From 229bf3d0170d33ed5ab981c0cb1e065bc0f8f500 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 30 Apr 2015 20:10:17 +0200 Subject: [PATCH] * Mon Apr 30 2015 Lukas Vrabec 3.13.1-126 - allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd . - Add nagios_read_lib() interface. - Additional fix for mongod_unit_file_t in mongodb.te. - Fix decl of mongod_unit_file to mongod_unit_file_t. - Fix mongodb unit file declaration. - Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type. - Fix labeling for /usr/libexec/mysqld_safe-scl-helper. - Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons. - Allow sys_ptrace cap for sblim-gatherd caused by ps. - Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Add support for mongod/mongos systemd unit files. - Allow dnssec-trigger to send sigchld to networkmanager - add interface networkmanager_sigchld - Add dnssec-trigger unit file Label dnssec-trigger script in libexec - Remove duplicate specification for /etc/localtime. - Add default labeling for /etc/localtime symlink. --- policy-rawhide-base.patch | 46 ++++---- policy-rawhide-contrib.patch | 211 +++++++++++++++++++++++------------ selinux-policy.spec | 20 +++- 3 files changed, 181 insertions(+), 96 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 61760b82..fcd03586 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17591,7 +17591,7 @@ index e100d88..991e1a5 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..15c063c 100644 +index 8dbab4c..46d7f18 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -17612,15 +17612,16 @@ index 8dbab4c..15c063c 100644 role system_r types kernel_t; sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) -@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) +@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) type debugfs_t; files_mountpoint(debugfs_t) fs_type(debugfs_t) ++dev_associate_sysfs(debugfs_t) + allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) +@@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) @@ -17653,7 +17654,7 @@ index 8dbab4c..15c063c 100644 type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) -@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) +@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) @@ -17668,7 +17669,7 @@ index 8dbab4c..15c063c 100644 # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) -@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) 
@@ -17679,7 +17680,7 @@ index 8dbab4c..15c063c 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -17694,7 +17695,7 @@ index 8dbab4c..15c063c 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +221,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +222,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -17702,7 +17703,7 @@ index 8dbab4c..15c063c 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -17710,7 +17711,7 @@ index 8dbab4c..15c063c 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) 
@@ -17736,7 +17737,7 @@ index 8dbab4c..15c063c 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -17746,7 +17747,7 @@ index 8dbab4c..15c063c 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +314,53 @@ files_list_root(kernel_t) +@@ -277,25 +315,53 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -17800,7 +17801,7 @@ index 8dbab4c..15c063c 100644 ') optional_policy(` -@@ -305,6 +370,19 @@ optional_policy(` +@@ -305,6 +371,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -17820,7 +17821,7 @@ index 8dbab4c..15c063c 100644 ') optional_policy(` -@@ -312,6 +390,11 @@ optional_policy(` +@@ -312,6 +391,11 @@ optional_policy(` ') optional_policy(` @@ -17832,7 +17833,7 @@ index 8dbab4c..15c063c 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +415,6 @@ optional_policy(` +@@ -332,9 +416,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -17842,7 +17843,7 @@ index 8dbab4c..15c063c 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +423,7 @@ optional_policy(` +@@ -343,9 +424,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -17853,7 +17854,7 @@ index 8dbab4c..15c063c 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +432,7 @@ optional_policy(` +@@ -354,7 +433,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -17862,7 +17863,7 @@ index 8dbab4c..15c063c 100644 ') ') -@@ -367,6 +445,15 @@ optional_policy(` +@@ -367,6 +446,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') 
@@ -17878,7 +17879,7 @@ index 8dbab4c..15c063c 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -36486,7 +36487,7 @@ index 79048c4..c3a255a 100644 udev_read_pid_files(lvm_t) ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..3d71062 100644 +index 9fe8e01..ce00ccb 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,14 @@ ifdef(`distro_gentoo',` @@ -36497,7 +36498,7 @@ index 9fe8e01..3d71062 100644 -/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0) -+/etc/localtime gen_context(system_u:object_r:locale_t,s0) ++/etc/localtime -l gen_context(system_u:object_r:locale_t,s0) +/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) @@ -42364,10 +42365,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f3a8fe7 +index 0000000..c19260b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,713 @@ +@@ -0,0 +1,714 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -42626,6 +42627,7 @@ index 0000000..f3a8fe7 + +kernel_dgram_send(systemd_networkd_t) +kernel_request_load_module(systemd_networkd_t) ++kernel_rw_net_sysctls(systemd_networkd_t) + +dev_read_sysfs(systemd_networkd_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 55d5d91a..a9db9647 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
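Review bot: The rewritten miscfiles.fc spec `/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)` matches only a symlink, while the `--` entry this hunk shows being removed was the form that covered a regular file; a host where /etc/localtime is a copied zoneinfo file rather than a link (common in containers and manually configured systems) will now fall through to the /etc default and lose locale_t, so domains that only hold miscfiles_read_localization() can no longer read it. Unless the regular-file case is re-added somewhere outside this view, keep both forms: `/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)` next to the `-l` line. A one-line comment above them saying both file types are intentional would keep the next "duplicate" cleanup from dropping one again.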
@@ -5157,7 +5157,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..9c06038 100644 +index 6649962..d671bf8 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -6477,15 +6477,16 @@ index 6649962..9c06038 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1029,7 @@ optional_policy(` +@@ -832,6 +1029,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) ++ nagios_read_lib(httpd_t) + nagios_read_log(httpd_t) ') optional_policy(` -@@ -842,20 +1040,40 @@ optional_policy(` +@@ -842,20 +1041,40 @@ optional_policy(` ') optional_policy(` @@ -6532,7 +6533,7 @@ index 6649962..9c06038 100644 ') optional_policy(` -@@ -863,19 +1081,35 @@ optional_policy(` +@@ -863,19 +1082,35 @@ optional_policy(` ') optional_policy(` @@ -6568,7 +6569,7 @@ index 6649962..9c06038 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1117,189 @@ optional_policy(` +@@ -883,65 +1118,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6780,7 +6781,7 @@ index 6649962..9c06038 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1309,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6935,7 +6936,7 @@ index 6649962..9c06038 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1392,107 @@ optional_policy(` +@@ -1083,172 +1393,107 @@ optional_policy(` ') ') @@ -7173,7 +7174,7 @@ index 6649962..9c06038 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1501,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
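Review bot: `nagios_read_lib(httpd_t)` is added unconditionally inside the nagios optional_policy block, so every process running in httpd_t — not only the CGI that invokes rrdtool — gains read access to the whole nagios_var_lib_t tree, and nothing in the hunk records why. At minimum put a why-comment above the line, e.g. `# rrdtool run from the nagios CGI reads graph data labeled nagios_var_lib_t`; if the access is only needed for that one case, consider gating the nagios read rules behind a tunable the way the neighbouring `httpd_can_network_connect_db` block gates mysql_tcp_connect(). The enclosing optional_policy list continues beyond this hunk.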
@@ -7270,7 +7271,7 @@ index 6649962..9c06038 100644 ######################################## # -@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1576,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7287,7 +7288,7 @@ index 6649962..9c06038 100644 ') ######################################## -@@ -1330,49 +1591,38 @@ optional_policy(` +@@ -1330,49 +1592,38 @@ optional_policy(` # User content local policy # @@ -7352,7 +7353,7 @@ index 6649962..9c06038 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1633,101 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -24751,11 +24752,14 @@ index 37a3b7b..921056a 100644 +') diff --git a/dnssec.fc b/dnssec.fc new file mode 100644 -index 0000000..9e231a8 +index 0000000..1714fa6 --- /dev/null +++ b/dnssec.fc -@@ -0,0 +1,3 @@ +@@ -0,0 +1,6 @@ ++/usr/lib/systemd/system/dnssec-triggerd.* -- gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0) ++ +/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) ++/usr/libexec/dnssec-trigger-script -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) + +/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) diff --git a/dnssec.if b/dnssec.if @@ -24851,10 +24855,10 @@ index 0000000..457d4dd +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..46f4d2c +index 0000000..64f1a64 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,63 @@ +@@ -0,0 +1,68 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -24866,6 +24870,9 @@ index 0000000..46f4d2c +type dnssec_trigger_exec_t; +init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t) + ++type dnssec_trigger_unit_file_t; ++systemd_unit_file(dnssec_trigger_unit_file_t) ++ +type dnssec_trigger_var_run_t; +files_pid_file(dnssec_trigger_var_run_t) + 
@@ -24917,6 +24924,8 @@ index 0000000..46f4d2c + +optional_policy(` + networkmanager_stream_connect(dnssec_trigger_t) ++ networkmanager_sigchld(dnssec_trigger_t) ++ +') diff --git a/dnssectrigger.te b/dnssectrigger.te index c7bb4e7..e6fe2f40 100644 @@ -46851,16 +46860,22 @@ index 0000000..e7220a5 +logging_send_syslog_msg(mon_procd_t) + diff --git a/mongodb.fc b/mongodb.fc -index 6fcfc31..91adcaf 100644 +index 6fcfc31..e9e6bc5 100644 --- a/mongodb.fc +++ b/mongodb.fc -@@ -1,9 +1,13 @@ +@@ -1,9 +1,19 @@ /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) -/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) ++/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0) ++/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0) ++ +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) ++ ++/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0) /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) @@ -46872,10 +46887,20 @@ index 6fcfc31..91adcaf 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..571da1a 100644 +index 169f236..608c584 100644 --- a/mongodb.te 
+++ b/mongodb.te -@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t) +@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t) + type mongod_initrc_exec_t; + init_script_file(mongod_initrc_exec_t) + ++type mongod_unit_file_t; ++systemd_unit_file(mongod_unit_file_t) ++ + type mongod_log_t; + logging_log_file(mongod_log_t) + +@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t) type mongod_var_run_t; files_pid_file(mongod_var_run_t) @@ -46907,7 +46932,7 @@ index 169f236..571da1a 100644 manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -@@ -41,21 +47,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +@@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) @@ -51970,10 +51995,10 @@ index b708708..dd6e04b 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index 06f8666..d813d8a 100644 +index 06f8666..c2c13aa 100644 --- a/mysql.fc +++ b/mysql.fc -@@ -1,12 +1,26 @@ +@@ -1,27 +1,46 @@ -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) @@ -52009,7 +52034,9 @@ index 06f8666..d813d8a 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -14,14 +28,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) + /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) ++/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) ++ /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) 
@@ -53678,7 +53705,7 @@ index d78dfc3..40e1c77 100644 -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if -index 0641e97..cad402c 100644 +index 0641e97..ed3394e 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ @@ -53755,7 +53782,7 @@ index 0641e97..cad402c 100644 ## ## ## -@@ -73,15 +68,14 @@ interface(`nagios_read_config',` +@@ -73,15 +68,33 @@ interface(`nagios_read_config',` type nagios_etc_t; ') @@ -53764,6 +53791,25 @@ index 0641e97..cad402c 100644 allow $1 nagios_etc_t:file read_file_perms; - allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; + files_search_etc($1) ++') ++###################################### ++## ++## Read nagios lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_read_lib',` ++ gen_require(` ++ type nagios_var_lib_t; ++ ') ++ ++ files_search_var($1) ++ list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t) ++ read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t) ') ###################################### @@ -53773,7 +53819,7 @@ index 0641e97..cad402c 100644 ## ## ## -@@ -100,8 +94,7 @@ interface(`nagios_read_log',` +@@ -100,8 +113,7 @@ interface(`nagios_read_log',` ######################################## ## @@ -53783,17 +53829,18 @@ index 0641e97..cad402c 100644 ## ## ## -@@ -132,13 +125,33 @@ interface(`nagios_search_spool',` +@@ -132,13 +144,33 @@ interface(`nagios_search_spool',` type nagios_spool_t; ') - files_search_spool($1) allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nagios temporary files. +## Append nagios spool files. +## +## 
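Review bot: The new `nagios_read_lib()` interface grants `files_search_var($1)`, but nagios_var_lib_t, as the name suggests, presumably lives under /var/lib, whose directory type is var_lib_t; a caller that does not already hold search on var_lib_t will still be denied at /var/lib. The conventional call for a lib-directory interface is `files_search_var_lib($1)` (compare nagios_search_spool() in this same file, which uses files_search_spool()), so change that line to `files_search_var_lib($1)`. httpd_t most likely already has that search permission, which is why the apache caller appears to work, but the interface should be complete on its own. Also separate the closing `')` of nagios_read_config() from the new interface header with a blank line, as the rest of the file does.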
@@ -53809,17 +53856,16 @@ index 0641e97..cad402c 100644 + + allow $1 nagios_spool_t:file append_file_perms; + files_search_spool($1) - ') - - ######################################## - ## --## Read nagios temporary files. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. ## ## ## -@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',` +@@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',` type nagios_tmp_t; ') @@ -53856,7 +53902,7 @@ index 0641e97..cad402c 100644 ## ## ## -@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',` +@@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',` type nrpe_t, nrpe_exec_t; ') @@ -53873,7 +53919,7 @@ index 0641e97..cad402c 100644 ## ## ## -@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',` +@@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',` ## ## ## @@ -54558,7 +54604,7 @@ index 94b9734..448a7e8 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..219892b 100644 +index 86dc29d..0c72c4d 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -54789,12 +54835,11 @@ index 86dc29d..219892b 100644 # -interface(`networkmanager_read_pid_files',` +interface(`networkmanager_manage_pid_files',` - gen_require(` - type NetworkManager_var_run_t; - ') - - files_search_pids($1) -- allow $1 NetworkManager_var_run_t:file read_file_perms; ++ gen_require(` ++ type NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) + manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) +') + 
@@ -54809,11 +54854,12 @@ index 86dc29d..219892b 100644 +## +# +interface(`networkmanager_manage_pid_sock_files',` -+ gen_require(` -+ type NetworkManager_var_run_t; -+ ') -+ -+ files_search_pids($1) + gen_require(` + type NetworkManager_var_run_t; + ') + + files_search_pids($1) +- allow $1 NetworkManager_var_run_t:file read_file_perms; + manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) +') + @@ -54888,7 +54934,7 @@ index 86dc29d..219892b 100644 ## ## ## Role allowed access. -@@ -287,33 +425,132 @@ interface(`networkmanager_stream_connect',` +@@ -287,33 +425,150 @@ interface(`networkmanager_stream_connect',` ## ## # @@ -54999,6 +55045,24 @@ index 86dc29d..219892b 100644 + +######################################## +## ++## Send sigchld to networkmanager. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`networkmanager_sigchld',` ++ gen_require(` ++ type networkmanager_t; ++ ') ++ ++ allow $1 networkmanager_t:process sigchld; ++') ++######################################## ++## +## Transition to networkmanager named content +## +## @@ -91721,7 +91785,7 @@ index 98c9e0a..562666e 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..8ce51cb 100644 +index 299756b..7d15afd 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -91803,7 +91867,7 @@ index 299756b..8ce51cb 100644 -allow sblim_gatherd_t self:capability dac_override; -allow sblim_gatherd_t self:process signal; -+allow sblim_gatherd_t self:capability { dac_override sys_nice }; ++allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace }; +allow sblim_gatherd_t self:process { setsched signal }; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; 
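Review bot: `networkmanager_sigchld()` requires and targets `networkmanager_t`, but the domain's types in this module are spelled with a capital prefix — the same file uses `NetworkManager_var_run_t` a few hunks up — and SELinux type names are case-sensitive. Unless a `networkmanager_t` alias exists outside this view, the gen_require cannot be resolved, and because the only caller, dnssec.te, invokes it inside an optional_policy block, that whole block — including the existing networkmanager_stream_connect(dnssec_trigger_t) — would be silently dropped at link time rather than failing loudly. Change the two lines to `type NetworkManager_t;` and `allow $1 NetworkManager_t:process sigchld;`, and drop the duplicated `# #` line before the interface body so it matches the other headers.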
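Review bot: Adding `sys_ptrace` to `allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };` is a broad grant for a denial that, per the changelog, is caused by running ps: that capability is consulted when ps reads ptrace-gated /proc/<pid> entries (exe, maps, environ, wchan), and ps degrades gracefully when the check fails, so the usual handling in this policy is a dontaudit rather than an allow. Prefer `allow sblim_gatherd_t self:capability { dac_override sys_nice };` followed by `dontaudit sblim_gatherd_t self:capability sys_ptrace;`, unless the gatherer is known to need those entries for its metrics — in which case a comment naming them would justify the allow. The capability is only part of the check (SELinux still mediates the per-target access), but it still removes a safeguard from a daemon that already holds dac_override.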
@@ -104221,7 +104285,7 @@ index a4f20bc..b3bd64f 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..c930866 100644 +index facdee8..814626a 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,226 @@ @@ -104822,7 +104886,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -495,53 +398,37 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +398,38 @@ interface(`virt_manage_virt_content',` ## ## # @@ -104876,6 +104940,7 @@ index facdee8..c930866 100644 - virt_home_filetrans($1, virt_content_t, $2, $3) + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) ') ######################################## @@ -104886,7 +104951,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -549,34 +436,21 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +437,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -104929,7 +104994,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -584,32 +458,36 @@ interface(`virt_manage_svirt_home_content',` +@@ -584,32 +459,36 @@ interface(`virt_manage_svirt_home_content',` ## ## # @@ -104978,7 +105043,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -618,54 +496,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +497,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -105042,7 +105107,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -673,107 +533,136 @@ interface(`virt_home_filetrans',` +@@ -673,107 +534,136 @@ interface(`virt_home_filetrans',` ## ## # @@ -105223,7 +105288,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -781,19 +670,18 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',` ## ## # 
@@ -105248,7 +105313,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -801,18 +689,36 @@ interface(`virt_read_pid_files',` +@@ -801,18 +690,36 @@ interface(`virt_read_pid_files',` ## ## # @@ -105290,7 +105355,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -820,18 +726,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',` ## ## # @@ -105313,7 +105378,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -839,20 +744,18 @@ interface(`virt_search_lib',` +@@ -839,20 +745,18 @@ interface(`virt_search_lib',` ## ## # @@ -105338,7 +105403,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -860,94 +763,267 @@ interface(`virt_read_lib_files',` +@@ -860,94 +764,267 @@ interface(`virt_read_lib_files',` ## ## # @@ -105635,7 +105700,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -955,20 +1031,17 @@ interface(`virt_append_log',` +@@ -955,20 +1032,17 @@ interface(`virt_append_log',` ## ## # @@ -105660,7 +105725,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -976,18 +1049,17 @@ interface(`virt_manage_log',` +@@ -976,18 +1050,17 @@ interface(`virt_manage_log',` ## ## # @@ -105683,7 +105748,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -995,36 +1067,35 @@ interface(`virt_search_images',` +@@ -995,36 +1068,35 @@ interface(`virt_search_images',` ## ## # @@ -105739,7 +105804,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -1032,20 +1103,17 @@ interface(`virt_read_images',` +@@ -1032,20 +1104,17 @@ interface(`virt_read_images',` ## ## # @@ -105764,7 +105829,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -1053,15 +1121,57 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -105827,7 +105892,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -1069,21 +1179,28 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1180,28 @@ interface(`virt_manage_svirt_cache',` ## ## # 
@@ -105864,7 +105929,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -1091,36 +1208,188 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1209,188 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -106071,7 +106136,7 @@ index facdee8..c930866 100644 ## ## ## -@@ -1136,50 +1405,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1406,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index a1da1e04..3656ec84 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 125%{?dist} +Release: 126%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -602,6 +602,24 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Apr 30 2015 Lukas Vrabec 3.13.1-126 +- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd . +- Add nagios_read_lib() interface. +- Additional fix for mongod_unit_file_t in mongodb.te. +- Fix decl of mongod_unit_file to mongod_unit_file_t. +- Fix mongodb unit file declaration. +- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type. +- Fix labeling for /usr/libexec/mysqld_safe-scl-helper. +- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons. +- Allow sys_ptrace cap for sblim-gatherd caused by ps. +- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. +- Add support for mongod/mongos systemd unit files. +- Allow dnssec-trigger to send sigchld to networkmanager +- add interface networkmanager_sigchld +- Add dnssec-trigger unit file Label dnssec-trigger script in libexec +- Remove duplicate specification for /etc/localtime. +- Add default labeling for /etc/localtime symlink. + * Mon Apr 20 2015 Lukas Vrabec 3.13.1-125 - Define ipa_var_run_t type - Allow certmonger to manage renewal.lock. BZ(1213256)