* Tue Aug 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-76

- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Add a port definition for shellinaboxd - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories - Allow thumb_t to read/write video devices - fail2ban 0.9 reads the journal by default. - Allow sandbox net domains to bind to rawip socket
2014-08-26 17:39:34 +02:00 · 2014-08-26 17:39:34 +02:00 · 45b429ef46
commit 45b429ef46
parent f9cc8e052f
3 changed files with 42 additions and 23 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5461,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..9ae3918 100644
+index b191055..68b9da6 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5721,7 +5721,7 @@ index b191055..9ae3918 100644
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +267,78 @@ network_port(postgrey, tcp,60000,s0)
+@@ -213,68 +267,79 @@ network_port(postgrey, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@ -5758,6 +5758,7 @@ index b191055..9ae3918 100644
 +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
 network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
 +network_port(sge, tcp,6444,s0, tcp,6445,s0)
+network_port(shellinaboxd, tcp,4200,s0)
 network_port(sieve, tcp,4190,s0)
 network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
 network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
@ -5811,7 +5812,7 @@ index b191055..9ae3918 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +352,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +353,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5838,7 +5839,7 @@ index b191055..9ae3918 100644
 
 ########################################
 #
-@@ -333,6 +401,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +402,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5847,7 +5848,7 @@ index b191055..9ae3918 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +415,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +416,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -44850,10 +44851,10 @@ index 5fe902d..fcc9efe 100644
 +	rpm_transition_script(unconfined_service_t, system_r)
 ')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..8f5380f 100644
+index db75976..1ee08ec 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,34 @@
+@@ -1,4 +1,36 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@ -44877,6 +44878,8 @@ index db75976..8f5380f 100644
 +HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 +HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 +HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
+HOME_DIR/\.tmp			-d	gen_context(system_u:object_r:user_tmp_t,s0)
+HOME_DIR/tmp			-d	gen_context(system_u:object_r:user_tmp_t,s0)
 +
 +/tmp/\.X0-lock		--	gen_context(system_u:object_r:user_tmp_t,s0)
 +/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
@ -44890,7 +44893,7 @@ index db75976..8f5380f 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..c198c77 100644
+index 9dc60c6..ce8b28d 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -48183,7 +48186,7 @@ index 9dc60c6..c198c77 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4482,1684 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4482,1686 @@ interface(`userdom_dbus_send_all_users',`
 	')
 
 	allow $1 userdomain:dbus send_msg;
@ -48206,7 +48209,7 @@ index 9dc60c6..c198c77 100644
 +	')
 +
 +	allow $1 userdomain:process rlimitinh;
- ')
+')
 +
 +########################################
 +## <summary>
@ -49669,6 +49672,7 @@ index 9dc60c6..c198c77 100644
 +            type home_bin_t;
 +            type audio_home_t;
 +            type home_cert_t;
+            type user_tmp_t;
 +    ')
 +
 +    userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
@ -49677,6 +49681,8 @@ index 9dc60c6..c198c77 100644
 +    userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
 +    userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
 +    userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
+    userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
+    userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
 +')
 +
 +########################################
@ -49866,10 +49872,9 @@ index 9dc60c6..c198c77 100644
 +	optional_policy(`
 +		samhain_run($1, $2)
 +	')
-+')
-+
+ ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..6c2695d 100644
+index f4ac38d..7f49cde 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@ -49958,7 +49963,7 @@ index f4ac38d..6c2695d 100644
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
-@@ -70,26 +83,392 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,394 @@ ubac_constrained(user_home_dir_t)
 
 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -50131,6 +50136,8 @@ index f4ac38d..6c2695d 100644
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
+userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp")
+userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
 +
 +optional_policy(`
 +	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -26998,7 +26998,7 @@ index 50d0084..94e1936 100644
 
 	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..a743483 100644
+index cf0e567..9ebb247 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@ -27026,12 +27026,13 @@ index cf0e567..a743483 100644
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
 
-@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
+@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
 +logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
 +logging_dontaudit_search_audit_logs(fail2ban_t)
 
 -miscfiles_read_localization(fail2ban_t)
@ -27068,7 +27069,7 @@ index cf0e567..a743483 100644
 	iptables_domtrans(fail2ban_t)
 ')
 
-@@ -118,6 +129,10 @@ optional_policy(`
+@@ -118,6 +130,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -27079,7 +27080,7 @@ index cf0e567..a743483 100644
 	shorewall_domtrans(fail2ban_t)
 ')
 
-@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +147,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
@ -98911,10 +98912,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..ebb001b
+index 0000000..bc96302
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,158 @@
+@@ -0,0 +1,160 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -98990,6 +98991,8 @@ index 0000000..ebb001b
 +dev_read_urand(thumb_t)
 +dev_dontaudit_rw_dri(thumb_t)
 +dev_rw_xserver_misc(thumb_t)
+dev_read_video_dev(thumb_t)
+dev_write_video_dev(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
 +domain_dontaudit_read_all_domains_state(thumb_t)
@ -103604,7 +103607,7 @@ index facdee8..c43ef2e 100644
 +	typeattribute $1 sandbox_caps_domain;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..eef3cb7 100644
+index f03dcf5..329e056 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,227 @@
@ -105568,7 +105571,7 @@ index f03dcf5..eef3cb7 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1508,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1508,219 @@ kernel_read_network_state(virt_bridgehelper_t)
 
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 
@ -105774,6 +105777,7 @@ index f03dcf5..eef3cb7 100644
 +
 +corenet_tcp_bind_generic_node(sandbox_net_domain)
 +corenet_udp_bind_generic_node(sandbox_net_domain)
+corenet_raw_bind_generic_node(sandbox_net_domain)
 +corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
 +corenet_udp_sendrecv_all_ports(sandbox_net_domain)
 +corenet_udp_bind_all_ports(sandbox_net_domain)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 75%{?dist}
+Release: 76%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,14 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Tue Aug 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-76
+- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
+- Add a port definition for shellinaboxd
+- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
+- Allow thumb_t to read/write video devices
+- fail2ban 0.9 reads the journal by default.
+- Allow sandbox net domains to bind to rawip socket
+
 * Fri Aug 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-75
 - Allow haproxy to read /dev/random and /dev/urandom.
 - Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.