From fccc315ba4fcebea64ea3e2dd7df30688db30ba2 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Dec 19 2013 20:15:16 +0000 Subject: - Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port - Add sysadm_u_default_contexts - Make new type to texlive files in homedir - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Additional fixes for docker.te - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Fix typo in docker.te - Allow amanda to do backups over UDP - Allow bumblebee to read /etc/group and clean up bumblebee.te - type transitions with a filename not allowed inside conditionals - Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 - Make new type to texlive files in homedir --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index e8b6035..e01726d 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -9333,7 +9333,7 @@ index cf04cb5..7e91ba9 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..52d2b7c 100644 +index c2c6e05..2282452 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9534,7 +9534,7 @@ index c2c6e05..52d2b7c 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +245,24 @@ ifndef(`distro_redhat',` +@@ -237,11 +245,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
@@ -9552,7 +9552,8 @@ index c2c6e05..52d2b7c 100644 +/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + -+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0) ++/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0) ++/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0) + +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) @@ -9560,7 +9561,7 @@ index c2c6e05..52d2b7c 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +278,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9575,7 +9576,7 @@ index c2c6e05..52d2b7c 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +293,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +294,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 1f59ff1..9cb2d5a 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -2084,7 +2084,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..ec7bb41 100644 +index ed45974..f367ba0 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; 
@@ -2122,7 +2122,7 @@ index ed45974..ec7bb41 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2134,11 +2134,12 @@ index ed45974..ec7bb41 100644 corenet_tcp_bind_generic_node(amanda_t) +corenet_tcp_bind_amanda_port(amanda_t) ++corenet_udp_bind_amanda_port(amanda_t) + corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2146,7 +2147,7 @@ index ed45974..ec7bb41 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2154,7 +2155,7 @@ index ed45974..ec7bb41 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -4736,7 +4737,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..bfe87eb 100644 +index 1a82e29..9a065a0 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ 
@@ -5808,7 +5809,7 @@ index 1a82e29..bfe87eb 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,66 +821,56 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5843,16 +5844,27 @@ index 1a82e29..bfe87eb 100644 -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') -+optional_policy(` -+ cobbler_list_config(httpd_t) -+ cobbler_read_config(httpd_t) - +- -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_fusefs_dirs(httpd_t) - fs_manage_fusefs_files(httpd_t) - fs_read_fusefs_symlinks(httpd_t) -') +- +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) +-') ++optional_policy(` ++ cobbler_list_config(httpd_t) ++ cobbler_read_config(httpd_t) + +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_nfs_dirs(httpd_t) +- fs_manage_nfs_files(httpd_t) +- fs_manage_nfs_symlinks(httpd_t) +-') + tunable_policy(`httpd_serve_cobbler_files',` + cobbler_manage_lib_files(httpd_t) +',` 
@@ -5860,27 +5872,22 @@ index 1a82e29..bfe87eb 100644 + cobbler_search_lib(httpd_t) + ') --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') --tunable_policy(`httpd_use_nfs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_nfs_dirs(httpd_t) -- fs_manage_nfs_files(httpd_t) -- fs_manage_nfs_symlinks(httpd_t) -+optional_policy(` + optional_policy(` +- calamaris_read_www_files(httpd_t) + tunable_policy(`httpd_use_sasl',` + sasl_connect(httpd_t) + ') ') --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_t) -+optional_policy(` + optional_policy(` +- ccs_read_config(httpd_t) + # Support for ABRT retrace server + # mod_wsgi + abrt_manage_spool_retrace(httpd_t) @@ -5889,22 +5896,18 @@ index 1a82e29..bfe87eb 100644 ') optional_policy(` -@@ -743,14 +873,6 @@ optional_policy(` - ccs_read_config(httpd_t) +- clamav_domtrans_clamscan(httpd_t) ++ calamaris_read_www_files(httpd_t) ') --optional_policy(` -- clamav_domtrans_clamscan(httpd_t) --') -- --optional_policy(` + optional_policy(` - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) --') ++ ccs_read_config(httpd_t) + ') optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +887,23 @@ optional_policy(` +@@ -765,6 +886,23 @@ optional_policy(` ') optional_policy(` @@ -5928,7 +5931,7 @@ index 1a82e29..bfe87eb 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +920,46 @@ optional_policy(` +@@ -781,34 +919,51 @@ optional_policy(` ') optional_policy(` @@ -5942,6 +5945,11 @@ index 1a82e29..bfe87eb 100644 +') + +optional_policy(` ++ mirrormanager_read_lib_files(httpd_t) ++ mirrormanager_read_log(httpd_t) ++') ++ ++optional_policy(` + jetty_admin(httpd_t) +') + 
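Review bot: The new `mirrormanager_read_lib_files(httpd_t)` and `mirrormanager_read_log(httpd_t)` calls at the end of this hunk give every httpd_t instance read access to mirrormanager's state and log files unconditionally, while the cobbler access reshuffled a few hunks earlier in this same file is kept behind the `httpd_serve_cobbler_files` boolean. A web front end rarely needs to read another service's log files, and nothing in the hunk says whether httpd or the new cron-driven mirrormanager_t is the intended consumer of the lib files. Consider wrapping the pair in a tunable_policy block keyed on a new boolean (something like httpd_serve_mirrormanager_files) mirroring the cobbler block, or at least dropping the log read if only the lib files are served. The surrounding optional_policy run continues outside this hunk, so any boolean would need declaring with the other httpd tunables earlier in the file.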
@@ -5986,7 +5994,7 @@ index 1a82e29..bfe87eb 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +967,18 @@ optional_policy(` +@@ -816,8 +971,18 @@ optional_policy(` ') optional_policy(` @@ -6005,7 +6013,7 @@ index 1a82e29..bfe87eb 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +987,7 @@ optional_policy(` +@@ -826,6 +991,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6013,7 +6021,7 @@ index 1a82e29..bfe87eb 100644 ') optional_policy(` -@@ -836,20 +998,39 @@ optional_policy(` +@@ -836,20 +1002,39 @@ optional_policy(` ') optional_policy(` @@ -6059,7 +6067,7 @@ index 1a82e29..bfe87eb 100644 ') optional_policy(` -@@ -857,19 +1038,35 @@ optional_policy(` +@@ -857,19 +1042,35 @@ optional_policy(` ') optional_policy(` @@ -6095,7 +6103,7 @@ index 1a82e29..bfe87eb 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1074,173 @@ optional_policy(` +@@ -877,65 +1078,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6168,10 +6176,11 @@ index 1a82e29..bfe87eb 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache PHP script local policy +# + @@ -6230,11 +6239,10 @@ index 1a82e29..bfe87eb 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache suexec local policy # @@ -6291,7 +6299,7 @@ index 1a82e29..bfe87eb 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1253,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
@@ -6446,7 +6454,7 @@ index 1a82e29..bfe87eb 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1333,106 @@ optional_policy(` +@@ -1077,172 +1337,106 @@ optional_policy(` ') ') @@ -6468,11 +6476,11 @@ index 1a82e29..bfe87eb 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -- --append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +allow httpd_sys_script_t self:process getsched; +-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6683,7 +6691,7 @@ index 1a82e29..bfe87eb 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1444,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6780,7 +6788,7 @@ index 1a82e29..bfe87eb 100644 ######################################## # -@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1519,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6797,7 +6805,7 @@ index 1a82e29..bfe87eb 100644 ') ######################################## -@@ -1324,49 +1531,38 @@ optional_policy(` +@@ -1324,49 +1535,38 @@ optional_policy(` # User content local policy # @@ -6862,7 +6870,7 @@ index 1a82e29..bfe87eb 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1576,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -9742,10 +9750,10 @@ index 0000000..b5ee23b +/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) diff --git a/bumblebee.if b/bumblebee.if new file mode 100644 -index 0000000..23a4f86 +index 0000000..de66654 --- /dev/null +++ b/bumblebee.if -@@ -0,0 +1,126 @@ +@@ -0,0 +1,121 @@ +## policy for bumblebee + +######################################## @@ -9839,11 +9847,6 @@ index 0000000..23a4f86 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`bumblebee_admin',` @@ -9874,10 +9877,10 @@ index 0000000..23a4f86 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..8d91220 +index 0000000..8c82398 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,44 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -9916,15 +9919,12 @@ index 0000000..8d91220 + +dev_read_sysfs(bumblebee_t) + -+domain_use_interactive_fds(bumblebee_t) -+ -+files_read_etc_files(bumblebee_t) ++auth_read_passwd(bumblebee_t) + +logging_send_syslog_msg(bumblebee_t) + +modutils_domtrans_insmod(bumblebee_t) + -+miscfiles_read_localization(bumblebee_t) diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 --- a/cachefilesd.fc @@ -18422,8 +18422,19 @@ index 9f34c2e..d084359 100644 udev_read_db(ptal_t) ') + +diff --git a/cvs.fc b/cvs.fc +index 75c8be9..9dcffb2 100644 +--- a/cvs.fc ++++ b/cvs.fc +@@ -1,3 +1,6 @@ ++HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0) ++/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0) ++ + /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0) + + /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) diff --git a/cvs.if b/cvs.if -index 9fa7ffb..fd3262c 100644 +index 9fa7ffb..089c8d4 100644 --- a/cvs.if +++ b/cvs.if @@ -1,5 +1,23 @@ 
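Review bot: In bumblebee.te the hunk drops `files_read_etc_files(bumblebee_t)`, `domain_use_interactive_fds(bumblebee_t)` and `miscfiles_read_localization(bumblebee_t)` and adds only `auth_read_passwd(bumblebee_t)`; that is a net loss of access unless the base policy now grants generic /etc and locale reads to every domain, which this diff does not show. The changelog entry only claims to add /etc/group access, so if the domain-wide grant is not in place the daemon loses reads of its own configuration under /etc while gaining nothing. Worth confirming against the base patch before merging, or keeping `files_read_etc_files(bumblebee_t)` alongside the new line until it is confirmed redundant. Note that the brand-new mirrormanager.te later in this same commit still calls all three of the removed interfaces, so one of the two files is following a stale convention.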
@@ -18450,8 +18461,38 @@ index 9fa7ffb..fd3262c 100644 ######################################## ## ## Read CVS data and metadata content. -@@ -62,9 +80,14 @@ interface(`cvs_admin',` - type cvs_data_t, cvs_var_run_t; +@@ -41,6 +59,24 @@ interface(`cvs_exec',` + + ######################################## + ## ++## Transition to cvs named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cvs_filetrans_home_content',` ++ gen_require(` ++ type cvs_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore") ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an cvs environment + ## +@@ -59,12 +95,18 @@ interface(`cvs_exec',` + interface(`cvs_admin',` + gen_require(` + type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; +- type cvs_data_t, cvs_var_run_t; ++ type cvs_data_t, cvs_var_run_t, cvs_keytab_t; ++ type cvs_home_t; ') - allow $1 cvs_t:process { ptrace signal_perms }; @@ -18466,8 +18507,16 @@ index 9fa7ffb..fd3262c 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; +@@ -78,4 +120,7 @@ interface(`cvs_admin',` + + files_list_pids($1) + admin_pattern($1, cvs_var_run_t) ++ ++ userdom_search_user_home_dirs($1) ++ admin_pattern($1, cvs_home_t) + ') diff --git a/cvs.te b/cvs.te -index 53fc3af..897ad64 100644 +index 53fc3af..d7cdaaf 100644 --- a/cvs.te +++ b/cvs.te @@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) 
@@ -18484,7 +18533,31 @@ index 53fc3af..897ad64 100644 application_executable_file(cvs_exec_t) type cvs_data_t; # customizable -@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t) +@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t) + type cvs_var_run_t; + files_pid_file(cvs_var_run_t) + ++type cvs_home_t; ++userdom_user_home_content(cvs_home_t) ++ + ######################################## + # + # Local policy + # + +-allow cvs_t self:capability { setuid setgid }; ++allow cvs_t self:capability { dac_override dac_read_search setuid setgid }; + allow cvs_t self:process signal_perms; + allow cvs_t self:fifo_file rw_fifo_file_perms; + allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + ++userdom_search_user_home_dirs(cvs_t) ++allow cvs_t cvs_home_t:file read_file_perms; ++ + manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) + manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) + manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) +@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -18500,7 +18573,7 @@ index 53fc3af..897ad64 100644 dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) -@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t) +@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) @@ -18513,8 +18586,8 @@ index 53fc3af..897ad64 100644 - mta_send_mail(cvs_t) - userdom_dontaudit_search_user_home_dirs(cvs_t) - +-userdom_dontaudit_search_user_home_dirs(cvs_t) +- # cjp: typeattribute doesnt work in conditionals yet auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` @@ -18522,7 +18595,7 @@ index 53fc3af..897ad64 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -103,4 +113,5 @@ optional_policy(` +@@ -103,4 +117,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) 
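Review bot: The changed line `allow cvs_t self:capability { dac_override dac_read_search setuid setgid };` makes dac_override unconditional for the CVS server, whereas before this hunk it was granted only inside the `cvs_read_shadow` tunable block, which the hunk leaves in place (its `allow cvs_t self:capability dac_override;` is now redundant). dac_override lets a compromised cvs_t ignore Unix permission bits on every file type its SELinux rules already reach, including the newly added `cvs_home_t` content and the user home directories it may now search, so this widens the blast radius of a server compromise well beyond what reading ~/.cvsignore requires. If the aim is only to read mode-0600 files in home directories, `dac_read_search` alone is the narrower capability; otherwise the grant deserves a comment naming the access that needs it, and the duplicate inside the tunable should be removed. The changelog does not mention this capability change at all.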
@@ -22408,10 +22481,10 @@ index 0000000..484dd44 \ No newline at end of file diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..d856375 +index 0000000..543baf1 --- /dev/null +++ b/docker.if -@@ -0,0 +1,196 @@ +@@ -0,0 +1,250 @@ + +## The open-source application container engine. + @@ -22455,6 +22528,25 @@ index 0000000..d856375 + +######################################## +## ++## Execute docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_exec_lib',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ allow $1 docker_var_lib_t:dir search_dir_perms; ++ can_exec($1, docker_var_lib_t) ++') ++ ++######################################## ++## +## Read docker lib files. +## +## @@ -22512,6 +22604,41 @@ index 0000000..d856375 + +######################################## +## ++## Create objects in a docker var lib directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`docker_lib_filetrans',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4) ++') ++ ++######################################## ++## +## Read docker PID files. +## +## @@ -22610,7 +22737,7 @@ index 0000000..d856375 +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..85e2ddb +index 0000000..f156949 --- /dev/null +++ b/docker.te @@ -0,0 +1,145 @@ 
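Review bot: The new `docker_exec_lib` interface is summarised as "Execute docker lib directories", but what it grants is `can_exec($1, docker_var_lib_t)`, i.e. permission for the caller to execute any file under the docker lib tree, which on a Docker host holds downloaded image layers and container filesystems rather than vetted binaries. That is a meaningful grant and the summary should say so, so that callers do not pick it up for a mere directory search: `## Execute files stored in the docker lib tree (image and container content).` followed by a `## ` line noting that such code then runs with the caller's own privileges. No caller of the interface is visible in this view, so which domain actually needs it cannot be checked here.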
@@ -22711,10 +22838,10 @@ index 0000000..85e2ddb + +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; +allow docker_t self:process { setpgid setsched signal_perms }; -+allow docker_t self:netlink_route_socket nlmsg_write; -+allow docker_t self:netlink_audit_socket create_netlink_perms; ++allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; ++allow docker_t self:netlink_audit_socket create_netlink_socket_perms; +allow docker_t self:unix_dgram_socket create_socket_perms; -+allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto } ++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow docker_t docker_var_lib_t:dir mounton; +allow docker_t docker_var_lib_t:chr_file mounton; @@ -40011,10 +40138,10 @@ index 0000000..767bbad +/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0) diff --git a/mip6d.if b/mip6d.if new file mode 100644 -index 0000000..9e2bf1b +index 0000000..8169129 --- /dev/null +++ b/mip6d.if -@@ -0,0 +1,80 @@ +@@ -0,0 +1,79 @@ + +## Mobile IPv6 and NEMO Basic Support implementation + @@ -40053,7 +40180,7 @@ index 0000000..9e2bf1b + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 mip6d_unit_file_t:file read_file_perms; + allow $1 mip6d_unit_file_t:service manage_service_perms; + @@ -40071,22 +40198,21 @@ index 0000000..9e2bf1b +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`mip6d_admin',` + gen_require(` + type mip6d_t; -+ type mip6d_unit_file_t; ++ type mip6d_unit_file_t; + ') + -+ allow $1 mip6d_t:process { ptrace signal_perms }; ++ allow $1 mip6d_t:process { signal_perms }; + ps_process_pattern($1, mip6d_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mip6d_t:process ptrace; ++ ') ++ + mip6d_systemctl($1) + admin_pattern($1, mip6d_unit_file_t) + allow $1 mip6d_unit_file_t:service all_service_perms; 
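Review bot: The corrected line `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` in docker.te ends with two semicolons; I do not believe the policy grammar accepts an empty statement, so unless checkmodule happens to tolerate it the module build will fail on the very line this "fix typo" commit rewrites. Drop one: `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;`. The other corrections in the hunk (`create_netlink_socket_perms` in place of the nonexistent `create_netlink_perms`, and the terminating semicolon added to the unix_stream_socket rule) look right.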
@@ -40134,6 +40260,300 @@ index 0000000..1d34063 + +logging_send_syslog_msg(mip6d_t) + +diff --git a/mirrormanager.fc b/mirrormanager.fc +new file mode 100644 +index 0000000..c713b27 +--- /dev/null ++++ b/mirrormanager.fc +@@ -0,0 +1,7 @@ ++/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0) ++ ++/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0) ++ ++/var/log/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_log_t,s0) ++ ++/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) +diff --git a/mirrormanager.if b/mirrormanager.if +new file mode 100644 +index 0000000..7ba3eed +--- /dev/null ++++ b/mirrormanager.if +@@ -0,0 +1,222 @@ ++ ++## policy for mirrormanager ++ ++######################################## ++## ++## Execute TEMPLATE in the mirrormanager domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mirrormanager_domtrans',` ++ gen_require(` ++ type mirrormanager_t, mirrormanager_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t) ++') ++######################################## ++## ++## Read mirrormanager's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`mirrormanager_read_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Append to mirrormanager log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_append_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager log files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mirrormanager_manage_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++ manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++ manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Search mirrormanager lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_search_lib',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ allow $1 mirrormanager_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read mirrormanager lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_read_lib_files',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_lib_files',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_lib_dirs',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Read mirrormanager PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mirrormanager_read_pid_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mirrormanager environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`mirrormanager_admin',` ++ gen_require(` ++ type mirrormanager_t; ++ type mirrormanager_log_t; ++ type mirrormanager_var_lib_t; ++ type mirrormanager_var_run_t; ++ ') ++ ++ allow $1 mirrormanager_t:process { signal_perms }; ++ ps_process_pattern($1, mirrormanager_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mirrormanager_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, mirrormanager_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, mirrormanager_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, mirrormanager_var_run_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/mirrormanager.te b/mirrormanager.te +new file mode 100644 +index 0000000..a19c096 +--- /dev/null ++++ b/mirrormanager.te +@@ -0,0 +1,47 @@ ++policy_module(mirrormanager, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mirrormanager_t; ++type mirrormanager_exec_t; ++cron_system_entry(mirrormanager_t, mirrormanager_exec_t) ++ ++type mirrormanager_log_t; ++logging_log_file(mirrormanager_log_t) ++ ++type mirrormanager_var_lib_t; ++files_type(mirrormanager_var_lib_t) ++ ++type mirrormanager_var_run_t; ++files_pid_file(mirrormanager_var_run_t) ++ ++######################################## ++# ++# mirrormanager local policy ++# ++allow mirrormanager_t self:fifo_file rw_fifo_file_perms; ++allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms; ++ 
++manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir file lnk_file }) ++ ++domain_use_interactive_fds(mirrormanager_t) ++ ++files_read_etc_files(mirrormanager_t) ++ ++miscfiles_read_localization(mirrormanager_t) diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -84258,20 +84678,24 @@ index 5f35d78..50651d2 100644 + uucp_domtrans_uux(sendmail_t) ') diff --git a/sensord.fc b/sensord.fc -index 8185d5a..719ac47 100644 +index 8185d5a..97926d2 100644 --- a/sensord.fc +++ b/sensord.fc -@@ -1,3 +1,5 @@ +@@ -1,5 +1,9 @@ +/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) + /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) + ++/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) ++ + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) 
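Review bot: `mirrormanager_admin` in the new mirrormanager.if documents a second "Role allowed access" parameter but its body never references `$2`, which is exactly the defect this commit fixes in `bumblebee_admin` and `mip6d_admin`; either drop the role paragraph or add the role_transition the role would be used for. The summary of `mirrormanager_domtrans` still reads `Execute TEMPLATE in the mirrormanager domin.`, a template placeholder that was never filled in; `## Execute mirrormanager in the mirrormanager domain.` is the intended text. Separately, mirrormanager.te ends with `domain_use_interactive_fds`, `files_read_etc_files` and `miscfiles_read_localization`, the same three calls the bumblebee.te cleanup in this commit removes as unnecessary, so the two files disagree about whether those grants are still needed per domain.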
diff --git a/sensord.if b/sensord.if -index d204752..5eba5fd 100644 +index d204752..31cc6e6 100644 --- a/sensord.if +++ b/sensord.if -@@ -1,35 +1,75 @@ +@@ -1,35 +1,80 @@ -## Sensor information logging daemon. + +## Sensor information logging daemon @@ -84339,7 +84763,9 @@ index d204752..5eba5fd 100644 gen_require(` - type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; + type sensord_t; -+ type sensord_unit_file_t; ++ type sensord_unit_file_t; ++ type sensord_log_t; ++ type sensord_var_run_t; ') allow $1 sensord_t:process { ptrace signal_perms }; @@ -84354,17 +84780,19 @@ index d204752..5eba5fd 100644 + allow $1 sensord_unit_file_t:service all_service_perms; - files_search_pids($1) -- admin_pattern($1, sensord_var_run_t) ++ admin_pattern($1, sensord_log_t) + admin_pattern($1, sensord_var_run_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') ') diff --git a/sensord.te b/sensord.te -index 5e82fd6..fa352d8 100644 +index 5e82fd6..f3e5808 100644 --- a/sensord.te +++ b/sensord.te -@@ -9,6 +9,9 @@ type sensord_t; +@@ -9,12 +9,18 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) 
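Review bot: The new `admin_pattern($1, sensord_log_t)` in `sensord_admin` is not paired with `logging_search_logs($1)`, so an admin domain that cannot already traverse /var/log gets manage rights on the file type but no path to reach it; `mirrormanager_admin`, added by this same commit, does call `logging_search_logs($1)` before its log admin_pattern. Add `logging_search_logs($1)` immediately before the new line for consistency. The interface body is split across two hunks here, so whether the caller picks up the search permission elsewhere in it cannot be confirmed from this view.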
@@ -84374,7 +84802,24 @@ index 5e82fd6..fa352d8 100644 type sensord_initrc_exec_t; init_script_file(sensord_initrc_exec_t) -@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file) + type sensord_var_run_t; + files_pid_file(sensord_var_run_t) + ++type sensord_log_t; ++logging_log_file(sensord_log_t) ++ + ######################################## + # + # Local policy +@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t) + allow sensord_t self:fifo_file rw_fifo_file_perms; + allow sensord_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t) ++logging_log_filetrans(sensord_t, sensord_log_t, file) ++ + manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) + files_pid_filetrans(sensord_t, sensord_var_run_t, file) dev_read_sysfs(sensord_t) @@ -86570,7 +87015,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..bdd8566 100644 +index 703efa3..2c05493 100644 --- a/sosreport.te +++ b/sosreport.te @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) @@ -86732,13 +87177,17 @@ index 703efa3..bdd8566 100644 ') optional_policy(` -@@ -135,9 +193,21 @@ optional_policy(` +@@ -135,9 +193,25 @@ optional_policy(` ') optional_policy(` - rpm_exec(sosreport_t) - rpm_dontaudit_manage_db(sosreport_t) - rpm_read_db(sosreport_t) ++ rhsmcertd_manage_lib_files(sosreport_t) ++') ++ ++optional_policy(` + rpm_dontaudit_manage_db(sosreport_t) + rpm_manage_cache(sosreport_t) + rpm_manage_log(sosreport_t) @@ -96532,10 +96981,10 @@ index 9dec06c..43128c6 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..15485c6 100644 +index 1f22fba..156d389 100644 --- a/virt.te +++ b/virt.te -@@ -1,147 +1,173 @@ +@@ -1,147 +1,194 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) 
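Review bot: In sensord.te the new `logging_log_filetrans(sensord_t, sensord_log_t, file)` carries no filename, so any file sensord creates directly in /var/log is labelled sensord_log_t at runtime, while sensord.fc in this same commit only labels `/var/log/sensord\.rrd`; a relabel would then move anything else back to var_log_t and the two sources of truth disagree. Since the daemon's only known log object is the rrd file, a named transition keeps them aligned: `logging_log_filetrans(sensord_t, sensord_log_t, file, "sensord.rrd")`. This is a tightening, not a functional bug, and the rest of the local policy block sits outside the hunk.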
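Review bot: The new `rhsmcertd_manage_lib_files(sosreport_t)` in sosreport.te gives a diagnostics collector create/write/delete rights over the subscription daemon's state, which is broader than the read access a report normally needs and means a faulty or hostile sosreport plugin can alter entitlement data. The changelog explains it as subscription-manager being run inside sosreport_t; if rhsmcertd's interface file offers a domain transition for that tool, running it in its own domain would be the tighter fix, otherwise a one-line comment such as `# subscription-manager invoked by sosreport rewrites rhsm state` above the call would at least record why manage rather than read is required. The enclosing optional_policy run continues past the end of this hunk.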
@@ -96675,9 +97124,6 @@ index 1f22fba..15485c6 100644 -attribute virt_tmpfs_type; - -attribute svirt_lxc_domain; -- --attribute_role virt_domain_roles; --roleattribute system_r virt_domain_roles; +## +##

+## Allow confined virtual guests to use usb devices @@ -96685,22 +97131,44 @@ index 1f22fba..15485c6 100644 +## +gen_tunable(virt_use_usb, true) +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; ++## ++##

++## Allow sandbox containers to send audit messages ++##

++##
++gen_tunable(virt_sandbox_use_audit, false) + -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; -+virt_domain_template(svirt) -+role system_r types svirt_t; -+typealias svirt_t alias qemu_t; ++## ++##

++## Allow sandbox containers to use netlink system calls ++##

++##
++gen_tunable(virt_sandbox_use_netlink, false) -attribute_role svirt_lxc_domain_roles; -roleattribute system_r svirt_lxc_domain_roles; -+virt_domain_template(svirt_tcg) -+role system_r types svirt_tcg_t; ++## ++##

++## Allow sandbox containers to use sys_admin system calls, for example mount ++##

++##
++gen_tunable(virt_sandbox_use_sys_admin, false) --virt_domain_template(svirt) + virt_domain_template(svirt) -virt_domain_template(svirt_prot_exec) -+type qemu_exec_t, virt_file_type; ++role system_r types svirt_t; ++typealias svirt_t alias qemu_t; ++ ++virt_domain_template(svirt_tcg) ++role system_r types svirt_tcg_t; -type virt_cache_t alias svirt_cache_t; ++type qemu_exec_t, virt_file_type; ++ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -96782,7 +97250,7 @@ index 1f22fba..15485c6 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +176,142 @@ ifdef(`enable_mls',` +@@ -150,295 +197,142 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -97164,7 +97632,7 @@ index 1f22fba..15485c6 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +321,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +342,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -97211,7 +97679,7 @@ index 1f22fba..15485c6 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +356,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +377,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
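Review bot: The descriptions of the two new booleans call sys_admin and netlink "system calls" (`## Allow sandbox containers to use sys_admin system calls, for example mount`), but sys_admin is a capability and netlink is a socket family, so `## Allow sandbox containers to use the sys_admin capability, for example to mount filesystems` and `## Allow sandbox containers to create netlink sockets` would name the privilege the boolean actually gates. These strings are what administrators see when listing booleans, so precision matters more here than in a code comment. The rules later in virt.te apply `virt_sandbox_use_sys_admin` only to svirt_lxc_net_t while the text says "sandbox containers" generally; either the wording or the later rules should be brought into line.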
@@ -97221,19 +97689,19 @@ index 1f22fba..15485c6 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +369,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +390,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -97241,7 +97709,7 @@ index 1f22fba..15485c6 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +377,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +398,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -97269,7 +97737,7 @@ index 1f22fba..15485c6 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +397,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +418,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -97302,7 +97770,7 @@ index 1f22fba..15485c6 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +448,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +469,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -97322,7 +97790,7 @@ index 1f22fba..15485c6 100644 selinux_validate_context(virtd_t) -@@ -613,18 +470,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +491,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -97359,7 +97827,7 @@ index 1f22fba..15485c6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +498,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +519,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -97368,7 +97836,7 @@ index 1f22fba..15485c6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +523,12 @@ optional_policy(` +@@ -658,20 +544,12 @@ optional_policy(` ') optional_policy(` @@ -97389,7 +97857,7 @@ index 1f22fba..15485c6 100644 ') optional_policy(` -@@ -684,14 +541,20 @@ optional_policy(` +@@ -684,14 +562,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -97412,7 +97880,7 @@ index 1f22fba..15485c6 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +567,13 @@ optional_policy(` +@@ -704,11 +588,13 @@ optional_policy(` ') optional_policy(` @@ -97426,7 +97894,7 @@ index 1f22fba..15485c6 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +584,18 @@ optional_policy(` +@@ -719,10 +605,18 @@ optional_policy(` ') optional_policy(` @@ -97445,7 +97913,7 @@ index 1f22fba..15485c6 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +610,264 @@ optional_policy(` +@@ -737,44 +631,264 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -97473,28 +97941,22 @@ index 1f22fba..15485c6 100644 -allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { accept connectto listen }; -allow virsh_t self:tcp_socket { accept listen }; -- ++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) ++read_files_pattern(virt_domain, virt_content_t, virt_content_t) ++dontaudit virt_domain virt_content_t:file write_file_perms; ++dontaudit virt_domain virt_content_t:dir write; + -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) -- ++kernel_read_net_sysctls(virt_domain) + -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) -+read_files_pattern(virt_domain, virt_content_t, virt_content_t) -+dontaudit virt_domain virt_content_t:file write_file_perms; -+dontaudit virt_domain virt_content_t:dir write; - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -+kernel_read_net_sysctls(virt_domain) - --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -97504,13 +97966,14 @@ index 1f22fba..15485c6 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) - --allow virsh_t svirt_lxc_domain:process transition; ++ +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --can_exec(virsh_t, virsh_exec_t) +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -97541,11 +98004,14 @@ index 1f22fba..15485c6 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; -+ + +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +dontaudit virt_domain virt_tmpfs_type:file { read write }; -+ + +-allow virsh_t svirt_lxc_domain:process transition; +append_files_pattern(virt_domain, virt_log_t, virt_log_t) -+ + +-can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -97559,7 +98025,7 @@ index 1f22fba..15485c6 100644 +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) +corenet_rw_inherited_tun_tap_dev(virt_domain) - ++ +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) 
@@ -97696,7 +98162,7 @@ index 1f22fba..15485c6 100644 +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; -+ + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) @@ -97734,7 +98200,7 @@ index 1f22fba..15485c6 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +878,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +899,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -97761,7 +98227,7 @@ index 1f22fba..15485c6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +898,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +919,23 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -97794,7 +98260,7 @@ index 1f22fba..15485c6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +933,20 @@ optional_policy(` +@@ -847,14 +954,20 @@ optional_policy(` ') optional_policy(` @@ -97816,7 +98282,7 @@ index 1f22fba..15485c6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +971,65 @@ optional_policy(` +@@ -879,49 +992,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -97856,7 +98322,7 @@ index 1f22fba..15485c6 100644 manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) -+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill }; ++allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; -manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) 
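Review bot: `allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };` grants noatsecure on the virtd_t to virtd_lxc_t transition set up by the `domtrans_pattern` line just above it, which disables secure-execution environment cleansing for the lxc helper, so it starts with virtd's environment passed through unsanitized. Whether this line is new in this commit cannot be recovered from the collapsed hunk, but it is on the new side either way. Unless the helper depends on that environment, the usual form is `dontaudit virtd_t virtd_lxc_t:process noatsecure;` with the allow reduced to `allow virtd_t virtd_lxc_t:process { getattr signal_perms };`, which keeps the audit log quiet without the grant.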
@@ -97900,7 +98366,7 @@ index 1f22fba..15485c6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1041,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1062,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -97920,7 +98386,7 @@ index 1f22fba..15485c6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1062,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1083,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -97944,7 +98410,7 @@ index 1f22fba..15485c6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1087,246 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1108,271 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -97971,11 +98437,15 @@ index 1f22fba..15485c6 100644 -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` -+ gnome_read_generic_cache_files(virtd_lxc_t) ++ docker_exec_lib(virtd_lxc_t) +') -sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` ++ gnome_read_generic_cache_files(virtd_lxc_t) ++') ++ ++optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') + 
@@ -98160,17 +98630,22 @@ index 1f22fba..15485c6 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ docker_read_lib_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + @@ -98187,7 +98662,7 @@ index 1f22fba..15485c6 100644 +typeattribute svirt_lxc_net_t sandbox_net_domain; -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; 
@@ -98195,15 +98670,18 @@ index 1f22fba..15485c6 100644 -allow svirt_lxc_net_t self:packet_socket create_socket_perms; -allow svirt_lxc_net_t self:socket create_socket_perms; -allow svirt_lxc_net_t self:rawip_socket create_socket_perms; -+allow svirt_lxc_net_t self:process { execstack execmem }; - allow svirt_lxc_net_t self:netlink_socket create_socket_perms; +-allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; - allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; - +-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; +- -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) -- ++allow svirt_lxc_net_t self:process { execstack execmem }; ++ ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') + -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) -corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t) 
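Review bot: The new svirt_lxc_net_t capability line drops sys_admin (gated by `virt_sandbox_use_sys_admin` in the next hunk), but the same commit leaves `sys_admin` in the unconditional capability sets of svirt_qemu_net_t (hunk `@@ -98265,9 +98753,12 @@`) and svirt_kvm_net_t (context line in hunk `@@ -98490,9 +98983,12 @@`), so the "remove mount/sys_admin by default in virt_sandbox domains" change only reaches one of the three sandbox domains. Those two capability lines should drop sys_admin the same way and get the same `tunable_policy` block with `allow svirt_qemu_net_t self:capability sys_admin;` (and the kvm equivalent) inside, otherwise the boolean gives a false sense of having closed mount for all sandboxes. Minor style: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first argument.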
@@ -98214,13 +98692,20 @@ index 1f22fba..15485c6 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow svirt_lxc_net_t self:netlink_socket create_socket_perms; ++ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++', ` ++ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) ++') -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -corenet_udp_bind_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_all_ports(svirt_lxc_net_t) -- ++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; + -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_lxc_net_t) @@ -98238,22 +98723,25 @@ index 1f22fba..15485c6 100644 fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) +fs_manage_cgroup_files(svirt_lxc_net_t) -+ + +-auth_use_nsswitch(svirt_lxc_net_t) +term_pty(svirt_sandbox_file_t) - auth_use_nsswitch(svirt_lxc_net_t) +-logging_send_audit_msgs(svirt_lxc_net_t) ++auth_use_nsswitch(svirt_lxc_net_t) +-userdom_use_user_ptys(svirt_lxc_net_t) +rpm_read_db(svirt_lxc_net_t) -+ - logging_send_audit_msgs(svirt_lxc_net_t) - - userdom_use_user_ptys(svirt_lxc_net_t) -optional_policy(` - rpm_read_db(svirt_lxc_net_t) --') -- ++tunable_policy(`virt_sandbox_use_audit',` ++ logging_send_audit_msgs(svirt_lxc_net_t) + ') + -####################################### ++userdom_use_user_ptys(svirt_lxc_net_t) ++ +######################################## # -# Prot exec local policy 
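Review bot: The else branch of the `virt_sandbox_use_netlink` block, `logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)`, silences audit-message denials based on the netlink boolean rather than on `virt_sandbox_use_audit`, which is the tunable that actually grants `logging_send_audit_msgs` in hunk `@@ -98238,22 +98723,25 @@`. With netlink on and audit off the denials are logged; with netlink off and audit on the allow and the dontaudit overlap; neither combination looks intended. Moving the dontaudit into an else branch of the audit tunable, and adding the same else branch for svirt_qemu_net_t and svirt_kvm_net_t in hunks `@@ -98309,7 +98800,9 @@` and `@@ -98527,7 +99023,9 @@`, keeps the two booleans independent. If the placement is deliberate (hiding netlink_audit_socket noise whenever netlink is disabled), a one-line comment above the else branch saying so would stop the next reader from moving it.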
@@ -98265,9 +98753,12 @@ index 1f22fba..15485c6 100644 +allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execstack execmem }; -+allow svirt_qemu_net_t self:netlink_socket create_socket_perms; -+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms; ++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++') + +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) @@ -98287,10 +98778,10 @@ index 1f22fba..15485c6 100644 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) -+ -+kernel_read_irq_sysctls(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++kernel_read_irq_sysctls(svirt_qemu_net_t) ++ +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) @@ -98309,7 +98800,9 @@ index 1f22fba..15485c6 100644 + +rpm_read_db(svirt_qemu_net_t) + -+logging_send_audit_msgs(svirt_qemu_net_t) ++tunable_policy(`virt_sandbox_use_audit',` ++ logging_send_audit_msgs(svirt_qemu_net_t) ++') + +userdom_use_user_ptys(svirt_qemu_net_t) 
@@ -98327,7 +98820,7 @@ index 1f22fba..15485c6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1385,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -98342,7 +98835,7 @@ index 1f22fba..15485c6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1357,8 @@ optional_policy(` +@@ -1183,9 +1403,8 @@ optional_policy(` ######################################## # @@ -98353,7 +98846,7 @@ index 1f22fba..15485c6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1371,193 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1417,198 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -98490,9 +98983,12 @@ index 1f22fba..15485c6 100644 + +allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; -+allow svirt_kvm_net_t self:netlink_socket create_socket_perms; -+allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow svirt_kvm_net_t self:netlink_socket create_socket_perms; ++ allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++') + +term_use_generic_ptys(svirt_kvm_net_t) +term_use_ptmx(svirt_kvm_net_t) 
@@ -98527,7 +99023,9 @@ index 1f22fba..15485c6 100644 + +rpm_read_db(svirt_kvm_net_t) + -+logging_send_audit_msgs(svirt_kvm_net_t) ++tunable_policy(`virt_sandbox_use_audit',` ++ logging_send_audit_msgs(svirt_kvm_net_t) ++') + +userdom_use_user_ptys(svirt_kvm_net_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 054a5ee..0bda977 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -576,6 +576,27 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Dec 19 2013 Miroslav Grepl 3.12.1-111 +- Add labeling for /var/lib/servicelog/servicelog.db-journal +- Add support for freeipmi port +- Add sysadm_u_default_contexts +- Make new type to texlive files in homedir +- Allow subscription-manager running as sosreport_t to manage rhsmcertd +- Additional fixes for docker.te +- Remove ability to do mount/sys_admin by default in virt_sandbox domains +- New rules required to run docker images within libivrt +- Add label for ~/.cvsignore +- Change mirrormanager to be run by cron +- Add mirrormanager policy +- Fixed bumblebee_admin() and mip6d_admin() +- Add log support for sensord +- Fix typo in docker.te +- Allow amanda to do backups over UDP +- Allow bumblebee to read /etc/group and clean up bumblebee.te +- type transitions with a filename not allowed inside conditionals +- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 +- Make new type to texlive files in homedir + * Thu Dec 12 2013 Miroslav Grepl 3.12.1-110 - Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template()