From bb6a1f3c7f55e691afee403d028749f30573cc43 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 24 2013 09:31:47 +0000 Subject: * Thu Oct 24 2013 Miroslav Grepl 3.12.1-93 - Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c23bf3e..6ef476e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -890,7 +890,7 @@ index 4705ab6..b7e7ea5 100644 +## +gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs -index 216b3d1..81bc8c4 100644 +index 216b3d1..275d3d9 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ @@ -971,7 +971,17 @@ index 216b3d1..81bc8c4 100644 mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -@@ -166,4 +165,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -135,6 +134,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d + mlsconstrain { db_tuple } { insert relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + ++mlsconstrain context contains ++ (( h1 dom h2 ) and ( l1 domby l2)); ++ + # Access control for any database objects based on MCS rules. + mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } + ( h1 dom h2 ); +@@ -166,4 +168,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -5426,7 +5436,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..dc853a1 100644 +index 4edc40d..9455a13 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) 
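Review bot: The new `mlsconstrain context contains (( h1 dom h2 ) and ( l1 domby l2));` in policy/mcs is the only constraint in this part of the file without the `( t1 != mcs_constrained_type )` escape that the neighbouring `process { signal }` rule carries, so it binds every domain on an MCS system, not only the mcs-constrained ones. If that is intended — it appears to be the same rule the MLS policy uses, requiring a context's range to lie inside the range of the process validating it — say so above it, e.g. `# A context is valid for a process only if its range lies within the process's own range; unlike the rules above this applies to all domains.` A comment is also needed because the rule is dropped between the db_tuple constraint and the "Access control for any database objects" heading, where a reader will take it for a database rule.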
@@ -5620,7 +5630,7 @@ index 4edc40d..dc853a1 100644 network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) -network_port(milter) # no defined portcon -+network_port(milter, tcp, 8891, s0) # no defined portcon ++network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) network_port(monopd, tcp,1234,s0) @@ -18117,7 +18127,7 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te new file mode 100644 -index 0000000..3175fd7 +index 0000000..63bc797 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.te @@ -0,0 +1,25 @@ @@ -18133,7 +18143,7 @@ index 0000000..3175fd7 + role sysadm_r; +') + -+userdom_admin_user_template(sysadm_t, sysadm_r) ++userdom_security_admin_template(sysadm_t, sysadm_r) + +####################################### +# @@ -18781,10 +18791,10 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..36f6ee2 +index 0000000..539c163 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,332 @@ +@@ -0,0 +1,328 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19103,10 +19113,6 @@ index 0000000..36f6ee2 +') + +optional_policy(` -+ usermanage_run_useradd(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) + virt_transition_svirt_sandbox(unconfined_t, unconfined_r) +') @@ -20611,7 +20617,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..1386603 100644 +index 5fc0391..692569b 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
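Review bot: The `# no defined portcon` trailer on the milter line in corenetwork.te.in now contradicts the rule, which declares portcons for tcp 8891 and tcp 8893. Either drop the comment or make it say which daemon is expected on the second port, e.g. `network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # 8891: milter; 8893: <daemon>`; every port listed here is reserved for milter_port_t system-wide, so whoever audits port labels later should not have to guess why 8893 joined it.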
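Review bot: Swapping `userdom_admin_user_template` for `userdom_security_admin_template` in sysadm_secadm.te turns sysadm_t into a security administrator (policy load, enforcing-mode changes, relabelling of shadow and of all files, per the template body elsewhere in this patch), and nothing in the module says that this is the point of installing it. Add a note above the call, e.g. `# Installing this module collapses the sysadm/secadm separation: sysadm_r gains full security-admin rights.`, so an MLS deployment that relies on a distinct secadm_r does not ship sysadm_secadm.pp by accident. The second argument must be the role the administrator actually logs in with, because the seutil_run_* rules inside the template are keyed on it; `sysadm_r` matches the `role sysadm_r;` require shown in this file.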
@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3) @@ -21101,7 +21107,7 @@ index 5fc0391..1386603 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +506,138 @@ optional_policy(` +@@ -331,3 +506,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -21112,8 +21118,10 @@ index 5fc0391..1386603 100644 +# + +allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid }; ++allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms; + +allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; ++allow ssh_dyntransition_domain sshd_t:fd use; + +optional_policy(` + ssh_rw_stream_sockets(ssh_dyntransition_domain) @@ -26361,20 +26369,28 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index fc38c9c..1c9f909 100644 +index fc38c9c..4740426 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te -@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t) +@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t) type getty_var_run_t; files_pid_file(getty_var_run_t) +type getty_unit_file_t; +systemd_unit_file(getty_unit_file_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mcs_systemhigh) ++') ++ ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(getty_t, getty_exec_t, mls_systemhigh) ++') ++ ######################################## # # Getty local policy -@@ -83,8 +86,11 @@ term_use_unallocated_ttys(getty_t) +@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t) term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) @@ -26386,7 +26402,7 @@ index fc38c9c..1c9f909 100644 init_rw_utmp(getty_t) init_use_script_ptys(getty_t) -@@ -94,7 +100,6 @@ locallogin_domtrans(getty_t) +@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t) logging_send_syslog_msg(getty_t) 
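Review bot: The two new attribute-wide rules in ssh.te, `allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms;` and `allow ssh_dyntransition_domain sshd_t:fd use;`, carry no explanation, and because they sit on an attribute every domain that opts into ssh dyntransition inherits them. Add a why-comment above the fd rule (presumably the dyntransitioned process is still the one sshd_t opened its descriptors in, so it must be allowed to keep using them — confirm), and if the dgram socket exists only for syslog, prefer `logging_send_syslog_msg(ssh_dyntransition_domain)` over a raw self rule so the devlog access is granted through the interface that owns it. The ssh_dyntransition_domain policy block continues outside the hunk.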
@@ -26394,7 +26410,7 @@ index fc38c9c..1c9f909 100644 ifdef(`distro_gentoo',` # Gentoo default /etc/issue makes agetty -@@ -113,7 +118,7 @@ ifdef(`distro_ubuntu',` +@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',` ') ') @@ -26403,20 +26419,20 @@ index fc38c9c..1c9f909 100644 # Support logging in from /dev/console term_use_console(getty_t) ',` -@@ -121,11 +126,15 @@ tunable_policy(`console_login',` +@@ -121,11 +134,15 @@ tunable_policy(`console_login',` ') optional_policy(` - mta_send_mail(getty_t) + hostname_exec(getty_t) -+') -+ -+optional_policy(` -+ lockdev_manage_files(getty_t) ') optional_policy(` - nscd_use(getty_t) ++ lockdev_manage_files(getty_t) ++') ++ ++optional_policy(` + mta_send_mail(getty_t) ') @@ -39578,7 +39594,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..9b2cdf7 100644 +index 3c5dba7..5b93224 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -42444,7 +42460,7 @@ index 3c5dba7..9b2cdf7 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4299,1533 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4299,1630 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -42665,7 +42681,7 @@ index 3c5dba7..9b2cdf7 100644 + ') + + allow $1 unpriv_userdomain:unix_dgram_socket sendto; -+') + ') + +###################################### +## @@ -43977,7 +43993,104 @@ index 3c5dba7..9b2cdf7 100644 + ubac_constrained($1_t) + + auth_use_nsswitch($1_t) - ') ++') ++ ++######################################## ++## ++## Allow user to run as a secadm ++## ++## ++##
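Review bot: The two `init_ranged_daemon_domain` blocks added to getty.te have no comment, and they are asymmetric — the MCS branch gives getty_t the range `s0 - mcs_systemhigh` while the MLS branch passes the single level `mls_systemhigh` — so a reader cannot tell whether the difference is deliberate. Add a why-comment above the pair, e.g. `# run getty at the full range so the logins it spawns can be placed at any level (presumably; confirm)`, and if the single-level MLS form intentionally mirrors how other ranged daemons are declared in this tree, state that as well rather than leaving it to be "fixed" into a range later. The rest of getty_t's local policy is outside this hunk.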

++## Create objects in a user home directory ++## with an automatic type transition to ++## a specified private type. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role of the object to create. ++## ++## ++# ++template(`userdom_security_admin_template',` ++ allow $1 self:capability { dac_read_search dac_override }; ++ ++ corecmd_exec_shell($1) ++ ++ domain_obj_id_change_exemption($1) ++ ++ dev_relabel_all_dev_nodes($1) ++ ++ files_create_boot_flag($1) ++ files_create_default_dir($1) ++ files_root_filetrans_default($1, dir) ++ ++ # Necessary for managing /boot/efi ++ fs_manage_dos_files($1) ++ ++ mls_process_read_up($1) ++ mls_file_read_all_levels($1) ++ mls_file_upgrade($1) ++ mls_file_downgrade($1) ++ ++ selinux_set_enforce_mode($1) ++ selinux_set_all_booleans($1) ++ selinux_set_parameters($1) ++ selinux_read_policy($1) ++ ++ files_relabel_all_files($1) ++ ++ auth_relabel_shadow($1) ++ ++ init_exec($1) ++ ++ logging_send_syslog_msg($1) ++ logging_read_audit_log($1) ++ logging_read_generic_logs($1) ++ logging_read_audit_config($1) ++ ++ seutil_manage_bin_policy($1) ++ seutil_manage_default_contexts($1) ++ seutil_manage_file_contexts($1) ++ seutil_manage_module_store($1) ++ seutil_manage_config($1) ++ seutil_manage_login_config($1) ++ seutil_run_checkpolicy($1,$2) ++ seutil_run_loadpolicy($1,$2) ++ seutil_run_semanage($1,$2) ++ seutil_run_setsebool($1,$2) ++ seutil_run_setfiles($1, $2) ++ ++ optional_policy(` ++ aide_run($1,$2) ++ ') ++ ++ optional_policy(` ++ consoletype_exec($1) ++ ') ++ ++ optional_policy(` ++ ipsec_run_setkey($1,$2) ++ ') ++ ++ optional_policy(` ++ netlabel_run_mgmt($1,$2) ++ ') ++ ++ optional_policy(` ++ samhain_run($1, $2) ++ ') ++') ++ diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index e2b538b..e0c6eeb 100644 --- a/policy/modules/system/userdomain.te diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 19aeacc..bc676e1 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
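Review bot: The interface documentation on `userdom_security_admin_template` is a copy-paste from a home-directory filetrans template: the description reads "Create objects in a user home directory with an automatic type transition to a specified private type" and the second parameter is "The role of the object to create", neither of which matches a template that hands out `selinux_set_enforce_mode`, `seutil_run_loadpolicy`, `auth_relabel_shadow`, `files_relabel_all_files` and `dac_override`. Replace the description with a sentence stating what is granted — the caller's domain becomes equivalent to a security administrator: it can switch enforcing mode, load and edit policy, relabel anything including the shadow file, and read the audit log — and describe `$2` as the role allowed to run the seutil_run_*/aide/samhain helpers. The doc should also say this is intended for the sysadm_secadm module only and must not be reachable from an unprivileged user template, since `$1` is a plain domain argument and nothing in the body restricts it. Minor style: `seutil_run_setfiles($1, $2)` and `samhain_run($1, $2)` put a space after the comma while the neighbouring calls do not.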
@@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..e84c56d 100644 +index 1a82e29..d0d7c0b 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -6066,7 +6066,7 @@ index 1a82e29..e84c56d 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1074,172 @@ optional_policy(` +@@ -877,65 +1074,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6077,6 +6077,7 @@ index 1a82e29..e84c56d 100644 +') + +optional_policy(` ++ zoneminder_append_log(httpd_t) + zoneminder_manage_lib_dirs(httpd_t) + zoneminder_manage_lib_files(httpd_t) + zoneminder_stream_connect(httpd_t) @@ -6261,7 +6262,7 @@ index 1a82e29..e84c56d 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6416,7 +6417,7 @@ index 1a82e29..e84c56d 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1332,104 @@ optional_policy(` +@@ -1077,172 +1333,104 @@ optional_policy(` ') ') @@ -6652,7 +6653,7 @@ index 1a82e29..e84c56d 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1437,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6749,7 +6750,7 @@ index 1a82e29..e84c56d 100644 ######################################## # -@@ -1315,8 +1512,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` 
@@ -6766,7 +6767,7 @@ index 1a82e29..e84c56d 100644 ') ######################################## -@@ -1324,49 +1528,38 @@ optional_policy(` +@@ -1324,49 +1529,38 @@ optional_policy(` # User content local policy # @@ -6831,7 +6832,7 @@ index 1a82e29..e84c56d 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1569,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1570,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -21897,6 +21898,369 @@ index ef36d73..fddd51f 100644 sysnet_dns_name_resolve(dnssec_triggerd_t) sysnet_manage_config(dnssec_triggerd_t) sysnet_etc_filetrans_config(dnssec_triggerd_t) +diff --git a/docker.fc b/docker.fc +new file mode 100644 +index 0000000..484dd44 +--- /dev/null ++++ b/docker.fc +@@ -0,0 +1,12 @@ ++/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) ++ ++/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) ++ ++/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) ++ ++/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) ++/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) ++ ++/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) ++ ++/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0) +\ No newline at end of file +diff --git a/docker.if b/docker.if +new file mode 100644 +index 0000000..097c75c +--- /dev/null ++++ b/docker.if +@@ -0,0 +1,202 @@ ++ ++## policy for docker ++ ++######################################## ++## ++## Execute TEMPLATE in the docker domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`docker_domtrans',` ++ gen_require(` ++ type docker_t, docker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, docker_exec_t, docker_t) ++') ++ ++######################################## ++## ++## Search docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_search_lib',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ allow $1 docker_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read docker lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`docker_read_lib_files',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Manage docker lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_manage_lib_files',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Manage docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_manage_lib_dirs',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Read docker PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_pid_files',` ++ gen_require(` ++ type docker_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, docker_var_run_t, docker_var_run_t) ++') ++ ++######################################## ++## ++## Execute docker server in the docker domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`docker_systemctl',` ++ gen_require(` ++ type docker_t; ++ type docker_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 docker_unit_file_t:file read_file_perms; ++ allow $1 docker_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, docker_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an docker environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`docker_admin',` ++ gen_require(` ++ type docker_t; ++ type docker_var_lib_t; ++ type docker_var_run_t; ++ type docker_unit_file_t; ++ ') ++ ++ allow $1 docker_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, docker_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, docker_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, docker_var_run_t) ++ ++ docker_systemctl($1) ++ admin_pattern($1, docker_unit_file_t) ++ allow $1 docker_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') ++ ++######################################## ++## ++## Read and write docker shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_rw_sem',` ++ gen_require(` ++ type docker_t; ++ ') ++ ++ allow $1 docker_t:sem rw_sem_perms; ++') +diff --git a/docker.te b/docker.te +new file mode 100644 +index 0000000..939365d +--- /dev/null ++++ b/docker.te +@@ -0,0 +1,130 @@ ++policy_module(docker, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type docker_t; ++type docker_exec_t; ++init_daemon_domain(docker_t, docker_exec_t) ++ ++type docker_var_lib_t; ++files_type(docker_var_lib_t) ++ ++type docker_log_t; ++logging_log_file(docker_log_t) ++ ++type docker_tmp_t; ++files_tmp_file(docker_tmp_t) ++ ++type docker_var_run_t; ++files_pid_file(docker_var_run_t) ++ ++type docker_unit_file_t; ++systemd_unit_file(docker_unit_file_t) ++ ++######################################## ++# ++# docker local policy ++# ++allow docker_t self:capability { chown fowner fsetid mknod net_admin }; ++allow docker_t self:process signal_perms; ++allow docker_t self:fifo_file rw_fifo_file_perms; ++allow docker_t self:unix_stream_socket create_stream_socket_perms; ++allow docker_t self:capability2 block_suspend; ++ ++manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) ++manage_files_pattern(docker_t, 
docker_log_t, docker_log_t) ++manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) ++logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_read_system_state(docker_t) ++kernel_read_network_state(docker_t) ++kernel_read_all_sysctls(docker_t) ++ ++domain_use_interactive_fds(docker_t) ++ ++corecmd_exec_bin(docker_t) ++corecmd_exec_shell(docker_t) ++ ++corenet_tcp_bind_generic_node(docker_t) ++ ++files_read_etc_files(docker_t) ++ ++fs_read_cgroup_files(docker_t) ++ ++auth_use_nsswitch(docker_t) ++ ++miscfiles_read_localization(docker_t) ++ ++mount_domtrans(docker_t) ++ ++sysnet_dns_name_resolve(docker_t) ++ ++optional_policy(` ++ fstools_domtrans(docker_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(docker_t) ++') ++ ++# ++# lxc rules ++# ++ ++allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; ++allow docker_t self:process setsched; ++allow docker_t 
self:netlink_route_socket nlmsg_write; ++allow docker_t self:unix_dgram_socket create_socket_perms; ++ ++allow docker_t docker_var_lib_t:dir mounton; ++ ++kernel_setsched(docker_t) ++ ++dev_getattr_all_blk_files(docker_t) ++dev_read_urand(docker_t) ++ ++files_manage_isid_type_dirs(docker_t) ++files_manage_isid_type_files(docker_t) ++files_manage_isid_type_symlinks(docker_t) ++files_manage_isid_type_chr_files(docker_t) ++files_exec_isid_files(docker_t) ++files_mounton_isid(docker_t) ++files_mounton_non_security(docker_t) ++ ++fs_mount_all_fs(docker_t) ++fs_unmount_all_fs(docker_t) ++fs_remount_all_fs(docker_t) ++fs_manage_cgroup_dirs(docker_t) ++fs_manage_cgroup_files(docker_t) ++ ++term_use_generic_ptys(docker_t) ++term_use_ptmx(docker_t) ++term_getattr_pty_fs(docker_t) ++ ++dev_read_lvm_control(docker_t) ++ ++gen_require(` ++type lvm_t; ++') ++docker_rw_sem(lvm_t) diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 --- a/dovecot.fc @@ -51749,7 +52113,7 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..fdc4a03 +index 0000000..e03de01 --- /dev/null +++ b/openshift.if @@ -0,0 +1,700 @@ @@ -52032,7 +52396,7 @@ index 0000000..fdc4a03 + + files_search_var_lib($1) + read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) +') + +######################################## @@ -54717,7 +55081,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..ba2f9bb 100644 +index 7bcf327..c1e0a6f 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ 
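Review bot: The trailing block of docker.te uses a bare top-level `gen_require(` type lvm_t; ')` followed by `docker_rw_sem(lvm_t)`, which makes the docker module fail to load whenever the lvm module is absent and writes a rule about another module's domain from inside docker.te; wrap it as `optional_policy(` gen_require(` type lvm_t; ') docker_rw_sem(lvm_t) ')` or, better, put `optional_policy(` docker_rw_sem(lvm_t) ')` in lvm.te. The interface itself is misdocumented: `docker_rw_sem` says "Read and write docker shared memory" but grants `docker_t:sem rw_sem_perms`, i.e. SysV semaphores, so the summary should read "Read and write docker semaphores"; likewise `docker_domtrans` still says "Execute TEMPLATE in the docker domin." from the generator template. Separately, docker_t receives `sys_admin sys_boot dac_override setpcap sys_ptrace`, `fs_mount_all_fs`, the `files_manage_isid_type_*` set, `corecmd_exec_shell` and transitions into mount, fstools and iptables, which makes it roughly root-equivalent on the host; a header comment saying so would stop someone later adding a docker_domtrans or socket-connect interface for an unprivileged domain without realising what it hands over.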
@@ -54741,7 +55105,7 @@ index 7bcf327..ba2f9bb 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,260 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,262 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -54862,9 +55226,11 @@ index 7bcf327..ba2f9bb 100644 + +###################################### +# -+# pegasus openlmi networking local policy ++# pegasus openlmi services local policy +# + ++allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms; ++ +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_services_t) +') @@ -54875,12 +55241,12 @@ index 7bcf327..ba2f9bb 100644 + +###################################### +# -+# pegasus openlmi networking local policy ++# pegasus openlmi system (networking) local policy +# + +allow pegasus_openlmi_system_t self:capability { net_admin }; + -+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;; ++allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms; + +kernel_read_network_state(pegasus_openlmi_system_t) + @@ -55007,7 +55373,7 @@ index 7bcf327..ba2f9bb 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +293,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +295,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -55038,7 +55404,7 @@ index 7bcf327..ba2f9bb 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +319,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +321,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) 
@@ -55071,7 +55437,7 @@ index 7bcf327..ba2f9bb 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +347,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +349,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -55079,7 +55445,7 @@ index 7bcf327..ba2f9bb 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +362,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +364,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -55111,7 +55477,7 @@ index 7bcf327..ba2f9bb 100644 ') optional_policy(` -@@ -151,16 +392,24 @@ optional_policy(` +@@ -151,16 +394,24 @@ optional_policy(` ') optional_policy(` @@ -55140,7 +55506,7 @@ index 7bcf327..ba2f9bb 100644 ') optional_policy(` -@@ -168,7 +417,7 @@ optional_policy(` +@@ -168,7 +419,7 @@ optional_policy(` ') optional_policy(` @@ -73104,7 +73470,7 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d34cdec..33f56c0 100644 +index d34cdec..15d7ca6 100644 --- a/rlogin.te +++ b/rlogin.te @@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) @@ -73134,15 +73500,16 @@ index d34cdec..33f56c0 100644 corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) corenet_udp_sendrecv_generic_if(rlogind_t) -@@ -58,6 +58,7 @@ corenet_tcp_sendrecv_generic_node(rlogind_t) +@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t) corenet_udp_sendrecv_generic_node(rlogind_t) corenet_tcp_sendrecv_all_ports(rlogind_t) corenet_udp_sendrecv_all_ports(rlogind_t) +corenet_tcp_bind_rlogin_port(rlogind_t) ++corenet_tcp_bind_rlogind_port(rlogind_t) dev_read_urand(rlogind_t) -@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t) +@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) 
@@ -73150,7 +73517,7 @@ index d34cdec..33f56c0 100644 auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t) +@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t) logging_send_syslog_msg(rlogind_t) @@ -79374,10 +79741,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..23af146 +index 0000000..710df6b --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,482 @@ +@@ -0,0 +1,483 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -79391,7 +79758,8 @@ index 0000000..23af146 +files_type(sandbox_exec_t) + +type sandbox_file_t, sandbox_file_type; -+files_type(sandbox_file_t) ++userdom_user_home_content(sandbox_file_t) ++ +typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t }; + +######################################## @@ -88659,7 +89027,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index c93c973..4ec1eb0 100644 +index c93c973..60f4ce9 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) @@ -88667,7 +89035,7 @@ index c93c973..4ec1eb0 100644 # -allow tgtd_t self:capability sys_resource; -+allow tgtd_t self:capability { dac_override sys_resource sys_rawio sys_admin }; ++allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin }; allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index cb66d04..b13826e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 92%{?dist} +Release: 93%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
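Review bot: Replacing `files_type(sandbox_file_t)` with `userdom_user_home_content(sandbox_file_t)` in sandboxX.te widens who can reach sandbox files: presumably the type now carries the user-home-content attribute, so every domain given blanket access to user home content through the userdom_*_user_home_content_* interfaces gains the same access to sandbox_file_t, which before was only reachable by rules naming it explicitly. If the goal is only to let the user's own domain and the sandbox share files under $HOME, check whether the userdom interfaces sandboxX.te already calls are sufficient, and in any case add a comment above the call, e.g. `# sandbox files live in the user's home; mark them user home content so home-content interfaces apply to them`, because the line is easy to misread as a no-op relabel. The aliases on the following line (`sandbox_x_file_t` etc.) pick up the new attribute too, which is probably intended but worth stating.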
@@ -572,6 +572,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 24 2013 Miroslav Grepl 3.12.1-93 +- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp + * Tue Oct 22 2013 Miroslav Grepl 3.12.1-92 - Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t