diff --git a/policy-f23-base.patch b/policy-f23-base.patch index 721c132..d0afa25 100644 --- a/policy-f23-base.patch +++ b/policy-f23-base.patch @@ -42814,7 +42814,7 @@ index 2cea692..57c9025 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..30cf590 100644 +index a392fc4..78fa512 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -43019,20 +43019,25 @@ index a392fc4..30cf590 100644 ') optional_policy(` -@@ -221,7 +257,11 @@ optional_policy(` +@@ -221,7 +257,16 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) - seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) +') ++ ++optional_policy(` ++ systemd_dbus_chat_hostnamed(dhcpc_t) ++') ++ +optional_policy(` + systemd_passwd_agent_domtrans(dhcpc_t) + systemd_signal_passwd_agent(dhcpc_t) ') optional_policy(` -@@ -233,6 +273,10 @@ optional_policy(` +@@ -233,6 +278,10 @@ optional_policy(` ') optional_policy(` @@ -43043,7 +43048,7 @@ index a392fc4..30cf590 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +308,25 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -43069,7 +43074,7 @@ index a392fc4..30cf590 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +336,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) 
@@ -43102,7 +43107,7 @@ index a392fc4..30cf590 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +374,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -43160,7 +43165,7 @@ index a392fc4..30cf590 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +429,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -43173,7 +43178,7 @@ index a392fc4..30cf590 100644 ') optional_policy(` -@@ -350,7 +447,16 @@ optional_policy(` +@@ -350,7 +452,16 @@ optional_policy(` ') optional_policy(` @@ -43191,7 +43196,7 @@ index a392fc4..30cf590 100644 ') optional_policy(` -@@ -371,3 +477,13 @@ optional_policy(` +@@ -371,3 +482,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -43207,10 +43212,10 @@ index a392fc4..30cf590 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..a03b5ee +index 0000000..946cdb9 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,51 @@ +@@ -0,0 +1,52 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
@@ -43256,6 +43261,7 @@ index 0000000..a03b5ee +/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) ++/var/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) +/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) @@ -43264,10 +43270,10 @@ index 0000000..a03b5ee +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..cde0261 +index 0000000..6162ce0 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1497 @@ +@@ -0,0 +1,1498 @@ +## SELinux policy for systemd components + +###################################### @@ -44383,6 +44389,7 @@ index 0000000..cde0261 + ') + + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") ++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") + files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) @@ -44767,10 +44774,10 @@ index 0000000..cde0261 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..7f0ff30 +index 0000000..8a0a511 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,733 @@ +@@ -0,0 +1,738 @@ +policy_module(systemd, 1.0.0) + +####################################### 
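Review bot: The added `files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown")` in systemd.if does not appear to match the path that the systemd.fc hunk labels. The file-context entry is `/var/run/systemd/shutdown(/.*)?`, which the changelog calls a directory, while this rule names a plain `file` called `shutdown` created directly under the pid directory. The two lines after it use `init_named_pid_filetrans(..., dir, ...)` for the `/var/run/systemd/ask-password*` entries, so the likely intended form is `init_named_pid_filetrans($1, systemd_logind_var_run_t, dir, "shutdown")`; neither macro's definition is visible here, so confirm which parent type each one targets. If the transition does not fire, the object keeps its parent directory's type until something relabels it, and systemd-logind's access then depends on a restorecon having run. The enclosing interface starts and ends outside the hunk.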
@@ -44965,6 +44972,7 @@ index 0000000..7f0ff30 +init_dbus_chat(systemd_logind_t) +init_dbus_chat_script(systemd_logind_t) +init_read_script_state(systemd_logind_t) ++init_read_utmp(systemd_logind_t) +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) @@ -44972,6 +44980,7 @@ index 0000000..7f0ff30 +udev_read_db(systemd_logind_t) +udev_manage_rules_files(systemd_logind_t) + ++userdom_destroy_unpriv_user_shared_mem(systemd_logind_t) +userdom_read_all_users_state(systemd_logind_t) +userdom_use_user_ttys(systemd_logind_t) +userdom_manage_tmp_role(system_r, systemd_logind_t) @@ -45043,6 +45052,9 @@ index 0000000..7f0ff30 +corenet_udp_bind_all_nodes(systemd_networkd_t) +corenet_tcp_bind_dhcpc_port(systemd_networkd_t) +corenet_udp_bind_dhcpc_port(systemd_networkd_t) ++corenet_tcp_bind_dhcpd_port(systemd_networkd_t) ++corenet_udp_bind_dhcpd_port(systemd_networkd_t) ++ + +fs_read_xenfs_files(systemd_networkd_t) + @@ -45117,7 +45129,7 @@ index 0000000..7f0ff30 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod }; ++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; @@ -46917,7 +46929,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..7811266 100644 +index 9dc60c6..f5e3a79 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
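Review bot: `sys_admin` is added to the `systemd_tmpfiles_t` capability set in systemd.te with no comment, and it is the broadest capability in that list. The changelog ties it to operations on System V IPC objects, so record that next to the rule so a later audit does not have to dig through the spec file, e.g. `# sys_admin: systemd-tmpfiles operates on System V IPC objects, BZ(#1279269)`. SELinux cannot narrow `sys_admin` to IPC only, so what it can reach is bounded by the remaining `systemd_tmpfiles_t` rules, which are outside this hunk and worth a second look.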
@@ -49780,123 +49792,123 @@ index 9dc60c6..7811266 100644 ') ######################################## -@@ -2955,69 +3935,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3935,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') --######################################## +##################################### - ## --## Execute an Xserver session in all unprivileged user domains. This --## is an explicit transition, requiring the --## caller to use setexeccon(). ++## +## Allow domain dyntrans to unpriv userdomain. - ## - ## --## --## Domain allowed to transition. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`userdom_xsession_spec_domtrans_unpriv_users',` -- gen_require(` -- attribute unpriv_userdomain; -- ') ++## ++# +interface(`userdom_dyntransition_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') - -- xserver_xsession_spec_domtrans($1, unpriv_userdomain) -- allow unpriv_userdomain $1:fd use; -- allow unpriv_userdomain $1:fifo_file rw_file_perms; -- allow unpriv_userdomain $1:process sigchld; ++ + allow $1 unpriv_userdomain:process dyntransition; ++') ++ ++#################################### ++## ++## Allow domain dyntrans to admin userdomain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dyntransition_admin_users',` ++ gen_require(` ++ attribute admindomain; ++ ') ++ ++ allow $1 admindomain:process dyntransition; ++') ++ + ######################################## + ## + ## Execute an Xserver session in all unprivileged user domains. This +@@ -2978,24 +3994,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; ') -####################################### -+#################################### - ## +-## -## Read and write unpriviledged user SysV sempaphores. -+## Allow domain dyntrans to admin userdomain. - ## - ## +-## +-## -## -## Domain allowed access. 
-## -+## -+## Domain allowed access. -+## - ## - # +-## +-# -interface(`userdom_rw_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') -+interface(`userdom_dyntransition_admin_users',` -+ gen_require(` -+ attribute admindomain; -+ ') - +- - allow $1 unpriv_userdomain:sem rw_sem_perms; -+ allow $1 admindomain:process dyntransition; +-') +- + ######################################## + ## + ## Manage unpriviledged user SysV sempaphores. +@@ -3014,9 +4012,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` + allow $1 unpriv_userdomain:sem create_sem_perms; ') - ######################################## +-####################################### ++######################################## ## --## Manage unpriviledged user SysV sempaphores. -+## Execute an Xserver session in all unprivileged user domains. This -+## is an explicit transition, requiring the -+## caller to use setexeccon(). +-## Read and write unpriviledged user SysV shared ++## Manage unpriviledged user SysV shared + ## memory segments. ## ## - ## --## Domain allowed access. -+## Domain allowed to transition. 
+@@ -3025,17 +4023,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # --interface(`userdom_manage_unpriv_user_semaphores',` -+interface(`userdom_xsession_spec_domtrans_unpriv_users',` +-interface(`userdom_rw_unpriv_user_shared_mem',` ++interface(`userdom_manage_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') -- allow $1 unpriv_userdomain:sem create_sem_perms; -+ xserver_xsession_spec_domtrans($1, unpriv_userdomain) -+ allow unpriv_userdomain $1:fd use; -+ allow unpriv_userdomain $1:fifo_file rw_file_perms; -+ allow unpriv_userdomain $1:process sigchld; +- allow $1 unpriv_userdomain:shm rw_shm_perms; ++ allow $1 unpriv_userdomain:shm create_shm_perms; ') --####################################### -+######################################## + ######################################## ## --## Read and write unpriviledged user SysV shared --## memory segments. -+## Manage unpriviledged user SysV sempaphores. +-## Manage unpriviledged user SysV shared ++## Destroy unpriviledged user SysV shared + ## memory segments. ## ## - ## -@@ -3025,12 +4004,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3044,12 +4042,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # --interface(`userdom_rw_unpriv_user_shared_mem',` -+interface(`userdom_manage_unpriv_user_semaphores',` +-interface(`userdom_manage_unpriv_user_shared_mem',` ++interface(`userdom_destroy_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') -- allow $1 unpriv_userdomain:shm rw_shm_perms; -+ allow $1 unpriv_userdomain:sem create_sem_perms; +- allow $1 unpriv_userdomain:shm create_shm_perms; ++ allow $1 unpriv_userdomain:shm destroy; ') ######################################## -@@ -3094,7 +4073,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4092,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
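Review bot: The new `userdom_destroy_unpriv_user_shared_mem` interface grants only `shm destroy`, while the changelog says systemd-logind removes all IPC objects owned by a user on logout. If logind also removes semaphores and message queues, the matching `sem` and `msgq` destroy permissions must come from somewhere else. Nothing in the visible `systemd_logind_t` lines grants them, so confirm they are covered, or expect AVC denials that leave those objects behind. The interface summary also carries over the `unpriviledged` misspelling from the neighbouring interfaces; `## Destroy unprivileged user SysV shared memory segments.` would read better.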
@@ -49905,7 +49917,7 @@ index 9dc60c6..7811266 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4089,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4108,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -49939,7 +49951,7 @@ index 9dc60c6..7811266 100644 ') ######################################## -@@ -3214,7 +4177,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4196,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -49966,7 +49978,7 @@ index 9dc60c6..7811266 100644 ') ######################################## -@@ -3269,12 +4250,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4269,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -49982,7 +49994,7 @@ index 9dc60c6..7811266 100644 ## ## ## -@@ -3282,46 +4264,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,49 +4283,125 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -50040,8 +50052,9 @@ index 9dc60c6..7811266 100644 gen_require(` - attribute userdomain; + type user_tmp_t; -+ ') -+ + ') + +- allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + @@ -50115,10 +50128,13 @@ index 9dc60c6..7811266 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; - ') ++ ') ++ ++ allow $1 userdomain:process getattr; + ') - allow $1 userdomain:process getattr; -@@ -3382,6 +4440,42 @@ interface(`userdom_signal_all_users',` + ######################################## +@@ -3382,6 +4459,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -50161,7 +50177,7 @@ index 9dc60c6..7811266 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4496,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4515,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -50222,7 +50238,7 @@ index 9dc60c6..7811266 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4583,1691 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4602,1691 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index c438be8..58d789f 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..76d954f 100644 +index eb50f07..ba2ecd8 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -608,7 +608,7 @@ index eb50f07..76d954f 100644 ## gen_tunable(abrt_anon_write, false) -@@ -37,87 +36,98 @@ attribute abrt_domain; +@@ -37,87 +36,99 @@ attribute abrt_domain; attribute_role abrt_helper_roles; roleattribute system_r abrt_helper_roles; @@ -647,6 +647,7 @@ index eb50f07..76d954f 100644 -type abrt_dump_oops_exec_t; +abrt_basic_types_template(abrt_dump_oops) init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) ++domain_obj_id_change_exemption(abrt_dump_oops_t) -type abrt_handle_event_t, abrt_domain; -type abrt_handle_event_exec_t; 
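Review bot: `domain_obj_id_change_exemption(abrt_dump_oops_t)` is added in abrt.te without a comment, and a later hunk in the same file adds `setuid setgid` to this domain's capability line plus `domain_getattr_all_domains(abrt_dump_oops_t)`. The domain already holds `sys_ptrace`, `dac_override`, `domain_ptrace_all_domains` and `files_manage_non_security_files`, and per the changelog it writes core dumps to a location the crashing user can specify, so each further grant should carry its reason in the policy itself. A comment above the new lines would do, for example `# abrt-hook-ccpp emulates kernel core file creation and creates the core with the crashing process's identity`. The uid/gid purpose is inferred from the changelog, so adjust the wording to the actual requirement.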
@@ -737,7 +738,7 @@ index eb50f07..76d954f 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,48 +135,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -125,48 +136,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -804,7 +805,7 @@ index eb50f07..76d954f 100644 domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +197,43 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +198,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -851,7 +852,7 @@ index eb50f07..76d954f 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +241,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +242,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -868,7 +869,7 @@ index eb50f07..76d954f 100644 ') optional_policy(` -@@ -222,6 +253,28 @@ optional_policy(` +@@ -222,6 +254,28 @@ optional_policy(` ') optional_policy(` @@ -897,7 +898,7 @@ index eb50f07..76d954f 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +287,11 @@ optional_policy(` +@@ -234,6 +288,11 @@ optional_policy(` ') optional_policy(` @@ -909,7 +910,7 @@ index eb50f07..76d954f 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +301,7 @@ optional_policy(` +@@ -243,6 +302,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -917,7 +918,7 @@ index eb50f07..76d954f 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +312,21 @@ optional_policy(` +@@ -253,9 +313,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') 
@@ -940,7 +941,7 @@ index eb50f07..76d954f 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +337,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +338,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -955,7 +956,7 @@ index eb50f07..76d954f 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +356,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +357,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -963,7 +964,7 @@ index eb50f07..76d954f 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +365,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +366,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -984,7 +985,7 @@ index eb50f07..76d954f 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +386,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +387,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1011,7 +1012,7 @@ index eb50f07..76d954f 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +422,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +423,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) 
@@ -1025,7 +1026,7 @@ index eb50f07..76d954f 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +440,11 @@ optional_policy(` +@@ -343,10 +441,11 @@ optional_policy(` ####################################### # @@ -1039,7 +1040,7 @@ index eb50f07..76d954f 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +463,70 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +464,71 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1061,7 +1062,7 @@ index eb50f07..76d954f 100644 # -allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override }; ++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; +allow abrt_dump_oops_t self:process setfscreate; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; @@ -1096,6 +1097,7 @@ index eb50f07..76d954f 100644 +domain_signull_all_domains(abrt_dump_oops_t) +domain_ptrace_all_domains(abrt_dump_oops_t) +domain_read_all_domains_state(abrt_dump_oops_t) ++domain_getattr_all_domains(abrt_dump_oops_t) + +files_manage_non_security_dirs(abrt_dump_oops_t) +files_manage_non_security_files(abrt_dump_oops_t) @@ -1114,7 +1116,7 @@ index eb50f07..76d954f 100644 ####################################### # -@@ -404,25 +534,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +536,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; 
@@ -1177,7 +1179,7 @@ index eb50f07..76d954f 100644 ') ####################################### -@@ -430,10 +595,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +597,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -3160,10 +3162,10 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..6183b21 +index 0000000..12349f3 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,271 @@ +@@ -0,0 +1,272 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3277,6 +3279,7 @@ index 0000000..6183b21 +corecmd_exec_shell(antivirus_domain) + +corenet_all_recvfrom_netlabel(antivirus_t) ++corenet_tcp_bind_all_unreserved_ports(antivirus_t) +corenet_tcp_sendrecv_generic_if(antivirus_t) +corenet_udp_sendrecv_generic_if(antivirus_t) +corenet_tcp_sendrecv_generic_node(antivirus_domain) @@ -9547,7 +9550,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..5336071 100644 +index 1241123..dcaf16b 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9603,11 +9606,12 @@ index 1241123..5336071 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -141,9 +143,12 @@ corenet_sendrecv_all_client_packets(named_t) +@@ -141,9 +143,13 @@ corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) +corenet_tcp_bind_all_ephemeral_ports(named_t) ++corenet_udp_bind_all_ephemeral_ports(named_t) + dev_read_sysfs(named_t) dev_read_rand(named_t) @@ -9616,7 +9620,7 @@ index 1241123..5336071 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +180,19 @@ tunable_policy(`named_write_master_zones',` +@@ -175,6 +181,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` 
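Review bot: `corenet_tcp_bind_all_unreserved_ports(antivirus_t)` in antivirus.te is wider than the need the changelog states, which is clamd binding a random unassigned port that defaults to the 1024-2048 range (#1248785). The rule is unconditional and has no comment, so the reason for the breadth is not visible in the policy. At minimum add `# clamd binds a random unassigned port, by default in 1024-2048 (#1248785)` above it. If the policy already has a narrower port set or a fitting tunable, using that would limit where a compromised scanner process can listen. The same question applies, to a lesser degree, to `corenet_udp_bind_all_ephemeral_ports(named_t)` added in the bind.te hunk.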
@@ -9636,7 +9640,7 @@ index 1241123..5336071 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +205,13 @@ optional_policy(` +@@ -187,7 +206,13 @@ optional_policy(` ') optional_policy(` @@ -9650,7 +9654,7 @@ index 1241123..5336071 100644 kerberos_use(named_t) ') -@@ -215,7 +239,8 @@ optional_policy(` +@@ -215,7 +240,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9660,7 +9664,7 @@ index 1241123..5336071 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +254,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +255,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9672,7 +9676,7 @@ index 1241123..5336071 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +266,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +267,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9682,7 +9686,7 @@ index 1241123..5336071 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +284,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +285,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -14717,10 +14721,10 @@ index 5f306dd..e01156f 100644 ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 -index 0000000..bb87537 +index 0000000..9ed6fdc --- /dev/null +++ b/cockpit.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,12 @@ +# cockpit stuff + +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) 
@@ -14731,12 +14735,14 @@ index 0000000..bb87537 +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + +/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) ++ ++/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_var_run_t,s0) diff --git a/cockpit.if b/cockpit.if new file mode 100644 -index 0000000..eb2739a +index 0000000..d5920c0 --- /dev/null +++ b/cockpit.if -@@ -0,0 +1,184 @@ +@@ -0,0 +1,188 @@ +## policy for cockpit + +######################################## @@ -14896,6 +14902,7 @@ index 0000000..eb2739a + type cockpit_ws_t; + type cockpit_session_t; + type cockpit_var_lib_t; ++ type cockpit_var_run_t; + type cockpit_unit_file_t; + ') + @@ -14913,6 +14920,9 @@ index 0000000..eb2739a + files_search_var_lib($1) + admin_pattern($1, cockpit_var_lib_t) + ++ files_search_pids($1) ++ admin_pattern($1, cockpit_var_run_t) ++ + cockpit_systemctl($1) + admin_pattern($1, cockpit_unit_file_t) + allow $1 cockpit_unit_file_t:service all_service_perms; @@ -14923,10 +14933,10 @@ index 0000000..eb2739a +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..4ae76c5 +index 0000000..77cdd5e --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,102 @@ +@@ -0,0 +1,111 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -14941,6 +14951,9 @@ index 0000000..4ae76c5 +type cockpit_tmp_t; +files_tmp_file(cockpit_tmp_t) + ++type cockpit_var_run_t; ++files_pid_file(cockpit_var_run_t) ++ +type cockpit_unit_file_t; +systemd_unit_file(cockpit_unit_file_t) + 
@@ -14977,6 +14990,12 @@ index 0000000..4ae76c5 +manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) +files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file }) + ++manage_dirs_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++manage_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++manage_lnk_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file }) ++ +read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) +list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) + @@ -66991,14 +67010,15 @@ index 0000000..509d898 + ') +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..d40433a 100644 +index dfd46e4..feaa8e1 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,32 @@ +@@ -1,15 +1,33 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) ++/etc/Pegasus/cimserver_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 4050253..7eabc09 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 154%{?dist} +Release: 155%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -659,6 +659,23 @@ exit 0 %endif %changelog +* Fri Nov 20 2015 Lukas Vrabec 3.13.1-155 +- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785 +- Allow abrt-hook-ccpp to change SELinux user identity for created objects. +- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. +- Allow setuid/setgid capabilities for abrt-hook-ccpp. +- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf. +- cockpit has grown content in /var/run directory +- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. +- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092) +- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269) +- Merge pull request #63 from vmojzis/f23-base +- Allow systemd-hostnamed to communicate with dhcp via dbus. #1242583 +- Allow systemd-logind to read /run/utmp when shutdown is invoked. +- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. +- Add userdom_destroy_unpriv_user_shared_mem() interface. +- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked. + * Mon Nov 09 2015 Miroslav Grepl 3.13.1-154 - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. 
abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. - Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.