* Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141

- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kprop tcp port.
- Allow lsmd also setuid capability. Some commands need to be executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriptlet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinux users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
Lukas Vrabec 2015-08-10 18:38:57 +02:00
parent d8af5a753a
commit 28b73b2eef
3 changed files with 537 additions and 300 deletions

File diff suppressed because it is too large


@ -7703,7 +7703,7 @@ index f3c0aba..f6e25ed 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4d..12d701e 100644
index 080bc4d..5db6cde 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@ -7741,7 +7741,7 @@ index 080bc4d..12d701e 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +73,36 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@ -7753,6 +7753,8 @@ index 080bc4d..12d701e 100644
corenet_udp_sendrecv_snmp_port(apcupsd_t)
+fs_getattr_xattr_fs(apcupsd_t)
+
+dev_read_sysfs(apcupsd_t)
+
dev_rw_generic_usb_dev(apcupsd_t)
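Review bot: dev_read_sysfs(apcupsd_t) at the second added line grants read on the whole sysfs_t tree, while the changelog entry only names /sys/devices; sysfs carries a single type so there is no narrower interface, but reword the changelog to say sysfs, and add a changelog line for fs_getattr_xattr_fs(apcupsd_t), which this hunk adds without one.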
@ -7770,10 +7772,10 @@ index 080bc4d..12d701e 100644
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+auth_use_nsswitch(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
+auth_use_nsswitch(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
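Review bot: auth_use_nsswitch(apcupsd_t) appears twice in this hunk, once before and once after the miscfiles_read_localization removal; if both copies end up in the regenerated apcupsd.te the second is redundant (m4 will not complain, but it hides what actually changed), so keep only the one next to logging_send_syslog_msg.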
@ -7783,7 +7785,7 @@ index 080bc4d..12d701e 100644
optional_policy(`
hostname_exec(apcupsd_t)
@@ -101,6 +117,11 @@ optional_policy(`
@@ -101,6 +119,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
@ -7795,7 +7797,7 @@ index 080bc4d..12d701e 100644
########################################
#
# CGI local policy
@@ -108,20 +129,20 @@ optional_policy(`
@@ -108,20 +131,20 @@ optional_policy(`
optional_policy(`
apache_content_template(apcupsd_cgi)
@ -12738,10 +12740,10 @@ index 0000000..5955ff0
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143e..d5e0260 100644
index 4e4143e..e20f1b4 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,7 +1,9 @@
@@ -1,8 +1,11 @@
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
@ -12750,8 +12752,10 @@ index 4e4143e..d5e0260 100644
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
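Review bot: labeling /usr/libexec/chrony-helper as chronyd_exec_t makes it a second entrypoint for chronyd_t, so anything that reaches it through the init transition lands in chronyd_t; if chronyd_t itself ever runs the helper it also needs can_exec(chronyd_t, chronyd_exec_t), since the entrypoint rule does not grant execute_no_trans, and if the helper is a script (not visible in this hunk) its interpreter must be executable from chronyd_t as well. State in the changelog who is expected to run the helper.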
diff --git a/chronyd.if b/chronyd.if
index 32e8265..74fd151 100644
--- a/chronyd.if
@ -12923,7 +12927,7 @@ index 32e8265..74fd151 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
index e5b621c..e8b9178 100644
index e5b621c..08ecb52 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -12954,7 +12958,7 @@ index e5b621c..e8b9178 100644
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -76,18 +83,30 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
@@ -76,18 +83,34 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -12968,10 +12972,14 @@ index e5b621c..e8b9178 100644
auth_use_nsswitch(chronyd_t)
+corecmd_exec_bin(chronyd_t)
+
logging_send_syslog_msg(chronyd_t)
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
+
+sysnet_read_dhcpc_state(chronyd_t)
optional_policy(`
gpsd_rw_shm(chronyd_t)
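Review bot: corecmd_exec_bin(chronyd_t) permits execution of every bin_t binary, not just the mkdir the changelog mentions; there is no finer-grained type for mkdir, so this is the available choice, but put a one-line comment above it naming the reason so the grant is not mistaken for leftover debugging later. sysnet_read_dhcpc_state(chronyd_t) matches the 'read dhcpc state' entry and sits in the base rules rather than an optional_policy block, which is fine for a core module interface.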
@ -22180,7 +22188,7 @@ index 62d22cb..f8ab4af 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
diff --git a/dbus.te b/dbus.te
index c9998c8..011faba 100644
index c9998c8..44c6283 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@ -22304,7 +22312,7 @@ index c9998c8..011faba 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
@@ -123,66 +122,166 @@ term_dontaudit_use_console(system_dbusd_t)
@@ -123,66 +122,170 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@ -22357,10 +22365,9 @@ index c9998c8..011faba 100644
+
+optional_policy(`
+ getty_start_services(system_dbusd_t)
')
optional_policy(`
- seutil_sigchld_newrole(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
@ -22381,10 +22388,15 @@ index c9998c8..011faba 100644
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+ snapper_read_inherited_pipe(system_dbusd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`
- seutil_sigchld_newrole(system_dbusd_t)
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
@ -22444,11 +22456,11 @@ index c9998c8..011faba 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+
+########################################
+#
+# session_bus_type rules
@ -22485,7 +22497,7 @@ index c9998c8..011faba 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
@@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type)
@@ -191,23 +294,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@ -22510,7 +22522,7 @@ index c9998c8..011faba 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
@@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type)
@@ -215,7 +313,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@ -22518,7 +22530,7 @@ index c9998c8..011faba 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
@@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type)
@@ -225,18 +322,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@ -22560,7 +22572,7 @@ index c9998c8..011faba 100644
')
########################################
@@ -244,5 +355,9 @@ optional_policy(`
@@ -244,5 +359,9 @@ optional_policy(`
# Unconfined access to this module
#
@ -39410,10 +39422,10 @@ index 0000000..20adcb3
+ ')
+')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd..b9f07ae 100644
index 4fe75fd..f01d946 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -1,52 +1,52 @@
@@ -1,52 +1,54 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@ -39451,25 +39463,33 @@ index 4fe75fd..b9f07ae 100644
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-
+/var/lib/kdcproxy(/.*)? gen_context(system_u:object_r:krb5kdc_var_lib_t,s0)
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
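Review bot: the replacement entries for /var/kerberos/krb5kdc/principal.*\.ok and /var/log/krb5kdc\.log.* drop the `--` regular-file qualifier that the removed lines carried, so the patterns now match directories, symlinks and sockets too; unless lock and log objects of other types are expected there, keep `--` on both. The new /var/lib/kdcproxy(/.*)? entry labeled krb5kdc_var_lib_t matches the type declared in kerberos.te.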
@ -39484,13 +39504,6 @@ index 4fe75fd..b9f07ae 100644
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
+
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
@ -39505,7 +39518,7 @@ index 4fe75fd..b9f07ae 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
index f6c00d8..7b777ab 100644
index f6c00d8..e3cb4f1 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@ -39823,7 +39836,7 @@ index f6c00d8..7b777ab 100644
## </summary>
## <param name="domain">
## <summary>
@@ -278,254 +290,255 @@ interface(`kerberos_read_keytab',`
@@ -278,49 +290,122 @@ interface(`kerberos_read_keytab',`
## </summary>
## </param>
#
@ -39893,31 +39906,23 @@ index f6c00d8..7b777ab 100644
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
+## <param name="role">
## <summary>
-## The name of the object being created.
-## Class of the object being created.
+## The role to be allowed to manage the kerberos domain.
## </summary>
## </param>
+## </summary>
+## </param>
+## <rolecap/>
#
-interface(`kerberos_etc_filetrans_keytab',`
+#
+interface(`kerberos_admin',`
gen_require(`
- type krb5_keytab_t;
+ gen_require(`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
')
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ ')
+
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
@ -39957,6 +39962,33 @@ index f6c00d8..7b777ab 100644
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
+')
+
+########################################
+## <summary>
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
@@ -329,60 +414,63 @@ interface(`kerberos_manage_keytab_files',`
## </summary>
## </param>
#
-interface(`kerberos_etc_filetrans_keytab',`
+interface(`kerberos_tmp_filetrans_host_rcache',`
gen_require(`
- type krb5_keytab_t;
+ type krb5_host_rcache_t;
')
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
@ -39964,7 +39996,7 @@ index f6c00d8..7b777ab 100644
-## Create a derived type for kerberos
-## keytab files.
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
+## to the kadmind_tmp type.
## </summary>
-## <param name="prefix">
+## <param name="domain">
@ -39985,50 +40017,18 @@ index f6c00d8..7b777ab 100644
- refpolicywarn(`$0($*) has been deprecated.')
- kerberos_read_keytab($2)
- kerberos_use($2)
+interface(`kerberos_tmp_filetrans_host_rcache',`
+interface(`kerberos_tmp_filetrans_kadmin',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ type kadmind_tmp_t;
+ ')
+
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
## <summary>
-## Read kerberos kdc configuration files.
+## Type transition files created in /tmp
+## to the kadmind_tmp type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
-interface(`kerberos_read_kdc_config',`
+interface(`kerberos_tmp_filetrans_kadmin',`
gen_require(`
- type krb5kdc_conf_t;
+ type kadmind_tmp_t;
')
- files_search_etc($1)
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
')
########################################
## <summary>
-## Create, read, write, and delete
-## kerberos host rcache files.
-## Read kerberos kdc configuration files.
+## read kerberos homedir content (.k5login)
## </summary>
## <param name="domain">
@ -40038,13 +40038,39 @@ index f6c00d8..7b777ab 100644
## </param>
-## <rolecap/>
#
-interface(`kerberos_manage_host_rcache',`
-interface(`kerberos_read_kdc_config',`
+interface(`kerberos_read_home_content',`
gen_require(`
- type krb5_host_rcache_t;
- type krb5kdc_conf_t;
+ type krb5_home_t;
')
- files_search_etc($1)
- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## kerberos host rcache files.
+## Manage the kerberos kdc /var/lib files
+## and directories.
## </summary>
## <param name="domain">
## <summary>
@@ -391,141 +479,88 @@ interface(`kerberos_read_kdc_config',`
## </param>
## <rolecap/>
#
-interface(`kerberos_manage_host_rcache',`
+interface(`kerberos_manage_kdc_var_lib',`
gen_require(`
- type krb5_host_rcache_t;
+ type krb5kdc_var_lib_t;
')
- domain_obj_id_change_exemption($1)
-
- tunable_policy(`allow_kerberos',`
@ -40057,8 +40083,9 @@ index f6c00d8..7b777ab 100644
- files_search_tmp($1)
- allow $1 krb5_host_rcache_t:file manage_file_perms;
- ')
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
+ files_search_etc($1)
+ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
')
########################################
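Review bot: kerberos_manage_kdc_var_lib() calls files_search_etc($1) before the manage rules on krb5kdc_var_lib_t, but that type lives under /var/lib/kdcproxy per kerberos.fc, so the caller needs files_search_var_lib($1) to reach it; a domain without search on var_lib_t (the useradd_t case the changelog describes) would still be denied before it touches the directory. Replace files_search_etc with files_search_var_lib.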
@ -40139,14 +40166,14 @@ index f6c00d8..7b777ab 100644
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
#
-interface(`kerberos_admin',`
@ -40215,7 +40242,7 @@ index f6c00d8..7b777ab 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
index 8833d59..462e466 100644
index 8833d59..1d0599a 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@ -40234,7 +40261,7 @@ index 8833d59..462e466 100644
type kadmind_t;
type kadmind_exec_t;
@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
@@ -35,23 +35,29 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
@ -40261,12 +40288,14 @@ index 8833d59..462e466 100644
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
+type krb5kdc_var_lib_t;
+files_type(krb5kdc_var_lib_t)
+
+# types for KDC principal file(s)
type krb5kdc_principal_t;
files_type(krb5kdc_principal_t)
@@ -74,28 +78,33 @@ files_pid_file(krb5kdc_var_run_t)
@@ -74,28 +80,33 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
@ -40306,7 +40335,7 @@ index 8833d59..462e466 100644
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
@@ -103,13 +114,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
@ -40325,7 +40354,7 @@ index 8833d59..462e466 100644
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
@@ -119,31 +130,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
@@ -119,31 +132,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
@ -40373,7 +40402,7 @@ index 8833d59..462e466 100644
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
@@ -154,11 +178,16 @@ optional_policy(`
@@ -154,11 +180,16 @@ optional_policy(`
')
optional_policy(`
@ -40390,7 +40419,7 @@ index 8833d59..462e466 100644
')
optional_policy(`
@@ -174,24 +203,27 @@ optional_policy(`
@@ -174,24 +205,27 @@ optional_policy(`
# Krb5kdc local policy
#
@ -40422,17 +40451,19 @@ index 8833d59..462e466 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
@@ -201,71 +233,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
@@ -201,71 +235,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
+manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
-can_exec(krb5kdc_t, krb5kdc_exec_t)
+manage_files_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
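Review bot: krb5kdc_t gets full manage on krb5kdc_var_lib_t here (files and dirs), but the changelog only says /var/lib/kdcproxy must be accessible by useradd_t; if the KDC itself does not write there, drop these two lines or narrow them to read and search, and otherwise state in the changelog why the KDC writes to the kdcproxy directory.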
@ -40514,7 +40545,7 @@ index 8833d59..462e466 100644
')
optional_policy(`
@@ -273,6 +310,10 @@ optional_policy(`
@@ -273,6 +315,10 @@ optional_policy(`
')
optional_policy(`
@ -40525,7 +40556,7 @@ index 8833d59..462e466 100644
udev_read_db(krb5kdc_t)
')
@@ -281,10 +322,12 @@ optional_policy(`
@@ -281,10 +327,12 @@ optional_policy(`
# kpropd local policy
#
@ -40541,7 +40572,7 @@ index 8833d59..462e466 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
@@ -301,27 +344,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
@@ -301,27 +349,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
@ -40558,6 +40589,7 @@ index 8833d59..462e466 100644
-corenet_sendrecv_kprop_server_packets(kpropd_t)
corenet_tcp_bind_kprop_port(kpropd_t)
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
+corenet_tcp_connect_kprop_port(kpropd_t)
dev_read_urand(kpropd_t)
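Review bot: corenet_tcp_connect_kprop_port(kpropd_t) makes kpropd a client on the same port it binds a few lines above, which is what incremental propagation needs (a slave's kpropd polls the master over the iprop port, 754 by default), but a daemon that both listens and connects on one port reads oddly, so add a one-line comment saying this is the iprop client side.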
@ -43365,7 +43397,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
index be0ab84..ce57aac 100644
index be0ab84..08c168f 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -43487,7 +43519,7 @@ index be0ab84..ce57aac 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -95,6 +123,8 @@ mls_process_write_to_clearance(logrotate_t)
@@ -95,32 +123,51 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@ -43496,7 +43528,9 @@ index be0ab84..ce57aac 100644
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
@@ -103,24 +133,40 @@ init_all_labeled_script_domtrans(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_reload_services(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
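Review bot: init_reload_services(logrotate_t) lets logrotate reload every systemd unit, not only the services whose logs it rotates; that is the realistic scope, since postrotate scripts reload arbitrary daemons, but it also means the integrity of the logrotate configuration now decides which units can be reloaded, so note the breadth in the changelog entry rather than just 'reload services'.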
@ -43543,7 +43577,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
@@ -135,16 +181,17 @@ optional_policy(`
@@ -135,16 +182,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@ -43563,7 +43597,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
@@ -170,6 +217,11 @@ optional_policy(`
@@ -170,6 +218,11 @@ optional_policy(`
')
optional_policy(`
@ -43575,7 +43609,7 @@ index be0ab84..ce57aac 100644
fail2ban_stream_connect(logrotate_t)
')
@@ -178,7 +230,7 @@ optional_policy(`
@@ -178,7 +231,7 @@ optional_policy(`
')
optional_policy(`
@ -43584,7 +43618,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
@@ -198,17 +250,18 @@ optional_policy(`
@@ -198,17 +251,18 @@ optional_policy(`
')
optional_policy(`
@ -43606,7 +43640,7 @@ index be0ab84..ce57aac 100644
')
optional_policy(`
@@ -216,6 +269,14 @@ optional_policy(`
@@ -216,6 +270,14 @@ optional_policy(`
')
optional_policy(`
@ -43621,7 +43655,7 @@ index be0ab84..ce57aac 100644
samba_exec_log(logrotate_t)
')
@@ -228,26 +289,43 @@ optional_policy(`
@@ -228,26 +290,43 @@ optional_policy(`
')
optional_policy(`
@ -44249,7 +44283,7 @@ index d314333..27ede09 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
index 4ec0eea..022172c 100644
index 4ec0eea..996fdc8 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@ -44266,7 +44300,7 @@ index 4ec0eea..022172c 100644
type lsmd_t;
type lsmd_exec_t;
@@ -12,6 +19,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
@ -44284,6 +44318,13 @@ index 4ec0eea..022172c 100644
########################################
#
# Local policy
#
-allow lsmd_t self:capability setgid;
+allow lsmd_t self:capability { setuid setgid };
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
@@ -26,4 +44,67 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
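Review bot: the changelog explains that setuid is needed because lsmd runs some commands as root and others as an unprivileged user, but the .te line `allow lsmd_t self:capability { setuid setgid };` carries no such comment; put that explanation above the rule so the capability grant can be rechecked later, since setuid is what lets the daemon change identity in either direction.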
@ -61205,10 +61246,10 @@ index 0000000..598789a
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
index 0000000..51acfae
index 0000000..ade6576
--- /dev/null
+++ b/openhpid.te
@@ -0,0 +1,47 @@
@@ -0,0 +1,52 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
@ -61254,8 +61295,13 @@ index 0000000..51acfae
+corenet_tcp_bind_openhpid_port(openhpid_t)
+
+dev_read_urand(openhpid_t)
+dev_rw_watchdog(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
+
+miscfiles_read_generic_certs(openhpid_t)
+
+sysnet_read_config(openhpid_t)
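Review bot: dev_rw_watchdog(openhpid_t) relies on the new interface the changelog announces ('Add interface to read/write watchdog device'), and that interface is not in any hunk shown here (the large file diff is suppressed); confirm it lands in the same commit or the build fails on an undefined macro. Write access to the watchdog device also means openhpid can arm, or fail to feed, the hardware watchdog and so force a reset, which deserves a comment next to the rule. sysnet_read_config covers more than resolv.conf (hosts and network config too), which is the standard interface for this and fine.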
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
index 0000000..30ca148
@ -79848,10 +79894,10 @@ index 951db7f..04b6dde 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
index c99753f..0d4e845 100644
index c99753f..f6bd1c6 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,92 @@ role mdadm_roles types mdadm_t;
@@ -15,54 +15,100 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
@ -79862,7 +79908,10 @@ index c99753f..0d4e845 100644
+systemd_unit_file(mdadm_unit_file_t)
+
+type mdadm_tmp_t;
+files_tmpfs_file(mdadm_tmp_t)
+files_tmp_file(mdadm_tmp_t)
+
+type mdadm_tmpfs_t;
+files_tmpfs_file(mdadm_tmpfs_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
@ -79891,6 +79940,10 @@ index c99753f..0d4e845 100644
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
+
+manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, { dir file })
manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
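Review bot: files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) only transitions files, while the two lines above grant manage on mdadm_tmp_t directories as well; a directory mdadm creates under /tmp will get tmp_t and the dir rule never applies. Use { file dir } as the tmpfs block right below does with fs_tmpfs_filetrans.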
@ -79935,6 +79988,7 @@ index c99753f..0d4e845 100644
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
+dev_read_urand(mdadm_t)
+dev_read_rand(mdadm_t)
+
+domain_read_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
@ -79953,7 +80007,7 @@ index c99753f..0d4e845 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -71,15 +109,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
@@ -71,15 +117,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@ -79977,7 +80031,7 @@ index c99753f..0d4e845 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -90,17 +135,38 @@ optional_policy(`
@@ -90,17 +143,38 @@ optional_policy(`
')
optional_policy(`
@ -92507,14 +92561,16 @@ index 0000000..a3319b0
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
+
diff --git a/sanlock.fc b/sanlock.fc
index 3df2a0f..9059165 100644
index 3df2a0f..4eb82b8 100644
--- a/sanlock.fc
+++ b/sanlock.fc
@@ -1,7 +1,10 @@
@@ -1,7 +1,12 @@
+
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+/etc/sanlock(/.*)? gen_context(system_u:object_r:sanlock_conf_t,s0)
+
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
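Review bot: sanlock.fc now begins with an empty line (the bare `+` at the top of the hunk); file contexts files do not need it, so drop it while touching this hunk. The new /etc/sanlock(/.*)? entry is labeled sanlock_conf_t, matching the type added in sanlock.te.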
@ -92661,10 +92717,10 @@ index cd6c213..82a5ff0 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
index 0045465..61da47f 100644
index 0045465..2059657 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
@@ -6,25 +6,33 @@ policy_module(sanlock, 1.1.0)
#
## <desc>
@ -92699,7 +92755,14 @@ index 0045465..61da47f 100644
type sanlock_t;
type sanlock_exec_t;
init_daemon_domain(sanlock_t, sanlock_exec_t)
@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t)
+type sanlock_conf_t;
+files_config_file(sanlock_conf_t)
+
type sanlock_var_run_t;
files_pid_file(sanlock_var_run_t)
@@ -34,6 +42,9 @@ logging_log_file(sanlock_log_t)
type sanlock_initrc_exec_t;
init_script_file(sanlock_initrc_exec_t)
@ -92709,7 +92772,7 @@ index 0045465..61da47f 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')
@@ -44,17 +52,15 @@ ifdef(`enable_mls',`
@@ -44,17 +55,18 @@ ifdef(`enable_mls',`
########################################
#
@ -92723,6 +92786,9 @@ index 0045465..61da47f 100644
allow sanlock_t self:fifo_file rw_fifo_file_perms;
-allow sanlock_t self:unix_stream_socket { accept listen };
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
@ -92731,7 +92797,7 @@ index 0045465..61da47f 100644
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
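Review bot: manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) lets the daemon create directories under /etc, but nothing here adds a files_etc_filetrans(sanlock_t, sanlock_conf_t, dir, "sanlock"), so an /etc/sanlock the daemon creates itself is labeled etc_t and the new rules never apply to it until a relabel. Full manage on its own configuration type also means a compromised sanlock can rewrite what it reads at next start; if only runtime state is written there, say so in the changelog, otherwise consider a separate type for the writable part.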
@@ -65,13 +71,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
@@ -65,13 +77,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
kernel_read_kernel_sysctls(sanlock_t)
@ -92751,7 +92817,7 @@ index 0045465..61da47f 100644
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
@@ -79,20 +88,29 @@ init_dontaudit_write_utmp(sanlock_t)
@@ -79,20 +94,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
@ -92790,7 +92856,7 @@ index 0045465..61da47f 100644
')
optional_policy(`
@@ -100,7 +118,10 @@ optional_policy(`
@@ -100,7 +124,10 @@ optional_policy(`
')
optional_policy(`
@ -96334,10 +96400,10 @@ index 0000000..4f4bdb3
+/home/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
index 0000000..5a3cb30
index 0000000..ed76979
--- /dev/null
+++ b/snapper.if
@@ -0,0 +1,62 @@
@@ -0,0 +1,80 @@
+
+## <summary>policy for snapperd</summary>
+
@ -96381,6 +96447,24 @@ index 0000000..5a3cb30
+ allow snapperd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow a domain to read inherited snapper pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_read_inherited_pipe',`
+ gen_require(`
+ type snapperd_t;
+ ')
+
+ allow $1 snapperd_t:fifo_file read_inherited_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to create .smapshot
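Review bot: read_inherited_file_perms on snapperd_t:fifo_file matches the "one way only" intent in the changelog, since it carries no write permission, so a caller can only consume the pipe snapperd hands over; that restriction belongs in the interface summary, because "read inherited snapper pipe" alone does not say the pipe is received over dbus or that the caller cannot write back. Also, the context line directly below the new interface still reads ".smapshot" where ".snapshots" is meant (the snapper.fc entry above uses \.snapshots), which is an easy fix to fold into this change.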
@ -101164,7 +101248,7 @@ index 0000000..a6e216c
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
index 0000000..a2cb50c
index 0000000..6768bda
--- /dev/null
+++ b/targetd.te
@@ -0,0 +1,62 @@
@ -101214,8 +101298,8 @@ index 0000000..a2cb50c
+
+libs_exec_ldconfig(targetd_t)
+
+storage_getattr_fixed_disk_dev(targetd_t)
+storage_getattr_removable_dev(targetd_t)
+storage_raw_read_fixed_disk(targetd_t)
+storage_raw_read_removable_device(targetd_t)
+
+sysnet_read_config(targetd_t)
+
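Review bot: storage_raw_read_fixed_disk(targetd_t) and storage_raw_read_removable_device(targetd_t) grant raw read of whole block devices (every fixed and removable disk on the host, not only the volumes targetd exports), which is a far larger exposure than the two getattr interfaces next to them; if targetd only needs to size or identify devices, the getattr rules suffice, and if raw reads are genuinely required the justification (which operation fails without them and the AVC seen) should be recorded in the changelog, which currently has no targetd entry at all. Because this outer hunk is an 8-for-8 replacement, the rendered view does not show which of these lines are new, so please say which rules this commit adds.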


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 140%{?dist}
Release: 141%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -647,6 +647,37 @@ exit 0
%endif
%changelog
* Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
* Wed Aug 05 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-140
- firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service
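Review bot: the entries 'Revert "Allow grubby to manage and create /run/blkid with correct labeling"' and 'Allow grubby to manage and create /run/blkid with correct labeling' sit back to back and cancel each other out for the reader; either drop both or keep only the one describing the final state, and since the fstools_filetrans_named_content_fsadm() entry that follows suggests the grubby rule was replaced by a filetrans, say that instead. Spelling in the same hunk: "kropd" (kpropd), "SELinu" (SELinux), "scriplet" (scriptlet), "need to executed" (need to be executed), and please confirm the device node is really spelled memory_bandwith before the fc entry is labelled with that name, because a file context that does not match the actual path silently never applies.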