diff --git a/policy-f23-base.patch b/policy-f23-base.patch index 0f7112d..721c132 100644 --- a/policy-f23-base.patch +++ b/policy-f23-base.patch @@ -44767,10 +44767,10 @@ index 0000000..cde0261 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..57fc297 +index 0000000..7f0ff30 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,731 @@ +@@ -0,0 +1,733 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -45347,6 +45347,8 @@ index 0000000..57fc297 +dev_write_kmsg(systemd_hostnamed_t) +dev_read_sysfs(systemd_hostnamed_t) + ++fs_read_xenfs_files(systemd_hostnamed_t) ++ +init_status(systemd_hostnamed_t) +init_stream_connect(systemd_hostnamed_t) + diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index 81f73e3..82db54f 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -3430,10 +3430,10 @@ index 0000000..6183b21 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..77e26bf 100644 +index 7caefc3..b25689b 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,210 @@ +@@ -1,162 +1,211 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
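Review bot: The new `fs_read_xenfs_files(systemd_hostnamed_t)` rule is added with no comment saying what hostnamed reads from xenfs, so a later maintainer cannot tell whether it is still needed or safe to drop. Read access to xenfs_t files is a low-impact grant and the changelog ties it to BZ#1233877, but the access path (presumably hostnamed's virtualization detection looking under /proc/xen) is only inferable from here, not shown. I would put a one-line comment above it, `# virtualization detection reads xenfs (BZ#1233877)`, adjusted to whatever the bug's AVC actually names. The systemd_hostnamed_t block continues outside the hunk.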
@@ -3596,6 +3596,7 @@ index 7caefc3..77e26bf 100644 +/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/nginx/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -54701,10 +54702,10 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..c2babeb 100644 +index 7584bbe..dbbdb99 100644 --- a/mysql.te +++ b/mysql.te -@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) +@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) # ## @@ -54719,7 +54720,13 @@ index 7584bbe..c2babeb 100644 gen_tunable(mysql_connect_any, false) -attribute_role mysqld_roles; -- ++## ++##
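Review bot: The new `/usr/share/nginx/html(/.*)?` entry labels the tree read-only (httpd_sys_content_t), which is right for a packaged default docroot, but it only has an effect if nginx itself runs in httpd_t — the nginx executable's context is not in this hunk, so confirm `/usr/sbin/nginx` is labeled httpd_exec_t elsewhere in apache.fc. If it is, any runtime write into that tree (uploads stored under the docroot, for instance) will be denied, which is the intended least-privilege outcome and should be kept; deployments that need writes should relabel a subdirectory httpd_sys_rw_content_t rather than widen this entry. The file-context list continues outside the hunk.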

++## Allow mysqld to connect to http port
++##

++##
++gen_tunable(mysql_connect_http, false) + type mysqld_t; type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) @@ -54728,7 +54735,7 @@ index 7584bbe..c2babeb 100644 type mysqld_safe_t; type mysqld_safe_exec_t; -@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) +@@ -27,7 +29,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) type mysqld_var_run_t; files_pid_file(mysqld_var_run_t) @@ -54736,7 +54743,7 @@ index 7584bbe..c2babeb 100644 type mysqld_db_t; files_type(mysqld_db_t) -@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t) +@@ -38,6 +39,9 @@ files_config_file(mysqld_etc_t) type mysqld_home_t; userdom_user_home_content(mysqld_home_t) @@ -54746,7 +54753,7 @@ index 7584bbe..c2babeb 100644 type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -62,28 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t) +@@ -62,28 +66,29 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # @@ -54783,7 +54790,7 @@ index 7584bbe..c2babeb 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -95,50 +93,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -95,50 +100,64 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -54859,10 +54866,14 @@ index 7584bbe..c2babeb 100644 corenet_tcp_connect_all_ports(mysqld_t) - corenet_tcp_sendrecv_all_ports(mysqld_t) + corenet_sendrecv_all_client_packets(mysqld_t) ++') ++ ++tunable_policy(`mysql_connect_http',` ++ corenet_tcp_connect_http_port(mysqld_t) ') optional_policy(` -@@ -146,6 +154,10 @@ optional_policy(` +@@ -146,6 +165,10 @@ optional_policy(` ') optional_policy(` 
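Review bot: The description of the new `mysql_connect_http` boolean says "connect to http port", but `corenet_tcp_connect_http_port` grants name_connect to everything labeled http_port_t, which in the corenetwork module typically spans several ports (80, 443 and a handful of alternates), not one. Since this text is what `semanage boolean -l` shows an administrator before enabling it, I would state the real scope: `## Allow mysqld to make outgoing TCP connections to ports labeled http_port_t (e.g. 80/443).` The default of false is the right choice for a reach-out capability on a database daemon. The declarations section continues outside the hunk.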
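Review bot: The new `tunable_policy(`mysql_connect_http',` block grants only name_connect, whereas the adjacent `mysql_connect_any` block it mirrors pairs `corenet_tcp_connect_all_ports` with `corenet_sendrecv_all_client_packets`; for consistency, and so the rule also works where SECMARK packet labeling is in use, add `corenet_sendrecv_http_client_packets(mysqld_t)` inside the new block. Keeping the two tunables structurally parallel also makes it obvious that `mysql_connect_http` is a strict subset of `mysql_connect_any`. The mysqld_t local policy continues outside the hunk.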
@@ -54873,7 +54884,7 @@ index 7584bbe..c2babeb 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +167,18 @@ optional_policy(` +@@ -155,21 +178,18 @@ optional_policy(` ####################################### # @@ -54900,7 +54911,7 @@ index 7584bbe..c2babeb 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +186,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +197,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -54911,7 +54922,7 @@ index 7584bbe..c2babeb 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +194,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +205,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -54927,9 +54938,9 @@ index 7584bbe..c2babeb 100644 +files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) - -+files_write_root_dirs(mysqld_safe_t) + ++files_write_root_dirs(mysqld_safe_t) + +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) @@ -54947,7 +54958,7 @@ index 7584bbe..c2babeb 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +224,7 @@ optional_policy(` +@@ -209,7 +235,7 @@ optional_policy(` ######################################## # 
@@ -54956,7 +54967,7 @@ index 7584bbe..c2babeb 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +233,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +244,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -54974,7 +54985,7 @@ index 7584bbe..c2babeb 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +246,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +257,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -91639,7 +91650,7 @@ index 50d07fb..e9569d2 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..bf7a710 100644 +index 2b7c441..0232e85 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -92764,7 +92775,7 @@ index 2b7c441..bf7a710 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +962,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +962,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -92797,6 +92808,7 @@ index 2b7c441..bf7a710 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) +kernel_read_usermodehelper_state(winbind_t) ++kernel_signull(winbind_t) corecmd_exec_bin(winbind_t) 
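Review bot: `kernel_signull(winbind_t)` is added directly after `kernel_read_usermodehelper_state(winbind_t)` with no comment on what winbindd is probing; signull by itself is harmless (it only answers whether a pid exists), but a daemon needing it against kernel_t usually means it is testing a pid taken from a pid file or parent-pid field that now belongs to a kernel thread, so the rule deserves a note rather than silently becoming permanent. I would put `# winbindd probes pids with kill(pid, 0); the pid can belong to a kernel thread (BZ#1269193)` above it, adjusted to whatever the bug's AVC shows. The winbind_t local policy block continues outside the hunk.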
@@ -92817,7 +92829,7 @@ index 2b7c441..bf7a710 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1004,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1005,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -92876,7 +92888,7 @@ index 2b7c441..bf7a710 100644 ') optional_policy(` -@@ -959,31 +1065,36 @@ optional_policy(` +@@ -959,31 +1066,36 @@ optional_policy(` # Winbind helper local policy # @@ -92920,7 +92932,7 @@ index 2b7c441..bf7a710 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1108,38 @@ optional_policy(` +@@ -997,25 +1109,38 @@ optional_policy(` ######################################## # @@ -96335,10 +96347,10 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index ce67935..130eca9 100644 +index ce67935..6074e2f 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te -@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1) +@@ -7,68 +7,95 @@ policy_module(setroubleshoot, 1.12.1) type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_exec_t; @@ -96362,6 +96374,12 @@ index ce67935..130eca9 100644 type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) ++type setroubleshoot_tmp_t; ++files_tmp_file(setroubleshoot_tmp_t) ++ ++type setroubleshoot_tmpfs_t; ++files_tmpfs_file(setroubleshoot_tmpfs_t) ++ ######################################## # -# Local policy 
@@ -96382,8 +96400,19 @@ index ce67935..130eca9 100644 +allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; +allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; ++ -allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; ++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t) ++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t) ++files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir }) ++allow setroubleshootd_t setroubleshoot_tmp_t:file exec_file_perms; ++ ++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t) ++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t) ++fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir }) ++allow setroubleshootd_t setroubleshoot_tmpfs_t:file exec_file_perms; ++ +# database files +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) @@ -96403,7 +96432,12 @@ index ce67935..130eca9 100644 manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t) + files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) + ++ + kernel_read_kernel_sysctls(setroubleshootd_t) + kernel_read_system_state(setroubleshootd_t) + kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) kernel_dontaudit_list_all_proc(setroubleshootd_t) kernel_read_irq_sysctls(setroubleshootd_t) 
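Review bot: The four new `exec_file_perms` rules on setroubleshoot_tmp_t and setroubleshoot_tmpfs_t let setroubleshootd write a file and then execute it, which is exactly the writable-then-executable pattern the execmem/execmod restrictions exist to block, and the hunk carries no comment on why an audit-event consumer needs it (the changelog attributes it to libffi). The new types are private to the domain through the `files_tmp_filetrans`/`fs_tmpfs_filetrans` transitions, so exposure is limited to code setroubleshootd writes itself, but that reasoning should sit next to the rules so nobody later widens them: `# libffi closure trampolines map a private tmp/tmpfs file writable then executable (BZ#1271061); do not extend to other types`. Since this is a W+X requirement either way, it is also worth confirming that the libffi path really needs a file-backed mapping rather than anonymous memory (which would call for `execmem` instead), and picking whichever the project prefers to audit. The setroubleshootd_t local policy continues outside the hunk.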
@@ -96428,7 +96462,7 @@ index ce67935..130eca9 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) +@@ -76,10 +103,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) @@ -96440,7 +96474,7 @@ index ce67935..130eca9 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t) +@@ -109,27 +135,24 @@ init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -96473,7 +96507,7 @@ index ce67935..130eca9 100644 ') optional_policy(` -@@ -137,10 +142,18 @@ optional_policy(` +@@ -137,10 +160,18 @@ optional_policy(` ') optional_policy(` @@ -96492,7 +96526,7 @@ index ce67935..130eca9 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -150,26 +163,36 @@ optional_policy(` +@@ -150,26 +181,36 @@ optional_policy(` ######################################## # @@ -96531,7 +96565,7 @@ index ce67935..130eca9 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -177,23 +218,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 55cdc2e..8c748c3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 151%{?dist} +Release: 152%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -656,6 +656,14 @@ exit 0
 %endif
 
 %changelog
+* Wed Oct 21 2015 Miroslav Grepl 3.13.1-152
+- Allow setroubleshootd to create/execute a shared memory and temporary files. It is caused by libffi which is used for signal handlers. BZ(#1271061)
+- Allow winbindd to send signull to kernel. BZ(#1269193)
+- Merge pull request #51 from vmojzis/f23-contrib
+- Add boolean allowing mysqld to connect to http port. #1262125
+- Fix context of "/usr/share/nginx/html". #1261855
+- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
+
 * Tue Oct 13 2015 Lukas Vrabec 3.13.1-151
 - Add few rules related to new policy for pkcs11proxyd
 - Added new policy for pkcs11proxyd daemon