* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125

- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to manage tmp sge lnk files. BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
This commit is contained in:
Lukas Vrabec 2015-04-20 14:45:47 +02:00
parent 28cc160db1
commit 0bfe8f4452
3 changed files with 151 additions and 83 deletions


@ -35422,7 +35422,7 @@ index 4e94884..7ab6191 100644
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..9d8e11d 100644
index 59b04c1..aaf4124 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -35646,7 +35646,7 @@ index 59b04c1..9d8e11d 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
@@ -369,11 +412,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -35658,7 +35658,12 @@ index 59b04c1..9d8e11d 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
@@ -389,30 +434,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+# now is /dev/log lnk_file
+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
@@ -389,30 +436,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -35709,7 +35714,7 @@ index 59b04c1..9d8e11d 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -422,6 +486,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@ -35718,7 +35723,7 @@ index 59b04c1..9d8e11d 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -432,9 +498,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -35746,7 +35751,7 @@ index 59b04c1..9d8e11d 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
@@ -448,13 +531,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@ -35764,7 +35769,7 @@ index 59b04c1..9d8e11d 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +551,12 @@ init_use_fds(syslogd_t)
@@ -466,11 +553,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -35780,7 +35785,7 @@ index 59b04c1..9d8e11d 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -497,6 +583,7 @@ optional_policy(`
@@ -497,6 +585,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -35788,7 +35793,7 @@ index 59b04c1..9d8e11d 100644
')
optional_policy(`
@@ -507,15 +594,40 @@ optional_policy(`
@@ -507,15 +596,40 @@ optional_policy(`
')
optional_policy(`
@ -35829,7 +35834,7 @@ index 59b04c1..9d8e11d 100644
')
optional_policy(`
@@ -526,3 +638,26 @@ optional_policy(`
@@ -526,3 +640,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
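Review bot: The new rule `allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;` only takes effect on a symlink that is already labeled devlog_t, and the only type transition visible for this domain, `files_pid_filetrans(syslogd_t, devlog_t, sock_file)`, is restricted to the sock_file class; if syslogd_t itself creates the /dev/log symlink, the link would presumably inherit the parent directory's type rather than devlog_t unless something outside this hunk labels it, so either confirm that the link is labeled elsewhere or extend the filetrans to cover lnk_file. The comment `# now is /dev/log lnk_file` should also state what turned /dev/log into a symlink and why the daemon must create and remove it (manage) rather than only read it, since that is what justifies the broader permission set. The syslogd_t local-policy block this hunk touches continues outside the visible context.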


@ -7617,7 +7617,7 @@ index f3c0aba..f6e25ed 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4d..de60b99 100644
index 080bc4d..12d701e 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7655,7 +7655,7 @@ index 080bc4d..de60b99 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +73,35 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
@@ -67,26 +73,36 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@ -7678,6 +7678,7 @@ index 080bc4d..de60b99 100644
-term_use_unallocated_ttys(apcupsd_t)
+term_use_all_terms(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
@ -7696,7 +7697,7 @@ index 080bc4d..de60b99 100644
optional_policy(`
hostname_exec(apcupsd_t)
@@ -101,6 +116,11 @@ optional_policy(`
@@ -101,6 +117,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
@ -7708,7 +7709,7 @@ index 080bc4d..de60b99 100644
########################################
#
# CGI local policy
@@ -108,20 +128,20 @@ optional_policy(`
@@ -108,20 +129,20 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
@ -11578,7 +11579,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
index 550b287..7f683e5 100644
index 550b287..fc5b086 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -11667,7 +11668,7 @@ index 550b287..7f683e5 100644
')
optional_policy(`
@@ -92,11 +109,56 @@ optional_policy(`
@@ -92,11 +109,57 @@ optional_policy(`
')
optional_policy(`
@ -11680,6 +11681,7 @@ index 550b287..7f683e5 100644
+
+optional_policy(`
+ ipa_manage_lib(certmonger_t)
+ ipa_manage_pid_files(certmonger_t)
+')
+
+optional_policy(`
@ -13531,10 +13533,10 @@ index 0000000..a06f04b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 0000000..8c06c5d
index 0000000..ec3a39a
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,240 @@
@@ -0,0 +1,244 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@ -13654,6 +13656,10 @@ index 0000000..8c06c5d
+')
+
+optional_policy(`
+ rhsmcertd_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(cloud_init_t)
+')
+
@ -35693,16 +35699,17 @@ index 0000000..7fc3464
+')
diff --git a/iotop.te b/iotop.te
new file mode 100644
index 0000000..51d7e34
index 0000000..61f2003
--- /dev/null
+++ b/iotop.te
@@ -0,0 +1,37 @@
@@ -0,0 +1,39 @@
+policy_module(iotop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role iotop_roles;
+roleattribute system_r iotop_roles;
+
@ -35719,6 +35726,7 @@ index 0000000..51d7e34
+
+allow iotop_t self:capability net_admin;
+allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
+allow iotop_t self:netlink_socket create_socket_perms;
+
+kernel_read_system_state(iotop_t)
+
@ -35736,22 +35744,24 @@ index 0000000..51d7e34
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..48d7322
index 0000000..877a747
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,6 @@
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
+/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
index 0000000..123e906
index 0000000..789b3e8
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,94 @@
@@ -0,0 +1,112 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
@ -35846,12 +35856,30 @@ index 0000000..123e906
+ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa run files/dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_manage_pid_files',`
+ gen_require(`
+ type ipa_var_run_t;
+ ')
+ manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t)
+ manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
+')
+
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..b60bc5f
index 0000000..a7f09d25
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,43 @@
@@ -0,0 +1,50 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@ -35871,6 +35899,9 @@ index 0000000..b60bc5f
+type ipa_var_lib_t;
+files_type(ipa_var_lib_t)
+
+type ipa_var_run_t;
+files_pid_file(ipa_var_run_t)
+
+########################################
+#
+# ipa_otpd local policy
@ -35881,6 +35912,10 @@ index 0000000..b60bc5f
+allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
+allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)
+
+corenet_tcp_connect_radius_port(ipa_otpd_t)
+
+dev_read_urand(ipa_otpd_t)
@ -63782,7 +63817,7 @@ index bf59ef7..0e33327 100644
+')
+
diff --git a/passenger.te b/passenger.te
index 08ec33b..231f2e2 100644
index 08ec33b..56fba2e 100644
--- a/passenger.te
+++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@ -63809,7 +63844,7 @@ index 08ec33b..231f2e2 100644
+allow passenger_t self:process { setpgid setsched getsession signal_perms };
allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
+allow passenger_t self:tcp_socket listen;
+allow passenger_t self:tcp_socket { accept listen };
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
@ -80283,7 +80318,7 @@ index 16c8ecb..4e021ec 100644
+ ')
')
diff --git a/redis.te b/redis.te
index 25cd417..178198b 100644
index 25cd417..e331b5d 100644
--- a/redis.te
+++ b/redis.te
@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
@ -80296,7 +80331,15 @@ index 25cd417..178198b 100644
########################################
#
# Local policy
@@ -60,6 +63,4 @@ dev_read_urand(redis_t)
@@ -42,6 +45,7 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
kernel_read_system_state(redis_t)
@@ -60,6 +64,4 @@ dev_read_urand(redis_t)
logging_send_syslog_msg(redis_t)
@ -81906,7 +81949,7 @@ index c8bdea2..bf60580 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
index 6cf79c4..bfaf5c6 100644
index 6cf79c4..a70327a 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -82270,7 +82313,7 @@ index 6cf79c4..bfaf5c6 100644
-allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
+allow fenced_t self:process { getsched setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
@ -93053,7 +93096,7 @@ index 3a9a70b..903109c 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
index ce67935..88fea69 100644
index ce67935..130eca9 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
@ -93086,8 +93129,9 @@ index ce67935..88fea69 100644
+# setroubleshootd local policy
#
allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
-allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
+allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config };
+dontaudit setroubleshootd_t self:capability net_admin;
+
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
@ -93326,10 +93370,10 @@ index 0000000..c9d2d9c
+
diff --git a/sge.te b/sge.te
new file mode 100644
index 0000000..af30acf
index 0000000..b2096dd
--- /dev/null
+++ b/sge.te
@@ -0,0 +1,195 @@
@@ -0,0 +1,196 @@
+policy_module(sge, 1.0.0)
+
+########################################
@ -93489,6 +93533,7 @@ index 0000000..af30acf
+manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
+
+manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+manage_lnk_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
+
@ -99729,7 +99774,7 @@ index 42946bc..9f70e4c 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
index 9afcbc9..b19622d 100644
index 9afcbc9..7b8ddb4 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
@ -99841,14 +99886,14 @@ index 9afcbc9..b19622d 100644
- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
corenet_tcp_connect_generic_port(telepathy_gabble_t)
- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_gabble_t)
- fs_manage_nfs_files(telepathy_gabble_t)
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_gabble_t)
- fs_manage_nfs_files(telepathy_gabble_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_gabble_t)
- fs_manage_cifs_files(telepathy_gabble_t)
@ -99961,11 +100006,11 @@ index 9afcbc9..b19622d 100644
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
+userdom_search_user_home_dirs(telepathy_mission_control_t)
+
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
@ -100008,7 +100053,7 @@ index 9afcbc9..b19622d 100644
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
@@ -248,59 +225,47 @@ optional_policy(`
@@ -248,59 +225,48 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
@ -100046,8 +100091,8 @@ index 9afcbc9..b19622d 100644
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
-
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
-
+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
corenet_all_recvfrom_netlabel(telepathy_msn_t)
@ -100082,7 +100127,7 @@ index 9afcbc9..b19622d 100644
init_read_state(telepathy_msn_t)
@@ -310,18 +275,19 @@ logging_send_syslog_msg(telepathy_msn_t)
@@ -310,18 +276,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
@ -100107,7 +100152,7 @@ index 9afcbc9..b19622d 100644
')
optional_policy(`
@@ -332,43 +298,33 @@ optional_policy(`
@@ -332,43 +299,33 @@ optional_policy(`
')
')
@ -100156,7 +100201,7 @@ index 9afcbc9..b19622d 100644
')
optional_policy(`
@@ -381,73 +337,51 @@ optional_policy(`
@@ -381,73 +338,51 @@ optional_policy(`
#######################################
#
@ -100240,7 +100285,7 @@ index 9afcbc9..b19622d 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
@@ -455,31 +389,51 @@ optional_policy(`
@@ -455,31 +390,51 @@ optional_policy(`
#######################################
#
@ -100275,6 +100320,7 @@ index 9afcbc9..b19622d 100644
-miscfiles_read_localization(telepathy_domain)
+userdom_search_user_tmp_dirs(telepathy_domain)
+userdom_search_user_home_dirs(telepathy_domain)
+userdom_use_inherited_user_ttys(telepathy_domain)
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
@ -100298,7 +100344,6 @@ index 9afcbc9..b19622d 100644
+optional_policy(`
xserver_rw_xdm_pipes(telepathy_domain)
')
+
diff --git a/telnet.te b/telnet.te
index d7c8633..a91c027 100644
--- a/telnet.te
@ -106115,7 +106160,7 @@ index facdee8..c930866 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
index f03dcf5..e8341d7 100644
index f03dcf5..6fb7d3f 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,241 @@
@ -107205,7 +107250,7 @@ index f03dcf5..e8341d7 100644
-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@ -107279,7 +107324,7 @@ index f03dcf5..e8341d7 100644
+optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_stream_connect(virt_domain)
+ sssd_dontaudit_read_lib(virt_domain)
@ -107615,7 +107660,7 @@ index f03dcf5..e8341d7 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1171,310 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1171,314 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -107631,21 +107676,21 @@ index f03dcf5..e8341d7 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
+
-miscfiles_read_localization(virtd_lxc_t)
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-miscfiles_read_localization(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
+
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
@ -107671,10 +107716,6 @@ index f03dcf5..e8341d7 100644
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
+
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -107758,6 +107799,14 @@ index f03dcf5..e8341d7 100644
-miscfiles_read_fonts(svirt_lxc_domain)
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
+
+fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
+
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@ -107836,28 +107885,28 @@ index f03dcf5..e8341d7 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+
+optional_policy(`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+')
+
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+ ssh_use_ptys(svirt_sandbox_domain)
+')
+
+optional_policy(`
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
@ -108067,7 +108116,7 @@ index f03dcf5..e8341d7 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1487,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1491,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -108082,7 +108131,7 @@ index f03dcf5..e8341d7 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1505,8 @@ optional_policy(`
@@ -1192,9 +1509,8 @@ optional_policy(`
########################################
#
@ -108093,7 +108142,7 @@ index f03dcf5..e8341d7 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1519,238 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1207,5 +1523,240 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -108315,6 +108364,7 @@ index f03dcf5..e8341d7 100644
+allow sandbox_net_domain self:packet_socket create_socket_perms;
+allow sandbox_net_domain self:socket create_socket_perms;
+allow sandbox_net_domain self:rawip_socket create_socket_perms;
+allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_generic_node(sandbox_net_domain)
@ -108334,6 +108384,7 @@ index f03dcf5..e8341d7 100644
+')
+
+allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+
diff --git a/vlock.te b/vlock.te
index 6b72968..de409cc 100644
--- a/vlock.te
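Review bot: In the rhcs.te hunk the fenced_t capability set gains sys_admin (`allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };`, which appears to be the new side of the old/new pair as far as the lost outer markers allow to tell), yet neither the commit changelog nor a comment in the hunk says which fencing operation was denied without it; sys_admin is the broadest capability in the policy and is normally granted only with a justification and a bug reference. The same applies to `allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;` in the virt.te hunk, which is likewise absent from the changelog. Suggest a comment above each new rule naming the denied operation, e.g. `# <operation> requires CAP_SYS_ADMIN, BZ(<bug id>)`, plus matching changelog entries, or moving these two rules into their own commit so they can be reviewed against their denials. Both enclosing policy blocks continue outside the visible context.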


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 124%{?dist}
Release: 125%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
* Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.