From fcebe07f6ca82f340b436367ffb0fb8e1cf2043c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 05 2017 07:36:30 +0000 Subject: * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279 - Allow abrt_dump_oops_t to read sssd_public_t files - Allow cockpit_ws_t to mmap usr_t files - Allow systemd to read/write dri devices. --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 11ff2f9..96dd93e 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4e2480b..4b9c6c9 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -36943,7 +36943,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..a980b4d3f 100644 +index 17eda2480..4593a868a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37124,7 +37124,7 @@ index 17eda2480..a980b4d3f 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +213,27 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +213,28 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -37150,10 +37150,11 @@ index 17eda2480..a980b4d3f 100644 +dev_filetrans_all_named_dev(init_t) +dev_write_watchdog(init_t) +dev_rw_inherited_input_dev(init_t) ++dev_rw_dri(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +241,103 @@ domain_signal_all_domains(init_t) +@@ -139,45 +242,103 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) 
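Review bot: The `dev_rw_dri(init_t)` rule added in the `@@ -37150,10 +37150,11 @@` hunk widens PID 1's domain with an unconditional rule, and neither the hunk nor the changelog records the denial or bug that motivated it, unlike the `BZ(1456241)` reference carried by the ddclient entry in the same spec. init_t is also where a service that lacks its own domain transition typically ends up, so if the AVC came from such a service this rule would mask a missing domain rather than express a need of systemd itself; I cannot see the denial from here, so the source process is worth confirming before landing it. I would put the justification above the rule, e.g. `# systemd needs rw on dri device nodes for <reason placeholder> (<bug id placeholder>)`, and the same documentation gap applies to `sssd_read_public_files(abrt_dump_oops_t)` and `files_mmap_usr_files(cockpit_ws_t)` in the policy-rawhide-contrib.patch hunks. The init_t rule block this line sits in continues outside the hunk.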
@@ -37264,7 +37265,7 @@ index 17eda2480..a980b4d3f 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +346,283 @@ ifdef(`distro_gentoo',` +@@ -186,29 +347,283 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37557,7 +37558,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -216,7 +630,30 @@ optional_policy(` +@@ -216,7 +631,30 @@ optional_policy(` ') optional_policy(` @@ -37589,7 +37590,7 @@ index 17eda2480..a980b4d3f 100644 ') ######################################## -@@ -225,9 +662,9 @@ optional_policy(` +@@ -225,9 +663,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37601,7 +37602,7 @@ index 17eda2480..a980b4d3f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +695,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +696,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37618,7 +37619,7 @@ index 17eda2480..a980b4d3f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +720,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +721,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37661,7 +37662,7 @@ index 17eda2480..a980b4d3f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +757,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +758,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -37673,7 +37674,7 @@ index 17eda2480..a980b4d3f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +769,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +770,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37684,7 +37685,7 @@ index 17eda2480..a980b4d3f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +780,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +781,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37694,7 +37695,7 @@ index 17eda2480..a980b4d3f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +789,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +790,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37702,7 +37703,7 @@ index 17eda2480..a980b4d3f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +796,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +797,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37710,7 +37711,7 @@ index 17eda2480..a980b4d3f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +804,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +805,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -37728,7 +37729,7 @@ index 17eda2480..a980b4d3f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +822,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +823,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37742,7 +37743,7 @@ index 17eda2480..a980b4d3f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +837,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +838,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37756,7 +37757,7 @@ index 17eda2480..a980b4d3f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +850,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +851,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37767,7 +37768,7 @@ index 17eda2480..a980b4d3f 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +863,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +864,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37775,7 +37776,7 @@ index 17eda2480..a980b4d3f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +882,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +883,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37799,7 +37800,7 @@ index 17eda2480..a980b4d3f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +915,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +916,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -37807,7 +37808,7 @@ index 17eda2480..a980b4d3f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +949,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +950,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37818,7 +37819,7 @@ index 17eda2480..a980b4d3f 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +973,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +974,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37827,7 +37828,7 @@ index 17eda2480..a980b4d3f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +988,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +989,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37835,7 +37836,7 @@ index 17eda2480..a980b4d3f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1009,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1010,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37843,7 +37844,7 @@ index 17eda2480..a980b4d3f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1019,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1020,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37888,7 +37889,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -559,14 +1064,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1065,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37920,7 +37921,7 @@ index 17eda2480..a980b4d3f 100644 ') ') -@@ -577,6 +1099,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1100,39 @@ ifdef(`distro_suse',` ') ') 
@@ -37960,7 +37961,7 @@ index 17eda2480..a980b4d3f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1144,8 @@ optional_policy(` +@@ -589,6 +1145,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37969,7 +37970,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -610,6 +1167,7 @@ optional_policy(` +@@ -610,6 +1168,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37977,7 +37978,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -626,6 +1184,17 @@ optional_policy(` +@@ -626,6 +1185,17 @@ optional_policy(` ') optional_policy(` @@ -37995,7 +37996,7 @@ index 17eda2480..a980b4d3f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1211,13 @@ optional_policy(` +@@ -642,9 +1212,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38009,7 +38010,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -657,15 +1230,11 @@ optional_policy(` +@@ -657,15 +1231,11 @@ optional_policy(` ') optional_policy(` @@ -38027,7 +38028,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -686,6 +1255,15 @@ optional_policy(` +@@ -686,6 +1256,15 @@ optional_policy(` ') optional_policy(` @@ -38043,7 +38044,7 @@ index 17eda2480..a980b4d3f 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1304,7 @@ optional_policy(` +@@ -726,6 +1305,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38051,7 +38052,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -743,7 +1322,13 @@ optional_policy(` +@@ -743,7 +1323,13 @@ optional_policy(` ') optional_policy(` @@ -38066,7 +38067,7 @@ index 17eda2480..a980b4d3f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1351,10 @@ optional_policy(` +@@ -766,6 +1352,10 @@ optional_policy(` ') optional_policy(` 
@@ -38077,7 +38078,7 @@ index 17eda2480..a980b4d3f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1364,20 @@ optional_policy(` +@@ -775,10 +1365,20 @@ optional_policy(` ') optional_policy(` @@ -38098,7 +38099,7 @@ index 17eda2480..a980b4d3f 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1386,10 @@ optional_policy(` +@@ -787,6 +1387,10 @@ optional_policy(` ') optional_policy(` @@ -38109,7 +38110,7 @@ index 17eda2480..a980b4d3f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1411,6 @@ optional_policy(` +@@ -808,8 +1412,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38118,7 +38119,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -818,6 +1419,10 @@ optional_policy(` +@@ -818,6 +1420,10 @@ optional_policy(` ') optional_policy(` @@ -38129,7 +38130,7 @@ index 17eda2480..a980b4d3f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1432,12 @@ optional_policy(` +@@ -827,10 +1433,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38142,7 +38143,7 @@ index 17eda2480..a980b4d3f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1464,62 @@ optional_policy(` +@@ -857,21 +1465,62 @@ optional_policy(` ') optional_policy(` @@ -38206,7 +38207,7 @@ index 17eda2480..a980b4d3f 100644 ') optional_policy(` -@@ -887,6 +1535,10 @@ optional_policy(` +@@ -887,6 +1536,10 @@ optional_policy(` ') optional_policy(` @@ -38217,7 +38218,7 @@ index 17eda2480..a980b4d3f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1549,218 @@ optional_policy(` +@@ -897,3 +1550,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f1b2638..59f9fbf 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
@@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..3c19e28fc 100644 +index eb50f070f..5c05075a4 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1060,7 +1060,7 @@ index eb50f070f..3c19e28fc 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +476,86 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +476,87 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1142,6 +1142,7 @@ index eb50f070f..3c19e28fc 100644 +init_read_var_lib_files(abrt_dump_oops_t) + +optional_policy(` ++ sssd_read_public_files(abrt_dump_oops_t) + sssd_stream_connect(abrt_dump_oops_t) +') + @@ -1151,7 +1152,7 @@ index eb50f070f..3c19e28fc 100644 ####################################### # -@@ -404,25 +563,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +564,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1214,7 +1215,7 @@ index eb50f070f..3c19e28fc 100644 ') ####################################### -@@ -430,10 +624,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +625,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -15550,10 +15551,10 @@ index 000000000..d5920c061 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 000000000..b802a9920 +index 000000000..08aaee4bb --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,121 @@ +@@ -0,0 +1,123 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -15618,6 +15619,8 @@ index 000000000..b802a9920 + +auth_use_nsswitch(cockpit_ws_t) + ++files_mmap_usr_files(cockpit_ws_t) ++ +init_stream_connect(cockpit_ws_t) + +logging_send_syslog_msg(cockpit_ws_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index aa074f6..1c03730 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 278%{?dist} +Release: 279%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,11 @@ exit 0 %endif %changelog +* Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279 +- Allow abrt_dump_oops_t to read sssd_public_t files +- Allow cockpit_ws_t to mmap usr_t files +- Allow systemd to read/write dri devices. + * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278 - Add couple rules related to map permissions - Allow ddclient use nsswitch BZ(1456241)