rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Mon Nov 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223

Browse Source 
- nmbd_t needs net_admin capability like smbd
- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids
- Add wake_alarm capability2 to openct_t domain
- Allow abrt_t to getattr on nsfs_t files.
- Add cupsd_t domain wake_alarm capability.
- Allow sblim_reposd_t domain to read cert_f files.
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)"
- Allow isnsd_t to accept tcp connections
This commit is contained in:
Lukas Vrabec 2016-11-07 23:00:09 +01:00
parent 4011be7374
commit 25e7924958
3 changed files with 100 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
container-selinux.tgz
View File

Binary file not shown.

171
policy-rawhide-contrib.patch
View File

@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index eb50f07..3a70d84 100644 index eb50f07..d53d1e0 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -805,7 +805,7 @@ index eb50f07..3a70d84 100644
domain_getattr_all_domains(abrt_t) domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t) domain_read_all_domains_state(abrt_t)
@@ -176,29 +198,43 @@ files_getattr_all_files(abrt_t) @@ -176,29 +198,44 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t) files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t) files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t) files_read_var_symlinks(abrt_t)
@ -829,6 +829,7 @@ index eb50f07..3a70d84 100644
fs_read_nfs_files(abrt_t) fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t) fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t) fs_search_all(abrt_t)
+fs_getattr_nsfs_files(abrt_t)
-auth_use_nsswitch(abrt_t) -auth_use_nsswitch(abrt_t)
+storage_dontaudit_read_fixed_disk(abrt_t) +storage_dontaudit_read_fixed_disk(abrt_t)
@ -852,7 +853,7 @@ index eb50f07..3a70d84 100644
tunable_policy(`abrt_anon_write',` tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t) miscfiles_manage_public_files(abrt_t)
@@ -206,15 +242,11 @@ tunable_policy(`abrt_anon_write',` @@ -206,15 +243,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(` optional_policy(`
apache_list_modules(abrt_t) apache_list_modules(abrt_t)
@ -869,7 +870,7 @@ index eb50f07..3a70d84 100644
') ')
optional_policy(` optional_policy(`
@@ -222,6 +254,32 @@ optional_policy(` @@ -222,6 +255,32 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -902,7 +903,7 @@ index eb50f07..3a70d84 100644
policykit_domtrans_auth(abrt_t) policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t) policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t) policykit_read_reload(abrt_t)
@@ -234,15 +292,22 @@ optional_policy(` @@ -234,15 +293,22 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -925,7 +926,7 @@ index eb50f07..3a70d84 100644
optional_policy(` optional_policy(`
sendmail_domtrans(abrt_t) sendmail_domtrans(abrt_t)
') ')
@@ -253,9 +318,21 @@ optional_policy(` @@ -253,9 +319,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t) sosreport_delete_tmp_files(abrt_t)
') ')
@ -948,7 +949,7 @@ index eb50f07..3a70d84 100644
# #
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +343,13 @@ tunable_policy(`abrt_handle_event',` @@ -266,9 +344,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t) can_exec(abrt_t, abrt_handle_event_exec_t)
') ')
@ -963,7 +964,7 @@ index eb50f07..3a70d84 100644
# #
allow abrt_helper_t self:capability { chown setgid sys_nice }; allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +362,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) @@ -281,6 +363,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -971,7 +972,7 @@ index eb50f07..3a70d84 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +371,20 @@ corecmd_read_all_executables(abrt_helper_t) @@ -289,15 +372,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t)
@ -992,7 +993,7 @@ index eb50f07..3a70d84 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +392,25 @@ ifdef(`hide_broken_symptoms',` @@ -305,11 +393,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -1019,7 +1020,7 @@ index eb50f07..3a70d84 100644
# #
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +428,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) @@ -327,10 +429,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t)
@ -1033,7 +1034,7 @@ index eb50f07..3a70d84 100644
optional_policy(` optional_policy(`
rpm_exec(abrt_retrace_coredump_t) rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +446,11 @@ optional_policy(` @@ -343,10 +447,11 @@ optional_policy(`
####################################### #######################################
# #
@ -1047,7 +1048,7 @@ index eb50f07..3a70d84 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +469,79 @@ corecmd_exec_shell(abrt_retrace_worker_t) @@ -365,38 +470,79 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t)
@ -1131,7 +1132,7 @@ index eb50f07..3a70d84 100644
####################################### #######################################
# #
@@ -404,25 +549,60 @@ logging_read_generic_logs(abrt_dump_oops_t) @@ -404,25 +550,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
# #
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1194,7 +1195,7 @@ index eb50f07..3a70d84 100644
') ')
####################################### #######################################
@@ -430,10 +610,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` @@ -430,10 +611,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy # Global local policy
# #
@ -13375,7 +13376,7 @@ index 4e4143e..f03dba0 100644
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/chronyd.if b/chronyd.if diff --git a/chronyd.if b/chronyd.if
index 32e8265..c5a2913 100644 index 32e8265..ac74503 100644
--- a/chronyd.if --- a/chronyd.if
+++ b/chronyd.if +++ b/chronyd.if
@@ -57,6 +57,24 @@ interface(`chronyd_exec',` @@ -57,6 +57,24 @@ interface(`chronyd_exec',`
@ -13403,45 +13404,38 @@ index 32e8265..c5a2913 100644
##################################### #####################################
## <summary> ## <summary>
## Read chronyd log files. ## Read chronyd log files.
@@ -100,8 +118,7 @@ interface(`chronyd_rw_shm',` @@ -100,8 +118,25 @@ interface(`chronyd_rw_shm',`
######################################## ########################################
## <summary> ## <summary>
-## Connect to chronyd using a unix -## Connect to chronyd using a unix
-## domain stream socket. -## domain stream socket.
+## Read chronyd keys files. +## Read chronyd keys files.
## </summary> +## </summary>
## <param name="domain"> +## <param name="domain">
## <summary> +## <summary>
@@ -109,19 +126,17 @@ interface(`chronyd_rw_shm',` +## Domain allowed access.
## </summary> +## </summary>
## </param> +## </param>
# +#
-interface(`chronyd_stream_connect',`
+interface(`chronyd_read_keys',` +interface(`chronyd_read_keys',`
gen_require(` + gen_require(`
- type chronyd_t, chronyd_var_run_t;
+ type chronyd_keys_t; + type chronyd_keys_t;
') + ')
+
- files_search_pids($1)
- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) + read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
') +')
+
######################################## +########################################
## <summary> +## <summary>
-## Send to chronyd using a unix domain
-## datagram socket.
+## Append chronyd keys files. +## Append chronyd keys files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -129,18 +144,62 @@ interface(`chronyd_stream_connect',` @@ -109,6 +144,49 @@ interface(`chronyd_rw_shm',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`chronyd_dgram_send',`
+interface(`chronyd_append_keys',` +interface(`chronyd_append_keys',`
+ gen_require(` + gen_require(`
+ type chronyd_keys_t; + type chronyd_keys_t;
@ -13485,43 +13479,38 @@ index 32e8265..c5a2913 100644
+## </summary> +## </summary>
+## </param> +## </param>
+# +#
+interface(`chronyd_stream_connect',` interface(`chronyd_stream_connect',`
gen_require(` gen_require(`
type chronyd_t, chronyd_var_run_t; type chronyd_t, chronyd_var_run_t;
') @@ -140,7 +218,7 @@ interface(`chronyd_dgram_send',`
files_search_pids($1)
- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
######################################## ########################################
## <summary> ## <summary>
-## Read chronyd key files. -## Read chronyd key files.
+## Send to chronyd using a unix domain +## Manage pid files used by chronyd
+## datagram socket.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -148,13 +207,13 @@ interface(`chronyd_dgram_send',` @@ -148,13 +226,14 @@ interface(`chronyd_dgram_send',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`chronyd_read_key_files',` -interface(`chronyd_read_key_files',`
+interface(`chronyd_dgram_send',` +interface(`chronyd_manage_pid',`
gen_require(` gen_require(`
- type chronyd_keys_t; - type chronyd_keys_t;
+ type chronyd_t, chronyd_var_run_t; + type chronyd_var_run_t;
') ')
- files_search_etc($1) - files_search_etc($1)
- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) - read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ files_search_pids($1) + files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) + manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
+ manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
') ')
#################################### ####################################
@@ -176,28 +235,38 @@ interface(`chronyd_read_key_files',` @@ -176,28 +255,38 @@ interface(`chronyd_read_key_files',`
# #
interface(`chronyd_admin',` interface(`chronyd_admin',`
gen_require(` gen_require(`
@ -20915,7 +20904,7 @@ index 3023be7..5afde80 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
') ')
diff --git a/cups.te b/cups.te diff --git a/cups.te b/cups.te
index c91813c..474a13f 100644 index c91813c..c3820a5 100644
--- a/cups.te --- a/cups.te
+++ b/cups.te +++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -21057,9 +21046,10 @@ index c91813c..474a13f 100644
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; +allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin }; dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:capability2 block_suspend; -allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
+allow cupsd_t self:process { getpgid setpgid setsched }; +allow cupsd_t self:process { getpgid setpgid setsched };
allow cupsd_t self:unix_stream_socket { accept connectto listen }; allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms;
@ -46294,7 +46284,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
diff --git a/logrotate.te b/logrotate.te diff --git a/logrotate.te b/logrotate.te
index be0ab84..6f39336 100644 index be0ab84..d46c5e7 100644
--- a/logrotate.te --- a/logrotate.te
+++ b/logrotate.te +++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@ -46522,16 +46512,17 @@ index be0ab84..6f39336 100644
fail2ban_stream_connect(logrotate_t) fail2ban_stream_connect(logrotate_t)
') ')
@@ -178,7 +247,7 @@ optional_policy(` @@ -178,7 +247,8 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
- chronyd_read_key_files(logrotate_t) - chronyd_read_key_files(logrotate_t)
+ chronyd_read_keys(logrotate_t) + chronyd_read_keys(logrotate_t)
+ chronyd_manage_pid(logrotate_t)
') ')
optional_policy(` optional_policy(`
@@ -198,17 +267,18 @@ optional_policy(` @@ -198,17 +268,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -46553,7 +46544,7 @@ index be0ab84..6f39336 100644
') ')
optional_policy(` optional_policy(`
@@ -216,6 +286,14 @@ optional_policy(` @@ -216,6 +287,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -46568,7 +46559,7 @@ index be0ab84..6f39336 100644
samba_exec_log(logrotate_t) samba_exec_log(logrotate_t)
') ')
@@ -228,26 +306,50 @@ optional_policy(` @@ -228,26 +307,50 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -64341,10 +64332,18 @@ index e403097..45d387d 100644
+userdom_stream_connect(oddjob_mkhomedir_t) +userdom_stream_connect(oddjob_mkhomedir_t)
+ +
diff --git a/openct.te b/openct.te diff --git a/openct.te b/openct.te
index 3b6920e..3e9b17f 100644 index 3b6920e..577c90b 100644
--- a/openct.te --- a/openct.te
+++ b/openct.te +++ b/openct.te
@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) @@ -21,6 +21,7 @@ files_pid_file(openct_var_run_t)
#
dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:capability2 wake_alarm;
allow openct_t self:process signal_perms;
allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -29,12 +30,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
@ -64359,7 +64358,7 @@ index 3b6920e..3e9b17f 100644
dev_read_sysfs(openct_t) dev_read_sysfs(openct_t)
dev_rw_usbfs(openct_t) dev_rw_usbfs(openct_t)
dev_rw_smartcard(openct_t) dev_rw_smartcard(openct_t)
@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) @@ -42,15 +43,12 @@ dev_rw_generic_usb_dev(openct_t)
domain_use_interactive_fds(openct_t) domain_use_interactive_fds(openct_t)
@ -94896,7 +94895,7 @@ index 50d07fb..a34db48 100644
+ allow $1 samba_unit_file_t:service all_service_perms; + allow $1 samba_unit_file_t:service all_service_perms;
') ')
diff --git a/samba.te b/samba.te diff --git a/samba.te b/samba.te
index 2b7c441..ca83568 100644 index 2b7c441..02be6db 100644
--- a/samba.te --- a/samba.te
+++ b/samba.te +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -95529,7 +95528,7 @@ index 2b7c441..ca83568 100644
rpc_search_nfs_state_data(smbd_t) rpc_search_nfs_state_data(smbd_t)
') ')
@@ -499,9 +549,48 @@ optional_policy(` @@ -499,12 +549,52 @@ optional_policy(`
udev_read_db(smbd_t) udev_read_db(smbd_t)
') ')
@ -95579,7 +95578,11 @@ index 2b7c441..ca83568 100644
# #
dontaudit nmbd_t self:capability sys_tty_config; dontaudit nmbd_t self:capability sys_tty_config;
@@ -512,9 +601,11 @@ allow nmbd_t self:msg { send receive }; +allow nmbd_t self:capability {net_admin};
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
@@ -512,9 +602,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms; allow nmbd_t self:shm create_shm_perms;
@ -95594,7 +95597,7 @@ index 2b7c441..ca83568 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
@@ -526,20 +617,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) @@ -526,20 +618,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -95619,7 +95622,7 @@ index 2b7c441..ca83568 100644
kernel_getattr_core_if(nmbd_t) kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t) kernel_getattr_message_if(nmbd_t)
@@ -547,53 +634,44 @@ kernel_read_kernel_sysctls(nmbd_t) @@ -547,53 +635,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t) kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t) kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t) kernel_read_system_state(nmbd_t)
@ -95688,7 +95691,7 @@ index 2b7c441..ca83568 100644
') ')
optional_policy(` optional_policy(`
@@ -606,18 +684,29 @@ optional_policy(` @@ -606,18 +685,29 @@ optional_policy(`
######################################## ########################################
# #
@ -95724,7 +95727,7 @@ index 2b7c441..ca83568 100644
samba_read_config(smbcontrol_t) samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t) samba_search_var(smbcontrol_t)
@@ -627,39 +716,38 @@ domain_use_interactive_fds(smbcontrol_t) @@ -627,39 +717,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t) dev_read_urand(smbcontrol_t)
@ -95776,7 +95779,7 @@ index 2b7c441..ca83568 100644
allow smbmount_t samba_secrets_t:file manage_file_perms; allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -668,26 +756,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) @@ -668,26 +757,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -95812,7 +95815,7 @@ index 2b7c441..ca83568 100644
fs_getattr_cifs(smbmount_t) fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t) fs_mount_cifs(smbmount_t)
@@ -699,58 +783,77 @@ fs_read_cifs_files(smbmount_t) @@ -699,58 +784,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t) storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t)
@ -95904,7 +95907,7 @@ index 2b7c441..ca83568 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -759,17 +862,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) @@ -759,17 +863,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file) files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -95928,7 +95931,7 @@ index 2b7c441..ca83568 100644
kernel_read_kernel_sysctls(swat_t) kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t) kernel_read_system_state(swat_t)
@@ -777,36 +876,25 @@ kernel_read_network_state(swat_t) @@ -777,36 +877,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t) corecmd_search_bin(swat_t)
@ -95971,7 +95974,7 @@ index 2b7c441..ca83568 100644
auth_domtrans_chk_passwd(swat_t) auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t) auth_use_nsswitch(swat_t)
@@ -818,10 +906,11 @@ logging_send_syslog_msg(swat_t) @@ -818,10 +907,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t) logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t) logging_search_logs(swat_t)
@ -95985,7 +95988,7 @@ index 2b7c441..ca83568 100644
optional_policy(` optional_policy(`
cups_read_rw_config(swat_t) cups_read_rw_config(swat_t)
cups_stream_connect(swat_t) cups_stream_connect(swat_t)
@@ -840,17 +929,20 @@ optional_policy(` @@ -840,17 +930,20 @@ optional_policy(`
# Winbind local policy # Winbind local policy
# #
@ -96011,7 +96014,7 @@ index 2b7c441..ca83568 100644
allow winbind_t samba_etc_t:dir list_dir_perms; allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -860,9 +952,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) @@ -860,9 +953,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -96022,7 +96025,7 @@ index 2b7c441..ca83568 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -873,38 +963,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") @@ -873,38 +964,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@ -96076,7 +96079,7 @@ index 2b7c441..ca83568 100644
corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,38 +1006,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) @@ -912,38 +1007,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t) dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t) dev_read_urand(winbind_t)
@ -96135,7 +96138,7 @@ index 2b7c441..ca83568 100644
') ')
optional_policy(` optional_policy(`
@@ -959,31 +1067,36 @@ optional_policy(` @@ -959,31 +1068,36 @@ optional_policy(`
# Winbind helper local policy # Winbind helper local policy
# #
@ -96179,7 +96182,7 @@ index 2b7c441..ca83568 100644
optional_policy(` optional_policy(`
apache_append_log(winbind_helper_t) apache_append_log(winbind_helper_t)
@@ -997,25 +1110,38 @@ optional_policy(` @@ -997,25 +1111,38 @@ optional_policy(`
######################################## ########################################
# #
@ -98440,7 +98443,7 @@ index 98c9e0a..562666e 100644
files_search_pids($1) files_search_pids($1)
admin_pattern($1, sblim_var_run_t) admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te diff --git a/sblim.te b/sblim.te
index 299756b..7d15afd 100644 index 299756b..a256f80 100644
--- a/sblim.te --- a/sblim.te
+++ b/sblim.te +++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -98551,7 +98554,7 @@ index 299756b..7d15afd 100644
') ')
optional_policy(` optional_policy(`
@@ -117,6 +136,59 @@ optional_policy(` @@ -117,6 +136,61 @@ optional_policy(`
# Reposd local policy # Reposd local policy
# #
@ -98563,6 +98566,8 @@ index 299756b..7d15afd 100644
+ +
+logging_send_syslog_msg(sblim_reposd_t) +logging_send_syslog_msg(sblim_reposd_t)
+ +
+miscfiles_read_certs(sblim_reposd_t)
+
+####################################### +#######################################
+# +#
+# Sfcbd local policy +# Sfcbd local policy

13
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 222%{?dist} Release: 223%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -675,6 +675,17 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Nov 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223
- nmbd_t needs net_admin capability like smbd
- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids
- Add wake_alarm capability2 to openct_t domain
- Allow abrt_t to getattr on nsfs_t files.
- Add cupsd_t domain wake_alarm capability.
- Allow sblim_reposd_t domain to read cert_f files.
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)"
- Allow isnsd_t to accept tcp connections
* Wed Nov 02 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-222 * Wed Nov 02 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-222
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Add named_t domain net_raw capability bz(1389240) - Add named_t domain net_raw capability bz(1389240)