From e2a064a427c98aaee9128b2bd3e44b45c188c59d Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mar 16 2015 17:04:20 +0000 Subject: * Mon Mar 16 2015 Lukas Vrabec 3.13.1-118 - docker watches for content in the /etc directory - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib - Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling. - Allow docker to communicate with openvswitch - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib - Allow docker to relablefrom/to sockets and docker_log_t - Allow journald to set loginuid. BZ(1190498) - Add cap. sys_admin for passwd_t. BZ(1185191) - Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 12f8a66..6ea32b6 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2725,7 +2725,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..4aef39e 100644 +index 1d732f1..0dbda7d 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -2883,7 +2883,7 @@ index 1d732f1..4aef39e 100644 # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource }; ++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; 
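Review bot: The rewritten passwd_t capability rule (`++allow passwd_t self:capability { ... sys_resource sys_admin };` in the @@ -2883 hunk) adds `sys_admin`, the broadest capability in the set, with no comment saying which passwd operation triggers it; the changelog only says `Add cap. sys_admin for passwd_t. BZ(1185191)`. Because this grants the capability to every passwd_t process rather than silencing one access, record the trigger next to the rule, e.g. `# sys_admin: needed by passwd, see BZ(1185191)`, so a later reader can judge whether a narrower permission or a dontaudit (if the access is merely noisy) would do. The surrounding passwd_t local policy continues outside the hunk.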
@@ -17087,7 +17087,7 @@ index e100d88..f45a698 100644 + allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms; ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..15230be 100644 +index 8dbab4c..96d9a91 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -17242,7 +17242,7 @@ index 8dbab4c..15230be 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +314,49 @@ files_list_root(kernel_t) +@@ -277,25 +314,53 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -17271,6 +17271,10 @@ index 8dbab4c..15230be 100644 + +optional_policy(` ++ abrt_filetrans_named_content(kernel_t) ++') ++ ++optional_policy(` + apache_filetrans_home_content(kernel_t) +') + @@ -17292,7 +17296,7 @@ index 8dbab4c..15230be 100644 ') optional_policy(` -@@ -305,6 +366,19 @@ optional_policy(` +@@ -305,6 +370,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -17312,7 +17316,7 @@ index 8dbab4c..15230be 100644 ') optional_policy(` -@@ -312,6 +386,11 @@ optional_policy(` +@@ -312,6 +390,11 @@ optional_policy(` ') optional_policy(` @@ -17324,7 +17328,7 @@ index 8dbab4c..15230be 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +411,6 @@ optional_policy(` +@@ -332,9 +415,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -17334,7 +17338,7 @@ index 8dbab4c..15230be 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +419,7 @@ optional_policy(` +@@ -343,9 +423,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
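Review bot: The new `optional_policy(` block calling `abrt_filetrans_named_content(kernel_t)` (the @@ -17271 hunk) carries no comment, and nothing in kernel.te explains why the kernel domain needs abrt file transitions; the changelog attributes it to abrt-hook-ccpp running as kernel_t. A one-line comment above the block, `# abrt-hook-ccpp runs as kernel_t and creates /var/tmp/abrt`, keeps that rationale with the rule. Note that what this interface does for /var/tmp/abrt depends on the abrt.if change made in the same commit, so the two should be kept in step; the kernel_t policy section starts and ends outside this hunk.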
@@ -17345,7 +17349,7 @@ index 8dbab4c..15230be 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +428,7 @@ optional_policy(` +@@ -354,7 +432,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -17354,7 +17358,7 @@ index 8dbab4c..15230be 100644 ') ') -@@ -367,6 +441,15 @@ optional_policy(` +@@ -367,6 +445,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -17370,7 +17374,7 @@ index 8dbab4c..15230be 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -34876,7 +34880,7 @@ index 4e94884..8c67cd0 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..df37453 100644 +index 59b04c1..9d8e11d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) @@ -35218,13 +35222,14 @@ index 59b04c1..df37453 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +551,11 @@ init_use_fds(syslogd_t) +@@ -466,11 +551,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) - -miscfiles_read_localization(syslogd_t) +logging_manage_all_logs(syslogd_t) ++logging_set_loginuid(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -userdom_dontaudit_search_user_home_dirs(syslogd_t) 
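Review bot: `++logging_set_loginuid(syslogd_t)` is added with no comment, although the changelog ties it to journald and BZ(1190498); loginuid is the value audit records use to attribute actions to a login session, so the right to set it deserves a justification at the rule itself. syslogd_t presumably covers other syslog implementations besides journald in this policy, so a comment such as `# journald sets loginuid on sessions (BZ 1190498)` above the line would make clear which daemon drives the grant, and it is worth confirming that the interface does not carry more than the write access journald needs — the interface body is not visible in this hunk. The syslogd_t local policy continues beyond the hunk.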
@@ -35233,7 +35238,7 @@ index 59b04c1..df37453 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +582,7 @@ optional_policy(` +@@ -497,6 +583,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -35241,7 +35246,7 @@ index 59b04c1..df37453 100644 ') optional_policy(` -@@ -507,15 +593,40 @@ optional_policy(` +@@ -507,15 +594,40 @@ optional_policy(` ') optional_policy(` @@ -35282,7 +35287,7 @@ index 59b04c1..df37453 100644 ') optional_policy(` -@@ -526,3 +637,26 @@ optional_policy(` +@@ -526,3 +638,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 07f13fa..9e4b237 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644 -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..1e92177 100644 +index 058d908..158acba 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ @@ -537,7 +537,7 @@ index 058d908..1e92177 100644 + type abrt_var_run_t; + ') + -+ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt") ++ files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt") + files_etc_filetrans($1, abrt_etc_t, dir, "abrt") + files_var_filetrans($1, abrt_var_cache_t, dir, "abrt") + files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix") @@ -3036,7 +3036,7 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..cb58319 +index 0000000..253a684 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,270 @@ 
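Review bot: Changing the `files_tmp_filetrans` call to `abrt_var_cache_t` makes `abrt_filetrans_named_content` depend on that type, so its `gen_require` block must declare `type abrt_var_cache_t;`; the hunk shows only `type abrt_var_run_t;` of that block, and the existing `files_var_filetrans($1, abrt_var_cache_t, ...)` lines suggest the declaration is already there, but please verify, since a missing require only fails at module build. `files_tmp_filetrans` also applies to an `abrt` directory created under /tmp, not just /var/tmp, so a comment such as `# /var/tmp/abrt is cache content (abrt_var_cache_t), not abrt_tmp_t` would record the intent, and the abrt.fc entry for /var/tmp/abrt should agree with the transition or a restorecon will undo it. The interface body starts before this hunk.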
@@ -3305,9 +3305,9 @@ index 0000000..cb58319 + +optional_policy(` + spamd_stream_connect(clamd_t) -+ spamassassin_exec(antivirus_domain) -+ spamassassin_exec_client(antivirus_domain) -+ spamassassin_read_lib_files(antivirus_domain) ++ spamassassin_exec(antivirus_domain) ++ spamassassin_exec_client(antivirus_domain) ++ spamassassin_read_lib_files(antivirus_domain) + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc @@ -25334,10 +25334,10 @@ index 0000000..1542da8 + diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..df9e6ce +index 0000000..0a03a30 --- /dev/null +++ b/docker.te -@@ -0,0 +1,318 @@ +@@ -0,0 +1,325 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -25425,6 +25425,7 @@ index 0000000..df9e6ce +manage_files_pattern(docker_t, docker_log_t, docker_log_t) +manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) +logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file }) ++allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto }; + +manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t) +manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) @@ -25492,7 +25493,7 @@ index 0000000..df9e6ce +corenet_udp_bind_generic_node(docker_t) +corenet_udp_bind_all_ports(docker_t) + -+files_read_etc_files(docker_t) ++files_read_config_files(docker_t) + +fs_read_cgroup_files(docker_t) +fs_read_tmpfs_symlinks(docker_t) @@ -25502,6 +25503,7 @@ index 0000000..df9e6ce +storage_raw_rw_fixed_disk(docker_t) + +auth_use_nsswitch(docker_t) ++auth_dontaudit_getattr_shadow(docker_t) + +init_read_state(docker_t) +init_status(docker_t) @@ -25527,6 +25529,10 @@ index 0000000..df9e6ce + iptables_domtrans(docker_t) +') + ++optional_policy(` ++ openvswitch_stream_connect(docker_t) ++') ++ +# +# lxc rules +# 
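Review bot: In the @@ -25425 hunk, `++allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };` is a raw allow rule placed among `manage_*_pattern` and `logging_log_filetrans` calls, and nothing says why the daemon relabels its own log content; the changelog entry is only "Allow docker to relablefrom/to sockets and docker_log_t". The rest of this file uses the refpolicy pattern macros, so `relabel_dirs_pattern(docker_t, docker_log_t, docker_log_t)` / `relabel_files_pattern(docker_t, docker_log_t, docker_log_t)` / `relabel_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)` would match the surrounding style and limit the grant to the classes docker actually creates, rather than every class in dir_file_class_set. A short comment naming the operation that needs the relabel would help either way. The docker_t local policy continues outside the hunk.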
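Review bot: In the @@ -25492 hunk, replacing `files_read_etc_files(docker_t)` with `files_read_config_files(docker_t)` widens read access from etc_t to, if that interface is the configfile-attribute variant, every type carrying the configfile attribute — more than the changelog's "docker watches for content in the /etc directory" describes. If the intent is only to notice directory changes under /etc, a narrower grant (list/watch on etc_t directories) may be enough; if the wider read really is needed, say so in a comment, e.g. `# docker reads config files of other types under /etc; see changelog 3.13.1-118`. The same hunk's `auth_dontaudit_getattr_shadow(docker_t)` is fine as a dontaudit. The enclosing docker_t policy starts and ends outside this hunk.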
@@ -25648,6 +25654,7 @@ index 0000000..df9e6ce +domtrans_pattern(docker_t, docker_var_lib_t, spc_t) +allow docker_t spc_t:process { setsched signal_perms }; +ps_process_pattern(docker_t, spc_t) ++allow docker_t spc_t:socket_class_set { relabelto relabelfrom }; + +optional_policy(` + unconfined_domain_noaudit(spc_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1e2acc2..8c9a926 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 117%{?dist} +Release: 118%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 16 2015 Lukas Vrabec 3.13.1-118 +- docker watches for content in the /etc directory +- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib +- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling. +- Allow docker to communicate with openvswitch +- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib +- Allow docker to relablefrom/to sockets and docker_log_t +- Allow journald to set loginuid. BZ(1190498) +- Add cap. sys_admin for passwd_t. BZ(1185191) +- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling. + * Fri Mar 09 2015 Lukas Vrabec 3.13.1-117 - Allow spamc read spamd_etc_t files. BZ(1199339). - Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)
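Review bot: `++allow docker_t spc_t:socket_class_set { relabelto relabelfrom };` grants both halves of a relabel on sockets already labelled spc_t, which by itself only permits an spc_t-to-spc_t relabel; the useful transition (presumably between docker_t- or container-labelled sockets and spc_t) needs the matching relabelfrom/relabelto on the other type, which this hunk does not show, so check that the counterpart rule exists elsewhere in docker.te. The rule is also undocumented; add `# docker relabels container sockets to/from spc_t` above it so the intent is clear. The spc_t section continues past the hunk.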