* Tue Apr 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-184

- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. - Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448 - Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732 - Make virt_use_pcscd boolean off by default. - Create boolean to allow virtual machine use smartcards. rhbz#1029297 - Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754 - Allow mongod log to syslog. - Allow nsd daemon to create log file in /var/log as nsd_log_t - unlabeled_t can not be an entrypoint. - Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909 - Add new permissions stop/start to class system. rhbz#1324453
2016-04-26 15:03:41 +02:00 · 2016-04-26 15:03:41 +02:00 · 34332645c9
parent d8b5e9198b
commit 34332645c9
4 changed files with 553 additions and 348 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -868,7 +868,7 @@ index 3a45f23..ee7d7b3 100644
 constrain socket_class_set { create relabelto relabelfrom } 
 (
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index a94b169..2e137e6 100644
+index a94b169..d0a8a5b 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process
@ -879,7 +879,7 @@ index a94b169..2e137e6 100644
 }
 
 
-@@ -393,6 +394,13 @@ class system
+@@ -393,6 +394,15 @@ class system
 	syslog_mod
 	syslog_console
 	module_request
@ -890,10 +890,12 @@ index a94b169..2e137e6 100644
 +    enable
 +    disable
 +    reload
+	stop
+	start
 }
 
 #
-@@ -443,10 +451,13 @@ class capability
+@@ -443,10 +453,13 @@ class capability
 class capability2 
 {
 	mac_override	# unused by SELinux
@ -908,7 +910,7 @@ index a94b169..2e137e6 100644
 }
 
 #
-@@ -690,6 +701,8 @@ class nscd
+@@ -690,6 +703,8 @@ class nscd
 	shmemhost
 	getserv
 	shmemserv
@ -917,7 +919,7 @@ index a94b169..2e137e6 100644
 }
 
 # Define the access vector interpretation for controlling
-@@ -831,6 +844,38 @@ inherits socket
+@@ -831,6 +846,38 @@ inherits socket
 	attach_queue
 }
 
@ -956,7 +958,7 @@ index a94b169..2e137e6 100644
 class x_pointer
 inherits x_device
 
-@@ -865,3 +910,18 @@ inherits database
+@@ -865,3 +912,18 @@ inherits database
 	implement
 	execute
 }
@ -6397,7 +6399,7 @@ index b31c054..50a45cf 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..3f6a351 100644
+index 76f285e..c542dd3 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -7353,7 +7355,7 @@ index 76f285e..3f6a351 100644
 ')
 
 ########################################
-@@ -3144,6 +3686,60 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3686,61 @@ interface(`dev_create_null_dev',`
 
 ########################################
 ## <summary>
@ -7407,6 +7409,7 @@ index 76f285e..3f6a351 100644
 +	')
 +
 +	read_chr_files_pattern($1, device_t, nvme_device_t)
+	read_blk_files_pattern($1, device_t, nvme_device_t)
 +')
 +
 +########################################
@ -7414,7 +7417,7 @@ index 76f285e..3f6a351 100644
 ##	Do not audit attempts to get the attributes
 ##	of the BIOS non-volatile RAM device.
 ## </summary>
-@@ -3163,6 +3759,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3760,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
 
 ########################################
 ## <summary>
@ -7439,7 +7442,7 @@ index 76f285e..3f6a351 100644
 ##	Read and write BIOS non-volatile RAM.
 ## </summary>
 ## <param name="domain">
-@@ -3254,7 +3868,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3869,25 @@ interface(`dev_rw_printer',`
 
 ########################################
 ## <summary>
@ -7466,7 +7469,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3262,12 +3894,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3895,13 @@ interface(`dev_rw_printer',`
 ##	</summary>
 ## </param>
 #
@ -7483,7 +7486,7 @@ index 76f285e..3f6a351 100644
 ')
 
 ########################################
-@@ -3399,7 +4032,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4033,7 @@ interface(`dev_dontaudit_read_rand',`
 
 ########################################
 ## <summary>
@ -7492,7 +7495,7 @@ index 76f285e..3f6a351 100644
 ##	number generator devices (e.g., /dev/random)
 ## </summary>
 ## <param name="domain">
-@@ -3413,7 +4046,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4047,7 @@ interface(`dev_dontaudit_append_rand',`
 		type random_device_t;
 	')
 
@ -7501,7 +7504,7 @@ index 76f285e..3f6a351 100644
 ')
 
 ########################################
-@@ -3855,7 +4488,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4489,7 @@ interface(`dev_getattr_sysfs_dirs',`
 
 ########################################
 ## <summary>
@ -7510,7 +7513,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3863,91 +4496,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4497,89 @@ interface(`dev_getattr_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -7621,7 +7624,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3955,68 +4586,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,68 +4587,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -7700,7 +7703,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4024,114 +4640,97 @@ interface(`dev_rw_sysfs',`
+@@ -4024,114 +4641,97 @@ interface(`dev_rw_sysfs',`
 ##	</summary>
 ## </param>
 #
@ -7845,7 +7848,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4139,35 +4738,50 @@ interface(`dev_getattr_generic_usb_dev',`
+@@ -4139,35 +4739,50 @@ interface(`dev_getattr_generic_usb_dev',`
 ##	</summary>
 ## </param>
 #
@ -7904,7 +7907,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4175,7 +4789,254 @@ interface(`dev_read_generic_usb_dev',`
+@@ -4175,7 +4790,254 @@ interface(`dev_read_generic_usb_dev',`
 ##	</summary>
 ## </param>
 #
@ -8160,7 +8163,7 @@ index 76f285e..3f6a351 100644
 	gen_require(`
 		type device_t, usb_device_t;
 	')
-@@ -4330,28 +5191,180 @@ interface(`dev_search_usbfs',`
+@@ -4330,28 +5192,180 @@ interface(`dev_search_usbfs',`
 
 ########################################
 ## <summary>
@ -8350,7 +8353,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4359,19 +5372,17 @@ interface(`dev_list_usbfs',`
+@@ -4359,19 +5373,17 @@ interface(`dev_list_usbfs',`
 ##	</summary>
 ## </param>
 #
@ -8374,7 +8377,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4379,19 +5390,17 @@ interface(`dev_setattr_usbfs_files',`
+@@ -4379,19 +5391,17 @@ interface(`dev_setattr_usbfs_files',`
 ##	</summary>
 ## </param>
 #
@ -8398,7 +8401,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4399,37 +5408,36 @@ interface(`dev_read_usbfs',`
+@@ -4399,37 +5409,36 @@ interface(`dev_read_usbfs',`
 ##	</summary>
 ## </param>
 #
@ -8447,7 +8450,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4437,18 +5445,18 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,18 +5446,18 @@ interface(`dev_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -8471,7 +8474,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4456,17 +5464,17 @@ interface(`dev_rw_userio_dev',`
+@@ -4456,17 +5465,17 @@ interface(`dev_rw_userio_dev',`
 ##	</summary>
 ## </param>
 #
@ -8493,7 +8496,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4474,36 +5482,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+@@ -4474,36 +5483,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -8539,7 +8542,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4511,17 +5518,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
+@@ -4511,17 +5519,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -8561,7 +8564,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4529,17 +5536,17 @@ interface(`dev_read_video_dev',`
+@@ -4529,17 +5537,17 @@ interface(`dev_read_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -8583,7 +8586,7 @@ index 76f285e..3f6a351 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4547,12 +5554,12 @@ interface(`dev_write_video_dev',`
+@@ -4547,12 +5555,12 @@ interface(`dev_write_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -8598,7 +8601,7 @@ index 76f285e..3f6a351 100644
 ')
 
 ########################################
-@@ -4630,6 +5637,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5638,24 @@ interface(`dev_write_watchdog',`
 
 ########################################
 ## <summary>
@ -8623,7 +8626,7 @@ index 76f285e..3f6a351 100644
 ##	Read and write the the wireless device.
 ## </summary>
 ## <param name="domain">
-@@ -4762,6 +5787,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5788,44 @@ interface(`dev_rw_xserver_misc',`
 
 ########################################
 ## <summary>
@ -8668,7 +8671,7 @@ index 76f285e..3f6a351 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4851,3 +5914,1019 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
@ -10963,7 +10966,7 @@ index b876c48..03f9342 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..89768e5 100644
+index f962f76..f0133ab 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -17042,7 +17045,7 @@ index f962f76..89768e5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6237,129 +8499,118 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8499,119 @@ interface(`files_dontaudit_write_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -17142,12 +17145,13 @@ index f962f76..89768e5 100644
 -		attribute pidfile;
 -		type var_t, var_run_t;
 +		attribute file_type;
+		type unlabeled_t;
 	')
 -
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 -	delete_dirs_pattern($1, pidfile, pidfile)
-+	allow $1 file_type:file entrypoint;
+	allow $1 {file_type -unlabeled_t} :file entrypoint;
 ')
 
 ########################################
@ -17211,7 +17215,7 @@ index f962f76..89768e5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6367,18 +8618,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8619,19 @@ interface(`files_mounton_all_poly_members',`
 ##	</summary>
 ## </param>
 #
@ -17236,7 +17240,7 @@ index f962f76..89768e5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6386,132 +8638,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8639,227 @@ interface(`files_search_spool',`
 ##	</summary>
 ## </param>
 #
@ -17510,7 +17514,7 @@ index f962f76..89768e5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6519,53 +8866,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8867,17 @@ interface(`files_spool_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -17568,7 +17572,7 @@ index f962f76..89768e5 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6573,10 +8884,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8885,10 @@ interface(`files_polyinstantiate_all',`
 ##	</summary>
 ## </param>
 #
@ -36598,7 +36602,7 @@ index 79a45f6..e69fa39 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..528f36a 100644
+index 17eda24..5559333 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37735,7 +37739,7 @@ index 17eda24..528f36a 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1405,60 @@ optional_policy(`
+@@ -857,21 +1405,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37743,6 +37747,7 @@ index 17eda24..528f36a 100644
 +	virt_stream_connect(init_t)
 +	virt_noatsecure(init_t)
 +	virt_rlimitinh(init_t)
+	virt_transition_svirt_sandbox(init_t, system_r)
 +')
 +
 +optional_policy(`
@ -37751,6 +37756,7 @@ index 17eda24..528f36a 100644
 +	virt_manage_lib_files(initrc_t)
 	virt_stream_connect(initrc_t)
 -	virt_manage_virt_cache(initrc_t)
+	virt_transition_svirt_sandbox(initrc_t, system_r)
 +')
 +
 +# Cron jobs used to start and stop services
@ -37797,7 +37803,7 @@ index 17eda24..528f36a 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1474,10 @@ optional_policy(`
+@@ -887,6 +1476,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37808,7 +37814,7 @@ index 17eda24..528f36a 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1488,218 @@ optional_policy(`
+@@ -897,3 +1490,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 183%{?dist}
+Release: 184%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -653,6 +653,19 @@ exit 0
 %endif

 %changelog
+* Tue Apr 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-184
+- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
+- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
+- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
+- Make virt_use_pcscd boolean off by default.
+- Create boolean to allow virtual machine use smartcards. rhbz#1029297
+- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754
+- Allow mongod log to syslog.
+- Allow nsd daemon to create log file in /var/log as nsd_log_t
+- unlabeled_t can not be an entrypoint.
+- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909
+- Add new permissions stop/start to class system. rhbz#1324453
+
 * Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183
 - Allow modemmanager to talk to logind
 - Dontaudit tor daemon needs net_admin capability. rhbz#1311788