* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193

- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs - Allow gssproxy to get attributes on all filesystem object types. BZ(1333778) - Allow ipa_dnskey_t search httpd config files. - Dontaudit certmonger to write to etc_runtime_t - Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs. - Add interface ipa_delete_tmp() - Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. - Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
2016-05-30 22:14:40 +02:00 · 2016-05-30 22:14:40 +02:00 · 2506c08574
parent 3289d158c4
commit 2506c08574
4 changed files with 342 additions and 219 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -12236,7 +12236,7 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..943af3b 100644
+index 550b287..ea704c2 100644
 --- a/certmonger.te
 +++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -12273,7 +12273,7 @@ index 550b287..943af3b 100644
 
 corenet_all_recvfrom_unlabeled(certmonger_t)
 corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
 
 corenet_sendrecv_certmaster_client_packets(certmonger_t)
 corenet_tcp_connect_certmaster_port(certmonger_t)
@ -12297,10 +12297,11 @@ index 550b287..943af3b 100644
 -files_read_usr_files(certmonger_t)
 files_list_tmp(certmonger_t)
 +files_list_home(certmonger_t)
+files_dontaudit_write_etc_runtime_files(certmonger_t)
 
 fs_search_cgroup_dirs(certmonger_t)
 
-@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t)
+@@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t)
 
 init_getattr_all_script_files(certmonger_t)
 
@ -12325,7 +12326,7 @@ index 550b287..943af3b 100644
 ')
 
 optional_policy(`
-@@ -92,11 +109,58 @@ optional_policy(`
+@@ -92,11 +110,58 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -25086,10 +25087,10 @@ index 0000000..b214253
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..73d1b46
+index 0000000..aa290b1
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,200 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@ -25243,6 +25244,10 @@ index 0000000..73d1b46
 +    uuidd_stream_connect_manager(dirsrv_t)
 +')
 +
+optional_policy(`
+	systemd_manage_passwd_run(dirsrv_t)
+')
+
 +########################################
 +#
 +# dirsrv-snmp local policy
@ -29623,7 +29628,7 @@ index 4498143..84a4858 100644
 	ftp_run_ftpdctl($1, $2)
 ')
 diff --git a/ftp.te b/ftp.te
-index 36838c2..2812a63 100644
+index 36838c2..0a8b621 100644
 --- a/ftp.te
 +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -29669,10 +29674,12 @@ index 36838c2..2812a63 100644
 
 ## <desc>
 ##	<p>
-@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false)
+@@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false)
+ ## </desc>
+ gen_tunable(ftpd_connect_all_unreserved, false)
 
- ## <desc>
- ##	<p>
+-## <desc>
+-##	<p>
 -##	Determine whether ftpd can read and write
 -##	files in user home directories.
 -##	</p>
@ -29681,10 +29688,43 @@ index 36838c2..2812a63 100644
 -
 -## <desc>
 -##	<p>
- ##	Determine whether sftpd can modify
- ##	public files used for public file
- ##	transfer services. Directories/Files must
-@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
+-##	Determine whether sftpd can modify
+-##	public files used for public file
+-##	transfer services. Directories/Files must
+-##	be labeled public_content_rw_t.
+-##	</p>
+-## </desc>
+-gen_tunable(sftpd_anon_write, false)
+-
+-## <desc>
+-##	<p>
+-##	Determine whether sftpd-can read and write
+-##	files in user home directories.
+-##	</p>
+-## </desc>
+-gen_tunable(sftpd_enable_homedirs, false)
+-
+-## <desc>
+-##	<p>
+-##	Determine whether sftpd-can login to
+-##	local users and read and write all
+-##	files on the system, governed by DAC.
+-##	</p>
+-## </desc>
+-gen_tunable(sftpd_full_access, false)
+-
+-## <desc>
+-##	<p>
+-##	Determine whether sftpd can read and write
+-##	files in user ssh home directories.
+-##	</p>
+-## </desc>
+-gen_tunable(sftpd_write_ssh_home, false)
+-
+ attribute_role ftpdctl_roles;
+ 
+ type anon_sftpd_t;
+@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t)
 type ftpd_initrc_exec_t;
 init_script_file(ftpd_initrc_exec_t)
 
@ -29694,7 +29734,7 @@ index 36838c2..2812a63 100644
 type ftpd_keytab_t;
 files_type(ftpd_keytab_t)
 
-@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
+@@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
 allow ftpd_t ftpd_lock_t:file manage_file_perms;
 files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
 
@ -29704,7 +29744,7 @@ index 36838c2..2812a63 100644
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
 
 allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
@ -29731,7 +29771,7 @@ index 36838c2..2812a63 100644
 corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_generic_if(ftpd_t)
 corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_sendrecv_ftp_data_server_packets(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
 
@ -29745,7 +29785,7 @@ index 36838c2..2812a63 100644
 files_read_etc_runtime_files(ftpd_t)
 files_search_var_lib(ftpd_t)
 
-@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
 logging_set_loginuid(ftpd_t)
 
@ -29753,7 +29793,7 @@ index 36838c2..2812a63 100644
 miscfiles_read_public_files(ftpd_t)
 
 seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 userdom_dontaudit_search_user_home_dirs(ftpd_t)
@ -29811,7 +29851,7 @@ index 36838c2..2812a63 100644
 ')
 
 tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',`
 	corenet_sendrecv_mssql_client_packets(ftpd_t)
 	corenet_tcp_connect_mssql_port(ftpd_t)
 	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@ -29861,7 +29901,7 @@ index 36838c2..2812a63 100644
 	corecmd_exec_shell(ftpd_t)
 
 	files_read_usr_files(ftpd_t)
-@@ -363,9 +365,8 @@ optional_policy(`
+@@ -363,9 +330,8 @@ optional_policy(`
 
 optional_policy(`
 	selinux_validate_context(ftpd_t)
@ -29872,7 +29912,7 @@ index 36838c2..2812a63 100644
 	kerberos_use(ftpd_t)
 ')
 
-@@ -416,21 +417,20 @@ optional_policy(`
+@@ -416,86 +382,39 @@ optional_policy(`
 #
 
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -29893,10 +29933,15 @@ index 36838c2..2812a63 100644
 #
 
 -files_read_etc_files(anon_sftpd_t)
- 
+-
 miscfiles_read_public_files(anon_sftpd_t)
 
-@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',`
+-tunable_policy(`sftpd_anon_write',`
+-	miscfiles_manage_public_files(anon_sftpd_t)
+-')
+-
+ ########################################
+ #
 # Sftpd local policy
 #
 
@ -29905,26 +29950,12 @@ index 36838c2..2812a63 100644
 userdom_read_user_home_content_files(sftpd_t)
 userdom_read_user_home_content_symlinks(sftpd_t)
 +userdom_dontaudit_list_admin_dir(sftpd_t)
-+
-+tunable_policy(`sftpd_full_access',`
-+	allow sftpd_t self:capability { dac_override dac_read_search };
-+	fs_read_noxattr_fs_files(sftpd_t)
-+	files_manage_non_security_dirs(sftpd_t)
-+	files_manage_non_security_files(sftpd_t)
-+')
-+
-+optional_policy(`
-+	tunable_policy(`sftpd_write_ssh_home',`
-+		ssh_manage_home_files(sftpd_t)
-+	')
-+')
-+
+ 
+-tunable_policy(`sftpd_enable_homedirs',`
+-	allow sftpd_t self:capability { dac_override dac_read_search };
 +userdom_filetrans_home_content(sftpd_t)
 +userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
 
- tunable_policy(`sftpd_enable_homedirs',`
- 	allow sftpd_t self:capability { dac_override dac_read_search };
- 
 	userdom_manage_user_home_content_dirs(sftpd_t)
 	userdom_manage_user_home_content_files(sftpd_t)
 -	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
@ -29934,22 +29965,35 @@ index 36838c2..2812a63 100644
 -',`
 -	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
 -	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
- ')
+-')
+-
+-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(sftpd_t)
+-	fs_manage_nfs_files(sftpd_t)
+-	fs_manage_nfs_symlinks(sftpd_t)
+-')
 
- tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',`
- tunable_policy(`sftpd_full_access',`
- 	allow sftpd_t self:capability { dac_override dac_read_search };
- 	fs_read_noxattr_fs_files(sftpd_t)
-	files_manage_non_auth_files(sftpd_t)
-+	files_manage_non_security_files(sftpd_t)
- ')
- 
-tunable_policy(`sftpd_write_ssh_home',`
-	ssh_manage_home_files(sftpd_t)
+-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(sftpd_t)
+-	fs_manage_cifs_files(sftpd_t)
+-	fs_manage_cifs_symlinks(sftpd_t)
 -')
 +userdom_home_reader(sftpd_t)
 
+-tunable_policy(`sftpd_anon_write',`
+-	miscfiles_manage_public_files(sftpd_t)
+-')
+-
+-tunable_policy(`sftpd_full_access',`
+-	allow sftpd_t self:capability { dac_override dac_read_search };
+-	fs_read_noxattr_fs_files(sftpd_t)
+-	files_manage_non_auth_files(sftpd_t)
+-')
+-
+-tunable_policy(`sftpd_write_ssh_home',`
+-	ssh_manage_home_files(sftpd_t)
+-')
+-
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_list_cifs(sftpd_t)
 -	fs_read_cifs_files(sftpd_t)
@ -36215,10 +36259,10 @@ index 0000000..2277038
 +')
 diff --git a/gssproxy.te b/gssproxy.te
 new file mode 100644
-index 0000000..bbd5979
+index 0000000..dc1385d
 --- /dev/null
 +++ b/gssproxy.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,70 @@
 +policy_module(gssproxy, 1.0.0)
 +
 +########################################
@ -36266,6 +36310,8 @@ index 0000000..bbd5979
 +
 +files_read_etc_files(gssproxy_t)
 +
+fs_getattr_all_fs(gssproxy_t)
+
 +auth_use_nsswitch(gssproxy_t)
 +
 +dev_read_urand(gssproxy_t)
@ -38026,10 +38072,10 @@ index 0000000..e1ddda0
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..904782d
+index 0000000..ee3a606
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,178 @@
+@@ -0,0 +1,197 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@ -38208,12 +38254,31 @@ index 0000000..904782d
 +
 +	files_pid_filetrans($1, ipa_var_run_t, file, $2)
 +')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_delete_tmp',`
+	gen_require(`
+		type ipa_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 ipa_tmp_t:file unlink;
+')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..5fad85e
+index 0000000..3ca42f7
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,199 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@ -38393,6 +38458,10 @@ index 0000000..5fad85e
 +sysnet_read_config(ipa_dnskey_t)
 +
 +optional_policy(`
+    apache_search_config(ipa_dnskey_t)
+')
+
+optional_policy(`
 +	bind_domtrans_ndc(ipa_dnskey_t)
 +	bind_read_dnssec_keys(ipa_dnskey_t)
 +	bind_manage_zone(ipa_dnskey_t)
@ -63471,10 +63540,10 @@ index 0000000..08d0e79
 +/var/opendnssec(/.*)?		gen_context(system_u:object_r:opendnssec_var_t,s0)
 diff --git a/opendnssec.if b/opendnssec.if
 new file mode 100644
-index 0000000..fb0141d
+index 0000000..eac3932
 --- /dev/null
 +++ b/opendnssec.if
-@@ -0,0 +1,206 @@
+@@ -0,0 +1,208 @@
 +
 +## <summary>policy for opendnssec</summary>
 +
@ -63533,6 +63602,7 @@ index 0000000..fb0141d
 +        ')
 +
 +        files_search_etc($1)
+        allow $1 opendnssec_conf_t:dir list_dir_perms;
 +        allow $1 opendnssec_conf_t:file read_file_perms;
 +')
 +
@ -63553,6 +63623,7 @@ index 0000000..fb0141d
 +        ')
 +
 +        files_search_etc($1)
+        allow $1 opendnssec_conf_t:dir manage_dir_perms;
 +        allow $1 opendnssec_conf_t:file manage_file_perms;
 +')
 +
@ -96494,7 +96565,7 @@ index cd6c213..372c7bb 100644
 +	')
 ')
 diff --git a/sanlock.te b/sanlock.te
-index 0045465..7afb413 100644
+index 0045465..5080a66 100644
 --- a/sanlock.te
 +++ b/sanlock.te
@@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0)
@ -96581,7 +96652,7 @@ index 0045465..7afb413 100644
 logging_log_filetrans(sanlock_t, sanlock_log_t, file)
 
 manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+@@ -65,13 +84,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
 kernel_read_system_state(sanlock_t)
 kernel_read_kernel_sysctls(sanlock_t)
 
@ -96591,6 +96662,8 @@ index 0045465..7afb413 100644
 domain_use_interactive_fds(sanlock_t)
 
 +files_read_mnt_symlinks(sanlock_t)
+
+fs_rw_cephfs_files(sanlock_t)
 +
 storage_raw_rw_fixed_disk(sanlock_t)
 
@ -96601,7 +96674,7 @@ index 0045465..7afb413 100644
 auth_use_nsswitch(sanlock_t)
 
 init_read_utmp(sanlock_t)
-@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +103,29 @@ init_dontaudit_write_utmp(sanlock_t)
 
 logging_send_syslog_msg(sanlock_t)
 
@ -96640,7 +96713,7 @@ index 0045465..7afb413 100644
 ')
 
 optional_policy(`
-@@ -100,7 +131,34 @@ optional_policy(`
+@@ -100,7 +133,34 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 192%{?dist}
+Release: 193%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -647,6 +647,17 @@ exit 0
 %endif

 %changelog
+* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
+- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
+- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
+- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
+- Allow ipa_dnskey_t search httpd config files.
+- Dontaudit certmonger to write to etc_runtime_t
+- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
+- Add interface ipa_delete_tmp()
+- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
+- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
+
 * Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192
 - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
 - Add SELinux policy for opendnssec service. BZ(1333106)