From b9bc43a953ad4e4aaf7fd5d68b2d9e8eeb47ed02 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 07 2017 11:32:34 +0000 Subject: * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280 - Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) - Fix denials during ipa-server-install process on F27+ - Allow httpd_t to mmap cert_t - Add few rules to make tlp_t domain working in enforcing mode - Allow cloud_init_t to dbus chat with systemd_timedated_t - Allow logrotate_t to write to kmsg - Add capability kill to rhsmcertd_t - Allow winbind to manage smbd_tmp_t files - Allow groupadd_t domain to dbus chat with systemd.BZ(1488404) - Add interface miscfiles_map_generic_certs() --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 96dd93e..b1bd8aa 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4b9c6c9..b7cc288 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c3592a..5038ed0d5 100644 +index c44c3592a..cba535365 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2259,7 +2259,7 @@ index c44c3592a..5038ed0d5 100644 fs_getattr_xattr_fs(netutils_t) -@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t) +@@ -80,15 +86,19 @@ init_use_script_ptys(netutils_t) auth_use_nsswitch(netutils_t) 
@@ -2275,7 +2275,14 @@ index c44c3592a..5038ed0d5 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw }; ++ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t) ++') ++ ++optional_policy(` + nis_use_ypbind(netutils_t) + ') + +@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw }; allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; @@ -2289,7 +2296,7 @@ index c44c3592a..5038ed0d5 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t) +@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) @@ -2299,7 +2306,7 @@ index c44c3592a..5038ed0d5 100644 domain_use_interactive_fds(ping_t) -@@ -131,14 +139,14 @@ files_read_etc_files(ping_t) +@@ -131,14 +143,14 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) @@ -2318,7 +2325,7 @@ index c44c3592a..5038ed0d5 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +158,29 @@ ifdef(`hide_broken_symptoms',` optional_policy(` nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_pipes(ping_t) @@ -2348,7 +2355,7 @@ index c44c3592a..5038ed0d5 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +184,15 @@ optional_policy(` +@@ -161,6 +188,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') 
@@ -2364,7 +2371,7 @@ index c44c3592a..5038ed0d5 100644 ######################################## # # Traceroute local policy -@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -2372,7 +2379,7 @@ index c44c3592a..5038ed0d5 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -2380,7 +2387,7 @@ index c44c3592a..5038ed0d5 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -3182,7 +3189,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..d698fdd02 100644 +index 1d732f1e7..6a7c8001a 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3313,7 +3320,7 @@ index 1d732f1e7..d698fdd02 100644 dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; -@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t) +@@ -212,17 +236,18 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) 
@@ -3324,7 +3331,8 @@ index 1d732f1e7..d698fdd02 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t) + init_dontaudit_write_utmp(groupadd_t) ++init_dbus_chat(groupadd_t) domain_use_interactive_fds(groupadd_t) @@ -3334,7 +3342,7 @@ index 1d732f1e7..d698fdd02 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t) +@@ -232,14 +257,14 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) @@ -3351,7 +3359,7 @@ index 1d732f1e7..d698fdd02 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t) +@@ -251,6 +276,10 @@ userdom_use_unpriv_users_fds(groupadd_t) userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` @@ -3362,7 +3370,7 @@ index 1d732f1e7..d698fdd02 100644 dpkg_use_fds(groupadd_t) dpkg_rw_pipes(groupadd_t) ') -@@ -273,7 +301,7 @@ optional_policy(` +@@ -273,7 +302,7 @@ optional_policy(` # Passwd local policy # @@ -3371,7 +3379,7 @@ index 1d732f1e7..d698fdd02 100644 dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; -@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -288,6 +317,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -3379,7 +3387,7 @@ index 1d732f1e7..d698fdd02 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -296,6 +326,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) 
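Review bot: `++init_dbus_chat(groupadd_t)` in the usermanage.te hunk is an unconditional, uncommented grant, and init_dbus_chat() allows D-Bus send_msg in both directions between the domain and init_t, which is more than a local account tool obviously needs. The changelog ties it to ipa-server-install (BZ(1488404)), so put that next to the rule so the next audit does not have to dig: `# ipa-server-install: groupadd talks to systemd over D-Bus, BZ(1488404)`. The same interface is added for useradd_t in the `@@ -3566,7 +3574,7 @@` hunk and for rpm_script_t in the rpm.te hunk (`@@ -94636,9 +94679,10 @@`), and neither appears in the changelog, which lists only groupadd_t; add bullets or the same comment there. The groupadd local policy section starts and ends outside this hunk.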
@@ -3387,7 +3395,7 @@ index 1d732f1e7..d698fdd02 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t) +@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3424,7 +3432,7 @@ index 1d732f1e7..d698fdd02 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -338,12 +374,11 @@ init_use_fds(passwd_t) +@@ -338,12 +375,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -3438,7 +3446,7 @@ index 1d732f1e7..d698fdd02 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3459,7 +3467,7 @@ index 1d732f1e7..d698fdd02 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -362,7 +411,7 @@ optional_policy(` +@@ -362,7 +412,7 @@ optional_policy(` # Password admin local policy # @@ -3468,7 +3476,7 @@ index 1d732f1e7..d698fdd02 100644 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; -@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) 
@@ -3481,7 +3489,7 @@ index 1d732f1e7..d698fdd02 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3489,7 +3497,7 @@ index 1d732f1e7..d698fdd02 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3502,7 +3510,7 @@ index 1d732f1e7..d698fdd02 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,8 +492,10 @@ optional_policy(` +@@ -446,8 +493,10 @@ optional_policy(` # Useradd local policy # @@ -3515,7 +3523,7 @@ index 1d732f1e7..d698fdd02 100644 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; -@@ -461,6 +509,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3526,7 +3534,7 @@ index 1d732f1e7..d698fdd02 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +520,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) 
@@ -3566,7 +3574,7 @@ index 1d732f1e7..d698fdd02 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +549,7 @@ auth_rw_faillog(useradd_t) +@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3574,7 +3582,11 @@ index 1d732f1e7..d698fdd02 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,35 +560,38 @@ init_rw_utmp(useradd_t) + + init_use_fds(useradd_t) + init_rw_utmp(useradd_t) ++init_dbus_chat(useradd_t) + logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3624,7 +3636,7 @@ index 1d732f1e7..d698fdd02 100644 ') optional_policy(` -@@ -545,14 +600,27 @@ optional_policy(` +@@ -545,14 +602,27 @@ optional_policy(` ') optional_policy(` @@ -3652,7 +3664,7 @@ index 1d732f1e7..d698fdd02 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +630,12 @@ optional_policy(` +@@ -562,3 +632,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -42484,7 +42496,7 @@ index 9fe8e01e3..c62c76136 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc31b..e4b9a3bf0 100644 +index fc28bc31b..7ed7664fb 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` 
@@ -42515,7 +42527,33 @@ index fc28bc31b..e4b9a3bf0 100644 ## Read generic SSL certificates. ## ## -@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` +@@ -88,6 +109,25 @@ interface(`miscfiles_read_generic_certs',` + + ######################################## + ## ++## mmap generic SSL certificates. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_map_generic_certs',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ allow $1 cert_t:file map; ++') ++ ++######################################## ++## + ## Manage generic SSL certificates. + ## + ## +@@ -106,6 +146,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` ######################################## ## @@ -42540,7 +42578,7 @@ index fc28bc31b..e4b9a3bf0 100644 ## Manage generic SSL certificates. ## ## -@@ -121,7 +160,7 @@ interface(`miscfiles_manage_generic_cert_files',` +@@ -121,7 +179,7 @@ interface(`miscfiles_manage_generic_cert_files',` ') manage_files_pattern($1, cert_t, cert_t) @@ -42549,7 +42587,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',` +@@ -156,6 +214,26 @@ interface(`miscfiles_manage_cert_dirs',` ######################################## ## @@ -42576,7 +42614,7 @@ index fc28bc31b..e4b9a3bf0 100644 ## Manage SSL certificates. ## ## -@@ -191,6 +250,7 @@ interface(`miscfiles_read_fonts',` +@@ -191,6 +269,7 @@ interface(`miscfiles_read_fonts',` allow $1 fonts_t:dir list_dir_perms; read_files_pattern($1, fonts_t, fonts_t) @@ -42584,7 +42622,7 @@ index fc28bc31b..e4b9a3bf0 100644 read_lnk_files_pattern($1, fonts_t, fonts_t) allow $1 fonts_cache_t:dir list_dir_perms; -@@ -414,6 +474,7 @@ interface(`miscfiles_read_localization',` +@@ -414,6 +493,7 @@ interface(`miscfiles_read_localization',` allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) 
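Review bot: The new `miscfiles_map_generic_certs` interface grants only `cert_t:file map`; mapping a file also requires read on it, which this interface does not provide, so a domain that calls it alone still gets a read denial. Its description should say so and point at the companion interface, e.g. `## Map generic SSL certificates into memory. Grants only map; callers also need miscfiles_read_generic_certs().` The apache.te hunk (`@@ -6419,6 +6419,7 @@`) does exactly that by adding the call directly after `miscfiles_read_generic_certs(httpd_t)`, which is the pattern the doc should recommend.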
@@ -42592,7 +42630,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -434,6 +495,7 @@ interface(`miscfiles_rw_localization',` +@@ -434,6 +514,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) @@ -42600,7 +42638,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -453,6 +515,7 @@ interface(`miscfiles_relabel_localization',` +@@ -453,6 +534,7 @@ interface(`miscfiles_relabel_localization',` files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) @@ -42608,7 +42646,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -470,7 +533,6 @@ interface(`miscfiles_legacy_read_localization',` +@@ -470,7 +552,6 @@ interface(`miscfiles_legacy_read_localization',` type locale_t; ') @@ -42616,7 +42654,7 @@ index fc28bc31b..e4b9a3bf0 100644 allow $1 locale_t:file execute; ') -@@ -531,6 +593,10 @@ interface(`miscfiles_read_man_pages',` +@@ -531,6 +612,10 @@ interface(`miscfiles_read_man_pages',` allow $1 { man_cache_t man_t }:dir list_dir_perms; read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) @@ -42627,7 +42665,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -554,6 +620,29 @@ interface(`miscfiles_delete_man_pages',` +@@ -554,6 +639,29 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) 
@@ -42657,7 +42695,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -622,6 +711,30 @@ interface(`miscfiles_manage_man_cache',` +@@ -622,6 +730,30 @@ interface(`miscfiles_manage_man_cache',` ######################################## ## @@ -42688,7 +42726,7 @@ index fc28bc31b..e4b9a3bf0 100644 ## Read public files used for file ## transfer services. ## -@@ -784,8 +897,11 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -784,8 +916,11 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') @@ -42702,7 +42740,7 @@ index fc28bc31b..e4b9a3bf0 100644 ') ######################################## -@@ -809,3 +925,61 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 59f9fbf..9809300 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5579,7 +5579,7 @@ index f6eb4851f..fe461a3fc 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962b6..6dd10dd7d 100644 +index 6649962b6..a6b4312e6 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6297,7 +6297,7 @@ index 6649962b6..6dd10dd7d 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +570,177 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +570,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
@@ -6419,6 +6419,7 @@ index 6649962b6..6dd10dd7d 100644 miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) ++miscfiles_map_generic_certs(httpd_t) miscfiles_read_tetex_data(httpd_t) - -seutil_dontaudit_search_config(httpd_t) @@ -6539,7 +6540,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +751,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6599,7 +6600,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +803,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6702,7 +6703,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +862,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6783,7 +6784,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -749,24 +915,32 @@ optional_policy(` +@@ -749,24 +916,32 @@ optional_policy(` ') optional_policy(` @@ -6822,7 +6823,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -775,6 +949,10 @@ optional_policy(` +@@ -775,6 +950,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6833,7 +6834,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -786,35 +964,62 @@ optional_policy(` +@@ -786,35 +965,62 @@ optional_policy(` ') optional_policy(` 
@@ -6909,7 +6910,7 @@ index 6649962b6..6dd10dd7d 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1027,31 @@ optional_policy(` +@@ -822,8 +1028,31 @@ optional_policy(` ') optional_policy(` @@ -6941,7 +6942,7 @@ index 6649962b6..6dd10dd7d 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1060,8 @@ optional_policy(` +@@ -832,6 +1061,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6950,7 +6951,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -842,20 +1072,48 @@ optional_policy(` +@@ -842,20 +1073,48 @@ optional_policy(` ') optional_policy(` @@ -7005,7 +7006,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -863,16 +1121,31 @@ optional_policy(` +@@ -863,16 +1122,31 @@ optional_policy(` ') optional_policy(` @@ -7039,7 +7040,7 @@ index 6649962b6..6dd10dd7d 100644 ') optional_policy(` -@@ -883,65 +1156,189 @@ optional_policy(` +@@ -883,65 +1157,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7251,7 +7252,7 @@ index 6649962b6..6dd10dd7d 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1347,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1348,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7405,7 +7406,7 @@ index 6649962b6..6dd10dd7d 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1432,107 @@ optional_policy(` +@@ -1083,172 +1433,107 @@ optional_policy(` ') ') @@ -7643,7 +7644,7 @@ index 6649962b6..6dd10dd7d 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1540,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1541,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
@@ -7741,7 +7742,7 @@ index 6649962b6..6dd10dd7d 100644 ######################################## # -@@ -1321,8 +1615,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1616,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7758,7 +7759,7 @@ index 6649962b6..6dd10dd7d 100644 ') ######################################## -@@ -1330,49 +1631,41 @@ optional_policy(` +@@ -1330,49 +1632,41 @@ optional_policy(` # User content local policy # @@ -7825,7 +7826,7 @@ index 6649962b6..6dd10dd7d 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1675,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1676,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9912,7 +9913,7 @@ index 531a8f244..3fcf18722 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 124112346..73543d306 100644 +index 124112346..57a8b4484 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9991,7 +9992,7 @@ index 124112346..73543d306 100644 corenet_tcp_bind_rndc_port(named_t) corenet_tcp_sendrecv_rndc_port(named_t) -@@ -141,9 +150,13 @@ corenet_sendrecv_all_client_packets(named_t) +@@ -141,13 +150,18 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) @@ -10005,7 +10006,12 @@ index 124112346..73543d306 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +188,19 @@ tunable_policy(`named_write_master_zones',` + files_read_etc_runtime_files(named_t) ++files_mmap_usr_files(named_t) + + fs_getattr_all_fs(named_t) + fs_search_auto_mountpoints(named_t) +@@ -175,6 +189,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` 
@@ -10025,7 +10031,7 @@ index 124112346..73543d306 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +213,17 @@ optional_policy(` +@@ -187,7 +214,17 @@ optional_policy(` ') optional_policy(` @@ -10043,7 +10049,7 @@ index 124112346..73543d306 100644 kerberos_use(named_t) ') -@@ -214,8 +250,9 @@ optional_policy(` +@@ -214,8 +251,9 @@ optional_policy(` # NDC local policy # @@ -10055,7 +10061,7 @@ index 124112346..73543d306 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +266,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +267,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -10067,7 +10073,7 @@ index 124112346..73543d306 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +278,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +279,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -10077,7 +10083,7 @@ index 124112346..73543d306 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +296,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +297,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -14802,10 +14808,10 @@ index 000000000..55fe0d668 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 000000000..21e6ae757 +index 000000000..73f3eb8a0 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,249 @@ +@@ -0,0 +1,250 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -14913,6 +14919,7 @@ index 000000000..21e6ae757 +selinux_validate_context(cloud_init_t) + +systemd_dbus_chat_hostnamed(cloud_init_t) ++systemd_dbus_chat_timedated(cloud_init_t) +systemd_exec_systemctl(cloud_init_t) +systemd_start_all_services(cloud_init_t) + 
@@ -25774,10 +25781,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..22cafcd43 +index 000000000..86c5021d6 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,207 @@ +@@ -0,0 +1,211 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25942,6 +25949,10 @@ index 000000000..22cafcd43 + systemd_manage_passwd_run(dirsrv_t) +') + ++optional_policy(` ++ rolekit_read_tmp(dirsrv_t) ++') ++ +######################################## +# +# dirsrv-snmp local policy @@ -39954,10 +39965,10 @@ index 000000000..d611c53d4 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 000000000..28955ddc0 +index 000000000..99cb86250 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,275 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -40154,6 +40165,8 @@ index 000000000..28955ddc0 + +dev_read_rand(ipa_dnskey_t) + ++can_exec(ipa_dnskey_t,ipa_dnskey_exec_t) ++ +libs_exec_ldconfig(ipa_dnskey_t) + +logging_send_syslog_msg(ipa_dnskey_t) @@ -47356,7 +47369,7 @@ index 2a491d96c..3399d597a 100644 + virt_dgram_send(lldpad_t) +') diff --git a/loadkeys.te b/loadkeys.te -index d2f464375..c8e6b37b0 100644 +index d2f464375..ecbfa88ff 100644 --- a/loadkeys.te +++ b/loadkeys.te @@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) @@ -47383,6 +47396,15 @@ index d2f464375..c8e6b37b0 100644 userdom_list_user_home_content(loadkeys_t) ifdef(`hide_broken_symptoms',` +@@ -52,3 +51,8 @@ optional_policy(` + optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) + ') ++ ++optional_policy(` ++ sssd_read_public_files(loadkeys_t) ++ sssd_stream_connect(loadkeys_t) ++') diff --git a/lockdev.if b/lockdev.if index 4313b8bc0..cd1435cdf 100644 --- a/lockdev.if @@ -47493,7 +47515,7 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84b3..0129ddb61 100644 +index be0ab84b3..882160882 100644 --- a/logrotate.te +++ b/logrotate.te 
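Review bot: `can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)` in the ipa.te hunk drops the space after the comma that every other multi-argument call in this patch uses (for example `read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t)` in the rolekit.if hunk); write it as `can_exec(ipa_dnskey_t, ipa_dnskey_exec_t)`. A why-comment would also help, because a can_exec on the domain's own entrypoint type reads like a stray rule unless one knows the daemon re-executes itself, e.g. `# the ipa_dnskey daemon re-executes its own binary; no domain transition wanted — confirm`. In the dirsrv.te hunk, the new `rolekit_read_tmp(dirsrv_t)` depends on `rolekit_tmp_t` being declared in rolekit.te, which this commit leaves untouched (its header only appears as context after the rolekit.if hunk); presumably it already is, since the interface's gen_require would otherwise fail the build. The loadkeys.te additions `sssd_read_public_files(loadkeys_t)` and `sssd_stream_connect(loadkeys_t)`, and the `files_mmap_usr_files(named_t)` rule in the bind.te hunk (`@@ -9991,7 +9992,7 @@`), are not reflected in the changelog.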
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -47568,7 +47590,7 @@ index be0ab84b3..0129ddb61 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -47591,6 +47613,7 @@ index be0ab84b3..0129ddb61 100644 +dev_read_urand(logrotate_t) +dev_read_sysfs(logrotate_t) ++dev_write_kmsg(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_all_fs(logrotate_t) @@ -47627,7 +47650,7 @@ index be0ab84b3..0129ddb61 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +135,57 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -47691,7 +47714,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -135,16 +200,17 @@ optional_policy(` +@@ -135,16 +201,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -47711,7 +47734,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -170,6 +236,11 @@ optional_policy(` +@@ -170,6 +237,11 @@ optional_policy(` ') optional_policy(` @@ -47723,7 +47746,7 @@ index be0ab84b3..0129ddb61 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +249,8 @@ optional_policy(` +@@ -178,7 +250,8 @@ optional_policy(` ') optional_policy(` @@ -47733,7 +47756,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -198,17 +270,18 @@ optional_policy(` +@@ -198,17 +271,18 @@ optional_policy(` ') optional_policy(` 
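Review bot: `++dev_write_kmsg(logrotate_t)` in the logrotate.te hunk (`@@ -47568,7 +47590,7 @@`) grants unconditional write access to the kernel log device with no comment on which rotation step needs it. Anything written to /dev/kmsg shows up in dmesg, so from a log-integrity point of view a grant like this should be traceable to a concrete trigger; add `# /dev/kmsg write: needed by <which rotation step or postrotate script — fill in> (3.13.1-280)` above the rule. If the denial stems from a postrotate script rather than logrotate itself, a transition for that script would be the narrower fix, and if it is only audit noise a dontaudit variant would be narrower still. The logrotate local policy section starts and ends outside this hunk.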
@@ -47755,7 +47778,7 @@ index be0ab84b3..0129ddb61 100644 ') optional_policy(` -@@ -216,6 +289,14 @@ optional_policy(` +@@ -216,6 +290,14 @@ optional_policy(` ') optional_policy(` @@ -47770,7 +47793,7 @@ index be0ab84b3..0129ddb61 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +309,50 @@ optional_policy(` +@@ -228,26 +310,50 @@ optional_policy(` ') optional_policy(` @@ -91002,7 +91025,7 @@ index 6dbc905b3..4b17c933e 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a279..75b615f81 100644 +index d32e1a279..b79ae3194 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -91015,11 +91038,13 @@ index d32e1a279..75b615f81 100644 type rhsmcertd_var_lib_t; files_type(rhsmcertd_var_lib_t) -@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t) +@@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t) + # Local policy # - allow rhsmcertd_t self:capability sys_nice; +-allow rhsmcertd_t self:capability sys_nice; -allow rhsmcertd_t self:process { signal setsched }; ++allow rhsmcertd_t self:capability { kill sys_nice }; +allow rhsmcertd_t self:process { signal_perms setsched }; + allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; @@ -92077,10 +92102,10 @@ index 000000000..504b6e13e +/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0) diff --git a/rolekit.if b/rolekit.if new file mode 100644 -index 000000000..b11fb8f6d +index 000000000..df5e3338c --- /dev/null +++ b/rolekit.if -@@ -0,0 +1,120 @@ +@@ -0,0 +1,138 @@ +## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. + +######################################## 
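Review bot: The rhsmcertd.te hunk replaces `allow rhsmcertd_t self:capability sys_nice;` with `{ kill sys_nice }` without saying which process rhsmcertd must signal across a uid boundary, which is the case where CAP_KILL matters. The hunk also changes the self process rule to `signal_perms`, but signalling another domain would need a process rule on that target as well, so either such a rule exists outside this hunk or the capability is unused — hard to tell from here. A comment above the rule, `# kill: rhsmcertd signals <target process — fill in>, which runs under a different uid`, would settle it for the next reviewer. The rhsmcertd local policy section continues outside this hunk.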
@@ -92201,6 +92226,24 @@ index 000000000..b11fb8f6d + systemd_read_fifo_file_passwd_run($1) + ') +') ++ ++######################################## ++## ++## Allow domain to read rolekit tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rolekit_read_tmp',` ++ gen_require(` ++ type rolekit_tmp_t; ++ ') ++ ++ read_files_pattern($1, rolekit_tmp_t, rolekit_tmp_t) ++') diff --git a/rolekit.te b/rolekit.te new file mode 100644 index 000000000..da944537b @@ -94260,7 +94303,7 @@ index ef3b22507..79518530e 100644 admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) diff --git a/rpm.te b/rpm.te -index 6fc360e60..2f24b1e0c 100644 +index 6fc360e60..219964375 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -94603,7 +94646,7 @@ index 6fc360e60..2f24b1e0c 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,73 +331,130 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -94636,9 +94679,10 @@ index 6fc360e60..2f24b1e0c 100644 +init_manage_transient_unit(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) - -+systemd_config_all_services(rpm_script_t) ++init_dbus_chat(rpm_script_t) + ++systemd_config_all_services(rpm_script_t) + libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -libs_run_ldconfig(rpm_script_t, rpm_roles) @@ -94753,7 +94797,7 @@ index 6fc360e60..2f24b1e0c 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +465,6 @@ optional_policy(` +@@ -409,6 +466,6 @@ optional_policy(` ') optional_policy(` @@ -96873,7 +96917,7 @@ index 50d07fb2e..a34db489c 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..c7a475130 100644 +index 2b7c441e7..5d52fba0f 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) 
@@ -98011,9 +98055,12 @@ index 2b7c441e7..c7a475130 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +972,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) + manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) + files_var_filetrans(winbind_t, samba_var_t, dir, "samba") - rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) ++manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) -# This needs a file context specification -allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; @@ -111369,10 +111416,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..f31ed95d7 +index 000000000..761cc35b0 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,80 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -111417,6 +111464,7 @@ index 000000000..f31ed95d7 +kernel_rw_fs_sysctls(tlp_t) +kernel_rw_kernel_sysctl(tlp_t) +kernel_rw_vm_sysctls(tlp_t) ++kernel_create_rpc_sysctls(tlp_t) + +auth_read_passwd(tlp_t) + @@ -111425,12 +111473,16 @@ index 000000000..f31ed95d7 +dev_list_sysfs(tlp_t) +dev_manage_sysfs(tlp_t) +dev_rw_cpu_microcode(tlp_t) ++dev_rw_wireless(tlp_t) + +files_read_kernel_modules(tlp_t) ++files_load_kernel_modules(tlp_t) + +modutils_exec_insmod(tlp_t) +modutils_read_module_config(tlp_t) + ++logging_send_syslog_msg(tlp_t) ++ +storage_raw_read_fixed_disk(tlp_t) +storage_raw_write_removable_device(tlp_t) + @@ -111438,6 +111490,7 @@ index 000000000..f31ed95d7 + +optional_policy(` + dbus_stream_connect_system_dbusd(tlp_t) ++ dbus_system_bus_client(tlp_t) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 1c03730..9635f28 100644 --- a/selinux-policy.spec 
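Review bot: `++files_load_kernel_modules(tlp_t)` in the tlp.te hunk (`@@ -111425,12 +111473,16 @@`) hands tlp_t the module_load permission itself, and combined with the `modutils_exec_insmod(tlp_t)` rule already in the file this means module loading now appears to run inside the power-management domain rather than in a dedicated modules domain. If tlp tolerates it, a domain transition to the insmod/kmod domain (one of the modutils_domtrans_* interfaces, if still present in this tree) keeps that kernel-level privilege out of tlp_t; if it does not, say why the direct grant is needed, e.g. `# tlp executes insmod in its own domain (modutils_exec_insmod above), so module_load is needed here`. `++kernel_create_rpc_sysctls(tlp_t)` in the preceding hunk (`@@ -111417,6 +111464,7 @@`) is an unusual grant for a power-management tool and the changelog bullet `Add few rules to make tlp_t domain working in enforcing mode` does not explain it; a comment naming the tlp feature that touches the RPC sysctls would help. The tlp local policy section continues beyond these hunks.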
+++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 279%{?dist} +Release: 280%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,18 @@ exit 0 %endif %changelog +* Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280 +- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) +- Fix denials during ipa-server-install process on F27+ +- Allow httpd_t to mmap cert_t +- Add few rules to make tlp_t domain working in enforcing mode +- Allow cloud_init_t to dbus chat with systemd_timedated_t +- Allow logrotate_t to write to kmsg +- Add capability kill to rhsmcertd_t +- Allow winbind to manage smbd_tmp_t files +- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404) +- Add interface miscfiles_map_generic_certs() + * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279 - Allow abrt_dump_oops_t to read sssd_public_t files - Allow cockpit_ws_t to mmap usr_t files