++ ++/var/log/svnserve(/.*)? gen_context(system_u:object_r:svnserve_log_t,s0) diff --git a/svnserve.if b/svnserve.if index 2ac91b6e0..a97033d2b 100644 --- a/svnserve.if @@ -108196,10 +108266,10 @@ index 2ac91b6e0..a97033d2b 100644 ') + diff --git a/svnserve.te b/svnserve.te -index 49d688d66..451a64768 100644 +index 49d688d66..f7e23fe71 100644 --- a/svnserve.te +++ b/svnserve.te -@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) +@@ -12,12 +12,21 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) type svnserve_initrc_exec_t; init_script_file(svnserve_initrc_exec_t) @@ -108215,10 +108285,13 @@ index 49d688d66..451a64768 100644 +type svnserve_tmp_t; +files_tmp_file(svnserve_tmp_t) + ++type svnserve_log_t; ++logging_log_file(svnserve_log_t) ++ ######################################## # # Local policy -@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms; +@@ -27,6 +36,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms; allow svnserve_t self:tcp_socket create_stream_socket_perms; allow svnserve_t self:unix_stream_socket { listen accept }; 
@@ -108230,17 +108303,19 @@ index 49d688d66..451a64768 100644 manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) -@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) +@@ -34,8 +48,9 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) -files_read_etc_files(svnserve_t) -files_read_usr_files(svnserve_t) -- ++manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t) ++manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t) ++logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file }) + corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) - corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) +@@ -52,8 +67,13 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) corenet_udp_bind_svn_port(svnserve_t) corenet_udp_sendrecv_svn_port(svnserve_t) @@ -108252,6 +108327,10 @@ index 49d688d66..451a64768 100644 +logging_send_syslog_msg(svnserve_t) sysnet_dns_name_resolve(svnserve_t) ++ ++optional_policy(` ++ kerberos_use(svnserve_t) ++') diff --git a/swift.fc b/swift.fc new file mode 100644 index 000000000..6d897bc25 @@ -111207,10 +111286,10 @@ index 000000000..9524b50aa +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..2b15dca23 +index 000000000..d6affa561 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,172 @@ +@@ -0,0 +1,173 @@ +policy_module(thumb, 1.0.0) + +######################################## 
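Review bot: `logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file })` carries no filename, so anything svnserve_t creates directly under /var/log becomes svnserve_log_t, while the file context added in svnserve.fc only covers `/var/log/svnserve(/.*)?`; the runtime label and the relabel result will disagree for any other file. Unless svnserve also writes a log file straight into /var/log, narrow the transition to the directory the fc entry names, `logging_log_filetrans(svnserve_t, svnserve_log_t, dir, "svnserve")`, and let the two manage_*_pattern rules cover what is created inside it. That keeps the domain from claiming arbitrary /var/log entries as its own.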
@@ -111261,6 +111340,7 @@ index 000000000..2b15dca23 +manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails") +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") ++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file) +userdom_dontaudit_access_check_user_content(thumb_t) +userdom_rw_inherited_user_tmp_files(thumb_t) +userdom_manage_home_texlive(thumb_t) @@ -111755,10 +111835,10 @@ index 000000000..5185a9e8e + sssd_stream_connect(tlp_t) +') diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f95..a7cb3263d 100644 +index 585a77f95..a00757adc 100644 --- a/tmpreaper.te +++ b/tmpreaper.te -@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1) +@@ -5,9 +5,35 @@ policy_module(tmpreaper, 1.7.1) # Declarations # @@ -111790,10 +111870,11 @@ index 585a77f95..a7cb3263d 100644 type tmpreaper_exec_t; init_system_domain(tmpreaper_t, tmpreaper_exec_t) +application_domain(tmpreaper_t, tmpreaper_exec_t) ++init_nnp_daemon_domain(tmpreaper_t) ######################################## # -@@ -19,6 +44,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; +@@ -19,6 +45,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) @@ -111801,7 +111882,7 @@ index 585a77f95..a7cb3263d 100644 dev_read_urand(tmpreaper_t) -@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t) +@@ -27,15 +54,16 @@ corecmd_exec_shell(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) @@ -111823,7 +111904,7 @@ index 585a77f95..a7cb3263d 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t) +@@ -45,7 +73,6 @@ init_use_inherited_script_ptys(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) 
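Review bot: The added `userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)` is an unnamed transition, so every file thumb_t creates directly in a user_home_dir_t directory is now labelled thumb_home_t; this widens what the thumbnailer can claim as its own in $HOME and makes the `"missfont.log"` named transition on the line above redundant, since both resolve to the same type. If the thumbnailer genuinely creates files with non-fixed names there (the changelog's BZ(1474110) suggests it does), record that next to the rule, e.g. `# thumb_t creates files with non-fixed names directly in $HOME (BZ 1474110), so an unnamed transition is needed`, and the missfont.log line can go; otherwise prefer another named transition for the specific file. The declarations of thumb_t and thumb_home_t are outside this hunk.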
@@ -111831,7 +111912,7 @@ index 585a77f95..a7cb3263d 100644 miscfiles_delete_man_pages(tmpreaper_t) ifdef(`distro_debian',` -@@ -53,10 +79,33 @@ ifdef(`distro_debian',` +@@ -53,10 +80,33 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -111866,7 +111947,7 @@ index 585a77f95..a7cb3263d 100644 ') optional_policy(` -@@ -64,6 +113,7 @@ optional_policy(` +@@ -64,6 +114,7 @@ optional_policy(` ') optional_policy(` @@ -111874,7 +111955,7 @@ index 585a77f95..a7cb3263d 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,7 +129,19 @@ optional_policy(` +@@ -79,7 +130,19 @@ optional_policy(` ') optional_policy(` @@ -111895,7 +111976,7 @@ index 585a77f95..a7cb3263d 100644 ') optional_policy(` -@@ -89,3 +151,8 @@ optional_policy(` +@@ -89,3 +152,8 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) ') @@ -114767,10 +114848,10 @@ index 3d11c6a3d..c5d84287e 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bcfc..58d0a33f2 100644 +index a4f20bcfc..c4c8eb4b3 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,111 @@ +@@ -1,51 +1,113 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -114827,6 +114908,7 @@ index a4f20bcfc..58d0a33f2 100644 +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/bin/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) 
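Review bot: Labelling `/usr/bin/qemu-pr-helper` as `virtd_exec_t` makes the helper enter libvirtd's own domain (presumably virtd_t, via the init_daemon_domain rule for virtd_exec_t elsewhere in virt.te), which hands a small SCSI persistent-reservation helper every permission libvirtd has; the changelog entry for this change says `virt_exec_t`, so either the entry or the label is wrong. A dedicated exec type and domain would be the least-privilege option; if virtd_exec_t is an intentional stop-gap, document it on the line: `# qemu-pr-helper runs as virtd_t for now; should get its own domain`. The following hunk labels /var/run/qemu-pr-helper.sock as virtd_var_run_t, so the guest side (svirt_t) needs stream connect to that type for reservations to work, and I do not see that rule in this diff.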
@@ -114860,6 +114942,7 @@ index a4f20bcfc..58d0a33f2 100644 +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virtd_var_run_t,s0) -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) @@ -117146,7 +117229,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..d0c180d96 100644 +index f03dcf567..c94628c56 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -117759,10 +117842,10 @@ index f03dcf567..d0c180d96 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) +- +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +allow svirt_t self:process ptrace; --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; @@ -117946,12 +118029,12 @@ index f03dcf567..d0c180d96 100644 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -118051,13 +118134,13 @@ index f03dcf567..d0c180d96 100644 +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -- --ifdef(`hide_broken_symptoms',` -- dontaudit virtd_t self:capability { sys_module sys_ptrace }; --') +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) +-ifdef(`hide_broken_symptoms',` +- dontaudit virtd_t self:capability { sys_module sys_ptrace }; +-') +- -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -118111,7 +118194,7 @@ index f03dcf567..d0c180d96 100644 ') optional_policy(` -@@ -691,99 +653,445 @@ optional_policy(` +@@ -691,99 +653,449 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -118411,6 +118494,10 @@ index f03dcf567..d0c180d96 100644 +') + +optional_policy(` ++ openvswitch_stream_connect(svirt_t) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) +') + @@ -118608,7 +118695,7 @@ index f03dcf567..d0c180d96 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1102,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1106,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -118635,7 +118722,7 @@ index f03dcf567..d0c180d96 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1122,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1126,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -118669,7 +118756,7 @@ index f03dcf567..d0c180d96 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1159,20 @@ optional_policy(` +@@ -856,14 +1163,20 @@ optional_policy(` ') optional_policy(` 
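Review bot: `openvswitch_stream_connect(svirt_t)` is granted unconditionally, so every qemu process in svirt_t — code reachable from a compromised guest — may connect to whatever unix sockets that interface covers. If the interface spans all sock_files of openvswitch's run type (its body is not in this hunk), that includes the ovsdb-server and ovs-vswitchd management sockets, not only the vhost-user sockets a guest needs. Consider gating it behind a tunable, as the virt_use_nfs block for virsh_t further down this file does for other privileges, or a narrower interface limited to the vhost-user sockets, and either way add `# vhost-user: qemu connects to OVS-created sockets; the OVS management sockets are reachable through the same interface` above the call.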
@@ -118691,7 +118778,7 @@ index f03dcf567..d0c180d96 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1197,66 @@ optional_policy(` +@@ -888,49 +1201,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -118776,7 +118863,7 @@ index f03dcf567..d0c180d96 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1268,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1272,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -118796,7 +118883,7 @@ index f03dcf567..d0c180d96 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,15 +1289,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,15 +1293,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -118815,7 +118902,7 @@ index f03dcf567..d0c180d96 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -982,186 +1303,307 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -982,186 +1307,307 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -119252,7 +119339,7 @@ index f03dcf567..d0c180d96 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1620,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -119267,7 +119354,7 @@ index f03dcf567..d0c180d96 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1634,7 @@ optional_policy(` +@@ -1192,7 +1638,7 @@ optional_policy(` ######################################## # 
@@ -119276,7 +119363,7 @@ index f03dcf567..d0c180d96 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1643,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1647,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -122426,6 +122513,16 @@ index 0928c5d6a..b9bcf8824 100644 miscfiles_read_fonts(xfs_t) userdom_dontaudit_use_unpriv_user_fds(xfs_t) +diff --git a/xguest.if b/xguest.if +index 4f1d07d71..5c819abe8 100644 +--- a/xguest.if ++++ b/xguest.if +@@ -1,4 +1,4 @@ +-## Least privledge xwindows user role. ++## Least privileged xwindows user role. + + ######################################## + ## diff --git a/xguest.te b/xguest.te index a64aad347..12dc86b2f 100644 --- a/xguest.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 2f39ef5..96db5f2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 283.11%{?dist} +Release: 283.12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -722,6 +722,40 @@ exit 0 %endif %changelog +* Tue Oct 24 2017 Lukas Vrabec - 3.13.1-283.12 +- Allow chronyd_t do request kernel module and block_suspend capability +- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label +- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912) +- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220) +- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110) +- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables +- Allow svnserve to use kerberos +- Allow conman to use ptmx. Add conman_use_nfs boolean +- Allow nnp transition for amavis and tmpreaper SELinux domains +- Add dac_read_search capability to openvswitch_t domain +- Allow svnserve to manage own svnserve_log_t files/dirs +- Allow keepalived_t to search network sysctls +- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain +- Add kill capability to openvswitch_t domain +- Label also compressed logs in /var/log for different services +- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522) +- Allow haproxy daemon to reexec itself. BZ(1447800) +- Allow conmand to use usb ttys. +- Allow openvswitch to run setfiles in setfiles_t domain. +- Allow openvswitch_t domain to read process data of neutron_t domains +- Fix typo in ipa_cert_filetrans_named_content() interface +- Fix typo bug in summary of xguest SELinux module +- Allow virtual machine with svirt_t label to stream connect to openvswitch. +- Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t +- Fixed typo httpd_sys_content_type should be httpd_user_content_type +- Fix for Snapper file context definitions for home directory. bz(1465729) +- Allow httpd_t domain to mmap httpd_user_content_t files. 
BZ(1494852) +- Add support for running certbot(letsencrypt) in crontab +- Allow nnp trasintion for unconfined_service_t +- Allow systemd_machined to read mock lib files. BZ(1504493) +- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081) +- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923) + * Tue Oct 17 2017 Lukas Vrabec - 3.13.1-283.11 - Fix for Snapper file context definitions for home directory. bz(1465729) - Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)