From bc46371d779e09aa1196226b92bc116b30d701b1 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 29 2016 13:40:40 +0000 Subject: * Tue Nov 29 2016 Lukas Vrabec - 3.13.1-227 - Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) - Allow pmie daemon to send signal pcmd daemon BZ(1398078) - Allow spamd_t to manage /var/spool/mail. BZ(1398437) - Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254) - Merge pull request #171 from t-woerner/rawhide-contrib - Allow firewalld to getattr open search read modules_object_t:dir - Allow systemd create /dev/log in own mount-namespace. BZ(1383867) - Add interface fs_dontaudit_getattr_nsfs_files() - Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853) - Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 9633bb7..3472067 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e01d341..fbb472a 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -18132,7 +18132,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..ca45838 100644 +index 8416beb..b38387e 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18631,7 +18631,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',` ## ## # @@ -18737,6 +18737,7 @@ index 8416beb..ca45838 100644 -# -interface(`fs_exec_fusefs_files',` - gen_require(` +- type fusefs_t; +## +##

+## Execute a file on a FUSE filesystem @@ -18770,86 +18771,34 @@ index 8416beb..ca45838 100644 +interface(`fs_ecryptfs_domtrans',` + gen_require(` + type ecryptfs_t; -+ ') -+ -+ allow $1 ecryptfs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, ecryptfs_t, $2) -+') -+ -+######################################## -+##

-+## Mount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mount_fusefs',` -+ gen_require(` - type fusefs_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:filesystem mount; ++ allow $1 ecryptfs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, ecryptfs_t, $2) ') ######################################## ## -## Create, read, write, and delete files -+## Unmount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_unmount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Mounton a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir mounton; -+') -+ -+######################################## -+## -+## Search directories - ## on a FUSEFS filesystem. +-## on a FUSEFS filesystem. ++## Mount a FUSE filesystem. ## ## -@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',` + ## + ## Domain allowed access. + ## ## - ## +-## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_search_fusefs',` ++interface(`fs_mount_fusefs',` gen_require(` type fusefs_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir search_dir_perms; ++ allow $1 fusefs_t:filesystem mount; ') ######################################## @@ -18857,79 +18806,96 @@ index 8416beb..ca45838 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. ++## Unmount a FUSE filesystem. ## ## ## -@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_dontaudit_list_fusefs',` ++interface(`fs_unmount_fusefs',` gen_require(` type fusefs_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ dontaudit $1 fusefs_t:dir list_dir_perms; ++ allow $1 fusefs_t:filesystem unmount; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. ++## Mounton a FUSEFS filesystem. ## ## ## - ## Domain allowed access. +@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## -+## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_manage_fusefs_dirs',` ++interface(`fs_mounton_fusefs',` gen_require(` type fusefs_t; ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir manage_dir_perms; ++ allow $1 fusefs_t:dir mounton; ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Do not audit attempts to create, read, -+## write, and delete directories ++## Search directories +## on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## ++## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_dontaudit_manage_fusefs_dirs',` ++interface(`fs_search_fusefs',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem getattr; -+ dontaudit $1 fusefs_t:dir manage_dir_perms; ++ allow $1 fusefs_t:dir search_dir_perms; ') ######################################## ## -## List hugetlbfs. -+## Read, a FUSEFS filesystem. ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_list_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete directories ++## on a FUSEFS filesystem. ## ## ## @@ -18939,20 +18905,40 @@ index 8416beb..ca45838 100644 +## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_read_fusefs_files',` ++interface(`fs_manage_fusefs_dirs',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ read_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## -## Manage hugetlbfs dirs. -+## Execute files on a FUSEFS filesystem. ++## Do not audit attempts to create, read, ++## write, and delete directories ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_manage_fusefs_dirs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Read, a FUSEFS filesystem. ## ## ## @@ -18962,38 +18948,37 @@ index 8416beb..ca45838 100644 +## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_exec_fusefs_files',` ++interface(`fs_read_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ exec_files_pattern($1, fusefs_t, fusefs_t) ++ read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Read and write hugetlbfs files. -+## Make general progams in FUSEFS an entrypoint for -+## the specified domain. ++## Execute files on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## The domain for which fusefs_t is an entrypoint. + ## Domain allowed access. ## ## ++## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_fusefs_entry_type',` ++interface(`fs_exec_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ domain_entry_file($1, fusefs_t) ++ exec_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## @@ -19011,94 +18996,93 @@ index 8416beb..ca45838 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_fusefs_entrypoint',` ++interface(`fs_fusefs_entry_type',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 fusefs_t:file entrypoint; ++ domain_entry_file($1, fusefs_t) ') ######################################## ## -## Search inotifyfs filesystem. -+## Create, read, write, and delete files -+## on a FUSEFS filesystem. ++## Make general progams in FUSEFS an entrypoint for ++## the specified domain. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## The domain for which fusefs_t is an entrypoint. ## ## -+## # -interface(`fs_search_inotifyfs',` -+interface(`fs_manage_fusefs_files',` ++interface(`fs_fusefs_entrypoint',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ manage_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:file entrypoint; ') ######################################## ## -## List inotifyfs filesystem. -+## Do not audit attempts to create, -+## read, write, and delete files ++## Create, read, write, and delete files +## on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## ++## # -interface(`fs_list_inotifyfs',` -+interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 fusefs_t:file manage_file_perms; ++ manage_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Read symbolic links on a FUSEFS filesystem. ++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',` ## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_read_fusefs_symlinks',` ++interface(`fs_dontaudit_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ dontaudit $1 fusefs_t:file manage_file_perms; ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Manage symbolic links on a FUSEFS filesystem. ++## Read symbolic links on a FUSEFS filesystem. ## ## ## @@ -19107,6 +19091,27 @@ index 8416beb..ca45838 100644 ## -## +# ++interface(`fs_read_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## + ## +-## The type of the object to be created. ++## Domain allowed access. + ## + ## +-## ++# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` + type fusefs_t; @@ -19141,84 +19146,93 @@ index 8416beb..ca45838 100644 +## +## ## --## The type of the object to be created. +-## The object class of the object being created. +## Domain allowed to transition. ## ## --## +-## +## ## --## The object class of the object being created. +-## The name of the object being created. +## The type of the new process. ## ## --## -+# + # +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_fusefs_domtrans',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Get the attributes of a FUSEFS filesystem. -+## -+## + ## + ## ## --## The name of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## +## # --interface(`fs_hugetlbfs_filetrans',` +-interface(`fs_mount_iso9660_fs',` +interface(`fs_getattr_fusefs',` gen_require(` -- type hugetlbfs_t; +- type iso9660_t; + type fusefs_t; ') -- allow $2 hugetlbfs_t:filesystem associate; -- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) +- allow $1 iso9660_t:filesystem mount; + allow $1 fusefs_t:filesystem getattr; ') ######################################## ## --## Mount an iso9660 filesystem, which --## is usually used on CDs. +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. +## Get the attributes of an hugetlbfs +## filesystem. ## ## ## -@@ -2214,19 +2588,681 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',` ## ## # --interface(`fs_mount_iso9660_fs',` +-interface(`fs_remount_iso9660_fs',` +interface(`fs_getattr_hugetlbfs',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type hugetlbfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem remount; + allow $1 hugetlbfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. +## List hugetlbfs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2253,38 +2606,725 @@ interface(`fs_remount_iso9660_fs',` + ## + ## + # +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_list_hugetlbfs',` + gen_require(` + type hugetlbfs_t; @@ -19862,58 +19876,47 @@ index 8416beb..ca45838 100644 +## +# +interface(`fs_read_kdbus_files',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type cgroup_t; + - ') - -- allow $1 iso9660_t:filesystem mount; ++ ') ++ + read_files_pattern($1, kdbusfs_t, kdbusfs_t) + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Remount an iso9660 filesystem, which --## is usually used on CDs. This allows --## some mount options to be changed. ++') ++ ++######################################## ++## +## Write kdbusfs files. - ## - ## - ## -@@ -2234,18 +3270,19 @@ interface(`fs_mount_iso9660_fs',` - ## - ## - # --interface(`fs_remount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_write_kdbus_files', ` - gen_require(` -- type iso9660_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 iso9660_t:filesystem remount; ++ ') ++ + write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Unmount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Read and write kdbusfs files. - ## - ## - ## -@@ -2253,38 +3290,41 @@ interface(`fs_remount_iso9660_fs',` - ## - ## - # --interface(`fs_unmount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; @@ -20301,7 +20304,7 @@ index 8416beb..ca45838 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +4470,107 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4470,126 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20360,6 +20363,25 @@ index 8416beb..ca45838 100644 +## +## +# ++interface(`fs_dontaudit_getattr_nsfs_files',` ++ gen_require(` ++ type nsfs_t; ++ ') ++ ++ dontaudit $1 nsfs_t:file getattr; ++') ++ ++ ++######################################## ++## ++## Getattr files on an nsfs filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_nsfs_files',` + gen_require(` + type nsfs_t; @@ -20413,7 +20435,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3273,12 +4578,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4597,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -20428,7 +20450,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -3301,6 +4606,24 @@ interface(`fs_associate_ramfs',` +@@ -3301,6 +4625,24 @@ interface(`fs_associate_ramfs',` ######################################## ## @@ -20453,7 +20475,7 @@ index 8416beb..ca45838 100644 ## Mount a RAM filesystem. ## ## -@@ -3392,7 +4715,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4734,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20462,7 +20484,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3429,7 +4752,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4771,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20471,7 +20493,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3447,7 +4770,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4789,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20480,7 +20502,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3779,6 +5102,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5121,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20505,7 +20527,7 @@ index 8416beb..ca45838 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5156,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5175,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20530,7 +20552,7 @@ index 8416beb..ca45838 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5267,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5286,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20539,7 +20561,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3916,17 +5275,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5294,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20560,7 +20582,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3934,17 +5293,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5312,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20581,7 +20603,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3952,17 +5311,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5330,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20621,7 +20643,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3970,31 +5348,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5367,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20677,7 +20699,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -4057,23 +5452,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5471,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20854,7 +20876,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4081,18 +5623,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5642,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20877,7 +20899,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4100,54 +5642,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5661,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -20944,7 +20966,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4155,17 +5696,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5715,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -20966,7 +20988,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4173,17 +5715,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5734,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20988,7 +21010,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4191,37 +5734,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5753,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -21034,7 +21056,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4229,18 +5771,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5790,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -21056,7 +21078,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4248,18 +5790,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5809,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -21080,7 +21102,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4267,32 +5810,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5829,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -21119,7 +21141,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -4407,6 +5949,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5968,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -21145,7 +21167,7 @@ index 8416beb..ca45838 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6064,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6083,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -21154,7 +21176,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -4549,7 +6112,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6131,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -21163,7 +21185,7 @@ index 8416beb..ca45838 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6159,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6178,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21190,7 +21212,7 @@ index 8416beb..ca45838 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6254,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6273,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21216,7 +21238,7 @@ index 8416beb..ca45838 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6514,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6533,175 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -21255,10 +21277,12 @@ index 8416beb..ca45838 100644 +interface(`fs_tmpfs_filetrans_named_content',` + gen_require(` + type cgroup_t; ++ type devlog_t; + ') + + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") ++ fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log") +') + +####################################### @@ -41694,7 +41718,7 @@ index 4e94884..31be8ac 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..6810e0b 100644 +index 59b04c1..2be561d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -41929,13 +41953,14 @@ index 59b04c1..6810e0b 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +417,12 @@ optional_policy(` +@@ -355,13 +417,13 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; +allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; ++dontaudit syslogd_t self:cap_userns sys_ptrace; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog # setrlimit for syslog-ng @@ -41946,7 +41971,7 @@ index 59b04c1..6810e0b 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +431,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -41963,7 +41988,7 @@ index 59b04c1..6810e0b 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +455,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -42014,7 +42039,7 @@ index 59b04c1..6810e0b 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +505,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -42023,7 +42048,7 @@ index 59b04c1..6810e0b 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +517,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -42057,7 +42082,7 @@ index 59b04c1..6810e0b 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +556,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -42075,7 +42100,7 @@ index 59b04c1..6810e0b 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +577,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +578,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -42091,7 +42116,7 @@ index 59b04c1..6810e0b 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +609,7 @@ optional_policy(` +@@ -497,6 +610,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -42099,7 +42124,7 @@ index 59b04c1..6810e0b 100644 ') optional_policy(` -@@ -507,15 +620,44 @@ optional_policy(` +@@ -507,15 +621,44 @@ optional_policy(` ') optional_policy(` @@ -42144,7 +42169,7 @@ index 59b04c1..6810e0b 100644 ') optional_policy(` -@@ -526,3 +668,26 @@ optional_policy(` +@@ -526,3 +669,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -47450,10 +47475,10 @@ index a392fc4..b01eb22 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..fc4c791 +index 0000000..a0ed66f --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,71 @@ +@@ -0,0 +1,72 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -47511,6 +47536,7 @@ index 0000000..fc4c791 +/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) +/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) ++/usr/lib/systemd/resolv.* -- gen_context(system_u:object_r:lib_t,s0) +/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) + +/var/run/.*nologin.* gen_context(system_u:object_r:systemd_logind_var_run_t,s0) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d5c2491..15c12d8 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -29049,7 +29049,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..ee152e2 100644 +index 98072a3..0235724 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -29077,7 +29077,7 @@ index 98072a3..ee152e2 100644 allow firewalld_t firewalld_var_log_t:file append_file_perms; allow firewalld_t firewalld_var_log_t:file create_file_perms; -@@ -48,8 +56,14 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) +@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) allow firewalld_t firewalld_tmp_t:file mmap_file_perms; @@ -29093,7 +29093,14 @@ index 98072a3..ee152e2 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t) + kernel_rw_net_sysctls(firewalld_t) + ++files_list_kernel_modules(firewalld_t) ++ + corecmd_exec_bin(firewalld_t) + corecmd_exec_shell(firewalld_t) + +@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -29114,20 +29121,20 @@ index 98072a3..ee152e2 100644 -seutil_exec_setfiles(firewalld_t) -seutil_read_file_contexts(firewalld_t) +logging_send_syslog_msg(firewalld_t) - --sysnet_read_config(firewalld_t) ++ +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) +sysnet_manage_config(firewalld_t) +sysnet_relabelfrom_net_conf(firewalld_t) +sysnet_relabelto_net_conf(firewalld_t) -+ + +-sysnet_read_config(firewalld_t) +userdom_dontaudit_create_admin_dir(firewalld_t) +userdom_dontaudit_manage_admin_dir(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -91,10 +111,15 @@ optional_policy(` +@@ -91,10 +113,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(firewalld_t) @@ -46284,7 +46291,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..d46c5e7 100644 +index be0ab84..6180bdb 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -46359,7 +46366,7 @@ index be0ab84..d46c5e7 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -46386,6 +46393,7 @@ index be0ab84..d46c5e7 100644 +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_all_fs(logrotate_t) +fs_list_inotifyfs(logrotate_t) ++fs_dontaudit_getattr_nsfs_files(logrotate_t) + +mls_file_read_all_levels(logrotate_t) +mls_file_write_all_levels(logrotate_t) @@ -46417,7 +46425,7 @@ index be0ab84..d46c5e7 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +135,56 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -46480,7 +46488,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -135,16 +198,17 @@ optional_policy(` +@@ -135,16 +199,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -46500,7 +46508,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -170,6 +234,11 @@ optional_policy(` +@@ -170,6 +235,11 @@ optional_policy(` ') optional_policy(` @@ -46512,7 +46520,7 @@ index be0ab84..d46c5e7 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +247,8 @@ optional_policy(` +@@ -178,7 +248,8 @@ optional_policy(` ') optional_policy(` @@ -46522,7 +46530,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -198,17 +268,18 @@ optional_policy(` +@@ -198,17 +269,18 @@ optional_policy(` ') optional_policy(` @@ -46544,7 +46552,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -216,6 +287,14 @@ optional_policy(` +@@ -216,6 +288,14 @@ optional_policy(` ') optional_policy(` @@ -46559,7 +46567,7 @@ index be0ab84..d46c5e7 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +307,50 @@ optional_policy(` +@@ -228,26 +308,50 @@ optional_policy(` ') optional_policy(` @@ -69146,10 +69154,10 @@ index 0000000..fa4cfaa Binary files /dev/null and b/pcp.pp differ diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..d6fdef6 +index 0000000..04a0b20 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,297 @@ +@@ -0,0 +1,299 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -69405,6 +69413,8 @@ index 0000000..d6fdef6 + +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto; + ++allow pcp_pmie_t pcp_pmcd_t:process signal; ++ +kernel_read_system_state(pcp_pmie_t) + +corecmd_exec_bin(pcp_pmie_t) @@ -90449,7 +90459,7 @@ index ccb5991..fa10c5a 100644 optional_policy(` diff --git a/rpc.fc b/rpc.fc -index a6fb30c..3148280 100644 +index a6fb30c..97ef313 100644 --- a/rpc.fc +++ b/rpc.fc @@ -1,12 +1,25 @@ @@ -90484,7 +90494,7 @@ index a6fb30c..3148280 100644 /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -@@ -16,7 +29,12 @@ +@@ -16,7 +29,13 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) @@ -90498,6 +90508,7 @@ index a6fb30c..3148280 100644 /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) ++/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0) + diff --git a/rpc.if b/rpc.if index 0bf13c2..ed393a0 100644 @@ -90960,7 +90971,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..23bddad 100644 +index 2da9fca..6935f5c 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91003,10 +91014,13 @@ index 2da9fca..23bddad 100644 attribute rpc_domain; -@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t) +@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) ++type rpcd_lock_t; ++files_lock_file(rpcd_lock_t) ++ +# rpcd_t is the domain of rpc daemons. +# rpc_exec_t is the type of rpc daemon programs. rpc_domain_template(rpcd) @@ -91032,7 +91046,7 @@ index 2da9fca..23bddad 100644 type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) -@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen }; +@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen }; manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) @@ -91040,7 +91054,7 @@ index 2da9fca..23bddad 100644 kernel_read_kernel_sysctls(rpc_domain) kernel_rw_rpc_sysctls(rpc_domain) -@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain) +@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain) dev_read_urand(rpc_domain) dev_read_rand(rpc_domain) @@ -91049,7 +91063,7 @@ index 2da9fca..23bddad 100644 corenet_tcp_sendrecv_generic_if(rpc_domain) corenet_udp_sendrecv_generic_if(rpc_domain) corenet_tcp_sendrecv_generic_node(rpc_domain) -@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain) +@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain) files_read_usr_files(rpc_domain) files_list_home(rpc_domain) @@ -91093,6 +91107,9 @@ index 2da9fca..23bddad 100644 +read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) + ++allow rpcd_t rpcd_lock_t:file manage_file_perms; ++files_lock_filetrans(rpcd_t, rpcd_lock_t, file) ++ +# rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) @@ -91103,7 +91120,7 @@ index 2da9fca..23bddad 100644 kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t) +@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) @@ -91127,7 +91144,7 @@ index 2da9fca..23bddad 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) -@@ -181,19 +197,27 @@ optional_policy(` +@@ -181,19 +203,27 @@ optional_policy(` ') optional_policy(` @@ -91158,7 +91175,7 @@ index 2da9fca..23bddad 100644 ') ######################################## -@@ -202,41 +226,61 @@ optional_policy(` +@@ -202,41 +232,61 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91229,7 +91246,7 @@ index 2da9fca..23bddad 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91237,7 +91254,7 @@ index 2da9fca..23bddad 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -91252,7 +91269,7 @@ index 2da9fca..23bddad 100644 ') ######################################## -@@ -270,7 +313,7 @@ optional_policy(` +@@ -270,7 +319,7 @@ optional_policy(` # GSSD local policy # @@ -91261,7 +91278,7 @@ index 2da9fca..23bddad 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91269,7 +91286,7 @@ index 2da9fca..23bddad 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +332,31 @@ kernel_signal(gssd_t) +@@ -288,25 +338,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91304,7 +91321,7 @@ index 2da9fca..23bddad 100644 ') optional_policy(` -@@ -314,9 +364,12 @@ optional_policy(` +@@ -314,9 +370,12 @@ optional_policy(` ') optional_policy(` @@ -103021,7 +103038,7 @@ index 1499b0b..e695a62 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..d844f55 100644 +index cc58e35..963d86c 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -103728,7 +103745,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -463,9 +571,9 @@ optional_policy(` +@@ -463,9 +571,10 @@ optional_policy(` ') optional_policy(` @@ -103736,10 +103753,11 @@ index cc58e35..d844f55 100644 sendmail_stub(spamd_t) mta_read_config(spamd_t) - mta_send_mail(spamd_t) ++ mta_manage_spool(spamd_t) ') optional_policy(` -@@ -474,32 +582,32 @@ optional_policy(` +@@ -474,32 +583,32 @@ optional_policy(` ######################################## # @@ -103782,7 +103800,7 @@ index cc58e35..d844f55 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0c11cd7..a5f3859 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 226%{?dist} +Release: 227%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,18 @@ exit 0 %endif %changelog +* Tue Nov 29 2016 Lukas Vrabec - 3.13.1-227 +- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) +- Allow pmie daemon to send signal pcmd daemon BZ(1398078) +- Allow spamd_t to manage /var/spool/mail. BZ(1398437) +- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254) +- Merge pull request #171 from t-woerner/rawhide-contrib +- Allow firewalld to getattr open search read modules_object_t:dir +- Allow systemd create /dev/log in own mount-namespace. BZ(1383867) +- Add interface fs_dontaudit_getattr_nsfs_files() +- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853) +- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187) + * Wed Nov 16 2016 Lukas Vrabec - 3.13.1-226 - Adding policy for tlp - Add interface dev_manage_sysfs()