From 3289d158c41c944448afb5dc6d5e11eb6c729b4a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 25 May 2016 12:46:10 +0200 Subject: [PATCH] * Wed May 25 2016 Lukas Vrabec 3.13.1-192 - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106) - Add SELinux policy for opendnssec service. BZ(1333106) --- docker-selinux.tgz | Bin 4317 -> 4316 bytes policy-rawhide-contrib.patch | 429 +++++++++++++++++++++++++++++++++-- selinux-policy.spec | 6 +- 3 files changed, 413 insertions(+), 22 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 77f76d54b9e0cce49977c65b8ccf983e3f7087e4..379579280a29a1f340b1abec88089689271919d8 100644 GIT binary patch delta 4244 zcmV;F5Nq$1KyO(u63G(rDoeDju3jfn>-7cs-*1L5Q531i+M8_eEFiHh&iqIYN5h%nXp=I&BlShPe(`kI z6yl7uPrMZmw^yuHL=-_QlnI_02a|S1*FACmfT$8p@(N z2wr6Ob+jU}mu{^6PkJq1y$ZggO`b>f{)b<;Bq%FVyrpGR$0UfVDof*trDYMsWx=Af zAay{B4SZgFcd6Kx05a|B^aei`e}5ox!$^>DH4M@sU|anwDRb!Yf-_wjT)}r$R7ZJG zL^=8XrJ#C$`9lx;C*BZ5Syt{y60kC0byUz4r{e;>nJ8?zl))S&09@%prTDz7d#O$UZC=ug{muMO@Y-&XbUmsE)VcDlN{w zx;|en6mVEY3_8WT7J~lC&X)*vWLd``pXViOoc5@HoTo`QjtWlMm+FDC{DpU3FT;u8RC;NfH92<@jj}Nu9YM2Ir!?jNAMn|7f59I8djvv zDR8aRj8N63q~@YOrlvkC@pAR~Ji>KpuVy+>#Q!2uV#=2<Cf4MXB{<71gGU#~7M zII?Jec9>ZW^rS+j+o&ebM$CLP69p}3Cx|&qDMJNzN?D@VzeiVRgfA=Z9>F_(ReNjt zH~tjk&Pgj0r|Xm?a`VJpk8~{;?=TUoj?4${xld)z4$uadje3Nb9fJO6R74x{%xqN7 z2lX^oN@73GPATre=i%urU4OBj&4z6(8QP|QCs;9`$$L6+{|L4ZtW3H317u9mm5-F{ zp^J|E_ej4>**1uPs$n2fmc{{}aqFXl?LxZ9Fltqu-eV_7`59NxLYAWlaTE@Gj9B?p z$~CvFLLz91V=kgOT?yVW<=ZUGcVlUn?TJOXl>4|G$KI8|5Em-@jyaM3((>k9BZ`5jN{Z}{e?-u@jeMCp<=YRb49CiZkeN<^OV;`uS!ednc zhfZ}>IZFS|aYHUj>ifgS zQY5cQR-)GoQb|EscuOEJ#Vl8DT?+7j3M|Dg!L<=McJyZq<2`-^dgXQeH^d@`638t` z{#2~XMFsj(m#Ek-JvvHY6BS9YtJ9vho0A;2oiF@!?m#5@B;|0%<|yDi5GYEhGbCmU zEC?)#8BbNk_H*~xzykM*ESQsbYbfXs+jConirp2QQg>5)3AwKrMJZwn$_GDxZCNU+ z_wlw4g{tpD==?Z>#Y@CwZ4@SUMI~U&T$6&$5ief-ZU)568K#T6-9WMPB$Pu$$xjr$ zu_wElb(Dq;9hJ|@4Oe>?pxmHbfZH-B_Cm{TO74MtKAz1A+usB)MZ*PfygZ+YK;cf< zg~401alkFs2yf#o1*uC65X=UDTq-UgCkmIGLdYKCPTy)hy#1>{!06uqnBq;@New9t z(4BR;aqzY!W%PJZ+{--*T1{w~-Cy8*4+Ip8fIGVc0@GK60SKccPYa>zn22>Q zrg#z*$c0|Y!veapC}c1ptyYQtR}{dW{}50H1}*2$0AXMFbb${A4Hk}ncgAtpR0p`* z!AvLkXbz6C9>4tjV|(~XpY6I-@#M8ZS~RKfF?ChMZSK2-Fi>u4#k8sA-g5BwC>}K) zK^Mqjv2xai?@Yj|P`GYjRDqlyk0|&9oI=O2|MP@Kp`ItOk7->N`7BT12^NZvaDLR{ z&Lyd(8whZ$%^!AA$K6eT|EAbhhCE~$Uj!e)g{@(V0ZlhWlnJjc`1D~y5CX8=;yPMY z|HBzLFT0Ux^D6Zqvka;&W)$EUw-7S2DwjetZ^n7$lkyuj&j`$S!qDGaB z3ac_p<2_eP72nE$7NX69sg(b@(LNIYzCLP#B8(cgl}GvAECp|Wc~0dFe58}>M>uu+ 
zkQ>uHq>{vd>E1i+EX=VchnAH*g~e5qpCacNTndwbi#-Yj@*j|q4S=)f)4fBnNW8pgKWuA3d zl}(XQZba~u<2crTTpZMB__=nx9oO`)hugi?YQFZC5JJ4gCRqEGsZA7EUptqP@!e6?y_D^xiTpA-!*vCly z_q!WM{rC0lss8(OT*A>0^D=>0`b=oUo8bE5>f&majat5c3VtGS29H1b$l#bPxe-VR zjpd0&CC@4drvAZu33gioE>5k}^bxmDDo?nNiHW@4FVmwn+UeMv;}vIvDKRETy__xVz^hqPJ!5vEBPZ=+&Eur=oq zlxEbFXbp#d$d;z7Bzf@Gne>d1Umi7vHQ&UjqF(l0gb)3D_)o>C(h`rcIhCSotUmgvo^akvw*kjvXc0`aO6&(JIYS zwhulA@wVI*!CeYwYz^N4VND53lOVq<$|NWV6X`(y4MIy@VZd+H(GD=#8Xz&7=IRYB zpGvQP)+B@dDZ})ti?U7DZ3u*GtnOy(pr1NR^OW%(sXRdS^s19Qc#vykd_)$>#o7?K<8BEB?gOhE}9Vz~1^JIMbjz%Q<@+iat&1S~6E<;Y{9s zCFoRu(bF(LkaZ?DZ63-DJ959%gg5{oI0=h?hlX$PcaLYMjbCgCz5MUAv3r=Uy~i_f z#rzQm&W}TbPx^3r>fkr_ujxbgvrf=HC%gL;-p6aqTXh(GI=3HaljptCWKrh{2A2Vf zG@k3a%v(c>=5Lw|`DWeyHC2W~tP^DDWbb+u9tlcLj|3;r8~qLY_l&s@vQL};$OzCrrs>fb`vg7mLbxX^o97x6|JvyOUdbDt3NeR+F)Z4_cMzs4_!O84N2*D*=Jr^!z_xkti zSgl3h=_jd;sxZ{DZ-0`JtPDnsfVLg45!%Aff@JcjO=N)hiJM^yOcDqkcV&GyNW%~R z_cUf1bx`aO!`}|GqVbj_1K1dCnx;x7w6MaM9|c4)OYcDm6BAw%C3w2oB)sZ>Uc!kM z+MCi+ozC(!)yhcNop+n)mSmaDh?B&qk_X-!_*tiM2yr>FP!t`7=npXOHEp_{N;wA= zlbs$~K2k1UOo)1jRQhwvSTzKu=;AWZtBgE^T>2gc9zsu=zmw84{|@cYypV9pGHE&& zm^2hztBhozNg^m(4V1YOp@d+6b0?D8u;_7#ZZ~z=RQ+ycv+$$nKF`wP&LWVV$Nx!bY%D2H&ZYl}?8G{M_eFI9PDenb zVX3rQ30X%?#)O~s(9s){Oz2GqWKU7^66vXhqDtA6fu!JuC|&mv97R`km3JM*b8$}$ zb!FeSNME}_*Psw(MqQ%taHJK(gOxcf_~(P}g(mrPWBmAg`6|dBVo}41$3>&r)Fg^S zEas@wgy7b?NfZ32Fh2@^pAG)pQ<+i4Z>zFo{0r>A>Z>eOL~ndFO)7!q2MU?@C;R1l zV6W!Ui3-b)PjmgnJLyPwK2nj2hozg%bi(-au*s%w)36_1DbWC*I^n!d z%;tU^NXoXAzb*l}oa;7z93$>WocIGKW;a4dNhXduH@VaMB!Cg|Y^}HUUbBfp_={?xG6l)0{sJXeA zj+)T|!@xuWwVJu1Y5+NLHDvePDzLh=VeySSMC{+r%Chn^xe?_it;U*Ch!Id6?!8=w zBXgeL8PTnOEPTb_^D zfP4N4v^0gkttP&T^Te^el3-M*J-+Q1WP-2t$N z6mDAX5I^4)J|AB_eX`qes#?05h5DCz!P-Dnr%_&SLK6rN*;^%Gkm|@1Z}j8JmQ0AO zg|w&Pq*R&rNraYyx_qil)vhgk$F~7S{jg-!P?asfui{ll({U7qAiQlG^;^Wkh_ZLA z_{UW=$2s_au7HNcLzlF(3Al*zDBh+;XY&>HldeA2X-#&pc8PoNue~B^^#0TFpncQ@ z_tXoqNk*OAg4x)Xc#dPYnVbXS!BvH)YyK|Fv za!M}Td9}w7rQs_F&dL|=DPmw|`PbH=M)0X$o;y^|)_akq=gI5S8tJQ!a~P?0$zv-8 
ze{HdU4gb6Wp5q0Ep6~3$mLZYj$N&N(Gmk8f45rV>mWn81z)(4h_AlM0Xut>??_&5i z7S7P_E+Z^GQwokHkGe+qhAoGBi&dMA*@`XY#@`YdD(w=5k+W-`OtzT?P&zJkVHrsg zT|w4XCAoJC^`6Gi0n*6ZCEkYNGo^!3{l`py2Sa;Lo*s`pa2PcTI({%UevYCS`mTE< zWakSsoi_ojDU2Mes-x<|Oi0FR+L4s0qWjXN@&6Z>kom>>DPL?De*fd@_U86m`~8ov z-<|&c|7W=_F*APon=IMn?_tR!kTbcnHt*#hMy%h<2UJ#jQhYWIAK|_>Cg? z?)aVf_B?cdkCPq{A{n~|f-80mB&iAaYbw!(!Med>M^=akJNILgSr97=dx&S@$r@@C qW%CG=j}R9U2`c(!M*s#iVH$qJzfU$F?@N=o5FH3O+sUl}cmM#5Ts><5 delta 4245 zcmV;G5Nhw-A>AQ=ABzY8xl=?}00Zq@>yO(u63zi-izkL>5J>r=3)le4I zLGUcQtD_Z(y>w&kf6{CD;zjTsZSp*-_doo)B|%w{;x#RsIwnC>RaqKGEG>&5E(;c= z1*rp4Y~b_ayGzBk1dwT0r#JYq`1?JH8%BbJt6`890o&?dNtr{B7o6$R;0nI0qB_ch zBFf44&jrh<8zqbgdkD&%rm>J%SG~y+9(v*RUdW zPJwHkW`wFPB{diQF*Wr`iI=O-ml3W@do|O6BK{YN5>vi>A-}F{yn-nBYatL`vBhQtJ+)B zzwxIScTQT7I9;bCk((#(dZcT)c!!Btb!0wp&wVU&c7QgxY}5n9>=5)nqaxanCuXB^ zKB&jBQWE=Nc1m#%J`ay)>H3THWHxML$SU}ehHA0T6ju6(3q z4_$QRzeoCA%CvNR6(j9VWaY!}i+hEc2P^bR{g$}hNr7P1^gh@)`eW5mj* zQm(mW6%s*99CH!P=}Pd1aTZbP>58}Y`&tp%T{5RX{Qo(`+bI7i`~Eqr8{ZU>)arJB zMbct3sawZ0q3qYRnAZ73c%xQB>%X~ye{bO5w?}lOe*VW#PhltE-ba-tGxmYHDLhsM zaOhN5m810U95>{mq`o^mA2TTSUXEZ^kh`ahciF5z}91X?1UAq6cK zBt`O?WF>mdAe9u9g|`IqQp|GY)};V{ufS655?mXBV@H3+Fh1Z%pjTeUe?u&CD1qF9 zooX1A(H1IzwW% zz=FV%nDJCqY(IC84J>f4$bva}w}yiLusyeBsMuY>DRno+myo-PQIsOKpnULu)0U;8 z`VepHP^kJYgwBs6SiD3`)<$7sS5yMV%rz<49P#4S?`A;EoMF1C+YJ;uPeM6Fl>9`| z8+)>=Sx0Hu&{6rU+;Fvb0m==^1-LD9VlTAZrsN*T=i}L|u>Do=Tr^w&$Mf@<2o&yw zT^PJI8wcECjqp0oQjogD0Ksg3z@_2>a-wj_DTM4k?)0tJ!`r_K1dRR-fGOUToz#%h z0Nq)qn+sCh9S3h)Qbvyl#l764pw)zy+1&-s_dr0g2)MILATWJ37=SQJ^0W}Tj)_?3 zVu~k0fn4aNJS?Cqi$Vqy(rT6He?+#FaKemUT^vSME6;ECpq(zeoA5&LF+~&SZ2m|G&R!o~(?kxxZfZ|c( z5p;nZ7At3M_|62Z3We(iMit2U@rZ&yz$tVL`#(=;6zX{b`7|?W6M49mFg3li(1R(&+Ev}N zLmVdK;6~gHB~QW&9YH{%NM~05NM079Fog=yF6usCiuRB;t3Sdt3FB>4YzVgI zJc81Uni8#l;Skx5%SBU#<1p_7**8EzKig&e{X!2{?Nl5p5bkDv+ie| zR!ii@afRUGb92P%t}_RfoyAXaQ=XTcbqFo)Hi02}l)w2<`#Ag3_9)7<0X zUD<~SXJ)glhIwVk1Adqcys^))rX3deX)z&zL-y`}6?3FJOvb){>E^fTESOF{N@WZ5 
z&9gq0#owMXibF%TKeJja27UO|S2bOlIM1|669p?DWq~l6a6gjAj?%HCBwK#~k0)BC zS<3dory$;zyCS$v!Hlip8z8JHVQCWNw?&x*1z{o`$iG2osVfZljXK%^CR+m}X471~ zf#p+w>D8KKus>y(UUgBn$+``JaE;a7Y#sDdXK9`?-XoO0sVP_vR1;i>rsSHc5|ll&4+Cn_$JCc-qj46baZ{e*|Y5bZ0qdZ$r_iNnK0ksw|wz z+ph$j3NU&a<_EIQ#HP(dnPErncbX6f00bw0Ve!!L4gT)&?6mQV4WXC+oi=t4v$gkl z2CkSt;lTNEXz*DdPEQ^D#{M;Z=zi7-+UI0JXj@vK3&RV5V|DqK%9xI<%Mw-{|zCyWUJ@GrR-k+ zejTf|=sW!+wNVv@TK4VFGLn_Sh!N1X<26EC_*sxl9<_-K5I=Du5Nz&5QX3XMF466#E}N>~t!x&46y4`pTHIO$@;Eo@ z=rP>y^xNr_va&||T1UH(Cu;7&k4RE_YZCD!20oVsrMr~HTcc4{uGljKUnMDbCWw4T zMwJ2>O}qtfHl3lhg;BUx96hHSlcYldrU-*KAnEu&DUFRK<;l79Karh(Sm(Z|F2Lys zh%_vfRx2UvsL7b{v+g^3W0DEI>45AhYF;8ewNO+kn=+6T+z_SfK7ym@s;=^`qj)av ziJ`9S+ZO3dH|QD^qRgmE6dsPWVtBAJhXwz9(4EjEe{PH)e=lDI*?lZ(IPth>G@F`4 zafrnnb(#>|S~qEe9~I_*N8z)3$F^ZsPN zd=Ko^JUUTf`SFPk;o;ZG$3See{C+1L>CQ(gQt_~Kvzbm9e;zj3)NLB}lPe_};8Q1@ z*NNHOPXkHWw({2{AeVF9#*bsf{fN^aW0}WH(qUln z7t>KQT3{HMNT60TH&hKEC$5IrH3^;URmg1PoFgS>la;T-lNd zk+qQaG@O(w^FE2tQc#yqwW->*h41(_z^EUVtQxAa1^89G>S#KSq7a0)ZKHmRSQt_E zjurp7ism?f2j3OYuz2W_b~XVQQ69zHwCHTUqJGlV$2zUa4%RMl5B{ZBB#qvGIv%u- zy5OFAAvVdVlUpzw+Y--l%)7K^o;X6Z**-tN=~aAJb4X#&U6uDvXw}%$PC=sbdV@qt zfjd-uMNQHd!Md!`zn5I?>k}arqqc_mN*6cj(MXGbWOih9@j_6+LlI%9A&IacBISjq z#$aq8)*OIbTt_8^I8Iq~h}#O&7JtE4Th^fI#g@%REt-0*-j#!Kr7KL@ZjvO5`FnS6 z(oRmvg*&hI7@{fP;aqnvoTw-rQG;iB15HJqA+rH?UTtivj9rRr7kQZ zDWWUL+Nvb?ZlT`O7&<^2dAr2hFnp$TFslE5nCW0>@5$4{kp~W=MnT69rpC`v^g`cu zkA&=efu{2&fHj4YV^wujeV7T!SWP>UGF5b6yEOj);u12ySU={A4a4t$T)nw@^RD;z z|KFYd{{I)bE-^EH`I{`+vo;^(A4aS{$Olwbds2Kue-D!#5F#1d27)Vg3?!)ucWWxqhQYeQVn ## -@@ -310,6 +354,27 @@ interface(`bind_read_zone',` +@@ -310,6 +354,47 @@ interface(`bind_read_zone',` ######################################## ## 
@@ -9641,11 +9641,31 @@ index 531a8f2..0b86f2f 100644 +') + +######################################## ++## ++## Create, read, write, and delete ++## bind zone files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_manage_zone_dirs',` ++ gen_require(` ++ type named_zone_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 named_zone_t:dir manage_dir_perms; ++') ++ ++######################################## +## ## Create, read, write, and delete ## bind zone files. ## -@@ -344,6 +409,25 @@ interface(`bind_udp_chat_named',` +@@ -344,6 +429,25 @@ interface(`bind_udp_chat_named',` ######################################## ## @@ -9671,28 +9691,28 @@ index 531a8f2..0b86f2f 100644 ## All of the rules required to ## administrate an bind environment. ## -@@ -364,11 +448,17 @@ interface(`bind_admin',` +@@ -364,11 +468,17 @@ interface(`bind_admin',` type named_t, named_tmp_t, named_log_t; type named_cache_t, named_zone_t, named_initrc_exec_t; type dnssec_t, ndc_t, named_conf_t, named_var_run_t; - type named_keytab_t; + type named_keytab_t, named_unit_file_t; -+ ') -+ + ') + +- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { named_t ndc_t }) + allow $1 named_t:process signal_perms; + ps_process_pattern($1, named_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 named_t:process ptrace; - ') - -- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { named_t ndc_t }) ++ ') ++ + bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) domain_system_change_exemption($1) -@@ -384,11 +474,15 @@ interface(`bind_admin',` +@@ -384,11 +494,15 @@ interface(`bind_admin',` files_list_etc($1) admin_pattern($1, { named_keytab_t named_conf_t }) @@ -9710,7 +9730,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..dcaf16b 100644 +index 1241123..bf5ad4a 100644 --- a/bind.te +++ b/bind.te 
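Review bot: The summary on the new `bind_manage_zone_dirs` interface is copied from `bind_manage_zone` ("Create, read, write, and delete bind zone files"), but the only rule it adds is `allow $1 named_zone_t:dir manage_dir_perms;`, so the generated interface docs will not show that this hands out directory create/rename/delete on the zone tree rather than file access. I would change the summary to `Create, read, write, and delete bind zone directories.` so the distinction from `bind_manage_zone` is visible to anyone choosing between the two. The `gen_require` and the dir-only rule themselves look correct; only the wording is off.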
@@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9800,10 +9820,14 @@ index 1241123..dcaf16b 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +206,13 @@ optional_policy(` +@@ -187,7 +206,17 @@ optional_policy(` ') optional_policy(` ++ ipa_manage_lib(named_t) ++') ++ ++optional_policy(` + ipsec_rw_inherited_pipes(named_t) +') + @@ -9814,7 +9838,7 @@ index 1241123..dcaf16b 100644 kerberos_use(named_t) ') -@@ -215,7 +240,8 @@ optional_policy(` +@@ -215,7 +244,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9824,7 +9848,7 @@ index 1241123..dcaf16b 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +255,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +259,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9836,7 +9860,7 @@ index 1241123..dcaf16b 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +267,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +271,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9846,7 +9870,7 @@ index 1241123..dcaf16b 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +285,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +289,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -37977,14 +38001,19 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..ce135f3 +index 0000000..e1ddda0 --- /dev/null 
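Review bot: `ipa_manage_lib(named_t)` gives the network-facing BIND daemon create/write/delete access to everything labelled `ipa_var_lib_t` (the definition of that interface and the paths it labels are not in this hunk, presumably /var/lib/ipa), which is broader than a DNS server should need from IPA's state directory. If named only has to read the DNSSEC/SoftHSM material that `ipa-dnskeysyncd` places there — an inference from the rest of this commit, not something the hunk shows — a read-only interface or a dedicated type for that subtree would keep a compromised named from rewriting unrelated IPA state. At minimum I would put a comment above the call, e.g. `# bind-dyndb-ldap reads IPA's DNSSEC state under ipa_var_lib_t`, and confirm whether read access is enough before shipping manage. The `ipsec_rw_inherited_pipes(named_t)` block is pre-existing context here and not part of this change.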
+++ b/ipa.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,19 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + ++/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) ++ +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + ++/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) ++/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) ++ +/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) +/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) +/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) @@ -38181,10 +38210,10 @@ index 0000000..904782d +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..af46439 +index 0000000..5fad85e --- /dev/null +++ b/ipa.te -@@ -0,0 +1,130 @@ +@@ -0,0 +1,195 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38201,9 +38230,16 @@ index 0000000..af46439 +type ipa_otpd_exec_t; +init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) + ++type ipa_dnskey_t, ipa_domain; ++type ipa_dnskey_exec_t; ++init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t) ++ +type ipa_otpd_unit_file_t; +systemd_unit_file(ipa_otpd_unit_file_t) + ++type ipa_dnskey_unit_file_t; ++systemd_unit_file(ipa_dnskey_unit_file_t) ++ +type ipa_log_t; +logging_log_file(ipa_log_t) + @@ -38220,6 +38256,9 @@ index 0000000..af46439 +init_system_domain(ipa_helper_t, ipa_helper_exec_t) +role ipa_helper_roles types ipa_helper_t; + ++type ipa_tmp_t; ++files_tmp_file(ipa_tmp_t) ++ +######################################## +# +# ipa_otpd local policy 
@@ -38315,6 +38354,61 @@ index 0000000..af46439 +optional_policy(` + sssd_manage_lib_files(ipa_helper_t) +') ++ ++######################################## ++# ++# ipa-dnskey local policy ++# ++allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms; ++allow ipa_dnskey_t self:udp_socket create_socket_perms; ++allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms; ++allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read }; ++ ++manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) ++setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) ++list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) ++ ++manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t) ++files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file }) ++ ++kernel_dgram_send(ipa_dnskey_t) ++ ++auth_use_nsswitch(ipa_dnskey_t) ++ ++corecmd_exec_bin(ipa_dnskey_t) ++corecmd_exec_shell(ipa_dnskey_t) ++ ++corenet_tcp_bind_generic_node(ipa_dnskey_t) ++corenet_tcp_connect_kerberos_port(ipa_dnskey_t) ++corenet_tcp_connect_rndc_port(ipa_dnskey_t) ++ ++dev_read_rand(ipa_dnskey_t) ++ ++libs_exec_ldconfig(ipa_dnskey_t) ++ ++logging_send_syslog_msg(ipa_dnskey_t) ++ ++miscfiles_read_certs(ipa_dnskey_t) ++ ++sysnet_read_config(ipa_dnskey_t) ++ ++optional_policy(` ++ bind_domtrans_ndc(ipa_dnskey_t) ++ bind_read_dnssec_keys(ipa_dnskey_t) ++ bind_manage_zone(ipa_dnskey_t) ++ bind_manage_zone_dirs(ipa_dnskey_t) ++') ++ ++optional_policy(` ++ dirsrv_stream_connect(ipa_dnskey_t) ++') ++ ++optional_policy(` ++ opendnssec_domtrans(ipa_dnskey_t) ++ opendnssec_manage_config(ipa_dnskey_t) ++ opendnssec_manage_var_files(ipa_dnskey_t) ++ opendnssec_filetrans_etc_content(ipa_dnskey_t) ++') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 index 0000000..caf1fe5 
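Review bot: `corenet_tcp_connect_rndc_port(ipa_dnskey_t)` looks redundant next to `bind_domtrans_ndc(ipa_dnskey_t)` in the same block: if the daemon reaches named's control channel by executing `rndc` (which then runs in `ndc_t`, where the rndc port access already lives), `ipa_dnskey_t` itself never needs to open that port, and the extra rule lets a compromised `ipa-dnskeysyncd` talk to the control channel directly without going through the rndc binary. Unless the Python code connects to the port itself, I would drop that line. Two smaller points in the same block: `dev_read_rand` is granted but not `dev_read_urandom`, and a Python daemon normally draws randomness from /dev/urandom (an inference, not visible here), so expect a denial there; and `ipa_tmp_t` gets `manage_files_pattern` plus a `{ file }` filetrans only, so a temporary directory created under /tmp would not be covered. This domain ends up with write access to both named's zone directories (`bind_manage_zone_dirs`) and OpenDNSSEC's configuration (`opendnssec_manage_config`), so a one-line comment on each `optional_policy` block naming the files it actually touches would help future tightening.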
@@ -63355,6 +63449,299 @@ index 3b6920e..3e9b17f 100644 userdom_dontaudit_use_unpriv_user_fds(openct_t) userdom_dontaudit_search_user_home_dirs(openct_t) +diff --git a/opendnssec.fc b/opendnssec.fc +new file mode 100644 +index 0000000..08d0e79 +--- /dev/null ++++ b/opendnssec.fc +@@ -0,0 +1,14 @@ ++/usr/lib/systemd/system/ods-enforcerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0) ++ ++/usr/lib/systemd/system/ods-signerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0) ++ ++/usr/sbin/ods-control -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++/usr/sbin/ods-enforcerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++/usr/sbin/ods-signer -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++/usr/sbin/ods-signerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0) ++ ++/etc/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_conf_t,s0) ++ ++/var/run/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_run_t,s0) ++ ++/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) +diff --git a/opendnssec.if b/opendnssec.if +new file mode 100644 +index 0000000..fb0141d +--- /dev/null ++++ b/opendnssec.if +@@ -0,0 +1,206 @@ ++ ++## policy for opendnssec ++ ++######################################## ++## ++## Execute opendnssec_exec_t in the opendnssec domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`opendnssec_domtrans',` ++ gen_require(` ++ type opendnssec_t, opendnssec_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, opendnssec_exec_t, opendnssec_t) ++') ++ ++###################################### ++## ++## Execute opendnssec in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`opendnssec_exec',` ++ gen_require(` ++ type opendnssec_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, opendnssec_exec_t) ++') ++ ++######################################## ++## ++## Read the opendnssec configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opendnssec_read_config',` ++ gen_require(` ++ type opendnssec_conf_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 opendnssec_conf_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read the opendnssec configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opendnssec_manage_config',` ++ gen_require(` ++ type opendnssec_conf_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 opendnssec_conf_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Allow the specified domain to ++## read and write opendnssec /var files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opendnssec_manage_var_files',` ++ gen_require(` ++ type opendnssec_var_t; ++ ') ++ ++ files_search_var($1) ++ files_search_var_lib($1) ++ manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t) ++') ++ ++######################################## ++## ++## Read opendnssec PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opendnssec_read_pid_files',` ++ gen_require(` ++ type opendnssec_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t) ++') ++ ++######################################## ++## ++## Execute opendnssec server in the opendnssec domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`opendnssec_systemctl',` ++ gen_require(` ++ type opendnssec_t; ++ type opendnssec_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 opendnssec_unit_file_t:file read_file_perms; ++ allow $1 opendnssec_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, opendnssec_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an opendnssec environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`opendnssec_admin',` ++ gen_require(` ++ type opendnssec_t; ++ type opendnssec_var_run_t; ++ type opendnssec_unit_file_t; ++ ') ++ ++ allow $1 opendnssec_t:process { signal_perms }; ++ ps_process_pattern($1, opendnssec_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 opendnssec_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, opendnssec_var_run_t) ++ ++ opendnssec_systemctl($1) ++ admin_pattern($1, opendnssec_unit_file_t) ++ allow $1 opendnssec_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') ++ ++######################################## ++## ++## Transition to quota named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`opendnssec_filetrans_etc_content',` ++ gen_require(` ++ type opendnssec_conf_t; ++ ') ++ ++ files_etc_filetrans($1, opendnssec_conf_t, file) ++') +diff --git a/opendnssec.te b/opendnssec.te +new file mode 100644 +index 0000000..a0e817d +--- /dev/null ++++ b/opendnssec.te +@@ -0,0 +1,55 @@ ++policy_module(opendnssec, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type opendnssec_t; ++type opendnssec_exec_t; ++init_daemon_domain(opendnssec_t, opendnssec_exec_t) ++ ++type opendnssec_conf_t; ++files_config_file(opendnssec_conf_t) ++ ++type opendnssec_var_t; ++files_type(opendnssec_var_t) ++ ++type opendnssec_var_run_t; ++files_pid_file(opendnssec_var_run_t) ++ ++type opendnssec_unit_file_t; ++systemd_unit_file(opendnssec_unit_file_t) ++ ++######################################## ++# ++# opendnssec local policy ++# ++allow opendnssec_t self:capability { chown setgid setuid sys_chroot }; ++allow opendnssec_t self:process { fork signal_perms }; ++allow opendnssec_t self:fifo_file rw_fifo_file_perms; ++allow opendnssec_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) ++manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t) ++ ++manage_dirs_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t) ++manage_files_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t) ++files_var_filetrans(opendnssec_t, opendnssec_var_t, dir) ++ ++manage_dirs_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++manage_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++manage_lnk_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) ++files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file }) ++ ++auth_use_nsswitch(opendnssec_t) ++ ++corecmd_exec_bin(opendnssec_t) ++ 
++logging_send_syslog_msg(opendnssec_t) ++ ++optional_policy(` ++ ipa_manage_lib(opendnssec_t) ++') ++ diff --git a/openfortivpn.fc b/openfortivpn.fc new file mode 100644 index 0000000..2e4dd3f diff --git a/selinux-policy.spec b/selinux-policy.spec index c254865a..ab373154 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191%{?dist} +Release: 192%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -647,6 +647,10 @@ exit 0 %endif %changelog +* Wed May 25 2016 Lukas Vrabec 3.13.1-192 +- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106) +- Add SELinux policy for opendnssec service. BZ(1333106) + * Tue May 24 2016 Lukas Vrabec 3.13.1-191 - Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t - Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
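Review bot: `opendnssec_admin` cannot actually administer the service's data: its `gen_require` lists only `opendnssec_t`, `opendnssec_var_run_t` and `opendnssec_unit_file_t`, so an admin role gets `admin_pattern` on the pid directory but nothing on `opendnssec_conf_t` (/etc/opendnssec) or `opendnssec_var_t` (/var/opendnssec), contradicting the "All of the rules required to administrate" summary; the rewrite below adds the two types to the require block and an `admin_pattern` for each next to the existing pid rules. Two interface summaries are copy-paste leftovers: `opendnssec_manage_config` is described as "Read the opendnssec configuration files." although it grants `manage_file_perms`, and `opendnssec_filetrans_etc_content` is described as "Transition to quota named content"; they should read `Create, read, write, and delete the opendnssec configuration files.` and `Create opendnssec configuration files in /etc with a type transition.` respectively. In opendnssec.te the daemon domain itself gets `manage_files_pattern`/`manage_dirs_pattern` on `opendnssec_conf_t`; if ods-enforcerd/ods-signerd only read their configuration (the writer this commit introduces is `ipa_dnskey_t` via `opendnssec_manage_config`), read/list access would stop a compromised signer from rewriting its own KASP and zone configuration, so it is worth confirming which of the four `opendnssec_exec_t` binaries needs write. Also `opendnssec_manage_var_files` calls `files_search_var_lib($1)` although the type labels `/var/opendnssec`, and grants files only, so callers cannot create directories there.
```m4
interface(`opendnssec_admin',`
	gen_require(`
		type opendnssec_t, opendnssec_conf_t, opendnssec_var_t;
		type opendnssec_var_run_t;
		type opendnssec_unit_file_t;
	')

	# … unchanged: signal_perms, ps_process_pattern and deny_ptrace block …

	files_search_pids($1)
	admin_pattern($1, opendnssec_var_run_t)

	files_search_etc($1)
	admin_pattern($1, opendnssec_conf_t)

	files_search_var($1)
	admin_pattern($1, opendnssec_var_t)

	# … unchanged: opendnssec_systemctl, unit file and passwd agent rules …
')
```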