* Fri Jul 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-205

- Dontaudit mock_build_t can list all ptys. - Allow ftpd_t to mamange userhome data without any boolean. - Add logrotate permissions for creating netlink selinux sockets. - Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. - Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654) - Allow systemd gpt generator to run fstools BZ(1353585) - Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716) - Allow gnome-keyring also manage user_tmp_t sockets. - Allow systemd to mounton /etc filesystem. BZ(1341753)
2016-07-29 11:33:56 +02:00 · 2016-07-29 11:33:56 +02:00 · 247a84c954
parent 4f692c42ee
commit 247a84c954
4 changed files with 426 additions and 307 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -29712,7 +29712,7 @@ index 4498143..84a4858 100644
 	ftp_run_ftpdctl($1, $2)
 ')
 diff --git a/ftp.te b/ftp.te
-index 36838c2..0a8b621 100644
+index 36838c2..21cc5ed 100644
 --- a/ftp.te
 +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -29877,11 +29877,16 @@ index 36838c2..0a8b621 100644
 miscfiles_read_public_files(ftpd_t)
 
 seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +228,55 @@ sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 userdom_dontaudit_search_user_home_dirs(ftpd_t)
 +userdom_filetrans_home_content(ftpd_t)
+userdom_manage_user_home_content_dirs(ftpd_t)
+userdom_manage_user_home_content_files(ftpd_t)
+userdom_manage_user_tmp_dirs(ftpd_t)
+userdom_manage_user_tmp_files(ftpd_t)
+
 
 -tunable_policy(`allow_ftpd_anon_write',`
 +tunable_policy(`ftpd_anon_write',`
@ -29935,7 +29940,7 @@ index 36838c2..0a8b621 100644
 ')
 
 tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,44 +296,24 @@ tunable_policy(`ftpd_connect_db',`
 	corenet_sendrecv_mssql_client_packets(ftpd_t)
 	corenet_tcp_connect_mssql_port(ftpd_t)
 	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@ -29985,7 +29990,7 @@ index 36838c2..0a8b621 100644
 	corecmd_exec_shell(ftpd_t)
 
 	files_read_usr_files(ftpd_t)
-@@ -363,9 +330,8 @@ optional_policy(`
+@@ -363,9 +335,8 @@ optional_policy(`
 
 optional_policy(`
 	selinux_validate_context(ftpd_t)
@ -29996,7 +30001,7 @@ index 36838c2..0a8b621 100644
 	kerberos_use(ftpd_t)
 ')
 
-@@ -416,86 +382,39 @@ optional_policy(`
+@@ -416,86 +387,39 @@ optional_policy(`
 #
 
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -45893,7 +45898,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..6f475e4 100644
+index be0ab84..9059174 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@ -45930,7 +45935,7 @@ index be0ab84..6f475e4 100644
 
 type logrotate_lock_t;
 files_lock_file(logrotate_lock_t)
-@@ -25,21 +38,30 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t)
 type logrotate_var_lib_t;
 files_type(logrotate_var_lib_t)
 
@ -45964,10 +45969,11 @@ index be0ab84..6f475e4 100644
 allow logrotate_t self:unix_dgram_socket sendto;
 -allow logrotate_t self:unix_stream_socket { accept connectto listen };
 +allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:netlink_selinux_socket create_socket_perms;
 allow logrotate_t self:shm create_shm_perms;
 allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +70,52 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive };
 allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
 
@ -46025,7 +46031,7 @@ index be0ab84..6f475e4 100644
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +133,55 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +134,55 @@ mls_process_write_to_clearance(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
 selinux_get_enforce_mode(logrotate_t)
 
@ -46087,7 +46093,7 @@ index be0ab84..6f475e4 100644
 ')
 
 optional_policy(`
-@@ -135,16 +196,17 @@ optional_policy(`
+@@ -135,16 +197,17 @@ optional_policy(`
 
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -46107,7 +46113,7 @@ index be0ab84..6f475e4 100644
 ')
 
 optional_policy(`
-@@ -170,6 +232,11 @@ optional_policy(`
+@@ -170,6 +233,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -46119,7 +46125,7 @@ index be0ab84..6f475e4 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
 
-@@ -178,7 +245,7 @@ optional_policy(`
+@@ -178,7 +246,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -46128,7 +46134,7 @@ index be0ab84..6f475e4 100644
 ')
 
 optional_policy(`
-@@ -198,17 +265,18 @@ optional_policy(`
+@@ -198,17 +266,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -46150,7 +46156,7 @@ index be0ab84..6f475e4 100644
 ')
 
 optional_policy(`
-@@ -216,6 +284,14 @@ optional_policy(`
+@@ -216,6 +285,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -46165,7 +46171,7 @@ index be0ab84..6f475e4 100644
 	samba_exec_log(logrotate_t)
 ')
 
-@@ -228,26 +304,50 @@ optional_policy(`
+@@ -228,26 +305,50 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -49861,10 +49867,10 @@ index 0000000..f5b98e6
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..2d4fb00
+index 0000000..0dcf221
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,285 @@
+@@ -0,0 +1,286 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@ -50146,6 +50152,7 @@ index 0000000..2d4fb00
 +
 +term_use_all_inherited_terms(mock_build_t)
 +userdom_use_inherited_user_ptys(mock_build_t)
+term_dontaudit_manage_pty_dirs(mock_build_t)
 +
 +tunable_policy(`mock_enable_homedirs',`
 +	userdom_read_user_home_content_files(mock_build_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 204%{?dist}
+Release: 205%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -648,6 +648,17 @@ exit 0
 %endif

 %changelog
+* Fri Jul 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-205
+- Dontaudit mock_build_t can list all ptys.
+- Allow ftpd_t to mamange userhome data without any boolean.
+- Add logrotate permissions for creating netlink selinux sockets.
+- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
+- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
+- Allow systemd gpt generator to run fstools BZ(1353585)
+- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
+- Allow gnome-keyring also manage user_tmp_t sockets.
+- Allow systemd to mounton /etc filesystem. BZ(1341753)
+
 * Tue Jul 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-204
 - Allow lsmd_plugin_t to exec ldconfig.
 - Allow vnstatd domain to read /sys/class/net/ files