From 465d71cd8dccfacdba633f1b0995df3b827a1377 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 20 Oct 2017 11:27:02 +0200 Subject: [PATCH] * Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297 - Fix typo in virt file contexts file - allow ipa_dnskey_t to read /proc/net/unix file - Allow openvswitch to run setfiles in setfiles_t domain. - Allow openvswitch_t domain to read process data of neutron_t domains - Fix typo in ipa_cert_filetrans_named_content() interface - Fix typo bug in summary of xguest SELinux module - Allow virtual machine with svirt_t label to stream connect to openvswitch. - Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t --- container-selinux.tgz | Bin 7151 -> 7147 bytes policy-rawhide-contrib.patch | 153 ++++++++++++++++++++++------------- selinux-policy.spec | 12 ++- 3 files changed, 110 insertions(+), 55 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 4ee15e8d85d43efa72388399d9b98f16705d7942..5d202570ea2c8da871b62361de046cbdb7930670 100644 GIT binary patch delta 6520 zcmb8dg+JU60{~#LF$|N_Ha*S!*u8r+-QD&64e#@L zP6Q4F0NThmC|50ex+v&Jh6k}L{0ZapdmZ9c=w3`!)`!kCKbcz~QZAjV5cHtc*T+3u z6}d?>t4ot?2|hH|UN6_BtRP8M2C3rN7<@3AtZ!Zk?GUn5hdn8$2HXSxzJK8MFdH$Y z|9uU3;dpL;SZ`_A=gPYgZEbtHF7-TFdvbaJo}WBLKdiRgG&G#FV! zBNn=Cdp?t{Do5$%x^f8?<$S*S6oF@-lT|1+aXgFZoZ2H=5pgBGjvG+cEjSuXHwqO6 z+DtUKo`nb3t$heWbhSWC&J#&u`Vc9oS-wJ+KnV7WQNC2#%rdteCjiaYormNoURdDX z5&SKk?9~ubb3tKX@6n5P` z2iL=JPi4fo?dUegqLEge;xjJ_Ck~w*1K$L$$%+)(`Jc(b1?>Ds$(Gub1QuQyufcfU zA&JdNLN5F8G!9SIB{>FiUExxuVu^oMJvM*d+Y$CNtd($9U%akT3%ngUast9R_=1E5 zo1_+0X8t2_)T*p7nKN^zN^OfF*;^|jC%LoSV+zksQPrQbnNrwoEhJz#u~uQH6$6F* zm*5eU_ZVEcmI?-a6G4x`e=*RO%@F8pRIJS-Aa}Lh-^8iJFoqS`L2JRsYUp*F zd@u0d5iKVeMpYH2k*Ml#}kzl+GHkv`Nb z?oth&4i*meH`O8o_=A98eAojQ-@db~LkWXi!zaFXcHcF$6S@**y!*=}KD@-=PhstJ zZ3zCdv`YKv5p=@8;dy%XX$%}5MvE{=xXySRZfid(vZkLk_}_v4?TN_a%~6eSyz%qX4wpp+ zV|1I`hK-<_KMOk%-najV_<>gzevOS0xw88ZsTgk38dv=v3gduc+NNrnV%_ZC37*ta z!fi{K*#gg+MtGEtUH*3?X59!%^*9aerwGI=VJs^|*>XalHg~mfzYbxTc~u(=d*1Fo9OBd0Q7@kwMROw(!kl$_yUa6S{7~vb zj1e0fz&$4kq0JFdcT??G`DGar6_F|}X#PgupTu;dBOxb)&Q_r(or;b*OxEm#)OJ+V z=t9km?N%VT=24#|ukF>^9y$Y?C!Uri2VCWFM0oN6#TX#I%VERA=8&gPXvH%c^qlX! 
zLE7>w8A#t;h*A7A!j}tC-pL9qsYJF$)DXiwL4>8tXpE_hlwqpU7YwDpv)0Kbo;`qSPPv`8Q6X5M#nfmg4d?VDSa zenA*jZve|_etGn%0DG}fL7U;jbqdC+H|%!B7{q~!cZuxk{$UYvM?p@EhqN`P-rl{- zuRr$GkE-)v{zR(vl(gY(2y-mxg+Mav*Lz6W0^K-_QI_Hh{?xF9_)D-->)d^K`)v}y zhLLI{q|YViJ@s5!Yf;PyRL#`34MtHKMDC8# z4#iGxox-jU4!wYft-^}8W63KIC4()PbR7GZryF+3rm;37bzwCLLEW|pu)Y`C%TGeW zEmJpCE-ihUMZqdAg1N4HlzeQjr@<(3S1oMvo+U+oM0?tSgkG`~$Y$CFww>cbV^>~H z0U)Fzo5zHD3~_e%w%-eFxEB2Nf}w_tEXyq9&3}l_lJ%5IsYa#rYfiI@3mgTz^Ai0E zYEtGmcr$z!>aGxV<{FvTAFFnaViFy=BA%A~D8%JqKP=On%l18ZVBl^yg>qj2UeN0UYla)jWoddY@pUpn6E4k3Sq*Iy3D^IC(cK{=M z&guK>k@+)Q=CUBuvmZZq>@c9Oi_)vIX2&(LW-Vd1OYFW}R_mo~hR!=irB1~GQ8Cm= z_pjA+D!=-o9Q6yGy1@aNBtmeRmKl_9Iy=GT`@Yj+w|M)e)% z5s$aaWY?vVacO2Xx4HA+vX*f}I$p}C6&gC2)Z-9^UNwcFjFohVeT3X!rXN#99Y3+} z?m3b*Gk#1n2MYt)?-OzB^&nQs%x;g^;~zAfdE4u}EEBCg?NoNu=jBq$9)MpE1_E!C zNk&4$AsH}v{~lMN;c7GPf#DQ3OxSLY+wriGN6(l1zlEDgZuHbXBoC+RimZj<1%H>e zOvNlL_S>KjUQv}B1C_>}wfnj2+o*y6lKQewFT+Bu%%S?`!uQIN{z1Qwj#BbDE@RuF z0ZMGQJdBV;^2CEq?HnTP#Ha*aSModf=Tnl&Q8YW!d708U%0kiEzh5lZ+kTRxg8-@3?YcHjINc^;Lkrw~qGM~J@yjrC<@ zQDf6t3oi@j#i#H|sd9YgmAMdf)Z)m?cXuWyK=B2>bKj&QZIh6V+14hYJ{vs%>d!3) z6?{213r}@YYnf?M00*O;)AO!g?5ml(L_N1sjH29ruYdapWPiNY$r$u90d-o%ydtE2 zhHp4h>R0CA2^?x}8`*+rr&ZiHz_fnglDh3|C|<2vO!a-!C7xWLccPz{jU-t&4(%$) zV+T31;=a5y@^R!{l<(nXb>4ecB5@;eXuS84ODFgpUs(zI*;H){Nu~s`tUO@6&)%3+ zu>57w=s5|PfHj02Q6HNcol~MVqVx{1OH|DRl&x4!^MiRE%AUSD-a{zU<6q5N3j28b z?aN?07K%mFV3X%JwLkaFPk-63Dc}H5i)DOOozOHs`Q@E|=I@S12Iv}<#ZZ^JJ5Iyw zp>P|j%^N9l%mqHTpYktDd7-U<82 zZtXFzU5R%B_IV<s{MRM=hMFm@i_aV$uj{{*q%d=M|~w`rWt>Rr~2t56$qr|>1> zK(8WF+~?ElVKtrEs$js035sB!NKw}?Va^qA1p639I5i^Su`T%*C>FV&s#yET78Bl7)G+X8H* zU%S!svZ&BLZOx$CCPR%zOL;$|r=)-0(U^}ZAg62HXPp3<8Sb%uKb1Awg=sHltaq)H z2v#%Ub5Lg9wWrah(0%dF{RdrBkaOs=657<|j;wg`BWKQhLoZrIWwm_;gU{0UbvV=eswT#FYit)c5U z%W?25Cf4Q_dg^23KOU^>b@a?32SVa+6N!tcW4)bMf6`IBkqLi?8W`u$DQ^CA&Gli& z*B$*l(BZ0+DP|ZnW{HNPM9b}vYbpB8YiDSJTr(s!p9rfMO}aF)Ks-yiupj6T8p$T; zDUcZ@YZpn&y6S6P7bfs+M)L3k4_!dG0@jfG|D}N^l61EQNvWF@+}%p=k+k$)FM>{= 
zhd+HLs3uZM9k7TFkfQ;OB=$?fnrc9+O|eLWCdb*};NqT;S;blXZB3c}j@?n;&(f)E zt-C9Kk%3>ET)j*sEmWh4~YjI2HBhijJ~HUn{OD@7AU8-;nya(059efnfvi=xZxM8hptUP!%M4 zLXdcj;0`2XWY~TvYEp4%l%2 z4_G?{0vM8Q3)sAFzm+0#I@2JN6ddL56wH^Ht{d0gA3HL0Qq@EBL+6cN83V_$sAU|R z2An|Ez(2=2`HgRf5|}&)KYtoi?6~$A)MXTWYL+$;mOu4%$9{f^GE9H6Vlf$ZcD=Mc z+b6C50KNv*tyIUjh&ftnqXsbsGu{}!m_CNZj3z~M>deKvOhl2uRO1{%pLbx4R>(@; z`#W1oQl$M?Gq$^@IKCs8o8Xgld0^(ebw&>hs%5`@IYF;cJ=yPt0btWjN5@4l<%TuVX5mac4rw8 zivByt1BMbZI>i({^!bNd=sD63glEp0cqwd*6euTqWmfao>`4`=?T?HKr;wgsII32?%;&*b5 z5v9ki@)V`zLb9@Yb$8HU$?r6AWeLpUfGH*!Bk=}OB@2x_bmq-9QS;rrO9DF@kn@<~ zX!#GJn19-`#Lk@{wnP3L5vZZU$d8GlG zW49lXEnTddqbgys_Qks`zG9-0#sygebIW?{KnNL~>5p|l|IVW_V7BlW^v~zPMb&)cGk-?Ah;1FJ!YI$39Ak!gI? zl4m`PgxXOB{VTrd>-^Kd&XvJQD;}DK!<`-F7#KK092YB}!?pbGQ8Myd0rq34%3A|T zg^k^qHWl@1cDuiothY8FneM41(@6O*$Z^DMhP~6~hUlYGyx=*NW#WBDkL(98V#gQu zm=yf|blvo+Xv#+Afo2t2T$n_nDkbb5z?%|XwmPL>W@X#G zPlC$tu?LL3295x-S z_Qs9*9G425noz>=fh8ODc2gswtr=!nh`C>^W!0}+>+*v;qddb?kW7kakScwv-5QO` zN(=GSNAg%{1T&2GCB`2FW_Uvr3m2q6h7Et^8BSS&>-;13#3#2oQHnk=pY86Q_m$=x zjsk)PuN*G_j*6fD)#t?7T5mpe`9XTz!UfvhxG`p53!=~kj$@v_5K}uSG===9=oE0n zWMMqd*+n)Qk}$J1#2P_-BS~;O@Me1_=hM(Y+YQ6sC|2dHbxU%WGW((B^(gXp-r<9O zR#_)M+Rmcgqmqru#Nw6!sQKLRES!v4N&-3N6c;jnqK&m;B|`1Ir}R}c-o7Y8ym zGymg^*ooqBj|pZh8MiXTX9|{P-Mm?mifE;o$E-G%MV=Z`HG^HyCKtQ8&N=ij6IEA* zLWswc&?-4U59|94mvdtv+=DA+Zv81oQF$(szI+|Pdta)u*5yq$I{l7V@4MNh2`Wd< zYI5k+BV;%_uftUpXI?dQ$xUi(lYY2?)PfrGHD9x}$2o(*9WS116p8Yz5F#*NzM)9E z1P8$lSM+Gny3#0})B%y1A2qJ&FW=;T{_*Q_nwv7o6&=evA5G?he%fX0v0?Fqbw0}M5_FDuGB6d%Rv1s^kjtv15Q4+zmW%|yIy9FBb;)|lQ;XJyY9yV1S z!)lNZC5E%oSA%Tf9A7Uw+`jzjqJtfoZCQZk6gu+rkDNODTkSYjbJKgC;?ZPR*n$Ik zm41`(-(7alD{8UvE9ILa?q)n&1m0X9@>M%dI|zr!k3`y^SlEx~(T~tis(YYCe&;-5 zOQc_j5q?WH7jkzpdw?=--LzCG*s)w;a6cTKB5S)b|D}z`v@gu2{7mB~ra*DOw>043 z?7cgw&U@9;u*FEBhc3J&4mbL}o>&io^EW6mT#x1yX1GlHC>3JJD22eWkRbOlyYl>?Su{`KvP`LfWbNtkK_{k^OX=J?* zXG1EI)ZuFt$Du0BzuEr181WOvzHhC{g-6_(SseJOa0y)sp29-DpaxFZ?|9zX?&vUu zh>pZ`2zdRNWS>68W_<}-n5vSxQ?Y^wdw(`09<~+~+6@aaDBM!pNWUuS15B0GN7WN+ 
zqNcn)wMxG>up-^#vWmQ6W`t}>|G*rxCw%loV3+v4t~GYRr7BpWkJlEEWrIWHQ|c?9 zx4J3W2-iZh={&ypH4D<6!cEn`1_I@HQfBNtmzrx9K(76Ko zvL+B&-SZQ#J{40)c06xu8$VM00_>{rOQX;uzf3<5K8F^(n;t>QB|^^N?R9T_>}K{r z!|z?D{~$D~6f@$co^RM)KRR73F{R`DIuR16uU6)9X)ejW?!0awT_5h&Gp0T?bImL8 zqFUSJT7XPphVoK=BdeU(q)?s`lKFQU{^}HFd5Sn?3z4rMz=i&z{2(Q|q~fcz!vNs0uyktKYhl^8m$7WS)<3&nSe@)T*<2?sW7+od!qUktp76Y1;k~Z= zOWZJl3ju&S79FAa@vi{_@|g)Naf3f)X63j?x*pk=q2BJ)Z5JW`l!|B!(T5rb-J7@# z1nEpL{OaTMrB30*Z=)C9YNm5V6Z45lsiq-F5?^7BR_8^5$ZW{6fgoLuyjS63%P-XbSM z4mUdC1Kki#FbB}_!I=f&O1XREPvTD?NTFCJhw;b(uPNYG%J|?iQQ5Nlt8aM0k9wS& zLIC|{U!8+wDOLjH{t#jM&LSiIUXh~7W_Hcp~H zICfk(`r3Ds&Vur6C8tU7?QV1EM1{cK1c+cuBQIF{$e*9 zu+w0rmfDKoOYsgXeGYfs&axMm7DG+|y&3B%<_Yw+ss1d*BlU1R*~hFyHOr}VhznMe zGCIH-YaR5QBNpI0BPQlm#nG2xo(5RmjNnJ4p+8p+s$?vKP_qQ!^=iKusjUbK7pQ0WMe_tn%5_3i$$!ON?xoPbgNf)i$~7gMFPuU3O|&MJ&_|uT zEemmlM^bWanS(NYD<-T5`$?eeN1D;RaHfWaX0(EmR-(Z|493BZ(vB3LiOu5oBQ{MqV(#qd?jV^J` z`A3Z!;KMkdF}Te~Fp%(AE^R$%$Rc+wJf^gf8CLrBNc|tfA4Sd^+szEDuCVC8;=?JN z6yaxbOk-c3-&@ZlEkp3wO$$Rf%%9c!UPx8bc;f~>;he)3o3bWTDRgT&Bq}eYWb*;u$yG4IGt(W@8^NV2-0`iyzqfWN9qdpozO^ELOaf@w%u7tJ11%f|G|b?;vXb5 z+4g(;wT_AxLl8#BXTDKA+~Bx7l{q<58Kw+8ZU$Sj<2V}UTb=LmZ%Q%VF_m1{9_~@O zBn;8rMwMJ|zEjH4HGj6T#;;wAlI}hPR)CVA8$$Z&&9l-C95;aM1#+O~er&BEV-st< z!nLq3&9({Bc5Ljbpd0DtG@3(5fEXj5cwRW_k6$r24C7zzw;mOs-!RjxGn`4}NvBew zx?z!4lK1POzf?A7Bc)BWKU#w{IRfThOyvHI*OsC4xS@t+#+lnsXOXyaXP%Qa+xeZm zp_X{9z*~>cxtW0T4B1VH>N+d70=yZ83s%bXvr{>(_ftKzj7;Ml|6iF#m0MB<=4Q

uXitdJHDR;5387Ob1t9g}OKr*R78xb(WHNntfmSRBeFd;q)GGsYh z)H}c~8h+H&Uk%^7+QB+oS-pC_gUy(bX4kdf>m>VtWDOT5{*0`!4^S;+IAPn+qeLuq z&9z*C z`enzC`vK7AVMkwLwiEsfEFZSQiX5}kxS1^BJqJ`=c31U!#X2c6snqirPAg>o2Tz`< zkH}ebC)NxEC>{mQZMbQBn6ONey+b0!cA)9 zfo(#!Wzz4412lxJW+T;k^%#*uC5ZWTq$)&(?)_o961w!-5QiTQKTo?eBkF2Bhw=hy z`pcfUguSCy{tg<-FcI-|+y=FYa9-(mG=PNS&l{B7npSY=O5RF!i6rPsL@dCiJsAq$ z7?1y2$@aG5kj6{-VSJl{^2zUjY&P9n1PU zm$K0j?U4lunA94buCw@gov5Vd%$lAEHf zKrXgTe|76S;A4B-*eo{}vQM;hM-?8*x;k>?r`^YQfmlbg)PHk9Kd108p-4LM|VYn+skR6YeuA9lA6 zh%+SeJjrQqY&@8d5+dC29>Hz9N9BnddAtqo*F9Ay z!&cOLbGp=86h2&oDuPvcFk^-$Da1#-taCrFS}q}Zz!cjSArPQ5LVcaZ4S=dyi*iz% z^L#;y#sSu@TH|Z>7i?Kgi*{-OPxTwG< zteuF&Z`7S0S2pJzXM2xHHt54*-cS1TnCb6nIEuzbyS&BCdC|#qmqLAySEn#$Xktps zdS<+cjFlH$aslTVK;3@IXy6X#o|EG-9>Ex4*D8bNH>?MH>s_0Z_55~4rx>)$I^_5; zw_$U^l5~$>cgmxYVbOt?6Zme>`;W_asKvEBqDQguY=jZoubN$UW_3v*3%~w_{!L3G zq~(&M%VM3*g$(V{MRORDADi;ed=I|^&4t-)xbV9?2Ed^eAsTawEboHxd8Hz!;cEyH zEd_sm+l0VdPQl`eBC4SW>eHNHW_{i>J_bIe%%73jMT-|GrY`W$~y|u83YvcMVy5lOop`0yENP)?Zb-+dLwph1?zxv0XqtLI&gxpo8BIgrl z12DqhX*BJiF7PQF>2}Ucjk3^N=y<4$nTIE2Ovppc>&!lzroXxt>FhmBNlz+F{aSjZ zYy2DwbfCKw&F5#odO3N&`P@s;H%5+9@N6qA{lFN>iCKmSBl?y*iNF21Mg1Z`Gl5{? 
zXm4twcDpL@Cb68AedjNx9!h?kcVAJ_4zMt5b7*r35wuOH_Vdm8*EN2p=t;f-xjmy# zdNDGfUzf=cE7qZ=OM>`VUvq@P>3)NKd>J|wH4vnR%5*vDGWi#ZpGL>9j_k``k-&H7Bt^ z+@BX%?-b)qR&-R}Wv-vf@=?Y9&QBEwmC`I0*g`yFtyHEVNSx z84-|^@XcpU8%3E(jlr=;3gAfnhr{rR4P9*PArIw%RbG#Ha-Z2Nxyk8*bt$qGaz?fxR*h_{irB^N;|u%(Q@TkkpznBHt481 zlfRY7-<`Hs4r-qbZ;HRO6{Z5oUWnI&<0k@Ay>Oio#Zz~2xiLWe$(0mP_-Y|_Dit0B zKzz!FKQ%06fmXlY5z%L6JEgF$pScj@5Ovdbbu;YaZ1~T;`4jltQQfM{;Cb+#7ay>F z3Wz5w^DPjH1{UhLYW|rTu#eAJ7LLb%3U7A{*hw-|pPOXrZ|-;E2&dx88`o@`|;K>48U(Q3q*$;Sa@ z!M%a)i!(hyky37ws#dXG$v1oR1oa@HFPvFIvd+K|E73{D!<85?sSerseEJFL=I3SzwdVex&I+@ zkuvNEQ~R2t>+<^NBVGy`UG;vn#&1OV_d{)h1eKEVG<;z%&NzIWzpH%6maNpzTND~_bWM|uvKBe5t)M2O&oy=LsP!$brS2m{(lhZk`zj>iEr^f zT1=vDX;QSF+8QO+R8neA^}{>)pQraf=>A4s&T0%1ind3gu2!p<)LNzZ@yr70&Eees zo;_N!Xp|;Li#1qn&E9`S^VnrMsEEN_bn1H-qgoXScvZRihL4>BE`) z#Lo-B21z@Na_)U_bs(o|T_`U)TzduAYjL{8#h;24s+z@YY1hxDJ3_zg-ZIAHVW84x zAvZ$4C^;>oFU16Od2GN6>03>fs<IjIoL=9_&d_};D)9~5Ousg5oYL$fY_@VQcdrgP^ALq@v9oTJ7@InUSf^9z7zCzY0vl%ZlcKf^awjI&oUoQTYhwivpz_a5}W%R z`bC{i3# zzuZM+daSN^(|_tv)uOppGfB=ISH{Iviyb%G=JNnd(n_DbDo?rKgL*Th%kdjitS^tT z2de7??8FFHQX($n0+UX~xleS*|HWN2VCmw$LA}JbW1BFy4$*JaI32(HoUJ3r1VE&P z>GtME;j%Y-+YK{l@$dTfl6CC{O|*nQ%af+&5Mk!-p3~5tZC1JkK@Bq>{AWhxvaZx| z+qZ!DttsltcdPODub?+v>*U8jqtbp zAJKs5Z6<6i;m+sbFM7W)sT#h^IqUqiQU47TM+pl!lnFfP;IqB5z{gP$$%-BC+5fw0 z9)dNlA0=dDwwD1dFbOOfCFo4| z4W2OJ9L^KnPE^8DfIPCCKx|XTNb_8DHgyv*y@>p>bPVPu_&LG`OF1}YljkF*k`?gz zK&}6@F^w1T_>~?sByW5<&4L_`o2?nf3Tjj0$%#abxW1aGX* zf757B{wKihxFh^SBd4}9D^T`vISjg27$V;~sg}RbU^Z-#(6C$OKOj=?c}%pV;MGSS z*)sNR zzr6VR>+is-nrx7sofzIr-lx8B+rDlX=(IxmFd*QauPF7p)kiNXKGQ61YhS>Z9;2FN z`HSno$7v=oOWGGtka}rRnka@O?{{tc+7gg>lq!HFxgy5@$V%%i{i$c#Dpf_RT9KRHS2JggH^=>o8>94&G7( zhbLat_Pkjx%nLsLR)) z%YLq(4Xq_YOzEe3>)EHM;%&*GIwHp{9Bxyr4>fPv0fkXS`1Hs|7^+`iR^E(X?tM-# z?N+buQ4`s+ZOBZe{+a=}Mr19F7vrZ%pIysir5{!7&^D8jU`@u3xj#*t1y64XZiJK! 
zzkd~RMbY^cw#w0pilcRwJX&2{O1L&4q_R%@ z=6(=Q7=6*NfhR&CZbAtHzq~T0EiIXhz5~CeV~r74-V~NxdrAUV+>&Bh9APLLdeEmH z3k`c$jU6ZZurzJ#Vzc0T@?e~y9=_jTo#9ZqTnE7VOnrcI9w{l%Cv<4|K{i45G&0q4iGL85dH_% Cgxlo+ diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9a30bf10..d16ef44e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5615,7 +5615,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..1362c1bc9 100644 +index 6649962b6..f6ac61e03 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -7836,7 +7836,7 @@ index 6649962b6..1362c1bc9 100644 - fs_exec_nfs_files(httpd_user_script_t) + read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) + read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) -+ allow httpd_t httpd_sys_content_type:file map; ++ allow httpd_t httpd_user_content_type:file map; ') tunable_policy(`httpd_read_user_content',` @@ -9212,7 +9212,7 @@ index 9078c3d85..2f6b2503e 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index b8355b32f..7137937b9 100644 +index b8355b32f..51ce1b60f 100644 --- a/avahi.te +++ b/avahi.te @@ -13,17 +13,21 @@ type avahi_initrc_exec_t; @@ -9235,7 +9235,7 @@ index b8355b32f..7137937b9 100644 # -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; -+allow avahi_t self:capability { dac_read_search setgid chown fowner kill net_admin net_raw setuid sys_chroot }; ++allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms getcap setcap }; allow avahi_t self:fifo_file rw_fifo_file_perms; @@ -40061,10 +40061,10 @@ index 000000000..74206edcb + 
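Review bot: The new capability line for avahi_t in the avahi.te hunk re-adds `dac_override` next to `dac_read_search`, and none of the changelog entries in this commit account for it. `dac_read_search` only bypasses DAC read and search checks, whereas `dac_override` also bypasses DAC write checks, so this is a broadening of a previous narrowing rather than a typo fix. If an AVC denial motivated it, the denial and the access it actually needed should be recorded in the changelog entry for this release; otherwise the earlier reduction to `dac_read_search` should stand. The apache.te hunk on the same line (`allow httpd_t httpd_user_content_type:file map;` replacing the `httpd_sys_content_type` typo) is likewise missing from the changelog, though that one narrows the rule to the type the enclosing `httpd_read_user_content` tunable is about.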
diff --git a/ipa.if b/ipa.if new file mode 100644 -index 000000000..d611c53d4 +index 000000000..72a6b78ba --- /dev/null +++ b/ipa.if -@@ -0,0 +1,309 @@ +@@ -0,0 +1,310 @@ +##

Policy for IPA services. + +######################################## @@ -40351,6 +40351,7 @@ index 000000000..d611c53d4 +interface(`ipa_cert_filetrans_named_content',` + gen_require(` + type ipa_cert_t; ++ type cert_t; + ') + + filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key") @@ -40376,10 +40377,10 @@ index 000000000..d611c53d4 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 000000000..49295fe45 +index 000000000..653c11fb3 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,275 @@ +@@ -0,0 +1,276 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -40564,6 +40565,7 @@ index 000000000..49295fe45 + +kernel_dgram_send(ipa_dnskey_t) +kernel_read_system_state(ipa_dnskey_t) ++kernel_read_network_state(ipa_dnskey_t) + +auth_use_nsswitch(ipa_dnskey_t) + @@ -69403,7 +69405,7 @@ index 9b157305b..cb00f200a 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99ab..d11c99a93 100644 +index 44dbc99ab..7bcb16c59 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -69469,7 +69471,7 @@ index 44dbc99ab..d11c99a93 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -63,35 +67,63 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) +@@ -63,35 +67,71 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -69542,6 +69544,14 @@ index 44dbc99ab..d11c99a93 100644 +optional_policy(` + plymouthd_exec_plymouth(openvswitch_t) +') ++ ++optional_policy(` ++ networkmanager_read_state(openvswitch_t) ++') ++ ++optional_policy(` ++ seutil_domtrans_setfiles(openvswitch_t) ++') 
diff --git a/openwsman.fc b/openwsman.fc new file mode 100644 index 000000000..00d0643d9 @@ -84816,10 +84826,10 @@ index 70ab68b02..b985b6570 100644 +/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) +/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) diff --git a/quantum.if b/quantum.if -index afc00688d..589a7fdde 100644 +index afc00688d..e974fad4b 100644 --- a/quantum.if +++ b/quantum.if -@@ -2,41 +2,295 @@ +@@ -2,41 +2,314 @@ ######################################## ## @@ -84845,13 +84855,12 @@ index afc00688d..589a7fdde 100644 +######################################## +## +## Allow read/write neutron pipes - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`neutron_rw_inherited_pipes',` + gen_require(` @@ -84864,13 +84873,13 @@ index afc00688d..589a7fdde 100644 +######################################## +## +## Send sigchld to neutron. -+## -+## + ## + ## ## --## Role allowed access. -+## Domain allowed access. -+## -+## + ## Domain allowed access. + ## + ## +-## +# +# +interface(`neutron_sigchld',` @@ -84886,7 +84895,8 @@ index afc00688d..589a7fdde 100644 +## Read neutron's log files. +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. ## ## @@ -84998,11 +85008,7 @@ index afc00688d..589a7fdde 100644 + gen_require(` + type neutron_var_lib_t; + ') - -- init_labeled_script_domtrans($1, quantum_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 quantum_initrc_exec_t system_r; -- allow $2 system_r; ++ + files_search_var_lib($1) + manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) + manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) 
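Review bot: The new `networkmanager_read_state(openvswitch_t)` block in the openvswitch.te hunk does not match the changelog entry "Allow openvswitch_t domain to read process data of neutron_t domains", and the `neutron_read_state` interface that this same commit adds to quantum.if is not called in any visible hunk. Either the call was meant to be `neutron_read_state(openvswitch_t)`, or both accesses are intended and the changelog should list NetworkManager as well; as written, the new interface appears dead and the stated neutron access is not granted. The `seutil_domtrans_setfiles(openvswitch_t)` block in the same hunk gives openvswitch a transition into setfiles_t, a domain whose purpose is relabelling files, so a one-line comment above the block naming what openvswitch needs relabelled would help the next reader judge whether that privilege is still required, e.g. `# openvswitch invokes setfiles on its own runtime paths (see 3.13.1-297 changelog)`.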
@@ -85022,7 +85028,11 @@ index afc00688d..589a7fdde 100644 + gen_require(` + type neutron_var_lib_t; + ') -+ + +- init_labeled_script_domtrans($1, quantum_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 quantum_initrc_exec_t system_r; +- allow $2 system_r; + files_search_var_lib($1) + manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t) +') @@ -85091,6 +85101,25 @@ index afc00688d..589a7fdde 100644 + ps_process_pattern($1, neutron_t) +') + ++####################################### ++## ++## Read neutron process state files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_read_state',` ++ gen_require(` ++ type neutron_t; ++ ') ++ ++ allow $1 neutron_t:dir search_dir_perms; ++ allow $1 neutron_t:file read_file_perms; ++ allow $1 neutron_t:lnk_file read_lnk_file_perms; ++') + +######################################## +## @@ -115158,10 +115187,10 @@ index 3d11c6a3d..3590f3ef9 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bcfc..58d0a33f2 100644 +index a4f20bcfc..95abdb144 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,111 @@ +@@ -1,51 +1,113 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -115218,6 +115247,7 @@ index a4f20bcfc..58d0a33f2 100644 +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/bin/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) 
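Review bot: The qemu-pr-helper entry added to virt.fc labels the binary `virtd_exec_t`, while the changelog for this commit says it is labelled `virt_exec_t`; one of the two should be corrected so the changelog names the entrypoint type that is actually assigned. Using `virtd_exec_t` puts qemu-pr-helper in the same entry type as virtlockd, virt-who and condor_vm-gahp in this hunk, which presumably means it will run in the libvirtd domain rather than a dedicated one, a larger privilege set than a single-purpose helper needs; worth confirming that this is the intended trade-off rather than an oversight. The following hunk labels `/var/run/qemu-pr-helper\.sock` as `virt_var_run_t`, which is consistent with that choice. The changelog also calls qemu-pr-helper a script, whereas the context entry treats it as an executable under /usr/bin; the wording should match.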
@@ -115251,6 +115281,7 @@ index a4f20bcfc..58d0a33f2 100644 +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0) -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) @@ -117537,7 +117568,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..c7a95a908 100644 +index f03dcf567..3fde9b1cd 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -118150,10 +118181,10 @@ index f03dcf567..c7a95a908 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) +- +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +allow svirt_t self:process ptrace; --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; @@ -118337,12 +118368,12 @@ index f03dcf567..c7a95a908 100644 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -118442,13 +118473,13 @@ index f03dcf567..c7a95a908 100644 +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -- --ifdef(`hide_broken_symptoms',` -- dontaudit virtd_t self:capability { sys_module sys_ptrace }; --') +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) +-ifdef(`hide_broken_symptoms',` +- dontaudit virtd_t self:capability { sys_module sys_ptrace }; +-') +- -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -118502,7 +118533,7 @@ index f03dcf567..c7a95a908 100644 ') optional_policy(` -@@ -691,99 +653,445 @@ optional_policy(` +@@ -691,99 +653,449 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -118802,6 +118833,10 @@ index f03dcf567..c7a95a908 100644 +') + +optional_policy(` ++ openvswitch_stream_connect(svirt_t) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) +') + @@ -118999,7 +119034,7 @@ index f03dcf567..c7a95a908 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1102,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1106,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -119026,7 +119061,7 @@ index f03dcf567..c7a95a908 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1122,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1126,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -119060,7 +119095,7 @@ index f03dcf567..c7a95a908 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1159,20 @@ optional_policy(` +@@ -856,14 +1163,20 @@ optional_policy(` ') optional_policy(` 
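Review bot: The added `openvswitch_stream_connect(svirt_t)` block in the virt.te hunk grants every guest process running as svirt_t connect access to openvswitch's sockets unconditionally, inside an optional_policy block but under no tunable. Elsewhere in virt.te the surrounding hunks gate guest access to host resources behind booleans such as `virt_use_nfs` and `virt_use_fusefs`, and a connection from a VM domain into the host's virtual switch is the same kind of guest-to-host crossing. Unless every svirt_t guest is expected to need this, consider wrapping the call in a `tunable_policy(...)` block keyed on a new boolean (name to be chosen) so that deployments without openvswitch-backed guests can keep the isolation. The optional_policy block is complete within the hunk, so the change is local.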
@@ -119082,7 +119117,7 @@ index f03dcf567..c7a95a908 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1197,66 @@ optional_policy(` +@@ -888,49 +1201,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -119167,7 +119202,7 @@ index f03dcf567..c7a95a908 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1268,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1272,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -119187,7 +119222,7 @@ index f03dcf567..c7a95a908 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,15 +1289,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,15 +1293,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -119206,7 +119241,7 @@ index f03dcf567..c7a95a908 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -982,186 +1303,307 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -982,186 +1307,307 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -119643,7 +119678,7 @@ index f03dcf567..c7a95a908 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1620,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -119658,7 +119693,7 @@ index f03dcf567..c7a95a908 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1634,7 @@ optional_policy(` +@@ -1192,7 +1638,7 @@ optional_policy(` ######################################## # 
@@ -119667,7 +119702,7 @@ index f03dcf567..c7a95a908 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1643,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1647,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -122822,6 +122857,16 @@ index 0928c5d6a..99a430031 100644 miscfiles_read_fonts(xfs_t) userdom_dontaudit_use_unpriv_user_fds(xfs_t) +diff --git a/xguest.if b/xguest.if +index 4f1d07d71..5c819abe8 100644 +--- a/xguest.if ++++ b/xguest.if +@@ -1,4 +1,4 @@ +-## Least privledge xwindows user role. ++## Least privileged xwindows user role. + + ######################################## + ## diff --git a/xguest.te b/xguest.te index a64aad347..12dc86b2f 100644 --- a/xguest.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 2a92476a..93460779 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 296%{?dist} +Release: 297%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -722,6 +722,16 @@ exit 0 %endif %changelog +* Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297 +- Fix typo in virt file contexts file +- allow ipa_dnskey_t to read /proc/net/unix file +- Allow openvswitch to run setfiles in setfiles_t domain. +- Allow openvswitch_t domain to read process data of neutron_t domains +- Fix typo in ipa_cert_filetrans_named_content() interface +- Fix typo bug in summary of xguest SELinux module +- Allow virtual machine with svirt_t label to stream connect to openvswitch. +- Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t + * Tue Oct 17 2017 Lukas Vrabec - 3.13.1-296 - Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1 - Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)