* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289

- Allow tlp_t domain stream connect to sssd_t domain
- Add missing dac_override capability
- Add systemd_tmpfiles_t dac_override capability
This commit is contained in:
Lukas Vrabec 2017-09-27 13:16:05 +02:00
parent 8587149987
commit 233534cc51
4 changed files with 23 additions and 12 deletions



@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1e7..9823c5a68 100644 index 1d732f1e7..ae2fa67f8 100644
--- a/policy/modules/admin/usermanage.te --- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t; @@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3376,7 +3376,7 @@ index 1d732f1e7..9823c5a68 100644
# #
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; +allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
dontaudit passwd_t self:capability sys_tty_config; dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:process { setrlimit setfscreate };
@ -35722,7 +35722,7 @@ index e4376aa98..2c98c5647 100644
+ allow $1 getty_unit_file_t:service start; + allow $1 getty_unit_file_t:service start;
+') +')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea19..abcc39a8c 100644 index f6743ea19..8c64a7e19 100644
--- a/policy/modules/system/getty.te --- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te
@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
@ -35747,7 +35747,7 @@ index f6743ea19..abcc39a8c 100644
# Use capabilities. # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid }; +allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config; dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms; allow getty_t self:fifo_file rw_fifo_file_perms;
@ -41173,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+') +')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 446fa9908..a0d1b1ff7 100644 index 446fa9908..31ffd73ab 100644
--- a/policy/modules/system/locallogin.te --- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@ -41208,7 +41208,7 @@ index 446fa9908..a0d1b1ff7 100644
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec }; -allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use; allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:fifo_file rw_fifo_file_perms;
@ -50091,10 +50091,10 @@ index 000000000..634d9596a
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 000000000..3660fe1c4 index 000000000..e83a61cca
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1025 @@ @@ -0,0 +1,1027 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -50582,7 +50582,7 @@ index 000000000..3660fe1c4
+# Local policy +# Local policy
+# +#
+ +
+allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
+allow systemd_tmpfiles_t self:process { setfscreate }; +allow systemd_tmpfiles_t self:process { setfscreate };
+ +
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@ -51029,6 +51029,8 @@ index 000000000..3660fe1c4
+dev_read_sysfs(systemd_resolved_t) +dev_read_sysfs(systemd_resolved_t)
+ +
+sysnet_manage_config(systemd_resolved_t) +sysnet_manage_config(systemd_resolved_t)
+sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
+sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
+ +
+userdom_dbus_send_all_users(systemd_resolved_t) +userdom_dbus_send_all_users(systemd_resolved_t)
+ +
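Review bot: The systemd_tmpfiles_t capability line now carries dac_override alongside mknod and sys_admin, but neither the rule nor the changelog records which tmpfiles.d entry produced the denial, and the previous release (3.13.1-288, per the spec changelog in this same commit) had just dropped it as unnecessary. A comment above the allow rule would keep the next cleanup pass from removing it again, e.g. `# dac_override: re-added in 3.13.1-289 after removal in -288; record the AVC / tmpfiles.d path that needs it`. The same applies to the passwd_t, getty_t and local_login_t capability lines earlier in this section, which get dac_override back the same way. The `sysnet_filetrans_config_fromdir` additions for resolv.conf and resolv.conf.tmp under systemd_resolved_t are not mentioned in the changelog, presumably an unrelated fix carried along in the patch refresh.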


@ -111760,10 +111760,10 @@ index 000000000..368e18842
+') +')
diff --git a/tlp.te b/tlp.te diff --git a/tlp.te b/tlp.te
new file mode 100644 new file mode 100644
index 000000000..761cc35b0 index 000000000..1ef713150
--- /dev/null --- /dev/null
+++ b/tlp.te +++ b/tlp.te
@@ -0,0 +1,80 @@ @@ -0,0 +1,84 @@
+policy_module(tlp, 1.0.0) +policy_module(tlp, 1.0.0)
+ +
+######################################## +########################################
@ -111844,6 +111844,10 @@ index 000000000..761cc35b0
+optional_policy(` +optional_policy(`
+ mount_domtrans(tlp_t) + mount_domtrans(tlp_t)
+') +')
+
+optional_policy(`
+ sssd_stream_connect(tlp_t)
+')
diff --git a/tmpreaper.te b/tmpreaper.te diff --git a/tmpreaper.te b/tmpreaper.te
index 585a77f95..9858c8b8d 100644 index 585a77f95..9858c8b8d 100644
--- a/tmpreaper.te --- a/tmpreaper.te
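Review bot: The new `optional_policy` block grants tlp_t a stream connect to sssd's socket without a comment saying what tlp does that reaches it, so a later audit of tlp's socket access has nothing to go on. A one-line comment above `sssd_stream_connect(tlp_t)` would help, e.g. `# tlp resolves user/group names through NSS, which contacts sssd when it is the NSS backend -- confirm this matches the denial seen`; that reason is inferred from the domain names, not visible in the hunk. tlp.te's body starts well before this hunk.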


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 288%{?dist} Release: 289%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -682,6 +682,11 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
- Allow tlp_t domain stream connect to sssd_t domain
- Add missing dac_override capability
- Add systemd_tmpfiles_t dac_override capability
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288 * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
- Remove all unnecessary dac_override capability in SELinux modules - Remove all unnecessary dac_override capability in SELinux modules