diff --git a/policy-f23-base.patch b/policy-f23-base.patch index 73d836c..ecb1ad7 100644 --- a/policy-f23-base.patch +++ b/policy-f23-base.patch @@ -28416,7 +28416,7 @@ index 6bf0ecc..6e6a123 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..b016816 100644 +index 8b40377..e6f025d 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -29010,7 +29010,7 @@ index 8b40377..b016816 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -29022,6 +29022,7 @@ index 8b40377..b016816 100644 +term_use_all_terms(xdm_t) +term_relabel_all_ttys(xdm_t) +term_relabel_unallocated_ttys(xdm_t) ++term_getattr_virtio_console(xdm_t) auth_domtrans_pam_console(xdm_t) -auth_manage_pam_pid(xdm_t) @@ -29059,7 +29060,7 @@ index 8b40377..b016816 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29229,7 +29230,7 @@ index 8b40377..b016816 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') 
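Review bot: The added `term_getattr_virtio_console(xdm_t)` carries no comment, and the only explanation of why the display manager needs to stat a virtio console is the spec changelog on the last hunk (vdagent screen resize, rhbz#1249020); a reader of xserver.te alone cannot tell whether this is a stray device access or a deliberate grant. Suggest preceding it with `# rhbz#1249020: gdm stats the virtio console (spice vdagent channel) when a resized session logs out`. This commit touches no terminal.if, so the interface must already be defined on the base side; if it is not, m4 leaves the call unexpanded and checkmodule rejects the module. The xdm_t block of xserver.te continues outside the hunk.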
@@ -29261,7 +29262,7 @@ index 8b40377..b016816 100644 ') optional_policy(` -@@ -517,9 +892,34 @@ optional_policy(` +@@ -517,9 +893,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -29297,7 +29298,7 @@ index 8b40377..b016816 100644 ') ') -@@ -530,6 +930,20 @@ optional_policy(` +@@ -530,6 +931,20 @@ optional_policy(` ') optional_policy(` @@ -29318,7 +29319,7 @@ index 8b40377..b016816 100644 hostname_exec(xdm_t) ') -@@ -547,28 +961,78 @@ optional_policy(` +@@ -547,28 +962,78 @@ optional_policy(` ') optional_policy(` @@ -29406,7 +29407,7 @@ index 8b40377..b016816 100644 ') optional_policy(` -@@ -580,6 +1044,14 @@ optional_policy(` +@@ -580,6 +1045,14 @@ optional_policy(` ') optional_policy(` @@ -29421,7 +29422,7 @@ index 8b40377..b016816 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1066,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1067,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -29430,7 +29431,7 @@ index 8b40377..b016816 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1076,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1077,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -29443,7 +29444,7 @@ index 8b40377..b016816 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1093,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1094,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -29459,7 +29460,7 @@ index 8b40377..b016816 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1109,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1110,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -29470,7 +29471,7 @@ index 8b40377..b016816 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1124,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1125,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -29507,7 +29508,7 @@ index 8b40377..b016816 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1170,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1171,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29539,7 +29540,7 @@ index 8b40377..b016816 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1203,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1204,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29554,7 +29555,7 @@ index 8b40377..b016816 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1224,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1225,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -29578,7 +29579,7 @@ index 8b40377..b016816 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1243,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1244,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -29587,7 +29588,7 @@ index 8b40377..b016816 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1287,54 @@ optional_policy(` +@@ -785,17 +1288,54 @@ optional_policy(` ') optional_policy(` @@ -29644,7 +29645,7 @@ index 8b40377..b016816 100644 ') optional_policy(` -@@ -803,6 +1342,10 @@ optional_policy(` +@@ -803,6 +1343,10 @@ optional_policy(` ') optional_policy(` 
@@ -29655,7 +29656,7 @@ index 8b40377..b016816 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1361,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1362,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -29680,7 +29681,7 @@ index 8b40377..b016816 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1384,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1385,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29715,7 +29716,7 @@ index 8b40377..b016816 100644 ') optional_policy(` -@@ -912,7 +1449,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1450,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -29724,7 +29725,7 @@ index 8b40377..b016816 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1503,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1504,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -29756,7 +29757,7 @@ index 8b40377..b016816 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1549,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1550,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index 24379e5..9924952 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -15489,7 +15489,7 @@ index 8e27a37..c69be28 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 9f2dfb2..3d5988c 100644 +index 9f2dfb2..def3424 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.1.0) @@ -15556,18 +15556,18 @@ index 9f2dfb2..3d5988c 100644 auth_use_nsswitch(colord_t) +-logging_send_syslog_msg(colord_t) +init_read_state(colord_t) -+ - logging_send_syslog_msg(colord_t) -miscfiles_read_localization(colord_t) -+systemd_read_logind_sessions_files(colord_t) ++logging_send_syslog_msg(colord_t) -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(colord_t) - fs_read_nfs_files(colord_t) -') -- ++systemd_read_logind_sessions_files(colord_t) + -tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(colord_t) - fs_read_cifs_files(colord_t) @@ -15593,7 +15593,14 @@ index 9f2dfb2..3d5988c 100644 ') optional_policy(` -@@ -137,3 +147,16 @@ optional_policy(` +@@ -134,6 +144,23 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_hwdb_read_config(colord_t) ++') ++ ++optional_policy(` udev_read_db(colord_t) udev_read_pid_files(colord_t) ') @@ -20297,10 +20304,10 @@ index 001b502..47199aa 100644 optional_policy(` diff --git a/cups.fc b/cups.fc -index 949011e..9437dbe 100644 +index 949011e..8f8bc20 100644 --- a/cups.fc 
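Review bot: `systemd_hwdb_read_config(colord_t)` is added in a new optional_policy block, but this commit changes only the contrib patch, so the interface has to already exist in the base patch's systemd.if; if it does not, m4 passes the name through unexpanded and the colord module fails to build rather than silently losing the rule. Worth confirming against the base side before merge. A one-line comment such as `# rhbz#1320745: colord reads /etc/udev/hwdb.bin` above the call would tie the grant to its reason, since the interface name alone does not say which file is involved.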
+++ b/cups.fc -@@ -1,77 +1,91 @@ +@@ -1,77 +1,92 @@ -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) @@ -20419,6 +20426,7 @@ index 949011e..9437dbe 100644 +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) +/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -26164,7 +26172,7 @@ index d5badb7..c2431fc 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..e1c4564 100644 +index 0aabc7e..315aa2f 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -26418,7 +26426,7 @@ index 0aabc7e..e1c4564 100644 sendmail_domtrans(dovecot_t) ') -@@ -227,46 +223,67 @@ optional_policy(` +@@ -227,46 +223,69 @@ optional_policy(` ######################################## # @@ -26446,14 +26454,16 @@ index 0aabc7e..e1c4564 100644 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -+dovecot_stream_connect_auth(dovecot_auth_t) ++manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; -+corecmd_exec_bin(dovecot_auth_t) ++dovecot_stream_connect_auth(dovecot_auth_t) -files_search_pids(dovecot_auth_t) -files_read_usr_files(dovecot_auth_t) -files_read_var_lib_files(dovecot_auth_t) ++corecmd_exec_bin(dovecot_auth_t) ++ +logging_send_audit_msgs(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) 
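Review bot: The new entry `/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0)` restricts the match to regular files (`--`), but the changelog on the spec side describes /var/run/ecblp0 as a fifo_file used by the Epson driver; setfiles/restorecon will therefore skip the named pipe and it keeps whatever type it was created with. Use the pipe class, `/var/run/ecblp0 -p gen_context(system_u:object_r:cupsd_var_run_t,s0)`, or drop the type field so any object at that path matches. If the driver creates the pipe at runtime, its label at creation comes from the parent directory's type or a filetrans rule, not from this entry, so the denial behind rhbz#1310336 may also need a check of which domain creates it.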
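Review bot: `manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` grants dovecot_auth_t create, unlink, rename and setattr on every fifo under dovecot_var_run_t, not just read/write; if the auth process only talks over a pipe that dovecot_t already creates, `rw_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` is the narrower rule. The changelog for BZ(1320415) does say "manage", so this may be deliberate; worth confirming from the recorded denials that create or unlink was actually requested before granting the wider set. A short comment naming the bug above the rule would help the next reader judge that.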
@@ -26495,7 +26505,7 @@ index 0aabc7e..e1c4564 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -277,53 +294,79 @@ optional_policy(` +@@ -277,53 +296,79 @@ optional_policy(` ') optional_policy(` @@ -26594,7 +26604,7 @@ index 0aabc7e..e1c4564 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +375,6 @@ optional_policy(` +@@ -332,5 +377,6 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index cd4d62d..f00ef13 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 158.11%{?dist} +Release: 158.12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -659,6 +659,13 @@ exit 0 %endif %changelog +* Wed Mar 30 2016 Lukas Vrabec 3.13.1-158.12 +- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415) +- Allow colord to read /etc/udev/hwdb.bin. rhzb#1320745 +- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336 +- Dontaudit logrotate to setrlimit itself. rhbz#1309604 +- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 + * Wed Mar 16 2016 Lukas Vrabec 3.13.1-158.11 - Dontaudit logrotate to setrlimit itself. rhbz#1309604 - Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.