* Thu Jun 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-195

- Add hwloc-dump-hwdata SELinux policy - Add labels for mediawiki123 - Fix label for all fence_scsi_check scripts - Allow setcap for fenced - Allow glusterd domain read krb5_keytab_t files. - Allow tmpreaper_t to read/setattr all non_security_file_type dirs - Update refpolicy to handle hwloc - Fix typo in files_setattr_non_security_dirs. - Add interface files_setattr_non_security_dirs()
2016-06-09 16:45:01 +02:00 · 2016-06-09 16:45:01 +02:00 · 04ed479779
parent 8759fb6a8e
commit 04ed479779
4 changed files with 728 additions and 574 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -32032,10 +32032,10 @@ index 0000000..764ae00
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..33654d5
+index 0000000..c31e40e
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,302 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@ -32100,7 +32100,7 @@ index 0000000..33654d5
 +allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
 +
 +allow glusterd_t self:capability2 block_suspend;
-+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
 +allow glusterd_t self:sem create_sem_perms;
 +allow glusterd_t self:fifo_file rw_fifo_file_perms;
 +allow glusterd_t self:tcp_socket { accept listen };
@ -32284,6 +32284,11 @@ index 0000000..33654d5
 +    hostname_exec(glusterd_t)
 +')
 +
+
+optional_policy(`
+    kerberos_read_keytab(glusterd_t)
+')
+
 +optional_policy(`
 +    lvm_domtrans(glusterd_t)
 +')
@ -37023,6 +37028,166 @@ index 0000000..28816b4
 +auth_use_nsswitch(hsqldb_t)
 +
 +sysnet_read_config(hsqldb_t)
+diff --git a/hwloc.fc b/hwloc.fc
+new file mode 100644
+index 0000000..d0c5a15
+--- /dev/null
+++ b/hwloc.fc
+@@ -0,0 +1,5 @@
+/usr/sbin/hwloc-dump-hwdata	--	gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.*	--	gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/var/run/hwloc(/.*)?	gen_context(system_u:object_r:hwloc_var_run_t,s0)
+diff --git a/hwloc.if b/hwloc.if
+new file mode 100644
+index 0000000..c2349ec
+--- /dev/null
+++ b/hwloc.if
+@@ -0,0 +1,106 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`hwloc_domtrans_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+	')
+
+	domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain, and
+##	allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_dhwd',`
+	gen_require(`
+		attribute_role hwloc_dhwd_roles;
+	')
+
+	hwloc_domtrans_dhwd($1)
+	roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_exec_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_exec_t;
+	')
+
+	can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+##	Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+	gen_require(`
+		type hwloc_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an hwloc environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_admin',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_var_run_t;
+	')
+
+	allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, hwloc_dhwd_t)
+
+	admin_pattern($1, hwloc_var_run_t)
+	files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
+diff --git a/hwloc.te b/hwloc.te
+new file mode 100644
+index 0000000..0f45fd5
+--- /dev/null
+++ b/hwloc.te
+@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+systemd_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
 diff --git a/hypervkvp.fc b/hypervkvp.fc
 index b46130e..e2ae3b2 100644
 --- a/hypervkvp.fc
@ -48068,7 +48233,7 @@ index 0000000..8bc27f4
 +domain_use_interactive_fds(mcollective_t)
 +
 diff --git a/mediawiki.fc b/mediawiki.fc
-index 99f7c41..93ec6db 100644
+index 99f7c41..1745603 100644
 --- a/mediawiki.fc
 +++ b/mediawiki.fc
@@ -1,8 +1,8 @@
@ -48080,12 +48245,12 @@ index 99f7c41..93ec6db 100644
 +/usr/lib/mediawiki/math/texvc_tes	--	gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
 
 -/usr/share/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/usr/share/mediawiki(/.*)?	gen_context(system_u:object_r:mediawiki_content_t,s0)
+/usr/share/mediawiki[0-9]?(/.*)?      gen_context(system_u:object_r:mediawiki_content_t,s0)
 
 -/var/www/wiki(/.*)?	gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
 -/var/www/wiki/.*\.php	--	gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/var/www/wiki(/.*)?	gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
-+/var/www/wiki/.*\.php	--	gen_context(system_u:object_r:mediawiki_content_t,s0)
+/var/www/wiki[0-9]?(/.*)?     gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
+/var/www/wiki[0-9]?\.php   --      gen_context(system_u:object_r:mediawiki_content_t,s0)
 diff --git a/mediawiki.if b/mediawiki.if
 index 9771b4b..9b183e6 100644
 --- a/mediawiki.if
@ -85688,10 +85853,10 @@ index c8a1e16..2d409bf 100644
 	xen_domtrans_xm(rgmanager_t)
 ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..dfb3396 100644
+index 47de2d6..bc62d96 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,95 @@
+@@ -1,31 +1,96 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@ -85782,6 +85947,7 @@ index 47de2d6..dfb3396 100644
 +/usr/share/corosync/corosync    --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
 +/usr/share/cluster/fence_scsi_check\.pl   --  gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_scsi_check_hardreboot     --  gen_context(system_u:object_r:fenced_exec_t,s0)
 +
 +/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
@ -86679,7 +86845,7 @@ index c8bdea2..1574225 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..1a605f9 100644
+index 6cf79c4..943fd8b 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -87047,7 +87213,7 @@ index 6cf79c4..1a605f9 100644
 -allow fenced_t self:process { getsched signal_perms };
 -allow fenced_t self:tcp_socket { accept listen };
 +allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
-+allow fenced_t self:process { getsched setpgid signal_perms };
+allow fenced_t self:process { getsched setcap setpgid signal_perms };
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
 +allow fenced_t self:udp_socket create_socket_perms;
@ -107668,7 +107834,7 @@ index 97cd155..49321a5 100644
 
 fs_search_auto_mountpoints(timidity_t)
 diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f..948bc5b 100644
+index 585a77f..a7cb326 100644
 --- a/tmpreaper.te
 +++ b/tmpreaper.te
@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1)
@ -107714,7 +107880,7 @@ index 585a77f..948bc5b 100644
 
 dev_read_urand(tmpreaper_t)
 
-@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t)
+@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t)
 
 fs_getattr_xattr_fs(tmpreaper_t)
 fs_list_all(tmpreaper_t)
@ -107725,11 +107891,9 @@ index 585a77f..948bc5b 100644
 -files_getattr_all_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
+-files_setattr_all_tmp_dirs(tmpreaper_t)
 +files_delete_all_non_security_files(tmpreaper_t)
-+# why does it need setattr?
- files_setattr_all_tmp_dirs(tmpreaper_t)
-+files_setattr_isid_type_dirs(tmpreaper_t)
-+files_setattr_usr_dirs(tmpreaper_t)
+files_setattr_non_security_dirs(tmpreaper_t)
 +files_getattr_all_dirs(tmpreaper_t)
 +files_getattr_all_files(tmpreaper_t)
 
@ -107738,7 +107902,7 @@ index 585a77f..948bc5b 100644
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 
-@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
+@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
 
 logging_send_syslog_msg(tmpreaper_t)
 
@ -107746,7 +107910,7 @@ index 585a77f..948bc5b 100644
 miscfiles_delete_man_pages(tmpreaper_t)
 
 ifdef(`distro_debian',`
-@@ -53,10 +82,33 @@ ifdef(`distro_debian',`
+@@ -53,10 +79,33 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_redhat',`
@ -107781,7 +107945,7 @@ index 585a77f..948bc5b 100644
 ')
 
 optional_policy(`
-@@ -64,6 +116,7 @@ optional_policy(`
+@@ -64,6 +113,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -107789,7 +107953,7 @@ index 585a77f..948bc5b 100644
 	apache_list_cache(tmpreaper_t)
 	apache_delete_cache_dirs(tmpreaper_t)
 	apache_delete_cache_files(tmpreaper_t)
-@@ -79,7 +132,19 @@ optional_policy(`
+@@ -79,7 +129,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -107810,7 +107974,7 @@ index 585a77f..948bc5b 100644
 ')
 
 optional_policy(`
-@@ -89,3 +154,8 @@ optional_policy(`
+@@ -89,3 +151,8 @@ optional_policy(`
 optional_policy(`
 	rpm_manage_cache(tmpreaper_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 194%{?dist}
+Release: 195%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -647,6 +647,17 @@ exit 0
 %endif

 %changelog
+* Thu Jun 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-195
+- Add hwloc-dump-hwdata SELinux policy
+- Add labels for mediawiki123
+- Fix label for all fence_scsi_check scripts
+- Allow setcap for fenced
+- Allow glusterd domain read krb5_keytab_t files.
+- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
+- Update refpolicy to handle hwloc
+- Fix typo in files_setattr_non_security_dirs.
+- Add interface files_setattr_non_security_dirs()
+
 * Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
 - Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
 - Add nrpe_dontaudit_write_pipes()