From c88e657c3d92acb5a3cea103566dda6931796316 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 19 2014 15:33:35 +0000 Subject: * Wed Nov 19 2014 Lukas Vrabec 3.13.1-94 - Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling. - Allow sendmail to create dead.letter. BZ(1165443) - Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active. - Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t. - Label sock file charon.vici as ipsec_var_run_t. BZ(1165065) - Add additional interfaces for load_policy/setfiles/read_lock related to access checks. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2480dc5..b9c8b31 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -32228,7 +32228,7 @@ index 17eda24..d4113cc 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..353c3b7 100644 +index 662e79b..ad9ef4e 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,14 +1,25 @@ @@ -32258,7 +32258,7 @@ index 662e79b..353c3b7 100644 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +37,26 @@ +@@ -26,16 +37,27 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -32281,6 +32281,7 @@ index 662e79b..353c3b7 100644 /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) 
@@ -37268,13 +37269,31 @@ index d43f3b1..870bc36 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..8686e0a 100644 +index 3822072..1b9a765 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if -@@ -135,6 +135,24 @@ interface(`seutil_exec_loadpolicy',` +@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` ######################################## ## ++## Allow access check on load_policy. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_access_check_load_policy',` ++ gen_require(` ++ type load_policy_exec_t; ++ ') ++ ++ allow $1 load_policy_exec_t:file audit_access; ++') ++ ++######################################## ++## +## Dontaudit access check on load_policy. +## +## @@ -37296,7 +37315,7 @@ index 3822072..8686e0a 100644 ## Read the load_policy program file. ## ## -@@ -192,11 +210,22 @@ interface(`seutil_domtrans_newrole',` +@@ -192,11 +228,22 @@ interface(`seutil_domtrans_newrole',` # interface(`seutil_run_newrole',` gen_require(` @@ -37321,7 +37340,7 @@ index 3822072..8686e0a 100644 ') ######################################## -@@ -359,6 +388,27 @@ interface(`seutil_exec_restorecon',` +@@ -359,6 +406,27 @@ interface(`seutil_exec_restorecon',` ######################################## ## @@ -37349,7 +37368,7 @@ index 3822072..8686e0a 100644 ## Execute run_init in the run_init domain. ## ## -@@ -425,11 +475,20 @@ interface(`seutil_init_script_domtrans_runinit',` +@@ -425,11 +493,20 @@ interface(`seutil_init_script_domtrans_runinit',` # interface(`seutil_run_runinit',` gen_require(` 
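Review bot: The new `seutil_access_check_load_policy` interface grants `allow $1 load_policy_exec_t:file audit_access;`, but as far as I know the kernel never enforces audit_access as an allowed permission: on an access(2) probe it only consults the auditdeny vector, so a `dontaudit` on audit_access silences the denial (which is what the neighbouring interface does) while an `allow` on it changes neither the result nor the logging. If that is right, this interface and the matching `seutil_access_check_setfiles`, `seutil_access_check_module_store` and `seutil_access_check_semanage_read_lock` added in the later hunks are no-ops, and a caller whose access() probe has to succeed needs the real permission instead, for example `seutil_read_loadpolicy($1)` here. Please confirm against the kernel the policy targets before the sssd.te callers rely on these.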
@@ -37373,7 +37392,7 @@ index 3822072..8686e0a 100644 ') ######################################## -@@ -461,11 +520,19 @@ interface(`seutil_run_runinit',` +@@ -461,11 +538,19 @@ interface(`seutil_run_runinit',` # interface(`seutil_init_script_run_runinit',` gen_require(` @@ -37396,7 +37415,7 @@ index 3822072..8686e0a 100644 ') ######################################## -@@ -535,6 +602,53 @@ interface(`seutil_run_setfiles',` +@@ -535,6 +620,53 @@ interface(`seutil_run_setfiles',` ######################################## ## @@ -37450,10 +37469,28 @@ index 3822072..8686e0a 100644 ## Execute setfiles in the caller domain. ## ## -@@ -555,6 +669,24 @@ interface(`seutil_exec_setfiles',` +@@ -555,6 +687,42 @@ interface(`seutil_exec_setfiles',` ######################################## ## ++## Allow access check on setfiles. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_access_check_setfiles',` ++ gen_require(` ++ type setfiles_exec_t; ++ ') ++ ++ allow $1 setfiles_exec_t:file audit_access; ++') ++ ++######################################## ++## +## Dontaudit access check on setfiles. +## +## @@ -37475,7 +37512,7 @@ index 3822072..8686e0a 100644 ## Do not audit attempts to search the SELinux ## configuration directory (/etc/selinux). ## -@@ -680,10 +812,115 @@ interface(`seutil_manage_config',` +@@ -680,10 +848,115 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -37591,7 +37628,7 @@ index 3822072..8686e0a 100644 ####################################### ## ## Create, read, write, and delete -@@ -694,15 +931,62 @@ interface(`seutil_manage_config',` +@@ -694,15 +967,62 @@ interface(`seutil_manage_config',` ## Domain allowed access. ## ## @@ -37657,7 +37694,7 @@ index 3822072..8686e0a 100644 ') ######################################## -@@ -746,6 +1030,29 @@ interface(`seutil_read_default_contexts',` +@@ -746,6 +1066,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') 
@@ -37687,7 +37724,7 @@ index 3822072..8686e0a 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -784,7 +1091,9 @@ interface(`seutil_read_file_contexts',` +@@ -784,7 +1127,9 @@ interface(`seutil_read_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; @@ -37697,7 +37734,7 @@ index 3822072..8686e0a 100644 ') ######################################## -@@ -999,6 +1308,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1344,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -37724,7 +37761,7 @@ index 3822072..8686e0a 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1346,67 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1382,87 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -37773,6 +37810,26 @@ index 3822072..8686e0a 100644 + +######################################## +## ++## List of the semanage ++## module store. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_access_check_module_store',` ++ gen_require(` ++ type semanage_store_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 semanage_store_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## +## Full management of the semanage +## module store. +## @@ -37794,7 +37851,7 @@ index 3822072..8686e0a 100644 ') ######################################## -@@ -1043,7 +1428,11 @@ interface(`seutil_manage_module_store',` +@@ -1043,7 +1484,11 @@ interface(`seutil_manage_module_store',` files_search_etc($1) manage_dirs_pattern($1, selinux_config_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) 
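Review bot: The summary of the new `seutil_access_check_module_store` interface, `## List of the semanage module store.`, does not describe what the body does: it grants `allow $1 semanage_store_t:dir_file_class_set audit_access;` plus `files_search_etc($1)`, nothing that lists the store. A caller reading the generated documentation would pick it expecting directory listing. Suggest `## Allow access check on the semanage module store.`, matching the wording of the sibling `seutil_access_check_*` interfaces.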
@@ -37806,10 +37863,28 @@ index 3822072..8686e0a 100644 ') ####################################### -@@ -1067,6 +1456,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1512,42 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## ++## Allow access check on module store ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_access_check_semanage_read_lock',` ++ gen_require(` ++ type semanage_read_lock_t; ++ ') ++ ++ allow $1 semanage_read_lock_t:file audit_access; ++') ++ ++####################################### ++## +## Dontaudit access check on module store +## +## @@ -37831,7 +37906,7 @@ index 3822072..8686e0a 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1544,122 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9fc84d2..3f12b14 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -61915,7 +61915,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..3eb9dc1 100644 +index 63957a3..ba34f72 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -62040,7 +62040,7 @@ index 63957a3..3eb9dc1 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -164,6 +188,10 @@ tunable_policy(`openvpn_can_network_connect',` +@@ -164,10 +188,19 @@ tunable_policy(`openvpn_can_network_connect',` ') optional_policy(` 
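Review bot: The summary of `seutil_access_check_semanage_read_lock`, `## Allow access check on module store`, names the wrong object: the body requires `semanage_read_lock_t` and grants `audit_access` on that lock file, not on the module store. Suggest `## Allow access check on the semanage read lock.` so the generated interface documentation matches the type actually touched. The pre-existing dontaudit variant directly beneath carries the same wording, but that line is not part of this change.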
@@ -62051,11 +62051,17 @@ index 63957a3..3eb9dc1 100644 daemontools_service_domain(openvpn_t, openvpn_exec_t) ') -@@ -173,5 +201,30 @@ optional_policy(` + optional_policy(` ++ networkmanager_stream_connect(openvpn_t) ++ networkmanager_manage_pid_files(openvpn_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(openvpn_t) + dbus_connect_system_bus(openvpn_t) - optional_policy(` +@@ -175,3 +208,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) -+ networkmanager_stream_connect(openvpn_t) ') ') + @@ -92301,7 +92307,7 @@ index 35ad2a7..6b75e85 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..fde3c8d 100644 +index 12700b4..906b5db 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -92441,7 +92447,7 @@ index 12700b4..fde3c8d 100644 ') optional_policy(` -@@ -164,6 +168,10 @@ optional_policy(` +@@ -164,14 +168,27 @@ optional_policy(` ') optional_policy(` @@ -92452,7 +92458,12 @@ index 12700b4..fde3c8d 100644 milter_stream_connect_all(sendmail_t) ') -@@ -172,6 +180,11 @@ optional_policy(` + optional_policy(` ++ mta_filetrans_home_content(sendmail_t) ++') ++ ++optional_policy(` + munin_dontaudit_search_lib(sendmail_t) ') optional_policy(` @@ -92464,7 +92475,7 @@ index 12700b4..fde3c8d 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -193,6 +206,10 @@ optional_policy(` +@@ -193,6 +210,10 @@ optional_policy(` ') optional_policy(` @@ -92475,7 +92486,7 @@ index 12700b4..fde3c8d 100644 udev_read_db(sendmail_t) ') -@@ -206,8 +223,8 @@ optional_policy(` +@@ -206,8 +227,8 @@ optional_policy(` # optional_policy(` @@ -97481,7 +97492,7 @@ index a240455..f4d8c79 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..ababeba 100644 +index 2d8db1f..dbb5dd6 100644 --- a/sssd.te +++ b/sssd.te @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) 
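Review bot: `networkmanager_manage_pid_files(openvpn_t)` is broader than the stated goal of letting openvpn create its uuid connection files under /var/run/NetworkManager: a manage interface normally expands to create, write, rename and unlink on every object carrying NetworkManager's pid type, so openvpn_t could also truncate or remove NetworkManager's own runtime files. If openvpn only needs to create and write its own entries, a create-only interface or a filetrans to a type owned by openvpn would keep the two daemons from being able to tamper with each other's state. I cannot see the interface body from this hunk, so confirm which permission set it grants before merging.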
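Review bot: `mta_filetrans_home_content(sendmail_t)` only controls the label of a file sendmail creates in a home directory; it does not by itself grant the create or write permission on the home directory type, so the dead.letter case in the changelog is fixed only if sendmail_t already holds that permission elsewhere in sendmail.te. That part of the domain is outside this hunk, so I cannot tell from here. Worth a one-line comment above the call, e.g. `# dead.letter in $HOME; create permission comes from userdom rules above`, or the matching rule next to it if it is missing.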
@@ -97539,7 +97550,7 @@ index 2d8db1f..ababeba 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +79,30 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +79,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -97559,6 +97570,12 @@ index 2d8db1f..ababeba 100644 -# seutil_manage_login_config_files(sssd_t) +seutil_rw_login_config_dirs(sssd_t) +seutil_manage_login_config_files(sssd_t) ++ ++seutil_access_check_module_store(sssd_t) ++ ++seutil_access_check_load_policy(sssd_t) ++seutil_access_check_setfiles(sssd_t) ++seutil_access_check_semanage_read_lock(sssd_t) mls_file_read_to_clearance(sssd_t) mls_socket_read_to_clearance(sssd_t) @@ -97574,7 +97591,7 @@ index 2d8db1f..ababeba 100644 init_read_utmp(sssd_t) -@@ -112,18 +110,36 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +116,36 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6efdd23..8aef00c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 93%{?dist} +Release: 94%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
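Review bot: The four new `seutil_access_check_*` calls widen the whole `sssd_t` domain although the changelog scopes the need to selinux_child; every process in sssd_t, not just that helper, receives the new rules, and nothing in the file records why the helper shares the daemon's domain. A comment such as `# selinux_child runs in sssd_t and probes the module store and policy tools with access(2)` above the block would preserve that reasoning, and a dedicated helper domain would be the tighter long-term fix. As a point of style, `seutil_access_check_module_store(sssd_t)` sits in its own blank-separated group while the other three are grouped together; keeping all four adjacent, directly after `seutil_manage_login_config_files(sssd_t)`, makes the related grant easier to audit.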
@@ -604,6 +604,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Nov 19 2014 Lukas Vrabec 3.13.1-94 +- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling. +- Allow sendmail to create dead.letter. BZ(1165443) +- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active. +- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t. +- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065) +- Add additional interfaces for load_policy/setfiles/read_lock related to access checks. + * Fri Nov 14 2014 Lukas Vrabec 3.13.1-93 - Allow bumblebee to use nsswitch. BZ(1155339) - Allow openvpn to stream connect to networkmanager. BZ(1164182)