- Fix virt_use_samba boolean

- Looks like all domains that use dbus libraries are now reading /dev/urandom
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
This commit is contained in:
Miroslav Grepl 2014-04-25 09:09:15 +02:00
parent 345f520dd6
commit 3f5abd2216
3 changed files with 249 additions and 119 deletions


@ -8744,7 +8744,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..806e1cc 100644
index cf04cb5..e0615d1 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8785,7 +8785,7 @@ index cf04cb5..806e1cc 100644
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@ -8827,13 +8827,14 @@ index cf04cb5..806e1cc 100644
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
+
+tunable_policy(`domain_kernel_load_modules',`
+ kernel_request_load_module(domain)
+')
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@ -8852,7 +8853,7 @@ index cf04cb5..806e1cc 100644
')
optional_policy(`
@@ -133,6 +190,9 @@ optional_policy(`
@@ -133,6 +191,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@ -8862,7 +8863,7 @@ index cf04cb5..806e1cc 100644
')
########################################
@@ -147,12 +207,18 @@ optional_policy(`
@@ -147,12 +208,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@ -8882,7 +8883,7 @@ index cf04cb5..806e1cc 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +233,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9086,6 +9087,7 @@ index cf04cb5..806e1cc 100644
+ systemd_filetrans_named_content(named_filetrans_domain)
+ systemd_filetrans_named_hostname(named_filetrans_domain)
+ systemd_filetrans_home_content(named_filetrans_domain)
+ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
+')
+
+optional_policy(`
@ -27067,7 +27069,7 @@ index 3efd5b6..0bd3a26 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..73376ca 100644
index 09b791d..ff0708e 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -27338,17 +27340,37 @@ index 09b791d..73376ca 100644
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
-tunable_policy(`authlogin_nsswitch_use_ldap',`
- files_list_var_lib(nsswitch_domain)
+systemd_hostnamed_read_config(nsswitch_domain)
+
+
tunable_policy(`authlogin_nsswitch_use_ldap',`
- files_list_var_lib(nsswitch_domain)
+ allow nsswitch_domain self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
+ corenet_tcp_connect_ldap_port(nsswitch_domain)
+ corenet_sendrecv_ldap_client_packets(nsswitch_domain)
+')
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ # Support for LDAPS
+ dev_read_rand(nsswitch_domain)
+ # LDAP Configuration using encrypted requires
+ dev_read_urand(nsswitch_domain)
+ sysnet_read_config(nsswitch_domain)
+')
+tunable_policy(`authlogin_nsswitch_use_ldap',`
miscfiles_read_generic_certs(nsswitch_domain)
sysnet_use_ldap(nsswitch_domain)
- sysnet_use_ldap(nsswitch_domain)
')
optional_policy(`
@ -27359,10 +27381,11 @@ index 09b791d..73376ca 100644
+
+optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_read_certs(nsswitch_domain)
ldap_stream_connect(nsswitch_domain)
')
')
@@ -438,6 +480,7 @@ optional_policy(`
@@ -438,6 +501,7 @@ optional_policy(`
likewise_stream_connect_lsassd(nsswitch_domain)
')
@ -27370,7 +27393,7 @@ index 09b791d..73376ca 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
@@ -456,10 +499,145 @@ optional_policy(`
@@ -456,10 +520,145 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@ -31296,7 +31319,7 @@ index 0d4c8d3..e6ffda3 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd04..d6d434a 100644
index 312cd04..3c62b4c 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -31493,7 +31516,7 @@ index 312cd04..d6d434a 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t)
@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -31517,11 +31540,12 @@ index 312cd04..d6d434a 100644
+optional_policy(`
+ bind_read_dnssec_keys(ipsec_mgmt_t)
+ bind_read_config(ipsec_mgmt_t)
+ bind_read_state(ipsec_mgmt_t)
+')
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +364,10 @@ optional_policy(`
@@ -322,6 +365,10 @@ optional_policy(`
')
optional_policy(`
@ -31532,7 +31556,7 @@ index 312cd04..d6d434a 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -335,7 +381,7 @@ optional_policy(`
@@ -335,7 +382,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@ -31541,7 +31565,7 @@ index 312cd04..d6d434a 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@ -31561,7 +31585,7 @@ index 312cd04..d6d434a 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@ -31574,7 +31598,7 @@ index 312cd04..d6d434a 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t)
@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@ -37506,7 +37530,7 @@ index 40edc18..a072ac2 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692..1c0de21 100644
index 2cea692..e094fc0 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -37843,17 +37867,22 @@ index 2cea692..1c0de21 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',`
@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',`
# Support for LDAPS
dev_read_rand($1)
+ # LDAP Configuration using encrypted requires
dev_read_urand($1)
sysnet_read_config($1)
+
+ # LDAP Configuration using encrypted requires
+ dev_read_urand($1)
+ optional_policy(`
+ ldap_read_certs($1)
+ ')
')
########################################
@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',`
@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@ -37861,7 +37890,7 @@ index 2cea692..1c0de21 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',`
@@ -796,3 +1005,115 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@ -37978,7 +38007,7 @@ index 2cea692..1c0de21 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..b0a854f 100644
index a392fc4..f1782ee 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -38208,7 +38237,7 @@ index a392fc4..b0a854f 100644
vmware_append_log(dhcpc_t)
')
@@ -264,12 +312,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
@@ -264,12 +312,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@ -38225,6 +38254,7 @@ index a392fc4..b0a854f 100644
+can_exec(ifconfig_t, ifconfig_exec_t)
+
+manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
+allow ifconfig_t ifconfig_var_run_t:file mounton;
@ -38232,7 +38262,7 @@ index a392fc4..b0a854f 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
@@ -279,14 +338,31 @@ kernel_rw_net_sysctls(ifconfig_t)
@@ -279,14 +339,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@ -38249,7 +38279,8 @@ index a392fc4..b0a854f 100644
+dev_unmount_sysfs_fs(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
+domain_read_all_domains_state(ifconfig_t)
+
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
+
+files_dontaudit_rw_inherited_pipes(ifconfig_t)
@ -38257,14 +38288,14 @@ index a392fc4..b0a854f 100644
+files_dontaudit_read_root_files(ifconfig_t)
+files_rw_inherited_tmp_file(ifconfig_t)
+files_dontaudit_rw_var_files(ifconfig_t)
+
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -299,24 +375,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
@@ -299,33 +377,50 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@ -38292,8 +38323,13 @@ index a392fc4..b0a854f 100644
+userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
+optional_policy(`
+ hostname_exec(ifconfig_t)
+')
+
ifdef(`distro_ubuntu',`
@@ -325,7 +399,22 @@ ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ifconfig_t)
')
')
@ -38316,7 +38352,7 @@ index a392fc4..b0a854f 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
@@ -336,7 +425,11 @@ ifdef(`hide_broken_symptoms',`
@@ -336,7 +431,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@ -38329,7 +38365,7 @@ index a392fc4..b0a854f 100644
')
optional_policy(`
@@ -350,7 +443,15 @@ optional_policy(`
@@ -350,7 +449,15 @@ optional_policy(`
')
optional_policy(`
@ -38346,7 +38382,7 @@ index a392fc4..b0a854f 100644
')
optional_policy(`
@@ -371,3 +472,13 @@ optional_policy(`
@@ -371,3 +478,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@ -38417,10 +38453,10 @@ index 0000000..916c8ed
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..8bca1d7
index 0000000..24b2af3
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1440 @@
@@ -0,0 +1,1458 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@ -38792,6 +38828,24 @@ index 0000000..8bca1d7
+
+######################################
+## <summary>
+## Dontaudit attempts to write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_sessions_t;
+ ')
+
+ dontaudit $1 systemd_logind_sessions_t:fifo_file write;
+')
+
+######################################
+## <summary>
+## Write systemd inhibit pipes.
+## </summary>
+## <param name="domain">
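Review bot: The one line this commit adds to domain.te, `systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)`, suppresses denied fifo writes to systemd_logind_sessions_t for every domain in the policy, which also hides the case where a confined service genuinely tries to write to a logind session pipe it was never meant to touch. The rule deserves a why-comment beside it so the next reader knows it is deliberate noise reduction rather than an oversight, e.g. `# logind session pipes are inherited by many services; silence the write denials instead of auditing every domain` — this is my reading of the intent, since the commit message does not explain it. That call sits inside an optional_policy block whose opening line is outside the hunk. The new interface at the end of this section only dontaudits `fifo_file write`, so a domain that opens such a pipe itself would still be denied and logged on the `open` check; stating that in the interface's `<summary>` would make the "inherited" scope explicit.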


@ -19874,7 +19874,7 @@ index dda905b..ccd0ba9 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
index 62d22cb..2b84a85 100644
index 62d22cb..89671dd 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@ -19999,7 +19999,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -103,91 +129,82 @@ template(`dbus_role_template',`
@@ -103,91 +129,84 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
@ -20021,6 +20021,8 @@ index 62d22cb..2b84a85 100644
- files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+
+ dev_read_urand($1)
+ # For connecting to the bus
files_search_pids($1)
@ -20123,7 +20125,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',`
@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',`
## </summary>
## </param>
#
@ -20148,7 +20150,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -211,57 +231,39 @@ interface(`dbus_session_bus_client',`
@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',`
## </summary>
## </param>
#
@ -20220,7 +20222,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -269,15 +271,19 @@ interface(`dbus_spec_session_bus_client',`
@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',`
## </summary>
## </param>
#
@ -20246,7 +20248,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -285,44 +291,52 @@ interface(`dbus_send_session_bus',`
@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',`
## </summary>
## </param>
#
@ -20313,7 +20315,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -330,18 +344,18 @@ interface(`dbus_send_spec_session_bus',`
@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',`
## </summary>
## </param>
#
@ -20337,7 +20339,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -349,20 +363,18 @@ interface(`dbus_read_config',`
@@ -349,20 +365,18 @@ interface(`dbus_read_config',`
## </summary>
## </param>
#
@ -20363,7 +20365,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -370,26 +382,20 @@ interface(`dbus_read_lib_files',`
@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',`
## </summary>
## </param>
#
@ -20396,7 +20398,7 @@ index 62d22cb..2b84a85 100644
## <param name="domain">
## <summary>
## Type to be used as a domain.
@@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',`
@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',`
## </param>
## <param name="entry_point">
## <summary>
@ -20506,7 +20508,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',`
@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',`
## </summary>
## </param>
#
@ -20530,7 +20532,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',`
@@ -498,98 +492,80 @@ interface(`dbus_connect_system_bus',`
## </summary>
## </param>
#
@ -20657,7 +20659,7 @@ index 62d22cb..2b84a85 100644
## </summary>
## <param name="domain">
## <summary>
@@ -597,28 +571,49 @@ interface(`dbus_use_system_bus_fds',`
@@ -597,28 +573,49 @@ interface(`dbus_use_system_bus_fds',`
## </summary>
## </param>
#
@ -22165,7 +22167,7 @@ index c697edb..31d45bf 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
index 98a24b9..36e32aa 100644
index 98a24b9..5b576ff 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@ -22194,23 +22196,39 @@ index 98a24b9..36e32aa 100644
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t)
@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
-miscfiles_read_localization(dhcpd_t)
-
+sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',`
sysnet_use_ldap(dhcpd_t)
')
userdom_dontaudit_search_user_home_dirs(dhcpd_t)
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
tunable_policy(`dhcpd_use_ldap',`
- sysnet_use_ldap(dhcpd_t)
+ allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ corenet_tcp_sendrecv_generic_if(dhcpd_t)
+ corenet_tcp_sendrecv_generic_node(dhcpd_t)
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+ corenet_tcp_connect_ldap_port(dhcpd_t)
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ ldap_read_certs(dhcpd_t)
+')
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')
optional_policy(`
+ # used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
@ -24089,10 +24107,10 @@ index 0000000..1048292
+')
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..acaabd3
index 0000000..4b54a05
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,267 @@
@@ -0,0 +1,268 @@
+policy_module(docker, 1.0.0)
+
+########################################
@ -24319,6 +24337,7 @@ index 0000000..acaabd3
+modutils_domtrans_insmod(docker_t)
+
+systemd_status_all_unit_files(docker_t)
+systemd_start_systemd_services(docker_t)
+
+userdom_stream_connect(docker_t)
+userdom_search_user_home_content(docker_t)
@ -28246,10 +28265,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
index 0000000..e6a1c7c
index 0000000..7f1639a
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,101 @@
@@ -0,0 +1,105 @@
+policy_module(gear, 1.0.0)
+
+########################################
@ -28277,7 +28296,7 @@ index 0000000..e6a1c7c
+#
+# gear local policy
+#
+allow gear_t self:capability chown;
+allow gear_t self:capability { chown net_admin fowner dac_override };
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
@ -28351,6 +28370,10 @@ index 0000000..e6a1c7c
+optional_policy(`
+ docker_stream_connect(gear_t)
+')
+
+optional_policy(`
+ openshift_manage_lib_files(gear_t)
+')
diff --git a/geoclue.fc b/geoclue.fc
new file mode 100644
index 0000000..a97f14f
@ -28946,11 +28969,20 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
index 5cd0909..a304d35 100644
index 5cd0909..1464b4d 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
@@ -5,10 +5,16 @@ policy_module(glance, 1.1.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
attribute glance_domain;
-type glance_registry_t, glance_domain;
@ -28959,7 +28991,7 @@ index 5cd0909..a304d35 100644
init_daemon_domain(glance_registry_t, glance_registry_exec_t)
type glance_registry_initrc_exec_t;
@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t)
type glance_registry_tmp_t;
files_tmp_file(glance_registry_tmp_t)
@ -28972,7 +29004,7 @@ index 5cd0909..a304d35 100644
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t)
# Common local policy
#
@ -28980,7 +29012,7 @@ index 5cd0909..a304d35 100644
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@ -29011,6 +29043,15 @@ index 5cd0909..a304d35 100644
-
sysnet_dns_name_resolve(glance_domain)
+tunable_policy(`glance_use_fusefs',`
+ fs_manage_fusefs_dirs(glance_domain)
+ fs_manage_fusefs_files(glance_domain)
+ fs_read_fusefs_symlinks(glance_domain)
+ fs_getattr_fusefs(glance_domain)
+')
+
+
+
+optional_policy(`
+ mysql_read_db_lnk_files(glance_domain)
+')
@ -29018,7 +29059,7 @@ index 5cd0909..a304d35 100644
########################################
#
# Registry local policy
@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@ -29033,7 +29074,7 @@ index 5cd0909..a304d35 100644
logging_send_syslog_msg(glance_registry_t)
@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@ -43398,10 +43439,10 @@ index 0000000..8d0e473
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
index 0000000..6568bfe
index 0000000..f5b98e6
--- /dev/null
+++ b/mock.if
@@ -0,0 +1,310 @@
@@ -0,0 +1,311 @@
+## <summary>policy for mock</summary>
+
+########################################
@ -43457,6 +43498,7 @@ index 0000000..6568bfe
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
@ -43714,10 +43756,10 @@ index 0000000..6568bfe
+')
diff --git a/mock.te b/mock.te
new file mode 100644
index 0000000..fc64201
index 0000000..1bf717f
--- /dev/null
+++ b/mock.te
@@ -0,0 +1,276 @@
@@ -0,0 +1,277 @@
+policy_module(mock,1.0.0)
+
+## <desc>
@ -43912,7 +43954,7 @@ index 0000000..fc64201
+#
+# mock_build local policy
+#
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@ -43989,6 +44031,7 @@ index 0000000..fc64201
+
+libs_exec_ldconfig(mock_build_t)
+
+term_use_all_inherited_terms(mock_build_t)
+userdom_use_inherited_user_ptys(mock_build_t)
+
+tunable_policy(`mock_enable_homedirs',`
@ -79241,7 +79284,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a2..c820b6f 100644
index d32e1a2..54838ad 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@ -79262,7 +79305,7 @@ index d32e1a2..c820b6f 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
@@ -50,25 +49,49 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -50,25 +49,50 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@ -79271,6 +79314,7 @@ index d32e1a2..c820b6f 100644
+kernel_read_sysctl(rhsmcertd_t)
+
+corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
+corenet_tcp_connect_squid_port(rhsmcertd_t)
corecmd_exec_bin(rhsmcertd_t)
@ -88224,7 +88268,7 @@ index 12700b4..fde3c8d 100644
+ unconfined_domain(unconfined_sendmail_t)
')
diff --git a/sensord.fc b/sensord.fc
index 8185d5a..97926d2 100644
index 8185d5a..9be989a 100644
--- a/sensord.fc
+++ b/sensord.fc
@@ -1,5 +1,9 @@
@ -88234,7 +88278,7 @@ index 8185d5a..97926d2 100644
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0)
+/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0)
+
/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/sensord.if b/sensord.if
@ -89414,7 +89458,7 @@ index e2544e1..d3fbd78 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
index 7292dc0..41c780f 100644
index 7292dc0..ce903d6 100644
--- a/slocate.te
+++ b/slocate.te
@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
@ -89425,6 +89469,15 @@ index 7292dc0..41c780f 100644
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
@@ -71,3 +70,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
+
+optional_policy(`
+ mock_getattr_lib(locate_t)
+')
+
diff --git a/slpd.if b/slpd.if
index ca32e89..98278dd 100644
--- a/slpd.if
@ -91463,7 +91516,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
index cc58e35..c76586c 100644
index cc58e35..4f35a1b 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@ -91937,17 +91990,17 @@ index cc58e35..c76586c 100644
allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
-
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
-
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@ -92130,7 +92183,7 @@ index cc58e35..c76586c 100644
')
optional_policy(`
@@ -455,7 +533,12 @@ optional_policy(`
@@ -455,7 +533,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@ -92141,10 +92194,15 @@ index cc58e35..c76586c 100644
+ tunable_policy(`spamd_enable_home_dirs',`
+ razor_manage_user_home_files(spamd_t)
+ ')
+')
+
+optional_policy(`
+ spamassassin_filetrans_home_content(spamd_t)
+ spamassassin_filetrans_admin_home_content(spamd_t)
')
optional_policy(`
@@ -463,9 +546,9 @@ optional_policy(`
@@ -463,9 +551,9 @@ optional_policy(`
')
optional_policy(`
@ -92155,7 +92213,7 @@ index cc58e35..c76586c 100644
')
optional_policy(`
@@ -474,32 +557,32 @@ optional_policy(`
@@ -474,32 +562,32 @@ optional_policy(`
########################################
#
@ -92198,7 +92256,7 @@ index cc58e35..c76586c 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
@@ -508,25 +591,21 @@ dev_read_urand(spamd_update_t)
@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@ -95958,7 +96016,7 @@ index 5406b6e..dc5b46e 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
index d010963..5ecc3bf 100644
index d010963..3822bc7 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@ -95970,8 +96028,11 @@ index d010963..5ecc3bf 100644
allow tgtd_t self:capability2 block_suspend;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
@@ -58,13 +58,13 @@ kernel_read_system_state(tgtd_t)
@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
kernel_read_system_state(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
-corenet_all_recvfrom_unlabeled(tgtd_t)
@ -95985,7 +96046,7 @@ index d010963..5ecc3bf 100644
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_client_packets(tgtd_t)
@@ -72,16 +72,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
dev_read_sysfs(tgtd_t)
@ -101047,7 +101108,7 @@ index facdee8..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..fe84861 100644
index f03dcf5..25f4104 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,212 @@
@ -101909,7 +101970,7 @@ index f03dcf5..fe84861 100644
tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_dirs(virtd_t)
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
@ -102020,16 +102081,7 @@ index f03dcf5..fe84861 100644
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
-
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
@ -102047,17 +102099,30 @@ index f03dcf5..fe84861 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
+
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
-
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@ -102089,18 +102154,15 @@ index f03dcf5..fe84861 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+dontaudit virt_domain virt_tmpfs_type:file { read write };
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@ -102132,7 +102194,7 @@ index f03dcf5..fe84861 100644
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
@ -102221,7 +102283,7 @@ index f03dcf5..fe84861 100644
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
+')
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 47%{?dist}
Release: 48%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -588,6 +588,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Apr 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-48
- Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/urand
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
* Wed Apr 23 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-47
- mongod should not be a part of cloudforms.pp
- Fix labeling in snapper.fc