From 2bb5c83b3d0395399f78a73eb90307190882aa7b Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 2 Nov 2016 18:02:58 +0100 Subject: [PATCH] * Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222 - Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Add named_t domain net_raw capability bz(1389240) - Allow geoclue to read system info. bz(1389320) - Make openfortivpn_t as init_daemon_domain. bz(1159899) - Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487) - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Add interface lldpad_relabel_tmpfs - Merge pull request #155 from rhatdan/sandbox_nfs - Add pcscd_t wake_alarm capability2 - Allow sandbox domains to mount fuse file systems - Add boolean to allow sandbox domains to mount nfs - Allow hypervvssd_t to read all dirs. - Allow isnsd_t to connect to isns_port_t - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. - Make tor_var_lib_t and tor_var_log_t as mountpoints. - Allow systemd-rfkill to write to /proc/kmsg bz(1388669) - Allow init_t to relabel /dev/shm/lldpad.state - Merge pull request #168 from rhatdan/docker - Label tcp 51954 as isns_port_t - Lots of new domains like OCID and RKT are user container processes --- container-selinux.tgz | Bin 4870 -> 4908 bytes policy-rawhide-base.patch | 145 ++++++++++++++++++----------------- policy-rawhide-contrib.patch | 132 ++++++++++++++++++++----------- selinux-policy.spec | 25 +++++- 4 files changed, 189 insertions(+), 113 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 09d36e2b38b4ca0d722f9178c34b1581ec22d757..ba6d48af6723da707edef918381b2f8a3bfee702 100644 GIT binary patch delta 4881 zcmV+s6YlJWCaflZABzY84;&g;00Zq^>yO*G5zp84Um+w1WcQHlBS~|>=GvmT>xX_Q zdT8%kuT^DdSQV z>`2!&T<_n%!_S-VesisV!u9t0=Kb4eH*bOF-OYP=^6dJ5=Ixv7n`goGu_~lr4P{Xs z1kbX&I$D$1N;mcVfAm_tcoBS0n>>%|$KURaqKGEG>&5Rs$s< z#TGs*$D^A`)|BV zP25?!4icz-%*r|?bcUqQT#}CBm{5*(Hc!M-C{QgQ0pCS6l6JD?%oC4z}%?MQmOKRRD3yG7OhsX^=|8rDC z+u=g;H0D^&t9CTqCgBg!ZVF>+!W>mg8hh}6DVYLVKcZ4QPB%K#o187XpO6B@j zkT*pKBhtD8O6hgSBeLA5Y!^g8*f5YVOXGmIzH=Tx-6371>A|W_@30)C{DK`iK$f)# zu@(k=bj5j7$_>}VLMW)bV=kpRMG4+8<=JMe%3jverZvm&_>-|9u{m70N%#e*2t% z)s3x*NIEEXP10iPRjhf6C>`hRo*O5K%iGo_!8dQ1N=}$jCk(Gm6F;$w( zTQ|TLwkRBcqB9I)4rIK!xZ6ibeYZ#e%GnX4(8gT9`;jt|$1Ix_dHOJZ))Xn@;_o_2 zU?0yQTQ{WuuRxQC10H|XSp`F^E^!7-1ke_7 zv!Wsi?(5WKVCN)U)q;K6eD!;t4Gc^g|v9Y$f{{(i{pi2nN#ZPs@ru&RxQT z0lrn7!OVDLLt(J7N3I@mF7$<}X2?La3Aw8nMakkr6cm0MpkIynS{Fe9tfDM&PDqGqNocT1w~ zO3LWcfZQHm5VIz<%*FDy4D@8qCl6s?eNh*+K_!T_-g{%x*L?36x0eZj3=2%_w7>oI zLstNO$~}Kq#ooP#w5YJ*!?&lzZEiz_P*<+SMa${HCg%}gcZ}9r3xwUaJ?QSc_8P&qbYgQ4wuqv}Oe&i!udHK?< z2XDJzYDeWldp;2bc)4`+CX5=klc^V@5DtI%#8OmvedlBmafY6@(3*T;{*Z<=x_#J2 zq`7~i4ox09l3rI*@a~R-@`W^nBN(be&QI6o;jN!b%hL8oA zoUowPk5viH6_#pBrL@1?jDhcUnUOfEt|osa-&J?tL`RqDC+I{}zAH)ehE}Zvb;=-7 ztpiiH+g!adr!fa;unDC-b|4v(L zhMSWXvG+IkY&(CBTJ^W2Y(}e@SC5=)tm?L_)bZM3i-ovQ%&xb~H$Ob(l<#Yx{iA>U zD$01`!v-C2EoAYv*Jy0Jn0i>hiI{}axs{1jAW&D!1BN-8jcj#`N|MYPu2 z(AxN5_q_@>QAP>0$7YH`F=>RR9$ywfn>j6~KDDx@c#cF8k-RKIp`6bRCArRw2(FMe z>t91ydE;GFZ28li$6`!yEfboIo*XM(ZA*5%buP6uLdk@Vu;vZ|Rn$Yd2$z4SFAs5V zBtktzGp6?vqB97hw@Y&e`&*aiy{F>=(FPCuRn&Hg1s)fdIp%2GQCiTrUrKLVLPdYuo99M^F}zA~>0@^pG9ufBJ)VzQ#$a+|xsTN*aR?#gC3G2g zX3s~A20_EpGZHVq_hE%mzk)FS`+UeUcLD7dLYPre7Kr5;9tj`av~GVIs1paNE7HvWwzfni`fXOxhi90(J z1;eVV_6Tc|frXUe9^nL2x1F>l;90P`zn=u9*IAmUjMsz8WTff3wA&4sAEoU*i2aNS zX49r8FSvix6OF~y0w{k?GD4Zd-VKU3!J2Dm+R%y=iHmbMg7v1L+sOwEm;ug6uEpvw z9ut|ckW_NVcs(?oRyY)FeEMW>#K|NUPh>+@%RWt4E53QFb)TMbBMKS6UXA@Nmz* 
z@0qvO2m6hMnb@<(hA)2Kw)Yw-18B>LIZ)te?>inHEOcM|Lj>>N25D0rvk;Z!e#|n~ z*%5{1qk;xZ{6&8Zn(hIwLgft1s~F4^-9?={O+?%DHEF-*v zd|8NiLR~^xsVrr_XSz0TQD5|_=#FHW0}dsIVPd|Qu!Wy>8iz%hSgN42P*NmN(p}4z zZuVf>v#i0EjfIW3igzI-0g8&s0DF1W8}V*m^7GkIh)H-82aF%Ufa5CDrdbUrEr|- zW1gkOM?0;|W{+&M5lDJ6PPZ279x?U5ctOB=wMn^%X3V^|eN-hM|*luVC!tCPrdt2O-d)$gkO!<53o)D(RBke-2^H|3rTi@WFp86)O z-fj)>GLpB#;=W5OP(j6}oUo|>-4Mz`{wAtn-l~CKwkOPCRKuF*w&@kI+hR8mI~|4< zcs%;TY%%LKB7nmXzRdvuO0HEKP+xx*(Y7?%9oJB-E*<6KOPjDrCq-74l^4`xkeTGTn{fN>wOho(C~}#lK-3goWHs?1^OZo`57JzB45=ZhqXS-GHDOhwaw~t%Mi%`1 zmmmKU{1qB>M}nX6v>{K`vZoEM21jsssv<8&oXg|({A937FsM%{)HeDPKJaj)H~ekgy9V?^wzfJiJlcfLNbAPqK`|q3OIoq~!9k)F5g=I`%?V|*rwP@#YYJS3 zV|&YNk4s^oqRQ#->?$Vk~2MGk3 z!*%D+eI~w%GNfRbu1k}_4-ZNssyXDL=<+Zl%LnHB{J;-Y?RV&U(b%n*ofa zp7D_?&*!xRwWEx?b9(9ps;1!hL_k<)>&K}h@v5^)uHGKOL}~NRe}jLShbOy@XFB+~ zIt&Sn9qMt;L-2Y0E(X_Oz0rGrCVcrewL%^QoXfB6R!aoOfa5Ql>*7t;h?3z%xp@xy zl_;YvhE01`_O?JV{$kLtj-^c2z`isZjM2!%k`1^ogqHP&qj^&9#c}clJuWI%(nnmOS^m z$H60=bLOd|Hm+uY(*nosDX-pH9qW3o-dr@1OfvoYCD*gbypo0BotYpDmElSXIkX6O zeuxkHbdHEu(m^{a2ALOzaA!;E+AC~{wEZ-7M92u{xA)ePPj7#GDbla~-i4=fwUW8q z9PQl}?)QIOzrTTJgZF>jeD~ey{U2ZAy235Ot6wg~p=SPiA0DrHfTdTg&dsg-|AXq= zZW_tMi4@-ua@ElK3XDGV=dJ|KRZIEze_s9LTcMxMUcdInSIfD4Cnc6+Dn@)EV_ zOE^M*c4bJfL4NKx7`3-7NOV|VCDi%V<+m5VKl8?l)p=Yli4I2&xr5+VS75DZlAR0I zIhwq3eK5ef5~cluCmXy$mG^6cY^f-sUw-=wp4arRuQ-4CISs51OZX%ESDK%bSOyql z$aA~Qg(uIsNXP{d-y8rr#N2b-JBO;oJi>@o$mW52@VGU@FFJhfMJzLl75>75S-~zo zrU$@>4{cbD4p6_s)okmDU@bv1vu+kVQMq66e>Ix53QoYGCk%LW89e#l8!aS4slJ41 zLFa;wA^{hg9s}U3>>-{DDc@9~18w)iQJUmy`#h815*m}=5)BRi&)0temE=%g0H6Q> D3P_0S delta 4865 zcmV+c6aMV1CWa<|ABzY8?XCk@00Zq^-H+V15%=ruUm@55d>7dFVaEw@PFoa7ANo)v zX!F*zs#fCeD%MJ>DBVX5|L>g{k`g766ty4rwO9f6?n*O1l0$MhGaTyTBCn$~XVqo8 zdUmAi8m@1@{RTg8zI%7Af5P?l`sUlW&u-qr*YDnZ_x9a?yJy!oZ{J+Mdlp876lk6w!xFM{uRv)xA3y^eEd|yUYv<>oT z%YOGS#i&jpe};CigKP}qfDSzgbLpmX$ng z%R(rRa9+Op*Wzr=@~~q6Zqf>97iVYnW2v>E<*8p8ZZeQSSifJKy}Vc~&f=nC@iqxL zi>i1NF4O${tDB3(nJO+UqZ(?3ckN)NC-ubw3phf5M}cIYY%ifa=Jb$XXT(uXl+I4r 
zQ{I20GBt5$=`u*5`f*)UDdRIFeddyM6vvDc+Sxo2OQArud<1+KRY=;&mdX#lx-rq* zLOTPA4`0KQRa*{>t2AR=6)dT#M-Du)pPHy?Kz&X@TLyT`x2MGa%A#Z-ZtB`EF6as> zMlGa&>g*(L>li&FaPioz#9OS-AalNnD)yA5P8IT(yCCu;D>h3?%tjG14mn=?KDRhwNNL*XlNaazPi5L*bzvtq9L_N6QK(T1H9Yk&r z`d^|vS`QbJr!mL2RJEh&HVMCvc2gKr6XvLYTGH5qPstR}`Vp1dak|l=E{`hxA3$S* zRw|aifxJ077?IW$P)e^m9+Blftv5jggiQ?+uG2W6)_2YWs5_*KG(A{W=^d7Xl%KIf z2gtG(A=bixkFGd1rC5P2`T{X5QBI%&mB}?PVl@umvJ1i25P7KafsUcz1M97M7DYQn~EEU)K?8n1Cl z4v`a+Ed(2X6>FLt7G${)T97xzmJJ7hToL7pOU<*di%9Y+c-}s{1it4N^Kp0)3%9EW zhIe;C0~1}xc^zjdbc;j+fvv&9Bf;6QNT>=Ydx(3LP#xx~h&0az713Zk?K?xDrjybt zU0<^N?vSXPg4g`efMky!5VK;u$nGvt0tbN=y@UpThJ*ukT7fPJqhy=rVv=BZ+ScJ> z7Ac%dy}S4GM~ggHPFJf53$ziV0IZLPfY+cWw={WJ{lyn`Q5#f(SnHiPCVkEKesMdQ z@W-&gv`+im&p&hp@Tc5!W$fL1NQ(*^K74yh+$I|;gu0Rz7cJ)lo1DOJQ9`Odf-aEN zs*72F#)dI2t=#>pfm#K!edHI>bWfpRustYf)6Y7%ORFN^&ay&|(_K{0ecdl>Bu(|G z+g}@-A+Ug(AFPe{#roxG*GuOq_y|^a1=0w3y3V6a*q_0t_wzg~D2x=lnNU^C9jbI8 zXz@tvoS5R5A%+1zO4$QIbOv%OW2fa`d$G%Z<{P~JX>M(tOuO64aYnT;@|slyFD#2J zjUQ=*D=%NV_26yiwc1g+(4J330bU+DdJ{%Xy^*OGqYw@~d}1joRNpySM8we37Fv_{ z%pcN_Mz{Cdh%|T9zR5#J((6hJ-rccRzL17+1VdHG`RUp`)cW}*>v$HFSpzEeux9Ij z5YzYB{0U>|&0*x3f(FZ?$rDZ!2De8Jqszn&PYb_CqFqS6sRViHQ1TRcIcA-R3&BM+xbySiY1f6b0n z#>Dxb@4mUY9-aSrb8|ZX^Eocz+K1aBX)<=+j)qsk&E@sw^(-Z~coF=_;tVtjy2PNo z7Nlbm#$&npTFPx#hMSjAOmM$ppav^_qcI{oO9dP$ESP1%FF*VoltopyyR)TKU;-Vr zQr+ayQg1_Rk91C4-OLn|Y-eO z%hQ*KxHl4^9-1|7>=x=-T+=wuSS1B%i>@Gt_WV_Ul=VO*JnA}+IW3@>f zLI~Rex{RFJ^AV##(6IE3#7plHxa&dx-^u zrR_b4{fr4_)21gC+`s9GR>$Q5P?}_fGKakz6mNnhX=vW?lI4kub2x(arl8wN0|v|h zXC&8Rbr_F{Ojt;ND!F649-2-o>2~O1~_;lf=*a+cPO-6Ap2A04YFy$Jys)}v5p5fAeGtO|EsHQQ$L)LwmX!-g# zUgVeXaL2yynYY#lyN!jJ*t5rmFMi*)_Zle!Xv>J%Q{ZUtJ09&VbYJ{^1n=JlX;U4u z5S8S9%rchQ5ryTWf(A_VA_h(OfLEb%2If@^=85j2&YdQrZTgzDTXWij3gl)L`TLz_ znd@x)u7kyY19SG^@W4DY-t5`#!u083Nj!7a^c}@*RSvVv4l>Iz2_}mkadCao5m^q8 zxLuby!*}Ye^e#ig6La>o@Wh=xH9T?K<0pp(o;^>daDC=V@BKP6ZA{bg7XK0M)QWZ zKgsy5jA8Y|xW=|v&_Plcyer;sS#`Def)M^34+} z4b4nNMEJb1wWvFagF}ak-}1GExn=?fTY>Z?512e#U*-CJ3P{J?Ia 
zqGc7x`WYP-oGJhY8!EXFRAam483?nB?)Nr9CwD;=mzeVX?NlS8*G_S=uDXrlkEZR} z0Ck6O?B;Jhe{^gc2eCSgJ0VPqN7@DD=CO{0dcNTuJvmBRz1c`Ffz^anjmym%8(HwnPe1+?{1qB>$AVw*JQ^kQ z*b~bZgF_mW%tpnClUroZPX?<5gZh+0ZKFTo1I8q4zm|ZyL}G+0yE~ zP_zl1k=BjJqeMp9mb9$54-OKghycmjXd;x&o+eb|uE}v3j`3}mVQsDF0@pFH?K_(k z)%SrmZ}chU+P_d=5kb)laHa>(h48dmGf-iYC~9f!x_Np zI7C-;1vy%8WK!t{b9wB43c}g5(qMf>rT&qeI~w%GUQ;GE(?p! z?aEeku6Zb^)h3TGy_&T>1{#DGt{1_osL)N90NwjPLM~cpZ_=ywI8A%ty2m5?+~kbi zt`dAB+I!VZxo+sywha|x0KF1nC_>U>#&$|4J+O$tw&A zj2-H6(nIiRd|KaioNM%Em<;8c{NwIX2HhzY=A% z#jt5#7riY|jK3K4t79pXHL$Oa-8pINT2JKNg5P3l4?z-tsFt*+zN-#+codhJ;FB7? zS@u<*&_)+i3R1nqu2YFNZPB*PXPAwvqILT0`Ph{}uhN+~kR#7Q?r;!A=bU*8rH!Il z;IuGtd+MimcEh@Qt2fz9q>fC#j>q+EGK=Iu@XoxC1C`-Q0ok_*cQ%L*`gBH!SBgP9 zDh7ELhTvv@OX}JgY>BkpGj(Ld2b1t{dy@5wbJWdC>rwsORrd+n_Kz!W2)P3+Q`Fc9N!Re)$r;H zOgi+|t_03iOZoSIUj5^1p^wg9zxKvgYr1?VA(mr*Dn@)7JB^;qYyE3FtAU}5- zjM^!Ci4Nv{QBY#XWm$`I*&<`=y2qa+Y4@S1=fis*|}hy8%dSxgI&pte+lY~ zsa#us2jZJOAV-)OW}Vw^M;&Fi>c^YpY diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2487a9fd..7a93d33c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5946,7 +5946,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..25a5cfe 100644 +index b191055..9729941 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6134,7 +6134,8 @@ index b191055..25a5cfe 100644 +network_port(ircd, tcp,6667,s0, tcp,6697,s0) network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) - network_port(isns, tcp,3205,s0, udp,3205,s0) +-network_port(isns, tcp,3205,s0, udp,3205,s0) ++network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) -network_port(jabber_interserver, tcp,5269,s0) -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) 
@@ -37458,7 +37459,7 @@ index 79a45f6..d092e6e 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..e33db3f 100644 +index 17eda24..e59e001 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37768,7 +37769,7 @@ index 17eda24..e33db3f 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +337,271 @@ ifdef(`distro_gentoo',` +@@ -186,29 +337,275 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38011,10 +38012,14 @@ index 17eda24..e33db3f 100644 optional_policy(` - auth_rw_login_records(init_t) -+ consolekit_manage_log(init_t) ++ lldpad_relabel_tmpfs(init_t) ') optional_policy(` ++ consolekit_manage_log(init_t) ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -38049,7 +38054,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -216,7 +609,30 @@ optional_policy(` +@@ -216,7 +613,30 @@ optional_policy(` ') optional_policy(` @@ -38081,7 +38086,7 @@ index 17eda24..e33db3f 100644 ') ######################################## -@@ -225,9 +641,9 @@ optional_policy(` +@@ -225,9 +645,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38093,7 +38098,7 @@ index 17eda24..e33db3f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +674,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +678,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -38110,7 +38115,7 @@ index 17eda24..e33db3f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +699,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +703,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38153,7 +38158,7 @@ index 17eda24..e33db3f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +736,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +740,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38165,7 +38170,7 @@ index 17eda24..e33db3f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +748,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +752,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38176,7 +38181,7 @@ index 17eda24..e33db3f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +759,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +763,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38186,7 +38191,7 @@ index 17eda24..e33db3f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +768,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +772,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -38194,7 +38199,7 @@ index 17eda24..e33db3f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +775,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +779,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38202,7 +38207,7 @@ index 17eda24..e33db3f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +783,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +787,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38220,7 +38225,7 @@ index 17eda24..e33db3f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +801,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +805,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38234,7 +38239,7 @@ index 17eda24..e33db3f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +816,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +820,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38248,7 +38253,7 @@ index 17eda24..e33db3f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +829,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +833,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -38259,7 +38264,7 @@ index 17eda24..e33db3f 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +842,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +846,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38267,7 +38272,7 @@ index 17eda24..e33db3f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +861,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +865,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38291,7 +38296,7 @@ index 17eda24..e33db3f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +894,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +898,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38299,7 +38304,7 @@ index 17eda24..e33db3f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +928,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +932,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38310,7 +38315,7 @@ index 17eda24..e33db3f 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +952,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +956,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38319,7 +38324,7 @@ index 17eda24..e33db3f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +967,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +971,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -38327,7 +38332,7 @@ index 17eda24..e33db3f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +988,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +992,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38335,7 +38340,7 @@ index 17eda24..e33db3f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +998,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1002,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38380,7 +38385,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -559,14 +1043,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1047,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38412,7 +38417,7 @@ index 17eda24..e33db3f 100644 ') ') -@@ -577,6 +1078,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1082,39 @@ ifdef(`distro_suse',` ') ') @@ -38452,7 +38457,7 @@ index 17eda24..e33db3f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1123,8 @@ optional_policy(` +@@ -589,6 +1127,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38461,7 +38466,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -610,6 +1146,7 @@ optional_policy(` +@@ -610,6 +1150,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38469,7 +38474,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -626,6 +1163,17 @@ optional_policy(` +@@ -626,6 +1167,17 @@ optional_policy(` ') optional_policy(` @@ -38487,7 +38492,7 @@ index 17eda24..e33db3f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1190,13 @@ optional_policy(` +@@ -642,9 +1194,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -38501,7 +38506,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -657,15 +1209,11 @@ optional_policy(` +@@ -657,15 +1213,11 @@ optional_policy(` ') optional_policy(` @@ -38519,7 +38524,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -686,6 +1234,15 @@ optional_policy(` +@@ -686,6 +1238,15 @@ optional_policy(` ') optional_policy(` @@ -38535,7 +38540,7 @@ index 17eda24..e33db3f 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1283,7 @@ optional_policy(` +@@ -726,6 +1287,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38543,7 +38548,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -743,7 +1301,13 @@ optional_policy(` +@@ -743,7 +1305,13 @@ optional_policy(` ') optional_policy(` @@ -38558,7 +38563,7 @@ index 17eda24..e33db3f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1330,10 @@ optional_policy(` +@@ -766,6 +1334,10 @@ optional_policy(` ') optional_policy(` @@ -38569,7 +38574,7 @@ index 17eda24..e33db3f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1343,20 @@ optional_policy(` +@@ -775,10 +1347,20 @@ optional_policy(` ') optional_policy(` @@ -38590,7 +38595,7 @@ index 17eda24..e33db3f 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1365,10 @@ optional_policy(` +@@ -787,6 +1369,10 @@ optional_policy(` ') optional_policy(` @@ -38601,7 +38606,7 @@ index 17eda24..e33db3f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1390,6 @@ optional_policy(` +@@ -808,8 +1394,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38610,7 +38615,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -818,6 +1398,10 @@ optional_policy(` +@@ -818,6 +1402,10 @@ optional_policy(` ') optional_policy(` 
@@ -38621,7 +38626,7 @@ index 17eda24..e33db3f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1411,12 @@ optional_policy(` +@@ -827,10 +1415,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38634,7 +38639,7 @@ index 17eda24..e33db3f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1443,62 @@ optional_policy(` +@@ -857,21 +1447,62 @@ optional_policy(` ') optional_policy(` @@ -38698,7 +38703,7 @@ index 17eda24..e33db3f 100644 ') optional_policy(` -@@ -887,6 +1514,10 @@ optional_policy(` +@@ -887,6 +1518,10 @@ optional_policy(` ') optional_policy(` @@ -38709,7 +38714,7 @@ index 17eda24..e33db3f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1528,218 @@ optional_policy(` +@@ -897,3 +1532,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -49137,10 +49142,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..eff9e73 +index 0000000..2800431 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,972 @@ +@@ -0,0 +1,973 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49868,6 +49873,7 @@ index 0000000..eff9e73 + +dev_read_sysfs(systemd_rfkill_t) +dev_rw_wireless(systemd_rfkill_t) ++dev_write_kmsg(systemd_rfkill_t) + +init_search_var_lib_dirs(systemd_rfkill_t) + @@ -51261,10 +51267,10 @@ index 5ca20a9..5454d16 100644 + allow $1 unconfined_service_t:process signull; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902d..a349d18 100644 +index 5fe902d..b31eeba 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,28 @@ +@@ -1,207 +1,32 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) 
@@ -51352,8 +51358,7 @@ index 5fe902d..a349d18 100644 -optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') -+role unconfined_r types unconfined_service_t; - +- -optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') @@ -51369,15 +51374,12 @@ index 5fe902d..a349d18 100644 -optional_policy(` - java_run_unconfined(unconfined_t, unconfined_r) -') -+corecmd_bin_entry_type(unconfined_service_t) -+corecmd_shell_entry_type(unconfined_service_t) - - optional_policy(` +- +-optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -+ rpm_transition_script(unconfined_service_t, system_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -') - @@ -51429,7 +51431,8 @@ index 5fe902d..a349d18 100644 -optional_policy(` - rpm_run(unconfined_t, unconfined_r) -') -- ++role unconfined_r types unconfined_service_t; + -optional_policy(` - samba_run_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) @@ -51451,16 +51454,20 @@ index 5fe902d..a349d18 100644 -optional_policy(` - unconfined_dbus_chat(unconfined_t) -') -- --optional_policy(` ++corecmd_bin_entry_type(unconfined_service_t) ++corecmd_shell_entry_type(unconfined_service_t) + + optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) --') -- --optional_policy(` ++ rpm_transition_script(unconfined_service_t, system_r) + ') + + optional_policy(` - vpn_run(unconfined_t, unconfined_r) --') -- --optional_policy(` ++ dbus_chat_system_bus(unconfined_service_t) + ') + + optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') - @@ -51482,7 +51489,7 @@ index 5fe902d..a349d18 100644 - -optional_policy(` - unconfined_dbus_chat(unconfined_execmem_t) -+ dbus_chat_system_bus(unconfined_service_t) ++ virt_transition_svirt(unconfined_service_t, system_r) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..c54480a 100644 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d4a32611..c402de5d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9774,7 +9774,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..ab9ec30 100644 +index 1241123..f726b13 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9801,7 +9801,7 @@ index 1241123..ab9ec30 100644 # -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; +allow named_t self:capability2 block_suspend; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; @@ -31429,10 +31429,10 @@ index 0000000..cf9f7bf +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..efd838f +index 0000000..fb8be0d --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,71 @@ +@@ -0,0 +1,72 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -31466,6 +31466,7 @@ index 0000000..efd838f +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t) +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file }) + ++kernel_read_system_state(geoclue_t) +kernel_read_network_state(geoclue_t) + +auth_read_passwd(geoclue_t) @@ -32381,10 +32382,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..3ba328e +index 0000000..0a33da3 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,303 @@ +@@ -0,0 +1,305 @@ +policy_module(glusterd, 1.1.3) + +## 
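Review bot: `allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };` now grants net_raw to the whole named_t domain, and the rule itself gives no hint of which BIND feature needs raw sockets; the only trace is the bz(1389240) reference in the commit message. Capability grants are the lines most often questioned in later audits, so keep the reason with the rule: `# net_raw: bz(1389240)` directly above it. If the need turns out to be tied to a single optional feature, the grant would be a candidate for a tunable rather than an unconditional rule, but the reason is not visible in this hunk, so I can only ask that it be recorded.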
@@ -32446,7 +32447,7 @@ index 0000000..3ba328e +# Local policy +# + -+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; ++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw }; + +allow glusterd_t self:capability2 block_suspend; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; @@ -32542,6 +32543,7 @@ index 0000000..3ba328e +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) +dev_read_rand(glusterd_t) ++dev_rw_infiniband_dev(glusterd_t) + +domain_read_all_domains_state(glusterd_t) +domain_getattr_all_sockets(glusterd_t) @@ -32551,6 +32553,7 @@ index 0000000..3ba328e +fs_mount_all_fs(glusterd_t) +fs_unmount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) ++fs_getattr_all_dirs(glusterd_t) + +files_mounton_non_security(glusterd_t) + @@ -37724,10 +37727,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..de9cd55 100644 +index 4eb7041..b205df0 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,153 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -37889,6 +37892,7 @@ index 4eb7041..de9cd55 100644 -miscfiles_read_localization(hypervkvpd_t) +files_list_all_mountpoints(hypervvssd_t) +files_write_all_mountpoints(hypervvssd_t) ++files_list_non_auth_dirs(hypervvssd_t) -sysnet_dns_name_resolve(hypervkvpd_t) +logging_send_syslog_msg(hypervvssd_t) @@ -39918,7 +39922,7 @@ index ca020fa..d546e07 100644 + kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t) +') diff --git a/isns.te b/isns.te -index bc11034..183c526 100644 +index bc11034..20a7f39 100644 --- a/isns.te +++ b/isns.te @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) 
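Review bot: The `ipc_lock` added to the glusterd_t capability set here and the `dev_rw_infiniband_dev(glusterd_t)` line in a later hunk of the same glusterd.te section are two halves of one change (the RDMA transport named in the commit message), yet neither rule says so and they sit far apart. Suggest one comment at the capability line, `# ipc_lock: required together with infiniband device access for the RDMA transport`, and a matching tag above the dev_rw_infiniband_dev call, so a future cleanup does not drop one half without the other. `fs_getattr_all_dirs(glusterd_t)` in that later hunk is not explained by the commit message at all, and a word on what triggers it would help, since it does not look RDMA-related.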
@@ -39939,9 +39943,11 @@ index bc11034..183c526 100644 corenet_all_recvfrom_unlabeled(isnsd_t) corenet_all_recvfrom_netlabel(isnsd_t) corenet_tcp_sendrecv_generic_if(isnsd_t) -@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -45,11 +49,8 @@ corenet_tcp_sendrecv_isns_port(isnsd_t) + corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) ++corenet_tcp_connect_isns_port(isnsd_t) -files_read_etc_files(isnsd_t) +auth_use_nsswitch(isnsd_t) @@ -46051,7 +46057,7 @@ index 8031a78..72e56ac 100644 + +/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0) diff --git a/lldpad.if b/lldpad.if -index d18c960..fb5b674 100644 +index d18c960..b7bd752 100644 --- a/lldpad.if +++ b/lldpad.if @@ -2,6 +2,25 @@ @@ -46095,6 +46101,29 @@ index d18c960..fb5b674 100644 init_labeled_script_domtrans($1, lldpad_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; +@@ -56,3 +79,22 @@ interface(`lldpad_admin',` + files_search_pids($1) + admin_pattern($1, lldpad_var_run_t) + ') ++ ++######################################## ++## ++## Allow relabel lldpad_tmpfs_t ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lldpad_relabel_tmpfs',` ++ gen_require(` ++ type lldpad_tmpfs_t; ++ ') ++ ++ allow $1 lldpad_tmpfs_t:file relabelfrom; ++ allow $1 lldpad_tmpfs_t:file relabelto; ++') diff --git a/lldpad.te b/lldpad.te index 2a491d9..42e5578 100644 --- a/lldpad.te @@ -64805,10 +64834,10 @@ index 0000000..7581b52 +') diff --git a/openfortivpn.te b/openfortivpn.te new file mode 100644 -index 0000000..0d22f83 +index 0000000..3142896 --- /dev/null +++ b/openfortivpn.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,67 @@ +policy_module(openfortivpn, 1.0.0) + +######################################## 
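Review bot: In the new `lldpad_relabel_tmpfs` interface, the two rules `allow $1 lldpad_tmpfs_t:file relabelfrom;` and `allow $1 lldpad_tmpfs_t:file relabelto;` can be one rule, `allow $1 lldpad_tmpfs_t:file { relabelfrom relabelto };`, which is how the neighbouring interfaces in lldpad.if write multi-permission rules. The XML summary `Allow relabel lldpad_tmpfs_t` reads awkwardly; `Relabel lldpad_tmpfs_t files to and from` would match the house style. Note that the interface covers only the file class, which fits the commit message's /dev/shm/lldpad.state use case; if that is the intended limit, stating it in the summary saves the next caller a denial.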
@@ -64817,11 +64846,9 @@ index 0000000..0d22f83 +# + +type openfortivpn_t; -+domain_type(openfortivpn_t); +role system_r types openfortivpn_t; -+ +type openfortivpn_exec_t; -+domain_entry_file(openfortivpn_t, openfortivpn_exec_t) ++init_daemon_domain(openfortivpn_t, openfortivpn_exec_t) + +type openfortivpn_var_lib_t; +files_type(openfortivpn_var_lib_t) @@ -69440,14 +69467,15 @@ index 43d50f9..6b1544f 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb1964..5212cd2 100644 +index 1fb1964..a8026bd 100644 --- a/pcscd.te +++ b/pcscd.te -@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") +@@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") # allow pcscd_t self:capability { dac_override dac_read_search fsetid }; -allow pcscd_t self:process signal; ++allow pcscd_t self:capability2 { wake_alarm }; +allow pcscd_t self:process { signal signull }; allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket { accept listen }; @@ -69458,7 +69486,7 @@ index 1fb1964..5212cd2 100644 allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) +@@ -36,7 +38,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) kernel_read_system_state(pcscd_t) @@ -69466,7 +69494,7 @@ index 1fb1964..5212cd2 100644 corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) +@@ -45,12 +46,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) corenet_tcp_connect_http_port(pcscd_t) corenet_tcp_sendrecv_http_port(pcscd_t) 
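Review bot: After the switch to `init_daemon_domain(openfortivpn_t, openfortivpn_exec_t)`, the explicit `role system_r types openfortivpn_t;` just above it is very likely redundant, since that interface already associates the domain with system_r in refpolicy-derived trees; either drop the role line or, if it must stay, restore the blank line that used to separate the type declarations so the block reads like the other daemon modules in this series. Check init.if in this tree before removing it, as the interface body is not visible here.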
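Review bot: `allow pcscd_t self:capability2 { wake_alarm };` braces a single permission, while the same series writes `allow named_t self:capability2 block_suspend;` in bind.te; `allow pcscd_t self:capability2 wake_alarm;` keeps the two consistent. The commit message names only the capability, not what in pcscd sets wake alarms, so a short comment above the rule recording the trigger would help later reviews of capability grants; I cannot tell the reason from this hunk.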
@@ -69481,7 +69509,7 @@ index 1fb1964..5212cd2 100644 files_read_etc_runtime_files(pcscd_t) term_use_unallocated_ttys(pcscd_t) -@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t) +@@ -60,16 +62,26 @@ locallogin_use_fds(pcscd_t) logging_send_syslog_msg(pcscd_t) @@ -69510,7 +69538,7 @@ index 1fb1964..5212cd2 100644 ') optional_policy(` -@@ -85,3 +96,8 @@ optional_policy(` +@@ -85,3 +97,8 @@ optional_policy(` optional_policy(` udev_read_db(pcscd_t) ') @@ -90925,7 +90953,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..7f491b0 100644 +index 2da9fca..23bddad 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91123,7 +91151,7 @@ index 2da9fca..7f491b0 100644 ') ######################################## -@@ -202,41 +226,56 @@ optional_policy(` +@@ -202,41 +226,61 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91177,6 +91205,11 @@ index 2da9fca..7f491b0 100644 storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) ++allow nfsd_t nfsd_unit_file_t:file manage_file_perms; ++systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file) ++systemd_create_unit_file_dirs(nfsd_t) ++systemd_create_unit_file_lnk(nfsd_t) ++ +# Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -91189,7 +91222,7 @@ index 2da9fca..7f491b0 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +284,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91197,7 +91230,7 @@ index 2da9fca..7f491b0 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +295,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) 
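Review bot: The new `systemd_create_unit_file_lnk(nfsd_t)` and `systemd_create_unit_file_dirs(nfsd_t)` in the nfsd section are much broader than the `nfsd_unit_file_t` filetrans beside them: they appear to let a network-facing daemon create symlinks and directories in generic systemd_unit_file_t unit directories, and a symlink in a `.wants/` directory is exactly what enables a unit, so a compromised rpc.nfsd could influence what systemd starts rather than only manage its own nfsd_unit_file_t files. If the bz(1382487) case is a helper writing under one runtime directory, a dir filetrans to nfsd_unit_file_t plus `allow nfsd_t nfsd_unit_file_t:lnk_file manage_lnk_file_perms;` would keep the writes confined to the nfsd-owned type; at minimum a comment naming the path and tool that needs this would let the next reviewer judge it. The exact permissions those two interfaces grant are defined in systemd.if, outside this diff, so confirm them there. The nfsd_t section continues beyond this hunk.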
@@ -91212,7 +91245,7 @@ index 2da9fca..7f491b0 100644 ') ######################################## -@@ -270,7 +308,7 @@ optional_policy(` +@@ -270,7 +313,7 @@ optional_policy(` # GSSD local policy # @@ -91221,7 +91254,7 @@ index 2da9fca..7f491b0 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +318,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91229,7 +91262,7 @@ index 2da9fca..7f491b0 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +327,31 @@ kernel_signal(gssd_t) +@@ -288,25 +332,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91264,7 +91297,7 @@ index 2da9fca..7f491b0 100644 ') optional_policy(` -@@ -314,9 +359,12 @@ optional_policy(` +@@ -314,9 +364,12 @@ optional_policy(` ') optional_policy(` @@ -109696,7 +109729,7 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..f24416b 100644 +index 5ceacde..c919a2d 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) @@ -109713,7 +109746,16 @@ index 5ceacde..f24416b 100644 type tor_t; type tor_exec_t; init_daemon_domain(tor_t, tor_exec_t) -@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t) +@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t) + + type tor_var_lib_t; + files_type(tor_var_lib_t) ++files_mountpoint(tor_var_lib_t) + + type tor_var_log_t; + logging_log_file(tor_var_log_t) ++files_mountpoint(tor_var_log_t) + type tor_var_run_t; files_pid_file(tor_var_run_t) init_daemon_run_dir(tor_var_run_t, "tor") 
@@ -109724,7 +109766,7 @@ index 5ceacde..f24416b 100644 ######################################## # -@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; +@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; allow tor_t tor_etc_t:file read_file_perms; allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; @@ -109733,7 +109775,7 @@ index 5ceacde..f24416b 100644 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -109741,7 +109783,7 @@ index 5ceacde..f24416b 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t) +@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) @@ -109749,7 +109791,7 @@ index 5ceacde..f24416b 100644 corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) -@@ -98,19 +111,22 @@ dev_read_urand(tor_t) +@@ -98,19 +113,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -114182,7 +114224,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..923fbbe 100644 +index f03dcf5..af39887 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,403 @@ 
@@ -115766,7 +115808,7 @@ index f03dcf5..923fbbe 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1260,360 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1260,364 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116051,6 +116093,9 @@ index f03dcf5..923fbbe 100644 + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) ++ fs_mount_nfs(svirt_sandbox_domain) ++ fs_unmount_nfs(svirt_sandbox_domain) ++ kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` @@ -116064,6 +116109,8 @@ index f03dcf5..923fbbe 100644 + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) ++ fs_mount_fusefs(svirt_sandbox_domain) ++ fs_unmount_fusefs(svirt_sandbox_domain) ') optional_policy(` @@ -116091,7 +116138,6 @@ index f03dcf5..923fbbe 100644 +dontaudit container_t self:capability2 block_suspend ; +allow container_t self:process { execstack execmem }; +manage_chr_files_pattern(container_t, container_file_t, container_file_t) -+kernel_load_module(container_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_t self:capability sys_admin; @@ -116271,7 +116317,7 @@ index f03dcf5..923fbbe 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1626,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
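Review bot: `kernel_rw_fs_sysctls(svirt_sandbox_domain)`, added next to fs_mount_nfs/fs_unmount_nfs, grants write access to the whole sysctl_fs_t subtree (/proc/sys/fs), which is host-global state that includes hardening knobs such as protected_symlinks and suid_dumpable, not only the fs.nfs.* client settings an NFS mount might touch; from a container domain that is a larger hole than the mount permission itself. If only the nfs knobs are needed, a dedicated type for /proc/sys/fs/nfs (or `kernel_read_fs_sysctls` if writing is not actually required) would be tighter, and either way a comment naming the knob the mount path writes, e.g. `# nfs mount helper writes fs.nfs.* sysctls`, should accompany the rule. The tunable_policy block these lines sit in starts before the hunk, so its boolean name is not visible here; confirm it is the mount-specific boolean the changelog mentions rather than the broader virt_use_nfs. Note also that mounting still requires sys_admin, which container_t only receives under virt_sandbox_use_sys_admin in a later hunk of this diff.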
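Review bot: The new fs_mount_fusefs/fs_unmount_fusefs rules for svirt_sandbox_domain are inert on their own, because mount(2) also needs CAP_SYS_ADMIN and in this file container_t gets `allow container_t self:capability sys_admin;` only inside `tunable_policy(`virt_sandbox_use_sys_admin',`; an administrator enabling the fuse boolean alone will still see the mount denied on sys_admin (the check differs for containers running in a user namespace, which this policy does not appear to address). A comment next to the added lines, e.g. `# mounting also needs sys_admin; see virt_sandbox_use_sys_admin`, and the same sentence in the boolean's description would save that debugging round. The tunable_policy block enclosing these lines starts before the hunk, so its boolean name is not visible here.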
@@ -116286,7 +116332,7 @@ index f03dcf5..923fbbe 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1644,7 @@ optional_policy(` +@@ -1192,7 +1648,7 @@ optional_policy(` ######################################## # @@ -116295,7 +116341,7 @@ index f03dcf5..923fbbe 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1653,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 11f9dc31..714f596e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 221%{?dist} +Release: 222%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,29 @@ exit 0 %endif %changelog +* Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222 +- Allow abrt_dump_oops_t to drop capabilities. bz(1391040) +- Add named_t domain net_raw capability bz(1389240) +- Allow geoclue to read system info. bz(1389320) +- Make openfortivpn_t as init_deamon_domain. bz(1159899) +- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487) +- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib +- Add interace lldpad_relabel_tmpfs +- Merge pull request #155 from rhatdan/sandbox_nfs +- Add pscsd_t wake_alarm capability2 +- Allow sandbox domains to mount fuse file systems +- Add boolean to allow sandbox domains to mount nfs +- Allow hypervvssd_t to read all dirs. +- Allow isnsd_t to connect to isns_port_t +- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib +- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. +- Make tor_var_lib_t and tor_var_log_t as mountpoints. +- Allow systemd-rfkill to write to /proc/kmsg bz(1388669) +- Allow init_t to relabel /dev/shm/lldpad.state +- Merge pull request #168 from rhatdan/docker +- Label tcp 51954 as isns_port_t +- Lots of new domains like OCID and RKT are user container processes + * Mon Oct 17 2016 Miroslav Grepl - 3.13.1-221 - Add container_file_t into contexts/customizable_types.