diff --git a/policy-f23-base.patch b/policy-f23-base.patch index 7236f08..f5bac9c 100644 --- a/policy-f23-base.patch +++ b/policy-f23-base.patch @@ -36986,10 +36986,10 @@ index 446fa99..22f539c 100644 + plymouthd_exec_plymouth(sulogin_t) ') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index b50c5fe..13da95a 100644 +index b50c5fe..5c39fe5 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -1,11 +1,14 @@ +@@ -1,11 +1,15 @@ -/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh) @@ -37001,11 +37001,12 @@ index b50c5fe..13da95a 100644 /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0) ++/usr/lib/systemd/system/syslogd.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0) + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) -@@ -17,12 +20,25 @@ +@@ -17,12 +21,25 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -37032,7 +37033,7 @@ index b50c5fe..13da95a 100644 /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,21 +54,22 @@ ifdef(`distro_suse', ` +@@ -38,21 +55,22 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) 
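Review bot: The new file context `/usr/lib/systemd/system/syslogd.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)` in the logging.fc hunk will not label rsyslog's unit, which ships as rsyslog.service; file-context regexes are anchored, so this pattern only matches paths that begin with the literal "syslogd". The changelog entry for this release says "Label rsyslog unit file", and logrotate_t is granted manage_service_perms on syslogd_unit_file_t through the new interface, so an unlabeled unit file would leave that grant without effect. If rsyslog is the intended target, the pattern to add is `/usr/lib/systemd/system/rsyslog.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)`, keeping the syslogd one only if another daemon actually installs a unit by that name.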
@@ -37058,7 +37059,7 @@ index b50c5fe..13da95a 100644 ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -@@ -65,11 +82,16 @@ ifdef(`distro_redhat',` +@@ -65,11 +83,16 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) @@ -37077,7 +37078,7 @@ index b50c5fe..13da95a 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..7ab6191 100644 +index 4e94884..c665768 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -37191,21 +37192,14 @@ index 4e94884..7ab6191 100644 +interface(`logging_create_devlog_dev',` + gen_require(` + type devlog_t; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + allow $1 devlog_t:lnk_file manage_lnk_file_perms; + dev_filetrans($1, devlog_t, lnk_file, "log") + init_pid_filetrans($1, devlog_t, sock_file, "syslog") + logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Relabel the devlog sock_file. 
@@ -37219,15 +37213,18 @@ index 4e94884..7ab6191 100644 +interface(`logging_relabel_devlog_dev',` + gen_require(` + type devlog_t; -+ ') + ') -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + allow $1 devlog_t:sock_file relabel_sock_file_perms; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Allow domain to read the syslog pid files. @@ -37242,7 +37239,11 @@ index 4e94884..7ab6191 100644 + gen_require(` + type syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') @@ -37487,7 +37488,7 @@ index 4e94884..7ab6191 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1285,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1285,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; 
@@ -37518,10 +37519,32 @@ index 4e94884..7ab6191 100644 + allow $1 auditd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, auditd_t) ++') ++######################################## ++## ++## Execute auditd server in the auditd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`logging_systemctl_syslogd',` ++ gen_require(` ++ type syslogd_t; ++ type syslogd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 syslogd_unit_file_t:file read_file_perms; ++ allow $1 syslog_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, syslogd_t) ') ######################################## -@@ -1032,10 +1340,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1362,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -37539,7 +37562,7 @@ index 4e94884..7ab6191 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1370,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1392,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -37548,7 +37571,7 @@ index 4e94884..7ab6191 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1400,90 @@ interface(`logging_admin',` +@@ -1085,3 +1422,90 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -37640,7 +37663,7 @@ index 4e94884..7ab6191 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..e1ec2e8 100644 +index 59b04c1..7d9ca00 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) 
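Review bot: The new interface logging_systemctl_syslogd in the logging.if hunk references an undeclared type in `allow $1 syslog_unit_file_t:service manage_service_perms;`; the type named in its gen_require block and declared in logging.te is syslogd_unit_file_t, so the interface will fail to compile as soon as it is expanded, and logrotate.te in this same commit calls it. The line should read `allow $1 syslogd_unit_file_t:service manage_service_perms;`. The description comment, "Execute auditd server in the auditd domain.", was carried over from the auditd interface above it and should describe this interface instead, e.g. "Execute systemctl on the syslogd unit file and manage the syslogd service."; the block also lacks the blank line and `########################################` separator that the neighbouring interfaces have before their comment header.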
@@ -37699,7 +37722,7 @@ index 59b04c1..e1ec2e8 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t) +@@ -71,16 +99,23 @@ init_script_file(syslogd_initrc_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) @@ -37715,7 +37738,15 @@ index 59b04c1..e1ec2e8 100644 type var_log_t; logging_log_file(var_log_t) -@@ -94,6 +126,8 @@ ifdef(`enable_mls',` + files_mountpoint(var_log_t) + ++type syslogd_unit_file_t; ++systemd_unit_file(syslogd_unit_file_t) ++ + ifdef(`enable_mls',` + init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) + init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) +@@ -94,6 +129,8 @@ ifdef(`enable_mls',` allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; @@ -37724,7 +37755,7 @@ index 59b04c1..e1ec2e8 100644 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; -@@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -37735,7 +37766,7 @@ index 59b04c1..e1ec2e8 100644 init_dontaudit_use_fds(auditctl_t) -@@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; +@@ -136,9 +175,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:file read_file_perms; 
@@ -37747,7 +37778,7 @@ index 59b04c1..e1ec2e8 100644 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -@@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -37755,7 +37786,7 @@ index 59b04c1..e1ec2e8 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -37765,7 +37796,7 @@ index 59b04c1..e1ec2e8 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -37787,7 +37818,7 @@ index 59b04c1..e1ec2e8 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -37819,7 +37850,7 @@ index 59b04c1..e1ec2e8 100644 ') ######################################## -@@ -266,9 +312,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) 
@@ -37831,7 +37862,7 @@ index 59b04c1..e1ec2e8 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,13 +327,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -37859,7 +37890,7 @@ index 59b04c1..e1ec2e8 100644 ######################################## # # klogd local policy -@@ -326,7 +386,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -37867,7 +37898,7 @@ index 59b04c1..e1ec2e8 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +414,12 @@ optional_policy(` +@@ -355,13 +417,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -37884,7 +37915,7 @@ index 59b04c1..e1ec2e8 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +427,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -37901,7 +37932,7 @@ index 59b04c1..e1ec2e8 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +451,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
@@ -37952,7 +37983,7 @@ index 59b04c1..e1ec2e8 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +501,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -37961,7 +37992,7 @@ index 59b04c1..e1ec2e8 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +513,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -37995,7 +38026,7 @@ index 59b04c1..e1ec2e8 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +552,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -38013,7 +38044,7 @@ index 59b04c1..e1ec2e8 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +574,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +577,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -38029,7 +38060,7 @@ index 59b04c1..e1ec2e8 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +606,7 @@ optional_policy(` +@@ -497,6 +609,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") 
@@ -38037,7 +38068,7 @@ index 59b04c1..e1ec2e8 100644 ') optional_policy(` -@@ -507,15 +617,40 @@ optional_policy(` +@@ -507,15 +620,40 @@ optional_policy(` ') optional_policy(` @@ -38078,7 +38109,7 @@ index 59b04c1..e1ec2e8 100644 ') optional_policy(` -@@ -526,3 +661,26 @@ optional_policy(` +@@ -526,3 +664,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index 9f56b04..74c4687 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -13294,7 +13294,7 @@ index 32e8265..c5a2913 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..135100a 100644 +index e5b621c..74e168f 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13325,7 +13325,7 @@ index e5b621c..135100a 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,38 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,41 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -13351,6 +13351,9 @@ index e5b621c..135100a 100644 +systemd_exec_systemctl(chronyd_t) + +userdom_dgram_send(chronyd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(chronyd_t) optional_policy(` gpsd_rw_shm(chronyd_t) @@ -16062,7 +16065,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..32ebb0c 100644 +index ce9f040..dc29445 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) 
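Review bot: The optional_policy block added for `dbus_system_bus_client(chronyd_t)` in the chronyd.te hunk is never closed: the hunk adds the opening quote and the call but no `')` before the existing optional_policy for gpsd_rw_shm that follows as context, and the hunk header's count of three added lines confirms nothing else was inserted there. As written the m4 quoting is unbalanced for the rest of the file, or at best the gpsd block ends up nested inside the dbus one, so the gpsd rules would only apply when the dbus module is also loaded. Add `')` and a blank line after the dbus call, unless the closing quote is supplied by a change outside this hunk.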
@@ -16140,7 +16143,7 @@ index ce9f040..32ebb0c 100644 # -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; -+allow condor_master_t self:capability { setuid setgid sys_ptrace }; ++allow condor_master_t self:capability { chown setuid setgid sys_ptrace }; allow condor_master_t condor_domain:process { sigkill signal }; @@ -19825,10 +19828,10 @@ index 8401fe6..d58f3e7 100644 /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if -index b25b01d..6b7d687 100644 +index b25b01d..06895f3 100644 --- a/ctdb.if +++ b/ctdb.if -@@ -1,9 +1,161 @@ +@@ -1,9 +1,178 @@ -## Clustered Database based on Samba Trivial Database. + +## policy for ctdbd @@ -19887,6 +19890,23 @@ index b25b01d..6b7d687 100644 + allow $1 ctdbd_t:process signal; +') + ++####################################### ++## ++## Allow domain to sigchld ctdbd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_sigchld',` ++ gen_require(` ++ type ctdbd_t; ++ ') ++ allow $1 ctdbd_t:process sigchld; ++') ++ +######################################## +## +## Read ctdbd's log files. @@ -19993,7 +20013,7 @@ index b25b01d..6b7d687 100644 ## ## ## -@@ -17,13 +169,12 @@ interface(`ctdbd_manage_lib_files',` +@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',` ') files_search_var_lib($1) @@ -20010,7 +20030,7 @@ index b25b01d..6b7d687 100644 ## ## ## -@@ -31,19 +182,58 @@ interface(`ctdbd_manage_lib_files',` +@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',` ## ## # @@ -20074,7 +20094,7 @@ index b25b01d..6b7d687 100644 ## ## ## -@@ -57,16 +247,19 @@ interface(`ctdbd_stream_connect',` +@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',` ## ## # 
@@ -20098,7 +20118,7 @@ index b25b01d..6b7d687 100644 domain_system_change_exemption($1) role_transition $2 ctdbd_initrc_exec_t system_r; allow $2 system_r; -@@ -74,12 +267,10 @@ interface(`ctdb_admin',` +@@ -74,12 +284,10 @@ interface(`ctdb_admin',` logging_search_logs($1) admin_pattern($1, ctdbd_log_t) @@ -37240,10 +37260,10 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..749756a +index 0000000..3a71430 --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,13 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) @@ -37253,6 +37273,8 @@ index 0000000..749756a + +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) + ++/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) ++ +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) + diff --git a/ipa.if b/ipa.if @@ -37441,10 +37463,10 @@ index 0000000..904782d +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..694c092 +index 0000000..af46439 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,130 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -37464,6 +37486,9 @@ index 0000000..694c092 +type ipa_otpd_unit_file_t; +systemd_unit_file(ipa_otpd_unit_file_t) + ++type ipa_log_t; ++logging_log_file(ipa_log_t) ++ +type ipa_var_lib_t; +files_type(ipa_var_lib_t) + 
@@ -37521,10 +37546,15 @@ index 0000000..694c092 +allow ipa_helper_t self:fifo_file rw_fifo_file_perms; +allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms; + ++manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t) ++logging_log_filetrans(ipa_helper_t, ipa_log_t, file) ++ +kernel_read_system_state(ipa_helper_t) + +corenet_tcp_connect_ldap_port(ipa_helper_t) +corenet_tcp_connect_smbd_port(ipa_helper_t) ++corenet_tcp_connect_http_port(ipa_helper_t) ++corenet_tcp_connect_kerberos_password_port(ipa_helper_t) + +corecmd_exec_bin(ipa_helper_t) +corecmd_exec_shell(ipa_helper_t) @@ -44642,7 +44672,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..08c168f 100644 +index be0ab84..24e669e 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -44764,7 +44794,7 @@ index be0ab84..08c168f 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +123,52 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -44781,6 +44811,7 @@ index be0ab84..08c168f 100644 logging_send_audit_msgs(logrotate_t) +# cjp: why is this needed? logging_exec_all_logs(logrotate_t) ++logging_systemctl_syslogd(logrotate_t) -miscfiles_read_localization(logrotate_t) +systemd_exec_systemctl(logrotate_t) @@ -44822,7 +44853,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -135,16 +182,17 @@ optional_policy(` +@@ -135,16 +183,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -44842,7 +44873,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -170,6 +218,11 @@ optional_policy(` +@@ -170,6 +219,11 @@ optional_policy(` ') optional_policy(` 
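Review bot: `logging_log_filetrans(ipa_helper_t, ipa_log_t, file)` in the ipa.te hunk is an unnamed transition, so every file ipa_helper_t creates directly under /var/log is created as ipa_log_t, while the ipa.fc change in this commit labels only /var/log/ipareplica-conncheck.log. Naming the transition keeps the runtime label consistent with the on-disk contexts and avoids mislabeling any other log the helper may write there: `logging_log_filetrans(ipa_helper_t, ipa_log_t, file, "ipareplica-conncheck.log")`. If the helper writes additional logs that should be ipa_log_t, add each to ipa.fc and list it by name rather than widening the transition.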
@@ -44854,7 +44885,7 @@ index be0ab84..08c168f 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +231,7 @@ optional_policy(` +@@ -178,7 +232,7 @@ optional_policy(` ') optional_policy(` @@ -44863,7 +44894,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -198,17 +251,18 @@ optional_policy(` +@@ -198,17 +252,18 @@ optional_policy(` ') optional_policy(` @@ -44885,7 +44916,7 @@ index be0ab84..08c168f 100644 ') optional_policy(` -@@ -216,6 +270,14 @@ optional_policy(` +@@ -216,6 +271,14 @@ optional_policy(` ') optional_policy(` @@ -44900,7 +44931,7 @@ index be0ab84..08c168f 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +290,43 @@ optional_policy(` +@@ -228,26 +291,43 @@ optional_policy(` ') optional_policy(` @@ -59417,10 +59448,10 @@ index bcd7d0a..0188086 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/nsd.fc b/nsd.fc -index 4f2b1b6..5348e92 100644 +index 4f2b1b6..adea830 100644 --- a/nsd.fc +++ b/nsd.fc -@@ -1,16 +1,13 @@ +@@ -1,16 +1,17 @@ -/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) @@ -59441,6 +59472,10 @@ index 4f2b1b6..5348e92 100644 -/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) +/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-checkconf -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-checkzone -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-control -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd-control-setup -- gen_context(system_u:object_r:nsd_exec_t,s0) +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) @@ -59534,7 +59569,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') 
diff --git a/nsd.te b/nsd.te -index 47bb1d2..a97c60f 100644 +index 47bb1d2..3316c17 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; @@ -59548,7 +59583,7 @@ index 47bb1d2..a97c60f 100644 type nsd_conf_t; files_type(nsd_conf_t) -@@ -20,32 +18,28 @@ domain_type(nsd_crond_t) +@@ -20,32 +18,31 @@ domain_type(nsd_crond_t) domain_entry_file(nsd_crond_t, nsd_exec_t) role system_r types nsd_crond_t; @@ -59563,13 +59598,17 @@ index 47bb1d2..a97c60f 100644 +type nsd_zone_t alias nsd_db_t; files_type(nsd_zone_t) ++type nsd_tmp_t; ++files_tmp_file(nsd_tmp_t) ++ ######################################## # -# Local policy +# NSD Local policy # - allow nsd_t self:capability { chown dac_override kill setgid setuid }; +-allow nsd_t self:capability { chown dac_override kill setgid setuid }; ++allow nsd_t self:capability { chown dac_override kill setgid setuid net_admin }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; +allow nsd_t self:tcp_socket create_stream_socket_perms; @@ -59588,7 +59627,18 @@ index 47bb1d2..a97c60f 100644 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) files_pid_filetrans(nsd_t, nsd_var_run_t, file) -@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t) +@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + files_var_lib_filetrans(nsd_t, nsd_zone_t, dir) + ++manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t) ++manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t) ++files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir }) ++ + can_exec(nsd_t, nsd_exec_t) + + kernel_read_system_state(nsd_t) +@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t) corecmd_exec_bin(nsd_t) 
@@ -59596,7 +59646,7 @@ index 47bb1d2..a97c60f 100644 corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) corenet_udp_sendrecv_generic_if(nsd_t) -@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t) +@@ -72,16 +72,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t) corenet_udp_sendrecv_all_ports(nsd_t) corenet_tcp_bind_generic_node(nsd_t) corenet_udp_bind_generic_node(nsd_t) @@ -59616,7 +59666,7 @@ index 47bb1d2..a97c60f 100644 fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) -@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t) +@@ -90,8 +91,6 @@ auth_use_nsswitch(nsd_t) logging_send_syslog_msg(nsd_t) @@ -59625,7 +59675,7 @@ index 47bb1d2..a97c60f 100644 userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -105,23 +97,24 @@ optional_policy(` +@@ -105,23 +104,24 @@ optional_policy(` ######################################## # @@ -59658,7 +59708,7 @@ index 47bb1d2..a97c60f 100644 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) -@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t) +@@ -133,27 +133,27 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) @@ -64895,7 +64945,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..a17af8b 100644 +index 44dbc99..fce33b0 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; 
@@ -64961,7 +65011,7 @@ index 44dbc99..a17af8b 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -65,33 +69,48 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -64997,9 +65047,10 @@ index 44dbc99..a17af8b 100644 fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) - -+auth_use_nsswitch(openvswitch_t) ++fs_rw_hugetlbfs_files(openvswitch_t) + ++auth_use_nsswitch(openvswitch_t) + logging_send_syslog_msg(openvswitch_t) -miscfiles_read_localization(openvswitch_t) @@ -76645,7 +76696,7 @@ index d68e26d..d2c4d2a 100644 +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 7cb8b1f..9422c90 100644 +index 7cb8b1f..bef7217 100644 --- a/puppet.if +++ b/puppet.if @@ -1,4 +1,32 @@ @@ -76726,7 +76777,7 @@ index 7cb8b1f..9422c90 100644 ') ################################################ -@@ -78,158 +107,164 @@ interface(`puppet_read_config',` +@@ -78,158 +107,165 @@ interface(`puppet_read_config',` ## ## # @@ -76957,8 +77008,9 @@ index 7cb8b1f..9422c90 100644 - files_search_var_lib($1) - admin_pattern($1, puppet_var_lib_t) + files_search_etc($1) -+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) ++ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) + read_files_pattern($1, puppet_etc_t, puppet_etc_t) ++ read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t) +') +##################################### @@ -91724,7 +91776,7 @@ index 50d07fb..e9569d2 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') 
diff --git a/samba.te b/samba.te -index 2b7c441..0232e85 100644 +index 2b7c441..ca83568 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -92552,7 +92604,7 @@ index 2b7c441..0232e85 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,16 +716,13 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +716,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -92571,7 +92623,8 @@ index 2b7c441..0232e85 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +730,23 @@ optional_policy(` ++ ctdbd_sigchld(smbcontrol_t) + ') ######################################## # @@ -92603,7 +92656,7 @@ index 2b7c441..0232e85 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +755,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +756,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -92639,7 +92692,7 @@ index 2b7c441..0232e85 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +782,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +783,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -92731,7 +92784,7 @@ index 2b7c441..0232e85 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +861,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +862,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) 
@@ -92755,7 +92808,7 @@ index 2b7c441..0232e85 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +875,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +876,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -92798,7 +92851,7 @@ index 2b7c441..0232e85 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +905,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +906,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -92812,7 +92865,7 @@ index 2b7c441..0232e85 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +928,20 @@ optional_policy(` +@@ -840,17 +929,20 @@ optional_policy(` # Winbind local policy # @@ -92838,7 +92891,7 @@ index 2b7c441..0232e85 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +951,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +952,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -92849,7 +92902,7 @@ index 2b7c441..0232e85 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +962,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +963,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) 
@@ -92903,7 +92956,7 @@ index 2b7c441..0232e85 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1005,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1006,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -92962,7 +93015,7 @@ index 2b7c441..0232e85 100644 ') optional_policy(` -@@ -959,31 +1066,36 @@ optional_policy(` +@@ -959,31 +1067,36 @@ optional_policy(` # Winbind helper local policy # @@ -93006,7 +93059,7 @@ index 2b7c441..0232e85 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1109,38 @@ optional_policy(` +@@ -997,25 +1110,38 @@ optional_policy(` ######################################## # @@ -110121,7 +110174,7 @@ index facdee8..a6dcaaa 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..7e8aed1 100644 +index f03dcf5..3c37f58 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -111702,7 +111755,7 @@ index f03dcf5..7e8aed1 100644 +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto }; ++allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto }; + +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 11f7c45..6c5230a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
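Review bot: The virt.te hunk widens the sandbox file rule to `allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };`, but neither the changelog entries for this release nor a comment in the hunk say why execmod is needed. execmod permits executing a file mapping after it has been modified (text relocations), which removes one of the memory-protection checks for every sandbox domain on every sandbox file, so a widening of this kind deserves a changelog line with its bug reference and a comment above the rule naming the workload that requires it. If only some containers need it, consider gating the permission with a tunable_policy boolean instead of granting it unconditionally to the whole attribute.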
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 158.1%{?dist} +Release: 158.2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -659,6 +659,19 @@ exit 0 %endif %changelog +* Wed Jan 13 2016 Lukas Vrabec 3.13.1-158.2 +- Allow logrotate to systemctl rsyslog service. BZ(1284173) +- Allow condor_master_t domain capability chown. BZ(1297048) +- Allow chronyd to be dbus bus client. BZ(1297129) +- Allow openvswitch read/write hugetlb filesystem. +- Revert "Allow openvswitch read/write hugetlb filesystem." +- Allow smbcontrol domain to send sigchld to ctdbd domain. +- Allow openvswitch read/write hugetlb filesystem. +- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930) +- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146) +- Added interface logging_systemctl_syslogd +- Label rsyslog unit file + * Wed Jan 06 2016 Lukas Vrabec 3.13.1-158.1 - Allow cupsd to execute dynamic linker. BZ(1294718) - Allow qemu-bridge-helper running as virt_bridgehelper_t to access cpuinfo/cpuinfo_max_freq and unix stream socket the running virtual machine. BZ(#1267217).