From 25e792495826bbed8ecf1b1ef33bea80cd2c2afd Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 7 Nov 2016 23:00:09 +0100 Subject: [PATCH] * Mon Nov 07 2016 Lukas Vrabec - 3.13.1-223 - nmbd_t needs net_admin capability like smbd - Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids - Add wake_alarm capability2 to openct_t domain - Allow abrt_t to getattr on nsfs_t files. - Add cupsd_t domain wake_alarm capability. - Allow sblim_reposd_t domain to read cert_f files. - Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)" - Allow isnsd_t to accept tcp connections --- container-selinux.tgz | Bin 4908 -> 4908 bytes policy-rawhide-contrib.patch | 171 ++++++++++++++++++----------------- selinux-policy.spec | 13 ++- 3 files changed, 100 insertions(+), 84 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index ba6d48af6723da707edef918381b2f8a3bfee702..cafd41f5e1b7c5b88e952c16a9a5891d6beedd49 100644 GIT binary patch delta 3195 zcmV->421KnCaflZABzY8yO;F5%<^Ize2DB_%5*TVY>-%PFfU6KlDS< zpv||YRkRX!SFv6dse9D$|K1rsBuXMFYFBGtixpt+t~B!_IV6WO!=WxN3l^mXsV~#b zvm;&CaDDU5JN&%)_IKC%CtPo@Z@zi^>;^vI?z^||-afm3zIl7|?YGZ@>tj_&zZ%M- zItZR+cXhNTv6XJ>`Tyv(dhsIojy8E7)sMgbc}Ie>BE@T3Hg!ybsH(Cwj#ye2L97N! zK#DDVUVe9_*j51IclAnxA7_7hAaTQphMpDy+vzuwGKVjhob^iM4Zf?QI?970%E|Z7 z1=aK4k4pHF{UCq8wzUcCreJAKLMV^pynOZR>TFAjuqOX*(i&)2XJ_oO(pu2+uvdng z1SAl$_p7s)7pv7-T-GGclaP|Aj(6cYEzZBXxmca4;=(FoP%FG^2Qxik7b`5_2pt8I zeX_lT@|e>@ew`6V1*dd&!h!PsJ1qogwKnm!zXOCX}O{%@eT{ z3RKHSz;{uNq@8Se`N3B=CYoDlXCU$6Ygmywr@**LGeT9tlA8C(!Xx{siJA|n&nalj z0B`vYl=$CBlnlhpyY`C%fwu~~_?Sf4@WbQjg+DM_7I$Y1V) z+(YVFN*RBSZJW>~kl~h3mrZkL#fQBS{5yQq-GAh>9@l4DkvQF?&_SXjacw0dmB-6W z#DGBl0~hxr>cPVXibb>SA##Jz{}L6^cDRr{jX9R{svS+YN%%vwo5GlyFh|vr#vXi1 zrhwLusMLF&T5DF^qm`iC+QGz#&vxrhl zQT*AstTmCvC3DKd|DOkCh4PQG@1L`}u{9A%2gR;QT5P?FHBS+xJ5MVdkg>GEo-0s^yeR+$jZU3m?}-?tsCGATNDmJ(HRCY2QuDV-0h>JzFQ;!a2nxR+l&fCIV=SxLHw= z1ow4nGO%-!!^-vLC-ptZD4#omZ1IGa2Kpfn1h$g>3~3I983Y4q_NQgV9_KFM!2sVX z&R}M|v7s>7*dteuI2ZatRWoED+JxLyjG|=mAqomV4f0ilxACqH#RRzzp%%*s883g~ zE_M#0Sba5N<2O>UIikjET#`fNoMD#OyM-FdPeNHs>;?aB(3XD-Me9T2v*85E$}OK9 z7G${)T99{TPKE>=(|LUn(bt0K}o8&pJt@wD#@ftpTAn{<0gin}FIcO_+X zX+Um|FNj$aT4r~bD1k*_MK7U&A>lxs)}TwmD9O`8OcD%F+d5p#B879QclTlbXjv4> z>1s7$i8f*sfc5bZPzHK3=aYx9FTSXY+Mp7|TJOCv>1)3Ci`&bDKZXUSb=rU5fBK;- zfIj7(t77loLt0eW@ZsB2;x@OTLZ~a(;-ckrV3Tw3Ta=KhkDv==wOBdJ*f7SWmAhXz zP^&<;kNZV@x~EVu*d9D+)6Y7%OY5@8XIUY~=`LQ+L)|ZHBu(|G+g}@-A+Ug(A8d{H z#roxG*GuOq_y|^a4bli`x-EaAOxT~nr}y(bEGUdCb~B->m^)PILeS!o);Tf7FGCCi zew4BYfanb5R>n@tzx865%{O@c)7;uPnRd68>6IQ{fcr?JvHABb(OiozP z>c^^t<_b$SrBd3TZ^nPX_qxnT99377lJBa!Z=$2i^b>RQZ}R2%&SMvHCA=oRqA-{u*E`LC}!8&<(o<$o^s0fHPHT1eidar z@nM4wxE8Yb(rYxfT}(Z!-$YD8>2ixF$Z5FTzVwlY)1_Tqu%D4*mEk`B^X~fXx7Wk- zKW}c{oX-Dzj+0skkpkaBv+V~A0ReuK`Uoi&V-WAk`y%*|!n(PEZveKTgr!N4e<+hV 
z3CIYK*jAoD6?|%w2?`ql>60Z2C;>N3wndBFe*kHc zOeUF#{YIW^V%F0-bwSvDS%2`8i3`*L2a{e59sv)teGDA|4oB1Gdw{w_ICk?B3qCrN zs134zM@ih&so9G+;r82Ww}^#N_%73sS?jsNbqs9#&L)L*kit#7fzR`7g-gVzL7QG{a~?XDnuYBz^(IGi zIVy+E$IxwQg^%jWXg6@RAuPP%3}AH}qAR+B9IZDpsbrG5Jaz?Pau~K%H@@II9*3NN z<8LJEhN{pgeiiRhvp7@Y>;xy0)!99kP=!9D8&<1E&bL9iU?gx#t5Sw-EY zHJc6+2r`H3&Y$~Cd=q6z!7yEy7MVFsc50SNw3<&Qtfg29*^vElQVX^N$`Dl?^QG9x}jIwHdHtR=#>aV5t1JB@l$?| z*W5~nvudcYA-!LuC!O_(yEg+EOFiQwRi4jl2Wm$dcjxrf3sg`uX3*LqIg zE%+^__7Eh2YDs(QyXt_4$Kx`89jdr3;)D7g;smnP`OUho9EHBRm{OtYC5D~SwCNL7 z&!KX1Y?^Bo-|y^|cy-dm0W5j$b&rEbI_Jz&M{Qiq0;dIz+f!b>vpUxGT)nwyBAI0R z^-Hd2lX)cz!8bq;{c7F z{n{H}E$8x`lvs|b81Zp``SlXe>$K?bmI6GM9J};_rOW3%n!7ExGw;g9TJX?{*(8DNYd&+Rf7o;>FwAs0k^a{%NJbI)<_9I6uY2qRV@n+NW} zZ3=v#lqBwFJq`x>@i<<$l4xYBXyV hoPa}581U#ac=FGa(-I;9OOy5zE(p1)QJ4Ur000EZKfM3| delta 3197 zcmV-@41)8lCaflZABzY84;&g;00Zq^>yO*G5zp84Um+w1WcQHlBS~|>=GvmT>xX_Q zdT8%kuT^DdSQV z>`2!&T<_n%!_S-VesisV!u9t0=Kb4eH*bOF-OYP=^6dJ5=Ixv7n`goGu_~lr4P{Xs z1kbX&I$D$1N;mcVfAm_tcoBS0n>>%|$KURaqKGEG>&5Rs$s< z#TGs%oC4z}%?MQmOKRRD3yG7OhsX^=|8rDC+u=g;H0D^&t9CTqCgBg!ZVF>+!W>mg8hh|5 znF3lrqEb6fH#*eiQKkO_XiU&b<@#5UH$?{{(z<^FO6hgSBeLA5Y!^g8*f5YVOXGmI zzH=Tx-6371>A|W_@30)C{DK`iK$f)#u@(k=bj5j7$_>}VLMW)bV=kpRMG4+8<=J zMe%3jverZvm&_>-|9u{m70N%#e*2u&jjf4DIw*Ec(qijXta*wk9p~+y8z+d%+twz* zH*bI7?=AejTh>1N=}$jCk(Gm6F;$w(TQ|TLwkRBcqB9I)4rIK!xZ6ibeYZ#e%GnX4 z(8gT9`;jt|$1Ix_dHOJZ))Xn@;_o_2U?CitK(X8>SQCL`@JF?p+~P;jj*QkLo#20x6$<16CVwjK)ma5YtS)f|Oa#ytakHW# z3GVCEWMJnchn4H=PwIP+Q9gGB+2RQ;4fI1E2y7+$8PXgIGYAIK>`%*zJ@-woD2tmToL7p%bRCk7m?&u@VtF?34G5l=Ht*Z7H(G$4DarP1}3_W^E%E_ z=oX0t0^5Rx#|3A@;zCt8*+bl`gzA4VS4E_GHmHaO<7wX+0yUkKHtF_~6n9Ia?n=t& z(tz9^Ul6k$HEr{q#du z0Da0mSH<4FhqS1$;lsD5#BFXvg-}}(_Orthq_bX$K!nXo^D&mZP_SWp;O>}En$F?Xoag`mYFt#e|EUxpY4 z{3vA)0MQx9t&E+Pf9u6An{V*?r@6IpGVN|F#~Iba$ZJ*+ys#>>G=AhGTzUD@tp{(r zU}{I@LVG?D1$eo1^d^iNwv(wBqYw^%_{36Fczx$&5pjl|w$PeC#L?{%4xII6BDCErzd-$X~3=_lw!RK6=o^oCZg1a-d^UuC)4J8fVx9CcJmVpJ~@-B z4YGfuByQ@|?8TdK`|Y(`#KI_YnWaF~6kcRC@gVb+K-&+}Tz3qqA*rJSUSKt0Rikn% 
z&PEpe{Ffj968se!bVq`p@w6dN)v~7zt_DYNc&Z{VMx4vz_WWe9N-(HTDbzOl6F%^H z>Fj}ym^&|v_&5A*-Ma?#LbkR#FFe|W&Padj#^XUTBW+7svHZb7q7)GzSsTp>WwWOV z)wpX4T!v$OmubkX^<3dP2DW`?lfpVk;ilcd=XtimCF0YdO|P{%4;@R*!uFSXlcTvD zmBZ#^=(e=NM|EYi8@SpK7T$0MusROW6~> z8^=pq$s5pn_b^hD$%ekP3Kb2My}ZAsHLGk6t&OqZo^^q77VF6%SPpc;?o|A&qVCd~ zO$P}CnZtGG&wVDoi87>Mn668U&h3B7R&=g;D5%vYk1xHNwLJzt2rXPMf=yYYn=S#m zx4VQ?w9ww9SM6b`_BefyNA|hN8N1yi_`bUjs+n@#(5r15Dx3lIN`#>ZNssyXDL=<+ zZl%LnHB{J;-Y?RV&U(b%n*ofap7D_?&*!xRwWEx?b9(9ps;1!hL_k<)>&JhoBk`)U zNv_@=!9;2E&VPfMhbOy@XFB+~It&Sn9qMt;L-2Y0E(X_Oz0rGrCVcrewL%^QoXfB6 zR!aoOfa5Ql>*7t;h?3z%xp@xyl_;YvhE01`_O?JV{$kLtj-^c2z`isZjM2!%k`1^ogqH zP&qj^&9#c}clJuWI%(nnmOS^m$H60=bLOd|Hm+uY(*nosDX-pH9qW3o-dr@1OfvoY zCD*gbypo0BotYpDmElSXIkX6OeuxkHbdHEu(m^{a2ALOzaA!;E+ADu-iM0JRbwtPr z=C}9Ol231ZDbla~-i4=fwUW8q9PQl}?)QIOzrTTJgZF>jeD~ey{U2ZAy235Ot6wg~ zp=SPiA0DrHfTdTg&dsg-|AXq=ZW_tMi4@-ua@ElK3XDGV=dJ|KRZIEze_s9LTcMxM zUcdInSIfD4Cnc6+Dn@^NTzEV_OE^M*c4bJfL4NKx7`3-7NOV|VCDi%V<+m5VKl8?l z)p=Yli4I2&xr5+VS75DZlAR0IIhwq3eK5ef5~cluCmXy$mG^&Zf^4ZMqF;Xd3!c~X zudg`yISs51OZX%ESDK%bSOyql$aA~Qg(uIsNXP{d-y8rr#N2b-JBO;oJi>@o$mW52 z@VGU@FFJhfMJzLl75>75S-~zorU$@>4{cbD4p6_s)okmDU@bv1vu+kVQMq66e>Ix5 j3QoYGCk%LW89V~{-;>i4A^~fY_7W}#mE=%g0H6Q>DF8pJ diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 7f21e550..b4f8d8fa 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..3a70d84 100644 +index eb50f07..d53d1e0 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -805,7 +805,7 @@ index eb50f07..3a70d84 100644 domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +198,43 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +198,44 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) 
@@ -829,6 +829,7 @@ index eb50f07..3a70d84 100644 fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) ++fs_getattr_nsfs_files(abrt_t) -auth_use_nsswitch(abrt_t) +storage_dontaudit_read_fixed_disk(abrt_t) @@ -852,7 +853,7 @@ index eb50f07..3a70d84 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +242,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +243,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -869,7 +870,7 @@ index eb50f07..3a70d84 100644 ') optional_policy(` -@@ -222,6 +254,32 @@ optional_policy(` +@@ -222,6 +255,32 @@ optional_policy(` ') optional_policy(` @@ -902,7 +903,7 @@ index eb50f07..3a70d84 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,15 +292,22 @@ optional_policy(` +@@ -234,15 +293,22 @@ optional_policy(` ') optional_policy(` @@ -925,7 +926,7 @@ index eb50f07..3a70d84 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +318,21 @@ optional_policy(` +@@ -253,9 +319,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -948,7 +949,7 @@ index eb50f07..3a70d84 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +343,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +344,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -963,7 +964,7 @@ index eb50f07..3a70d84 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +362,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +363,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) 
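Review bot: `fs_getattr_nsfs_files(abrt_t)` is appended after `fs_search_all(abrt_t)`, but the neighbouring fs_* calls are kept alphabetical (fs_read_nfs_files, fs_read_nfs_symlinks, fs_search_all), so the new line belongs just before `fs_read_nfs_files(abrt_t)`. getattr-only is the right width here: it lets abrt stat namespace entries (presumably /proc/<pid>/ns/* of the crashing process) without reading them or entering the namespace, and a one-line comment such as `# stat /proc/<pid>/ns/* of the crashing process; no read or setns` would make that deliberate narrowness visible to the next person who sees an nsfs denial. The abrt_t policy block continues beyond this hunk.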
@@ -971,7 +972,7 @@ index eb50f07..3a70d84 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +371,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +372,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -992,7 +993,7 @@ index eb50f07..3a70d84 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +392,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +393,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1019,7 +1020,7 @@ index eb50f07..3a70d84 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +428,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +429,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1033,7 +1034,7 @@ index eb50f07..3a70d84 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +446,11 @@ optional_policy(` +@@ -343,10 +447,11 @@ optional_policy(` ####################################### # @@ -1047,7 +1048,7 @@ index eb50f07..3a70d84 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +469,79 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +470,79 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) 
@@ -1131,7 +1132,7 @@ index eb50f07..3a70d84 100644 ####################################### # -@@ -404,25 +549,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +550,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1194,7 +1195,7 @@ index eb50f07..3a70d84 100644 ') ####################################### -@@ -430,10 +610,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +611,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -13375,7 +13376,7 @@ index 4e4143e..f03dba0 100644 /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/chronyd.if b/chronyd.if -index 32e8265..c5a2913 100644 +index 32e8265..ac74503 100644 --- a/chronyd.if +++ b/chronyd.if @@ -57,6 +57,24 @@ interface(`chronyd_exec',` 
@@ -13403,45 +13404,38 @@ index 32e8265..c5a2913 100644 ##################################### ## ## Read chronyd log files. -@@ -100,8 +118,7 @@ interface(`chronyd_rw_shm',` +@@ -100,8 +118,25 @@ interface(`chronyd_rw_shm',` ######################################## ## -## Connect to chronyd using a unix -## domain stream socket. +## Read chronyd keys files. - ## - ## - ## -@@ -109,19 +126,17 @@ interface(`chronyd_rw_shm',` - ## - ## - # --interface(`chronyd_stream_connect',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`chronyd_read_keys',` - gen_require(` -- type chronyd_t, chronyd_var_run_t; ++ gen_require(` + type chronyd_keys_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ++ ') ++ + read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) - ') - - ######################################## - ## --## Send to chronyd using a unix domain --## datagram socket. ++') ++ ++######################################## ++## +## Append chronyd keys files. ## ## ## -@@ -129,18 +144,62 @@ interface(`chronyd_stream_connect',` +@@ -109,6 +144,49 @@ interface(`chronyd_rw_shm',` ## ## # --interface(`chronyd_dgram_send',` +interface(`chronyd_append_keys',` + gen_require(` + type chronyd_keys_t; 
@@ -13485,43 +13479,38 @@ index 32e8265..c5a2913 100644 +## +## +# -+interface(`chronyd_stream_connect',` + interface(`chronyd_stream_connect',` gen_require(` type chronyd_t, chronyd_var_run_t; - ') - - files_search_pids($1) -- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) -+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) - ') +@@ -140,7 +218,7 @@ interface(`chronyd_dgram_send',` ######################################## ## -## Read chronyd key files. -+## Send to chronyd using a unix domain -+## datagram socket. ++## Manage pid files used by chronyd ## ## ## -@@ -148,13 +207,13 @@ interface(`chronyd_dgram_send',` +@@ -148,13 +226,14 @@ interface(`chronyd_dgram_send',` ## ## # -interface(`chronyd_read_key_files',` -+interface(`chronyd_dgram_send',` ++interface(`chronyd_manage_pid',` gen_require(` - type chronyd_keys_t; -+ type chronyd_t, chronyd_var_run_t; ++ type chronyd_var_run_t; ') - files_search_etc($1) - read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) + files_search_pids($1) -+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ++ manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t) ++ manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t) ') #################################### -@@ -176,28 +235,38 @@ interface(`chronyd_read_key_files',` +@@ -176,28 +255,38 @@ interface(`chronyd_read_key_files',` # interface(`chronyd_admin',` gen_require(` @@ -20915,7 +20904,7 @@ index 3023be7..5afde80 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..474a13f 100644 +index c91813c..c3820a5 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) 
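Review bot: `chronyd_manage_pid()` hands the caller manage_files_pattern plus manage_dirs_pattern on chronyd_var_run_t, i.e. create, write, rename and unlink on chronyd's pid file, which is wider than a caller that only looks the pid up in order to signal the daemon needs. Unless the denial behind the logrotate change shows an actual write, a read-only interface is the least-privilege fit: `interface(`chronyd_read_pid_files',` with `read_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)` after `files_search_pids($1)`, keeping the manage variant for a caller that demonstrably writes there. With manage, a fault or compromise in the caller can rewrite the pid that other domains later read and `kill`. The doc line `## Manage pid files used by chronyd` also lacks the trailing period the neighbouring interface descriptions use.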
@@ -21057,9 +21046,10 @@ index c91813c..474a13f 100644 -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; +allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; - allow cupsd_t self:capability2 block_suspend; +-allow cupsd_t self:capability2 block_suspend; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; -allow cupsd_t self:fifo_file rw_fifo_file_perms; ++allow cupsd_t self:capability2 { block_suspend wake_alarm }; +allow cupsd_t self:process { getpgid setpgid setsched }; allow cupsd_t self:unix_stream_socket { accept connectto listen }; allow cupsd_t self:netlink_selinux_socket create_socket_perms; @@ -46294,7 +46284,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..6f39336 100644 +index be0ab84..d46c5e7 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -46522,16 +46512,17 @@ index be0ab84..6f39336 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +247,7 @@ optional_policy(` +@@ -178,7 +247,8 @@ optional_policy(` ') optional_policy(` - chronyd_read_key_files(logrotate_t) + chronyd_read_keys(logrotate_t) ++ chronyd_manage_pid(logrotate_t) ') optional_policy(` -@@ -198,17 +267,18 @@ optional_policy(` +@@ -198,17 +268,18 @@ optional_policy(` ') optional_policy(` @@ -46553,7 +46544,7 @@ index be0ab84..6f39336 100644 ') optional_policy(` -@@ -216,6 +286,14 @@ optional_policy(` +@@ -216,6 +287,14 @@ optional_policy(` ') optional_policy(` @@ -46568,7 +46559,7 @@ index be0ab84..6f39336 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +306,50 @@ optional_policy(` +@@ -228,26 +307,50 @@ optional_policy(` ') optional_policy(` 
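Review bot: `allow cupsd_t self:capability2 { block_suspend wake_alarm };` widens a network-facing daemon's capability set for what is presumably a library timer asking for an alarm clock; if that call falls back cleanly when the capability is absent, `dontaudit cupsd_t self:capability2 wake_alarm;` silences the AVC without giving a print daemon the power to wake a suspended host. The changelog cites no bug or AVC for it, so the denial should be recorded in the commit before allow is chosen over dontaudit. While in this hunk, the untouched `allow cupsd_t self:capability { ... }` line two lines up lists `dac_override` twice and allows `sys_tty_config`, which the next line then dontaudits; dropping the duplicate and removing sys_tty_config from `dontaudit cupsd_t self:capability { sys_tty_config net_admin };` would make the intended capability set readable. The cupsd_t block continues outside the hunk.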
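Review bot: `chronyd_manage_pid(logrotate_t)` gives logrotate create, write and unlink on chronyd's pid file, while a post-rotate action normally only reads the pid to signal the daemon; unless the denial that prompted this shows a write, the call should be a read-only interface (`chronyd_read_pid_files(logrotate_t)`, backed by a read_files_pattern interface in chronyd.if) so a bug in a rotation script cannot clobber the pid other tooling relies on. The changelog names no bugzilla or AVC for this line; recording it would let the next reviewer check the width against the real access. The optional_policy block is complete within the hunk.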
@@ -64341,10 +64332,18 @@ index e403097..45d387d 100644 +userdom_stream_connect(oddjob_mkhomedir_t) + diff --git a/openct.te b/openct.te -index 3b6920e..3e9b17f 100644 +index 3b6920e..577c90b 100644 --- a/openct.te +++ b/openct.te -@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +@@ -21,6 +21,7 @@ files_pid_file(openct_var_run_t) + # + + dontaudit openct_t self:capability sys_tty_config; ++allow openct_t self:capability2 wake_alarm; + allow openct_t self:process signal_perms; + allow openct_t self:netlink_kobject_uevent_socket create_socket_perms; + +@@ -29,12 +30,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) @@ -64359,7 +64358,7 @@ index 3b6920e..3e9b17f 100644 dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) -@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) +@@ -42,15 +43,12 @@ dev_rw_generic_usb_dev(openct_t) domain_use_interactive_fds(openct_t) @@ -94896,7 +94895,7 @@ index 50d07fb..a34db48 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..ca83568 100644 +index 2b7c441..02be6db 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -95529,7 +95528,7 @@ index 2b7c441..ca83568 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +549,48 @@ optional_policy(` +@@ -499,12 +549,52 @@ optional_policy(` udev_read_db(smbd_t) ') 
@@ -95579,7 +95578,11 @@ index 2b7c441..ca83568 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +601,11 @@ allow nmbd_t self:msg { send receive }; ++allow nmbd_t self:capability {net_admin}; + allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow nmbd_t self:fd use; + allow nmbd_t self:fifo_file rw_fifo_file_perms; +@@ -512,9 +602,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -95594,7 +95597,7 @@ index 2b7c441..ca83568 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +617,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +618,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -95619,7 +95622,7 @@ index 2b7c441..ca83568 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +634,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +635,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -95688,7 +95691,7 @@ index 2b7c441..ca83568 100644 ') optional_policy(` -@@ -606,18 +684,29 @@ optional_policy(` +@@ -606,18 +685,29 @@ optional_policy(` ######################################## # @@ -95724,7 +95727,7 @@ index 2b7c441..ca83568 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,39 +716,38 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +717,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) 
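Review bot: `allow nmbd_t self:capability {net_admin};` grants CAP_NET_ADMIN, which covers interface, routing, firewall and promiscuous-mode configuration, to the NetBIOS name daemon on the basis of parity with smbd rather than a recorded denial; if the trigger is a probe ioctl or setsockopt that nmbd tolerates failing, `dontaudit nmbd_t self:capability net_admin;` is the least-privilege choice, the same treatment cupsd_t gets for net_admin elsewhere in this patch. If a real need exists, the commit should name the AVC so the grant can be tied to it. Style: the file writes capability sets as `{ a b }` with inner spaces and a single permission without braces, so this should read `allow nmbd_t self:capability net_admin;`. The nmbd_t policy block continues past the hunk.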
@@ -95776,7 +95779,7 @@ index 2b7c441..ca83568 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +756,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +757,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -95812,7 +95815,7 @@ index 2b7c441..ca83568 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +783,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +784,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -95904,7 +95907,7 @@ index 2b7c441..ca83568 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +862,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +863,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -95928,7 +95931,7 @@ index 2b7c441..ca83568 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +876,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +877,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -95971,7 +95974,7 @@ index 2b7c441..ca83568 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +906,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +907,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -95985,7 +95988,7 @@ index 2b7c441..ca83568 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +929,20 @@ optional_policy(` +@@ -840,17 +930,20 @@ optional_policy(` # Winbind local policy # 
@@ -96011,7 +96014,7 @@ index 2b7c441..ca83568 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +952,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +953,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -96022,7 +96025,7 @@ index 2b7c441..ca83568 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +963,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +964,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -96076,7 +96079,7 @@ index 2b7c441..ca83568 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1006,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1007,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -96135,7 +96138,7 @@ index 2b7c441..ca83568 100644 ') optional_policy(` -@@ -959,31 +1067,36 @@ optional_policy(` +@@ -959,31 +1068,36 @@ optional_policy(` # Winbind helper local policy # @@ -96179,7 +96182,7 @@ index 2b7c441..ca83568 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1110,38 @@ optional_policy(` +@@ -997,25 +1111,38 @@ optional_policy(` ######################################## # @@ -98440,7 +98443,7 @@ index 98c9e0a..562666e 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..7d15afd 100644 +index 299756b..a256f80 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) 
@@ -98551,7 +98554,7 @@ index 299756b..7d15afd 100644 ') optional_policy(` -@@ -117,6 +136,59 @@ optional_policy(` +@@ -117,6 +136,61 @@ optional_policy(` # Reposd local policy # @@ -98563,6 +98566,8 @@ index 299756b..7d15afd 100644 + +logging_send_syslog_msg(sblim_reposd_t) + ++miscfiles_read_certs(sblim_reposd_t) ++ +####################################### +# +# Sfcbd local policy diff --git a/selinux-policy.spec b/selinux-policy.spec index 714f596e..09d7df10 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 222%{?dist} +Release: 223%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,17 @@ exit 0 %endif %changelog +* Mon Nov 07 2016 Lukas Vrabec - 3.13.1-223 +- nmbd_t needs net_admin capability like smbd +- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids +- Add wake_alarm capability2 to openct_t domain +- Allow abrt_t to getattr on nsfs_t files. +- Add cupsd_t domain wake_alarm capability. +- Allow sblim_reposd_t domain to read cert_f files. +- Allow abrt_dump_oops_t to drop capabilities. bz(1391040) +- Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)" +- Allow isnsd_t to accept tcp connections + * Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222 - Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Add named_t domain net_raw capability bz(1389240)
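Review bot: `miscfiles_read_certs(sblim_reposd_t)` is read access to the system certificate store, an appropriately narrow grant presumably for a TLS client path, but the changelog entry describing it, `Allow sblim_reposd_t domain to read cert_f files.`, names a type that does not exist; the interface name suggests cert_t, and the spec and commit message should say so before the build is tagged. A short comment above the call, `# certificate store read; confirm which client path needs it`, would record the reason, since no bug is cited. The sblim_reposd_t block runs beyond this hunk.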