From 02b9e479602a605c0c3fee943117033b606162d7 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 27 Apr 2016 14:27:01 +0200 Subject: [PATCH] * Wed Apr 27 2016 Lukas Vrabec 3.13.1-185 - Allow running php7 in fpm mode. From the selinux-policy side, we need to allow httpd to read/write hugetlbfs. - Allow openvswitch daemons to run under the openvswitch Linux user instead of root. This change requires allowing the capabilities chown, setgid, setuid and setpcap. BZ(1330895) - Allow KDM to get status about power services. This change allows kdm to perform a shutdown. BZ(1330970) - Add mls support for some db classes --- docker-selinux.tgz | Bin 4315 -> 4313 bytes policy-rawhide-base.patch | 77 +++++++++++++++++++++++------------ policy-rawhide-contrib.patch | 21 ++++++---- selinux-policy.spec | 8 +++- 4 files changed, 71 insertions(+), 35 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 53d3064044167556aef4e7d3cd7fcce2947d2bcc..9b3e5aec4618851a3d1913905b0a86bb1637104d 100644 GIT binary patch literal 4313 zcmV;~5GL;*iwFRyuOL?d1MOVvkJ~m9&sY1e5RwAfJtVuEH?V1YIJEt69}Xz4{a8Si zCE8Y3uZq-qeL?>Bo8e0oMe4EkCfhp;NNkHUKa#`IaAr8#q>OJ!eUYx8Jlu5!*ZcQx z@$=P(cUR^oT(94~dGqGUtJfc1UBQ3v-+p)kpYN_-KMAfLa7_AYD2wVKc#_@L(Tc=g zy0P}Z=(T+IEcli-c^=jK?|XSy`Ff^Vy+j`E<0a`N3%LG|?e z9`=vCA&9c9+>s<;Wx(pFpeatr1$xO*;rlWz7^&A$OwN86LkXc1&iwqv@5{x86k$#N zY|rWdLIu72<7FBV8*;-gEHHs~*8MOfQhg@HMPRom1dirx~HDOG(W| ze@sn%RO038^JRqV(q7GUposrXqQsOhU&ya3*&2q#=f=k}U%p;lTySL3>@c$$=s|@{ zw^2G7ajTUk$#u5Z4d!f z!$71gjRQX8)<*~1g>;c&)T%nY#ZHj&3$CDrEJqRIC>;10vGS>uYi?PEM9>n)Ttsua z61-uYMU;BF;%)uDRz!A}%;^vRe+uz7%0J4!d&=s@H$^11x?Pd9*i7oy@k}WDH7%xf zJ`vui)zJEHUcN9#sYq>M|rT?>JhNM}eviv>xMye3(RUNcA~1!dta zfxHy6T)A~Az$>s6y9C!p;MmchF^p^c2=vP9_-}|s4keIVko>7wmx~JYr!G;kU3zqs zz$Pk^U{|L-Z#O47Y&&21>D+-x@=40!jLlKNc_2`fP-jTY7FZBi5;LBvitXp_v4I8d z6CX8IHm5U_!4qkF^W>e7L*Tu+Okws*YUOvg{tpD==?Z>#Y@Cw zZ4@SUMI~U&T$6&$5ief-ZU)568K#T6-9WMPB$Pu$$xjr$u_wElb(Dq;9hJ|@4Oe>? zpxmHbfZH-B_Cm{TO74MtKAz1A+g}7vMZ*PfJUyR@K;cfn_ zx>WJxwLw}msqis%Rm5%XyM!=MZfeD}spZ~s@M{#08jqk0{m`JHltI`ADp(0!Ms`dr_lGMukT@$ck6du0UWk%wty7bf? z=rPVJ_3ODdqETefTTCwDuU%UEm$+mujgbfJW2FB3!)r(V_p5iO`tL7s2}eK7%LHQS zGocMHf>#$;7gw`v)bd&IBZ)J3{Lx1S$7IQkKtgCNPb?~VRzWcJ58g|#+Y)ebYMrK! 
zxP4N20v^pnsQ>E^KL=G=Gku;>NmC=B(QvS)h*o;^dV>QC`65_H86_|i%RIa63qR>g zB9fOyC`_S3w2QjWm!dtS&FYUZO~QB^6&r%BIgg+;qozb_I7GHIT_wqbx6Y(zg#7ZT zF|7F}Miuq4?;?Ec-y5H$KlCt%XLuXktovD~)e^aJTp_sl+#IpG>&!uAXYo_ql;=V zT1-gbkiC1w9O({|vF~5H`E5E2rjw6S*#dp@tWRa}x2KHa(2(uVtQLzwAAa>!O_wIl zGi}mD!OBNjAWSCQkL0nVbnGa}*4N-aiY@h6@( zv?4_U_SPT4nFifi&e_{g^l4JplDR4iXY%$dL8k(Yo`(5>tTVA`^H65kk^7w{!~p=o zNmx8Ie1pGxJUeatVngWVf2WPz!))z6o`EaoPdIRX92$JqhtpFBzp;N!AG)7)g7!Jt z-KX$AUSr;>!{GC|{Xm;M*GiK`ohKMv1}M^auIn;y4Jn$xX)@%Sb@$g)84j^dkfD>k z>rr?lC^26mw2Tc#7kK4mQ?Rm_`uup`)0w76W9$?3$P3|~uxy@dO#Ex3`+FvD zcq+sk4#u!(2j4-MuHaK(CMfw7m?J<;Snxp@_o8>+*POBJz5=nKF&$)<2dl)VOL+`J zm*gFYGjX-NFs|aiAq1Cf^<21=-Rs}4W3?82r=O%Ys=`pqzWrH7vN9Mk0@`-GMraE^ z3zEsBHjx41CvJu(CY`=)exAXi_1K(GIAGk z>3bM>2t8^3PD;=GJG4XdLc%G_r0HB>(ok@%GLnHNiJ)jTQ07X65`xX0NNU5P$0fSm z)MZokyOqttkD~iLON$$eKpy8t9X*Eooqju=QdZVzU+ZWW@)aRB1vni6k%pzxY9(YHH5n6r)?G($OfsQ29gsam%}b=G7K$om zQwEZP8=`dGM{pEf)m7eg6wk#yG1QfP+ai7L23>b?W4zZY{P7{J#>n2U`qr&_sd^Y%VPi00GzpcuW@h`Cd zs;{zC5xw!zG^qrZA1GwrpX`_KfxVhXCn_vIKG7jO{5tsV)$;F`N5oASv5c{<;L@a<1F>ag4Yhar$E{^O#9GEUj_# zJ2e~O3*Dv_Jif)cbh$l$HiWW}za!W=Ni~S%0K**A3#_ukuTm5a2g*U=bbHN!-+_5u&&dx&ya7AF%=V{1a$t3V&Nod~Ji{*Fuu6mc52{yVDiZF+==O@`clLdy=fKk)GH;cG_OvQ_HU*m8 z82_k1$hv(m(X@dl)Vc#;4=LQV+#!CxD||k_dirFy<5abDH4F7G^@6p5s7|B2-h?I) z9OM_jQU~8s-Y@dfM3O{ zj;7-%3PE_=HtM&Cg%M@%Sn-dmXpVF6T>%Y?hc0Pn6L1mbQM^ry&gLuXCtZE4)0*sH z?GpFkpL<2p=>4bTLHno+?x`1IlZ-mK1+%d&@f^pzO>5?fBSf3+^Yfct#dkG_6!zRz zdFO;yjXmuYBr2~rNTd|FL&aCrBz+dF%NqTA$<@9-5mGT~YnU%|ag!d6v`A)0MiHd$i;P3Qi$V}MTfYpFm3S{e6?i_nqF+#Y}BHu*Xmt4 z7+1Q&r0ph2qL{yT=O*pslw7#;YL6jG!&eTRl`q^=#K6q*udPFk;B&t`cc`4L_aaNr zlh>y;(pMelFjDK1$5smd+F~32c>_Gh3k*Hq*@-PfBFB*d1V&~aSsocopOGyUQN)0u zau)5Mx=qo55jNh%@NF!dq1|0ZSbC-u97`T`jqnXy4)qqRHXE}QTgr{UB{EdnB?=>F z*FKqSGYg<}T0k3i1k&e~kdKa5yk%Li0eds2Ku zWIAK|_>Cg??)aVf_B?cd_w8CWI$fvhbe*o#b-GU1|Hk!S64=P) H0C)fZrY2#a literal 4315 zcmV<15G3y(iwFSKWgk}n1MOVhkJ~m9&#V1c2uXqL9+KV7rcHoN+ry#l!#x~OT>Dr+ 
zl_lC%S6>yW_4ECQQ530e}TE2J@d`p`=kLvyRzivrTR-|}M%chP=5LH!{#t}=)B8ba^MQK6mfD{|} zy!iG~u`K~)+STa|ek^{vCvn3_kZ?5&(js76{VOSR=<$LxT^d}$w^dX}c~C?-`R=)( zdj5S6`$ygoL|InuND{CzV0Bc`6sO|?z2vCyeVG=F)axiFXTOV~gwP3Re);P63FT;u8RC;NfH92<@h+;7u9YM2Ir!>LkKhKT7f59I8djvvDR8aRj8N63 zq~@YOrlvkA@pAR~Ji>KpuVy+>#Q!EyV#=2<Cf4MXB{<71gGU#~7MII?JVm{|?< zs6wXOs3uQF%zQKx1ubYNh&f9sLj`t9S)$m#M^|TrFDq^zz&m|adu#d+{uJZRNh=bk z>y#vN^Tb_`bS)R}FcGVc%m?ndk7dpd&<2-{dVrW6g8o-jL>uzNY*fw%^*B~aVn57I zDel4N;qfe8f3cp-hHWev+NMWXF`vnMJaPX3whydKx%vZSOwpB(lpi?C8%J#tnW1dgXQeH^d@`638t`{#2~XMFsj(m#Ek- zJvvHY6BS9YtJ9vho0A;2oiF@!?m#5@B;|0%<|yDi5GYEhGbCmUEC?)#8BbNk_H*~x zzykM*ESQsbYbfXs+jConirp2QQg>5)3Aw8nMJZwn$_GDfSt_cVcw2`;)psFuejLH# zC1SER3KP4c5-?`2Nx|lb7q5Od17hY3(?#8GpxAj5$|0iUCyL(KlU>a^O2dYZ%4g+< ztGx?QZcr}3ZJ85$q2)Fu_dq@$&t`?~uY%{I;Q~0GpU*^~a3}1-;H}v>;1+9y*KwAD z)FlQ8W&^pWtHA(-QIe;H&~;42Iu}zs2@2#wFXdqYU0D<| zn2=VhME@%aV9&n~C)8d^88gSdU+R{-Hhm zq)&ETs(A9+AT63y_?WsX;x_kPLKrAFwPM=Ta&I~K4T?vNN6-awSgf42;X4zsDip38 z7*!zW$0G{<0H@F~?EgHWQK;t$>|`HEYx9R))Nyyy zzbUqrArD!`7r{qxVQZLTK+{bTWx}fqK7E)Fga9nJxQD}w2#EUFOQm_2&0B=E!wmPTfA_#xxJ9Br#yR_YOM?bF9gs zWhIYcan1J7-yCG^;{d#C^G0RCYSJ+F0K7bTr!u&$RqYKQvdz_+EM>~{q|J<{W&h-=!bck zKrDSGwBc3o=Hlw&YL<;!z6gFKaR!e+`pDpzEV&U#2#w{5MJ3NF2&VqQdkJ=10xnLi z)ASLyPbyEqqj?DRfBoU-pek#o&oe4%Y6LVI4%QUWN{?P|a9|-{1?woI1ZHBHXP159 zCw)mo^0EkpDO8AdQTO>$w1>1={Sl@~7;mFuL$EdH5tL@slxPiy$d;z7Bzf@Gne>d1 zUmi7vHQ&UjqF(l0gb)3DVpl_b_sVx5Xlu;ZSvi+IWVln8$ufD43 z(!_bDO`0fJ`6vs7$%OlnJa&|h9VOZN20WfPrGt4F-J3%YEUq5P+9W;JQJ!`kuY(nT z;%P%GQY2t+{SlmL(4FO+y$wa5CUq^DtFmw=Z@&_BD!}Mzm>p#`AB1r)dgp!38O!b~5E~lPL1uZdN_@JM z#~^e`-hnt1SIZ0ID*hWnaLHEBg-hAJ{{1>uYteW5Nou1i47KdrpJXH}gApU3ZO3bb zw(zqcnLKI}86bY*X4nFg1VYDMS>F!Q@WcN-jafz=6g$N5x5KPxyd}v1Hb$GKsgemT ztT5(B0a47-J5a*JgqK7Ko^Cb?uez6TqJ{RRv{a|FJWaJS5_ad^Cb}hAW;5a>F{(QWsUZ=j&>nW)ZBv~k)-t2B;rX7 zd@c)0cPWdvMx(4;v1bUrN>c7j5c!UbDg`i_cnjWaIzwvlXK~RB0I6peNkP2(-9D9SSqbnLe^1}G2v(3cl5?26MEAD*;CZKM0#qW zs8Tj%ASt*ZO4oe^N6}SXxS(wA<~H7G=xQI{w@9BIYyU}X*q{`sIg 
zp-KMS7(f1Az6i4WSk!RhanWctHHqR7i#h5vA-J_}(gZ&$%#XrngFp9FW>oRpsw^4* z0{gG}DoYj78y`)RN?`ecLgxL+e)%5Qt9f*y!t&!29m2z}laGPeX8HY2I?|nwRHWiz z>1H#XF#bGjvZ>oN>_=BhG{C1$IIk14xgQ6TvTfzBOF%B?x{V*li2D(zKgKeTnWV$g z8aKaFvk|_~U0T88TdYf$+w*5bC=2;Jf}N98gGdfA%t5`tDm(ltMd5Iu928#ntSPul z3bvltLv&6NdnCOFTbE)j!2>ln7t>KQT3{HMNT60TH&hKEC$5ID28$4Pa_-6Ivd4OQ z`eSP;xX(7zm*amZXWM{YW~;8x#^XYC$8-&cALJl!GlRyk--tCD9^ zpvjH#j|zmW+xHSp8+bykI{@~O!cEH^;^(`<=i{rVPj)*_RZCa1Q2$adSR07yG|KBu zXaeCOd#eNtQXN_1jecC&k_nNukoGj3lq&N+iO^C|mru2++O>u6_%^_(AC{~dsoaS#5bS0s(ze>xttkGkNVdLcH+sFPbT8`~1kam>54W}Y}gwAnsCzv)$cS93^V z&s~-GPH5HG(@sI6@_K_rN`X66d__&t7s0x$(Z82m?duaE6{EI>`AQcz>Cs4wWOih9 z@j_6+LlI%9A&IacBISjq#$aq8)*OIbTt_8^I8Iq~h}#O&7JtE4Th^fI#g@%REt-0* z-j#!Kr7KL@ZjvO5`FnS6(oRmvg*&hI7@{YeB(f+yH6b%?*<6R8j#=;re-DQNOXG+1b~ISZ?S5#Fgv#}B5)&r$S3-*%6L?0kWy^Co~bg^^=bbyR(r3CUPZJCZV0bYHqO{{P|F@u4mg^ET7`!A2?8AR3e2XvL zDfub;xsd6M>Ekzw;Jf2@;@k7k{XMk1mU{28$h8AtLPD51pmh^!3^`1_Cu^upl+6P`eA<7B*|b?$DvoohZTsp!AYSr6 z)%7T-=$9P<7|?`i_znL)*?hb&y*r++({;K|*XcT4r|Wc`uG4k8PS@!=UH==`e*weV JlYRhr004`(U@ZUu diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index eae86150..ddf081b8 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1279,7 +1279,7 @@ index 216b3d1..064ec83 100644 + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls -index f11e5e2..2d2ab83 100644 +index f11e5e2..464a121 100644 --- a/policy/mls +++ b/policy/mls @@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } 
@@ -1345,6 +1345,32 @@ index f11e5e2..2d2ab83 100644
  #
  # MLS policy for the process class
  #
+@@ -763,13 +763,14 @@ mlsconstrain context contains
+ #
+ 
+ # make sure these database classes are "single level"
+-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
++mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto }
+ ( l2 eq h2 );
++
+ mlsconstrain { db_tuple } { insert relabelto }
+ ( l2 eq h2 );
+ 
+ # new database labels must be dominated by the relabeling subjects clearance
+-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
++mlsconstrain { db_database db_schema db_table db_column } { relabelto }
+ ( h1 dom h2 );
+ 
+ # the database "read" ops (note the check is dominance of the low level)
+@@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select }
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+ 
+-# the "single level" file "write" ops
++# the "single level" database "write" ops
+ mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
 index 2626ebf..5745bb2 100644
 --- a/policy/modules/admin/bootloader.fc
@@ -31047,7 +31073,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..fe6657c 100644
+index 8b40377..5d9d50d 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
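Review bot: The new `++mlsconstrain { db_database db_schema db_table db_column } { relabelto }` line drops db_sequence, db_view, db_procedure, db_language, db_tuple and db_blob from the `( h1 dom h2 )` clearance check, so within this hunk nothing stops a subject from relabeling one of those single-level objects to a level above its own clearance. Unless a constraint outside the hunk is meant to cover relabelto for those classes, keep the full class list on that constraint and narrow only the `{ create relabelto }` single-level constraint, which is the part the db_database/db_schema/db_table/db_column change actually needs. If the narrowing is deliberate, record why next to the rule, e.g. `# single-level db classes are exempt here: their relabelto is covered by <covering constraint>` with the covering rule named. The nested policy/mls hunk and the read/write constraints it leads into continue outside this hunk.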
@@ -31641,7 +31667,7 @@ index 8b40377..fe6657c 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +643,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -31688,10 +31714,11 @@ index 8b40377..fe6657c 100644 +systemd_dbus_chat_localed(xdm_t) +systemd_dbus_chat_hostnamed(xdm_t) +systemd_start_power_services(xdm_t) ++systemd_status_power_services(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +691,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -31861,7 +31888,7 @@ index 8b40377..fe6657c 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +860,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -31893,7 +31920,7 @@ index 8b40377..fe6657c 100644 ') optional_policy(` -@@ -518,8 +894,36 @@ optional_policy(` +@@ -518,8 +895,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -31931,7 +31958,7 @@ index 8b40377..fe6657c 100644 ') ') -@@ -530,6 +934,20 @@ optional_policy(` +@@ -530,6 +935,20 @@ optional_policy(` ') optional_policy(` @@ -31952,7 +31979,7 @@ index 8b40377..fe6657c 100644 hostname_exec(xdm_t) ') -@@ -547,28 +965,78 @@ optional_policy(` +@@ -547,28 +966,78 @@ optional_policy(` ') optional_policy(` 
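Review bot: `++systemd_status_power_services(xdm_t)` in the @@ -31688 hunk is added without a comment, and the changelog entry attributes it to KDM while the rule is written for xdm_t rather than a KDM-specific type, so it applies to whatever else runs in that domain. Keep the reason with the rule: `# kdm needs power-service status to offer shutdown (BZ 1330970)`. The remaining hunks on this line only renumber nested hunk headers. The xdm_t block this rule belongs to starts and ends outside the hunk.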
@@ -32040,7 +32067,7 @@ index 8b40377..fe6657c 100644 ') optional_policy(` -@@ -580,6 +1048,14 @@ optional_policy(` +@@ -580,6 +1049,14 @@ optional_policy(` ') optional_policy(` @@ -32055,7 +32082,7 @@ index 8b40377..fe6657c 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1070,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1071,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -32064,7 +32091,7 @@ index 8b40377..fe6657c 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1080,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1081,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -32077,7 +32104,7 @@ index 8b40377..fe6657c 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1097,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1098,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -32093,7 +32120,7 @@ index 8b40377..fe6657c 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1113,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1114,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -32104,7 +32131,7 @@ index 8b40377..fe6657c 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1128,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1129,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -32146,7 +32173,7 @@ index 8b40377..fe6657c 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1179,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1180,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32178,7 +32205,7 @@ index 8b40377..fe6657c 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1212,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1213,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32193,7 +32220,7 @@ index 8b40377..fe6657c 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1233,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1234,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -32217,7 +32244,7 @@ index 8b40377..fe6657c 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1252,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1253,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -32226,7 +32253,7 @@ index 8b40377..fe6657c 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1296,54 @@ optional_policy(` +@@ -785,17 +1297,54 @@ optional_policy(` ') optional_policy(` @@ -32283,7 +32310,7 @@ index 8b40377..fe6657c 100644 ') optional_policy(` -@@ -803,6 +1351,10 @@ optional_policy(` +@@ -803,6 +1352,10 @@ optional_policy(` ') optional_policy(` @@ -32294,7 +32321,7 @@ index 8b40377..fe6657c 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1370,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1371,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -32319,7 +32346,7 @@ index 8b40377..fe6657c 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1393,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1394,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -32354,7 +32381,7 @@ index 8b40377..fe6657c 100644 ') optional_policy(` -@@ -912,7 +1458,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1459,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -32363,7 +32390,7 @@ index 8b40377..fe6657c 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1512,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1513,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -32395,7 +32422,7 @@ index 8b40377..fe6657c 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1558,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1559,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 5a0637c1..2d560ab5 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5451,7 +5451,7 @@ index f6eb485..ce5dba7 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..84717e1 100644 +index 6649962..4cb64e5 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) 
@@ -6235,7 +6235,7 @@ index 6649962..84717e1 100644
  fs_read_iso9660_files(httpd_t)
 -fs_search_auto_mountpoints(httpd_t)
 +fs_rw_anon_inodefs_files(httpd_t)
-+fs_read_hugetlbfs_files(httpd_t)
++fs_rw_hugetlbfs_files(httpd_t)
 +
 +auth_use_nsswitch(httpd_t)
 +
@@ -66071,7 +66071,7 @@ index 9b15730..cb00f20 100644
 + ')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..ede6e1c 100644
+index 44dbc99..370dd38 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -66103,9 +66103,9 @@ index 44dbc99..ede6e1c 100644
 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
 -allow openvswitch_t self:process { setrlimit setsched signal };
-+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
 +allow openvswitch_t self:capability2 block_suspend;
-+allow openvswitch_t self:process { fork setsched setrlimit signal };
++allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
  allow openvswitch_t self:fifo_file rw_fifo_file_perms;
 -allow openvswitch_t self:rawip_socket create_socket_perms;
 -allow openvswitch_t self:unix_stream_socket { accept connectto listen };
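Review bot: `++fs_rw_hugetlbfs_files(httpd_t)` replaces a read-only grant with read/write on hugetlbfs files for the whole httpd_t domain, unconditionally, while the changelog motivates it only with php7 in FPM mode (which presumably runs as httpd_t); every other module and script in httpd_t gets the same write access. If only the FPM case needs it, consider putting the rule behind a tunable; otherwise at least record the reason next to it, e.g. `# php-fpm needs write access to hugetlbfs files, not just read`. The nested apache.te hunk continues outside this hunk.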
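Review bot: In the @@ -66103 hunk the capability line gains `chown setgid setpcap setuid` and the process line `setcap`, which is what a daemon that starts as root and switches to the openvswitch user needs, but nothing at the rule records that purpose, and the line now carries ten capabilities including the pre-existing sys_module and sys_rawio. Add a why-comment so the uid-switching capabilities are not read as a widening: `# chown/setgid/setuid/setpcap and process setcap: daemons start as root and drop to the openvswitch user (BZ 1330895)`. Switching uid does not change the SELinux domain, so every rule on openvswitch_t, sys_module and sys_rawio included, still applies after the drop; if any of them were only needed while root, that is worth a separate look. The nested openvswitch.te hunk continues outside this hunk.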
@@ -66137,12 +66137,15 @@ index 44dbc99..ede6e1c 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +69,49 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -63,35 +67,51 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) - files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) - --can_exec(openvswitch_t, openvswitch_exec_t) +-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) - +-can_exec(openvswitch_t, openvswitch_exec_t) ++files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file }) + +kernel_load_module(openvswitch_t) kernel_read_network_state(openvswitch_t) kernel_read_system_state(openvswitch_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a06746b3..94b2f6cf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 184%{?dist} +Release: 185%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
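Review bot: `++files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })` adds a sock_file transition that none of the four changelog bullets in this commit mentions; it presumably goes with the daemons running as the openvswitch user, but that is inferred. Either add it to the BZ(1330895) bullet or note it on the rule, e.g. `# sockets created in the pid directory must be labeled openvswitch_var_run_t`. The nested openvswitch.te hunk continues outside this hunk.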
@@ -653,6 +653,12 @@ exit 0 %endif %changelog +* Wed Apr 27 2016 Lukas Vrabec 3.13.1-185 +- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. +- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895) +- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970) +- Add mls support for some db classes + * Tue Apr 26 2016 Lukas Vrabec 3.13.1-184 - Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. - Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448