diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 469b4de..1601045 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -37060,7 +37060,7 @@ index 6b91740..5c1669a 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..a4ec06e 100644 +index 58bc27f..4e1936d 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,22 @@ @@ -37163,7 +37163,7 @@ index 58bc27f..a4ec06e 100644 ###################################### ## ## Execute a domain transition to run clvmd. -@@ -123,3 +203,131 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +203,154 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -37295,6 +37295,29 @@ index 58bc27f..a4ec06e 100644 + ps_process_pattern($1, lvm_t) +') + ++######################################## ++## ++## Create, read, write, and delete ++## lvm lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_manage_lock',` ++ gen_require(` ++ type lvm_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, lvm_lock_t, lvm_lock_t) ++ manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t) ++') ++ ++ ++ diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 79048c4..6cf8b94 100644 --- a/policy/modules/system/lvm.te diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index ccf332b..d819bb5 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -27934,7 +27934,7 @@ index c62c567..6460877 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..a0c36b3 100644 +index 98072a3..1b550dd 100644 --- a/firewalld.te +++ b/firewalld.te 
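Review bot: The new `lvm_manage_lock` interface in the lvm.if hunk at 37295 documents itself as managing "lvm lock files" but also grants `manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t)`, so callers can create and delete lock directories as well; either drop the dirs pattern or say so in the summary, e.g. `## lvm lock files and directories.`. The interface also leaves three empty `+` lines after its closing `')` before the lvm.te file header, which refpolicy style does not use; one trailing blank line is enough. `lvm_lock_t` is not declared anywhere in this hunk, so presumably lvm.te declares it; worth confirming, since a missing type fails the `gen_require` at build time.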
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -27957,7 +27957,7 @@ index 98072a3..a0c36b3 100644 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) -+relabelfrom_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) ++relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) +manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) allow firewalld_t firewalld_var_log_t:file append_file_perms; @@ -44249,7 +44249,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..0c195ed 100644 +index 4ec0eea..022172c 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -44284,7 +44284,7 @@ index 4ec0eea..0c195ed 100644 ######################################## # # Local policy -@@ -26,4 +44,61 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,67 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -44303,6 +44303,7 @@ index 4ec0eea..0c195ed 100644 +allow lsmd_plugin_t self:udp_socket create_socket_perms; +allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms; +allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow lsmd_plugin_t self:capability { sys_rawio } ; + +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t) +allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write }; @@ -44325,6 +44326,7 @@ index 4ec0eea..0c195ed 100644 +auth_read_passwd(lsmd_plugin_t) + +dev_read_urand(lsmd_plugin_t) ++dev_read_sysfs(lsmd_plugin_t) + +corecmd_exec_bin(lsmd_plugin_t) + 
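Review bot: `allow lsmd_plugin_t self:capability { sys_rawio } ;` in the lsm.te hunk at 44303 has a stray space before the semicolon and braces around a single permission; the conventional form is `allow lsmd_plugin_t self:capability sys_rawio;`. The sys_rawio capability is also absent from the 3.13.1-140 changelog, which lists only the raw_fixed_disk, sysfs, hwdata and scsi_generic additions, so the reason the plugin domain needs it is undocumented; a one-line comment above the rule naming the plugin or operation that requires it would help the next reviewer. Together with `storage_raw_rw_fixed_disk(lsmd_plugin_t)` in the hunk at 44343, this effectively lets lsmd_plugin_t read and write whole fixed disks, which sidesteps file-level labeling on those devices, so it is worth checking that only the plugin executables that truly need this run as lsmd_plugin_t.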
@@ -44343,9 +44345,13 @@ index 4ec0eea..0c195ed 100644 +logging_send_syslog_msg(lsmd_plugin_t) + +miscfiles_read_certs(lsmd_plugin_t) ++miscfiles_read_hwdata(lsmd_plugin_t) + +sysnet_read_config(lsmd_plugin_t) + ++storage_raw_rw_fixed_disk(lsmd_plugin_t) ++storage_read_scsi_generic(lsmd_plugin_t) ++storage_write_scsi_generic(lsmd_plugin_t) diff --git a/mailman.fc b/mailman.fc index 995d0a5..3d40d59 100644 --- a/mailman.fc @@ -61002,17 +61008,22 @@ index 3b6920e..3e9b17f 100644 userdom_dontaudit_search_user_home_dirs(openct_t) diff --git a/openhpi.te b/openhpi.te -index 8de6191..13fa6d2 100644 +index 8de6191..af7f2a8 100644 --- a/openhpi.te +++ b/openhpi.te -@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) +@@ -50,8 +50,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) dev_read_urand(openhpid_t) -files_read_etc_files(openhpid_t) - +- logging_send_syslog_msg(openhpid_t) + miscfiles_read_localization(openhpid_t) ++ ++optional_policy(` ++ snmp_read_snmp_var_lib_files(openhpid_t) ++') diff --git a/openhpid.fc b/openhpid.fc new file mode 100644 index 0000000..9441fd7 @@ -84654,7 +84665,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..96227fa 100644 +index d32e1a2..e44a0d9 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -84693,7 +84704,7 @@ index d32e1a2..96227fa 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,71 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,75 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) 
@@ -84769,6 +84780,10 @@ index d32e1a2..96227fa 100644 + +optional_policy(` + virt_signull(rhsmcertd_t) ++') ++ ++optional_policy(` ++ unconfined_signull(rhsmcertd_t) ') diff --git a/ricci.if b/ricci.if index 2ab3ed1..23d579c 100644 
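Review bot: The changelog entry says rhsmcertd needs signull to unconfined_service, but the rule added here is `unconfined_signull(rhsmcertd_t)`; if that interface targets unconfined_t rather than unconfined_service_t, the grant is wider than the changelog describes, so it is worth confirming against unconfined.if. A short comment above the block, e.g. `# rhsmcertd probes unconfined services with signull`, would record why the optional block exists.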
@@ -100963,6 +100978,258 @@ index ffde368..0000000 -optional_policy(` - rpm_exec(stapserver_t) -') +diff --git a/targetd.fc b/targetd.fc +new file mode 100644 +index 0000000..c1ef053 +--- /dev/null ++++ b/targetd.fc +@@ -0,0 +1,5 @@ ++/etc/target(/.*)? gen_context(system_u:object_r:targetd_etc_rw_t,s0) ++ ++/usr/bin/targetd -- gen_context(system_u:object_r:targetd_exec_t,s0) ++ ++/usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0) +diff --git a/targetd.if b/targetd.if +new file mode 100644 +index 0000000..a6e216c +--- /dev/null ++++ b/targetd.if +@@ -0,0 +1,167 @@ ++ ++## Targetd is a service to allow the remote configuration of block device volumes and file systems within dedicated pools ++ ++######################################## ++## ++## Execute targetd_exec_t in the targetd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`targetd_domtrans',` ++ gen_require(` ++ type targetd_t, targetd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, targetd_exec_t, targetd_t) ++') ++ ++###################################### ++## ++## Execute targetd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`targetd_exec',` ++ gen_require(` ++ type targetd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, targetd_exec_t) ++') ++ ++######################################## ++## ++## Search targetd conf directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`targetd_search_conf',` ++ gen_require(` ++ type targetd_etc_rw_t; ++ ') ++ ++ allow $1 targetd_etc_rw_t:dir search_dir_perms; ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Read targetd conf files. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`targetd_read_conf_files',`
++ gen_require(`
++ type targetd_etc_rw_t;
++ ')
++
++ allow $1 targetd_etc_rw_t:dir list_dir_perms;
++ read_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
++ files_search_etc($1)
++')
++
++########################################
++##
++## Manage targetd conf files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`targetd_manage_conf_files',`
++ gen_require(`
++ type targetd_etc_rw_t;
++ ')
++
++ manage_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
++ files_search_etc($1)
++')
++
++########################################
++##
++## Execute targetd server in the targetd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`targetd_systemctl',`
++ gen_require(`
++ type targetd_t;
++ type targetd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 targetd_unit_file_t:file read_file_perms;
++ allow $1 targetd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, targetd_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an targetd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`targetd_admin',`
++ gen_require(`
++ type targetd_t;
++ type targetd_etc_rw_t;
++ type targetd_unit_file_t;
++ ')
++
++ allow $1 targetd_t:process { signal_perms };
++ ps_process_pattern($1, targetd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 targetd_t:process ptrace;
++ ')
++
++ files_search_etc($1)
++ admin_pattern($1, targetd_etc_rw_t)
++
++ targetd_systemctl($1)
++ admin_pattern($1, targetd_unit_file_t)
++ allow $1 targetd_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
++
+diff --git a/targetd.te b/targetd.te
+new file mode 100644
+index 0000000..a2cb50c
+--- /dev/null
++++ b/targetd.te
+@@ -0,0 +1,62 @@
++policy_module(targetd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type targetd_t;
++type targetd_exec_t;
++init_daemon_domain(targetd_t, targetd_exec_t)
++
++type targetd_etc_rw_t;
++files_type(targetd_etc_rw_t)
++
++type targetd_unit_file_t;
++systemd_unit_file(targetd_unit_file_t)
++
++########################################
++#
++# targetd local policy
++#
++
++allow targetd_t self:fifo_file rw_fifo_file_perms;
++allow targetd_t self:unix_stream_socket create_stream_socket_perms;
++allow targetd_t self:tcp_socket listen;
++allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
++allow targetd_t self:process setfscreate;
++
++manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
++manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
++files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
++
++kernel_read_system_state(targetd_t)
++
++auth_use_nsswitch(targetd_t)
++
++corecmd_exec_shell(targetd_t)
++
++corenet_tcp_bind_generic_node(targetd_t)
++corenet_tcp_bind_lsm_plugin_port(targetd_t)
++
++dev_read_sysfs(targetd_t)
++dev_read_urand(targetd_t)
++
++libs_exec_ldconfig(targetd_t)
++
++storage_getattr_fixed_disk_dev(targetd_t)
++storage_getattr_removable_dev(targetd_t) ++ ++sysnet_read_config(targetd_t) ++ ++optional_policy(` ++ lvm_read_config(targetd_t) ++ lvm_read_metadata(targetd_t) ++ lvm_manage_lock(targetd_t) ++ lvm_stream_connect(targetd_t) ++') ++ ++optional_policy(` ++ udev_read_pid_files(targetd_t) ++') ++ diff --git a/tcpd.te b/tcpd.te index 2d6d2c2..db18a80 100644 --- a/tcpd.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 2c02988..0d65310 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 139%{?dist} +Release: 140%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -647,6 +647,13 @@ exit 0 %endif %changelog +* Wed Aug 05 2015 Miroslav Grepl 3.13.1-140 +- firewalld needs to relabel own config files. BZ(#1250537) +- Allow rhsmcertd to send signull to unconfined_service +- Allow lsm_plugin_t to rw raw_fixed_disk. +- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device +- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). + * Tue Aug 04 2015 Lukas Vrabec 3.13.1-139 - Add header for sslh.if file - Fix sslh_admin() interface
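Review bot: targetd.te grants `allow targetd_t self:tcp_socket listen;` and nothing else on tcp_socket, while `corenet_tcp_bind_generic_node(targetd_t)` and `corenet_tcp_bind_lsm_plugin_port(targetd_t)` imply the daemon creates and binds its own listening socket; presumably `allow targetd_t self:tcp_socket create_stream_socket_perms;` is intended unless a rule outside this hunk covers it. In targetd.if the `targetd_systemctl` summary reads "Execute targetd server in the targetd domain", copied from `targetd_domtrans`; it should describe the systemctl access it grants, e.g. `## Manage the targetd service via systemctl.`, and the `targetd_admin` summary's "an targetd environment" should read "a targetd environment". targetd.fc labels `/etc/target(/.*)?` as targetd_etc_rw_t; if another module already labels that path (Fedora's LIO target configuration also lives under /etc/target), the two entries will conflict, so check the existing file contexts before merging. The targetd.te file also ends with an extra empty `+` line after the last optional_policy block.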