From 4c0ceef239a5ef92d61359e0fe7f6e0bc82bc56d Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 24 May 2016 15:22:09 +0200 Subject: [PATCH] * Tue May 24 2016 Lukas Vrabec 3.13.1-191 - Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t - Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954) - Allow the ganesha-ha.sh script, running in the unconfined_t domain, to communicate with glusterd_t domains via dbus. - Allow the ganesha daemon labeled as glusterd_t to create the /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. - Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus - Merge pull request #125 from rhatdan/typebounds - Typebounds user domains - Allow systemd_resolved_t to check if ipv6 is disabled. - systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120 - Label /dev/xen/privcmd as xen_device_t. BZ(1334115) --- docker-selinux.tgz | Bin 4316 -> 4317 bytes policy-rawhide-base.patch | 26 +++++--- policy-rawhide-contrib.patch | 121 +++++++++++++++++++++++++---------- selinux-policy.spec | 14 +++- 4 files changed, 118 insertions(+), 43 deletions(-)
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 6d06b4ca3a42bd5288caf764ccd498e361d3376b..77f76d54b9e0cce49977c65b8ccf983e3f7087e4 100644 GIT binary patch delta 3993 zcmV;K4`%S(A>AQBABzY8xl=?}00Zq@>yO(u63MecTtUWtsHsJ!8g}Ef)BI20aO8hxq*Lg;NQ1LbfkX%$4^gTC*a;kl_oRxfx0O? zRt0eAR9BUw^zR%ug0I$GO>=IlXfn!I1#xOqMN1#_;$A3eAEOID; z+=Ap!#kyQnpg(nqitW;)qXaflkp#Os?RmR7$zj|1%1`GGM3PTZ4rgqR0?q@0qJ%m_ zVz$77z>=8pR8?$0caIG$aIeUMIeE8+g8r~Qw`Hi@Y9y1 zqWTbT>rklrE`-jHBUrpdOx8w!VPaQQ0>;cWDcBtG;??hFK+K$Bx~SU?6gy8sIYgBF zM9~|2va4A~Y1q(F`K;VFiP^Y5W0?u zSm$DjCqaQ+=%qX?peu_)1{2b1mFRy(0qptr0cBv&a{deu_LWZ;_)ySb;do~phfQ^W zyB*AQf{*6l80+!N&p)<*hoAJxu1gh9UK^xElL{YGS4G_BzDo!L<)&6ln_BKI2mgTL zQR5MGfgBbqXKnb-1gr{$>jp*@$ocVzf?>G)@6~;@&q1Xq4)^r zM=kDLl3Kcf0LR+=VHb7W-SlsYZDq(qmhnaK30&A3rWnw4Q$(46@alrkA14GM0Lv|| zqgC}koPqPQ8<{q*QV%lApxRQy*i^(PYwM%RN6qn4UG4hCg zjMRU>zvPbALZ@kbvS9FrwC z0tun9Jh7;MCkFNsKA7NIbO3ehg=K3|IVkT$D7!ZZovZB%Rs zw&py7(u|rCt>F;a(sY$158gVHo)PlPqsFl2n;2Dp)XTn$@Ueeye3t&u!yKOBZFIBl zXPs6{G@;No+0#Okgy2bG=0PjOS8mz;G7E$%jfA$pX*`B3{g23M9u@MY@c;jGi# zK9$Aao-&FA_|;c6U79%0v`G^MD<5TnFqv>alE;qHv7;nge*ljs zTBTXa_Q9th-j=%}xJ|)~t>GIWtSMn>66Cihq5+Fk9Cx%UB{bX#h-ZE(25iZ*js-DXBu>8IcIM}(WgmWOXjL9 zoXOj-1f2>ndK%^jvd+Y&%|n@CNA7o;5C;GRCt>l>@D2X%@$9tmiw&Wd|D85=53{v@ z_jm@bm_Omb`Eh9QSszYM9sI`rHGSxQ)(P6@WOtv!`*@9cs}6(D=k^0_@_bO5Eb2VL z;4(mw#&cbld22|~{7sV~->kd8rpj=Lb%G3?>|Kw-BSFdOk>KQcqrYMQo-y}9_G$AU z8G+oL4!}@lO9w!#vWL&at<18SzdB}rXz$0RPE7lH0R1q1N56WA;h3gnY%sdOD=(XZ zmBrNO$NQenG(8$)pP)xx2=|0#^IT)%UmM-u3wgs+A?9!}hDAI04#IQ=p8_*M$)~^^ z0b;^}55l+?z4N~2jAi!~hz*VDAhSGJB|crsV-UI|??9Z1tL24p75@z(xMZt;=fb7z zUjKd_tF`Dm{Uo(f6^2^&?awljmBEM+(6-|>LRkd zY53v)p2jSr4vHOO_}gJtG~SYA02`xC(^ScX7FHPZqkt%8=^ZFxV!}(J1Wz}cgjd~5 zIMG6TQ(CIiS)Qg^840`dZWG;qk}R_sagrES^1yooKkGCOAucBtilU5krcKvV zDd(VKveQG$N6O`k2~iJ`N`Gz{tA@Z7U0mjQm67|9OW(u5L+DBKcT#%h-=Q6v7ZOfc zCQau8lZJw8m5~fINd!f!fihPjln`w0L{b|TJucDhrY@VR->qyGeiYq*=UH0ZS_JYq zH|ppy-0$?;>6EgvM*CVvyO1Yp?!k{pQhI9=@gxR5mj$J}l*L=4QC6!`_?@U!lJJ9=Z13BBon>?vwqB0aTGR4JP>kQCeyrRzR|qv)!x@~)$J 
zF7An;uI$?u=}R~08Wf_;s7n+cjwL4In43hU|`81y+|fEWUAvi2d7HSyp}~H=^96)mT#sF#?Li zy_d^yWGHc6B$U4#&qyb;#W#6}t^p?cof;vE3!yu3 z%kvQ%aL+%1mZtEx)x_5}IDRc8>1x?)Xtz6EF&)!|_gr!MV{0k6&ou6_%^_(AC{~dsRD4BE(ig$HtkJ)hTpy|by%|Hi-qRR5KpJ_w#M>}@rgSi>|Cs4uXz$6>!;uFLqeel;52nV?QS?H8 z-*%6L?0kWy^Co~bg^^=bbyR(r3CUPZJCZV0bYHtP{{P|(=u5E2P^7f-80m zB&i8^Ybw!(!Med>M^=akJNH9pDK>pQwif9(`~z9jb!G$$9S8uUM*x$5FY9<{Grbgg zOJ^bW{3b)^fZ{T{k7wb@8fp_|^8gT^_FrN)Z5Eb_<6LUnzWNV{m;6t4JqjxNWk&!8 zG+`Qk!@o~9AMb1Lj;HH%ovzb$x=z>WI$fvhbe*o#b-GU1|Hk!SXvKPT0C)fZPNK|1 delta 3992 zcmV;J4`=Y*A>1KBABzY8IOjQ600Zq@-H+Qg63?ssR|rXg>>iTcY&K1RP20nvy@z`^ zpt$z2fGSJ0t**XKq}J;T^1t5Bidsq}TGri{LxjUbNjVbbF4o2&EXLIH!~kAwDSs z7}KZ_@1h#%S~>EbgKw^S1UIw10aO8hc?I#NIX9iERF6nig6Fe}L2Q%3TbW#b8%kJgQ*NEw%KyA}d1kB*Csud){tNa@cmh^3%Bkk>rzC}zX34Co3fJ{ zQW~H;>vVHLio4_BZA;4N@u0Yudla;q&@#Kb!1*2sC>8;Cb_oQguLc7UMoFF)Lf0`7 z>s(CnBq)#zy_AOqbY)SO;5R59 zH6B41$YHT^)`ss)z^YKVZeUb_oF9)U_ye3m$FTqNghrvBC$NucT^9K)Pv8+2ijQ!9 z)Z)%1sihkTaIDQAc2UROP5-9YR)#!e8D9jSz=f@0iUCbGMU)ADuP*rfaY7IRu-xK0 zT2=qU88|Pyk!kZP^&qnhsx4*|;25_MGO{X{LNjm1dF7PtICq54So4usQw5Ir6!)S= zm5d6jGE3tqj_s z`;Z&cJfxDufa%_UJM1jXu_lL>l{|*URg<44{D)VT80^Q$ub>!}jirp|``5U=8s5lP zcR9piG7fIU-B9xMYzds^*gmvS$S3Nsab=n5O8U%=W1Lm$*K=(|qsXAQm|VhNyR`OCamid7Bahg} zNd5PRw~qSns}HC8?=Nu)M?cKV1Y+qkp$)HstBW@mZ)Vx3<%{4a5@+!EqmK-Z$&wp^ zgwR-?SXA)H+Qcar>n51U#CDQ2*B-e-5g$X8Js%lBPyLqv2pp z5v}y-^#%tP@>Q^oGD=`3mU(vB7k<*0L?kbZP?$o6Xcu*#FGYJuo7Ep-nuPH-DmDaL za~?ryMoo#InvV_5S|j4JAXW#2{k*uOVEOMmEL4$ts5x>@(L zPOBwyQn9Z_VAO`K=iq=|x+kFr3ROt>G(V@K)OQIf51z~hNl zX_m5m@F|G5<*o>BQ!ry|_y!1TN?4i%`E5}qK|z>E2l8(aTIvb|exr_dfXUVXiP`xh{S6!5CvTj2lTw`@NTL=Ar)LELRjQ2?80jj50o#erTTqENnvPdot zS2~z?(Y-kY!Q$$ntWDBm9p!1)@oli;PdsgCMT!LMtv`Y@4Z5?Ov$vt>)1cG~#GhS1CZP8++2+1h)5 zJOfwEpK##(I5haI52vRNeq;ZdK6F3p1nqOOyHDYLyvDp$hr#D_`++ujZj>gAI!`dT z3{a%;T-RmZ8d5ZW(`3ju>+Y|qG8|%^AVVj6*Q4-AP;z=CICU%M)&tZ-tbh2IUI~((GI?YFkQi?z)Vo`DKJNX zn6Ti3Fz!X~ystT9*?k3KLt{F~EDu(RPnYr-gf7WD5NG0Qd0|||e?tf^+3LA}a4Eaj zzhB2{E&5JBNo`bxp_YC7vy5bAFk%F>?RbsQ7Je2alSgeL1H@0<3|nB5K)SyZ 
ze)zwqG0UifVuu+1c9<27wRy(!tT7=M7Jb=%WOuRBu14y@ZP}BI*mh!%ZY`e=qN;gfO)5B)Adx! zIjETI^w9E=a`|FH)I+4wpIgSNAuvT3mw8@g5Pc0Nx%BBn?1vfnNU! zdt#_7`?f{;(ha%>g(x%X5`~8&tr#Ax%wfSlA9N=)$)6kJ$KT5rL3SUD8csYe8qKCA zQ5<41N1Y}Fx7JOX;75h|QTS}|=bp-pDt=p)CF5UU|5aaQsUmuRLwNXg@-YzGEWh7LN4oQoic~x--E5{4#-E2xHg%hZ{p3oC2Kdwo z=XGK>_tQX9wypei3CQJKxAEf`aX;ep$5`eulXO^GMl*C`Y)uj!KZ`>hb|8`cEm7mFtC^u;})|5hwfZ}lP z(@o`cea`#BZZbQ}k$$coPN=V{=Z7kp)C2>=yMu_4<=nmZS ze8dLa^G~3qDg13U@wE+(UkgdPTJ{>+?M_!r$8_O6SDgOXS_$CB=5Zy5y4Y0jQpxY~!-`n?f{#8#np~i!41)UZ2)TUv-?rNUcjA zTPgT!i*5Ml4e%Th4M&2&*HVmIB9gONfW;z(!d-C*fIwV#DzJA8)STUca~B z|9JP|^!NY2$aRUC@yp+2$tHgfOCEuo$(^;ik$)JmzL5{8toEe%hR9_@>&sPITuOk& z;`QrkDDrh=M6p0#7v)`8ts-SQF)yaYeHy!gxcUl-GWbOEhEfj!NT`Yfc@t>yDqNVg3HSL_%_ zQWNghRH6-ob%Vu@tPl})?uX7&Z2Ed^Ez)oJ2ePK?%m@}b5CBGx04D!l*70U%dMWgl z&O+?@O@__^#btIM&%%>6)F#U20U$o@zr<|XEG!krxzx6O^&b!~`Jd`~6jb!fjsOg3 y!ZiGbf1hkV-q+q8PuJ->U8n1Govzb$x=z>WI$fvhbe*pMjqAUO{mQ-ocmM$74(6}` diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 35a266a4..08136765 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6288,7 +6288,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..50a45cf 100644 +index b31c054..012cc6f 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6396,7 +6396,7 @@ index b31c054..50a45cf 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,11 +193,16 @@ ifdef(`distro_suse', ` +@@ -172,15 +193,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) 
@@ -6413,7 +6413,12 @@ index b31c054..50a45cf 100644 /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0) -@@ -198,12 +224,27 @@ ifdef(`distro_debian',` + /dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0) ++/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0) + + ifdef(`distro_debian',` + # this is a static /dev dir "backup mount" +@@ -198,12 +225,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6444,7 +6449,7 @@ index b31c054..50a45cf 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..c542dd3 100644 +index 76f285e..5cd2702 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8716,7 +8721,7 @@ index 76f285e..c542dd3 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',` +@@ -4851,3 +5915,1020 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
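Review bot: `/dev/xen/privcmd` joins blktap, evtchn, gntdev and gntalloc under xen_device_t, so every domain already granted read/write on that type silently gains this node as well; to my knowledge privcmd is the dom0 hypercall interface, a far more powerful capability than the other four nodes in this hunk. That widening deserves a line next to the entry, e.g. `# privcmd is the privileged hypercall node; every xen_device_t writer gains it (BZ 1334115)`, plus a quick audit that only the Xen toolstack domains call the xen_device_t read/write interfaces. If a non-toolstack domain turns up in that audit, a dedicated type for privcmd is the cleaner fix than leaving it under the shared label. The matching `filetrans_pattern` for a udev-created node is added in the devices.if hunk later in this patch, so boot-time and restorecon labeling stay consistent.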
@@ -9619,6 +9624,7 @@ index 76f285e..c542dd3 100644 + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") @@ -46330,10 +46336,10 @@ index a392fc4..78fa512 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..0e4185f +index 0000000..6cf3942 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,68 @@ +@@ -0,0 +1,69 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -46356,6 +46362,7 @@ index 0000000..0e4185f + +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) @@ -48126,10 +48133,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..6c16f21 +index 0000000..f799c5b --- /dev/null 
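Review bot: The new `/run/systemd/transient(/.*)?` entry is the only `/run` path among the `/usr/lib` entries visible in this hunk, and the neighbour the commit message cites (`/run/systemd/system`) is not in view, so I cannot confirm it follows the file's convention for run-time paths. Fedora's policy normally spells these as `/var/run/...` because file_contexts.subs_dist rewrites `/run` to `/var/run` before matching; if that applies here, this regex never matches and the directory PID 1 creates keeps its parent's label (presumably init_var_run_t) instead of systemd_unit_file_t. If so the line should read `/var/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)` and sit next to the other `/var/run/systemd` entries. A file-context entry alone also only helps restorecon; a name-based transition for PID 1 creating `transient` may be needed on top, so verify against how `/run/systemd/system` is handled in systemd.te.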
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,928 @@ +@@ -0,0 +1,929 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49012,6 +49019,7 @@ index 0000000..6c16f21 +corenet_udp_bind_llmnr_port(systemd_resolved_t) + +dev_write_kmsg(systemd_resolved_t) ++dev_read_sysfs(systemd_resolved_t) + +sysnet_manage_config(systemd_resolved_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index fc313f0b..7e8426da 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -25419,7 +25419,7 @@ index 23ab808..84735a8 100644 +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..45c70c1 100644 +index 19aa0b8..a79982c 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -25666,7 +25666,7 @@ index 19aa0b8..45c70c1 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',` +@@ -281,9 +395,36 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) @@ -25680,9 +25680,32 @@ index 19aa0b8..45c70c1 100644 + dnsmasq_systemctl($1) + admin_pattern($1, dnsmasq_unit_file_t) + allow $1 dnsmasq_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## dnsmasq over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_dbus_chat',` ++ gen_require(` ++ type dnsmasq_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 dnsmasq_t:dbus send_msg; ++ allow dnsmasq_t $1:dbus send_msg; ') ++ ++ diff --git a/dnsmasq.te b/dnsmasq.te -index 37a3b7b..921056a 100644 +index 37a3b7b..0a64088 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) 
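Review bot: `dev_read_sysfs(systemd_resolved_t)` grants read on every sysfs_t file, symlink and directory, while the changelog only needs resolved to learn whether IPv6 is disabled; nothing in the hunk records which path is actually read, so the grant cannot be sized from here. If the check is an existence probe of `/sys/module/ipv6` (which is how systemd's socket_ipv6_is_supported() works, from memory), `dev_list_sysfs(systemd_resolved_t)` would cover it with a smaller surface. Whichever call stays, put the reason beside it, e.g. `# resolved probes /sys for IPv6 support; see 3.13.1-191 changelog`, so the next reviewer does not have to rediscover it. The systemd_resolved_t policy block extends beyond this hunk.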
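Review bot: The new `dnsmasq_dbus_chat` interface is followed by two added blank lines after its closing `')`, which leave trailing empty lines at the end of dnsmasq.if; drop them so the file ends at the `')`. The body itself has the usual bidirectional shape (send_msg in both directions), which is fine, but the same commit also adds `networkmanager_dbus_chat(dnsmasq_t)` in dnsmasq.te, so callers end up granting the pair twice. A reminder in the interface doc, `## Both directions are granted; do not also call the peer's *_dbus_chat.`, would keep that from recurring.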
@@ -25731,7 +25754,7 @@ index 37a3b7b..921056a 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,12 +105,21 @@ optional_policy(` +@@ -98,12 +105,25 @@ optional_policy(` ') optional_policy(` @@ -25741,20 +25764,24 @@ index 37a3b7b..921056a 100644 +optional_policy(` dbus_connect_system_bus(dnsmasq_t) dbus_system_bus_client(dnsmasq_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(dnsmasq_t) ++ ') ++') ++ ++optional_policy(` ++ dnsmasq_domtrans(dnsmasq_t) ') optional_policy(` - networkmanager_read_pid_files(dnsmasq_t) -+ dnsmasq_domtrans(dnsmasq_t) -+') -+ -+optional_policy(` + networkmanager_read_conf(dnsmasq_t) + networkmanager_manage_pid_files(dnsmasq_t) ') optional_policy(` -@@ -124,6 +140,14 @@ optional_policy(` +@@ -124,6 +144,14 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -25912,10 +25939,10 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..181a31b +index 0000000..f186d85 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,87 @@ +@@ -0,0 +1,88 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -25949,8 +25976,9 @@ index 0000000..181a31b + +manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) ++manage_lnk_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms; -+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) ++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file lnk_file }) + +manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) +manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) @@ -31935,10 +31963,10 @@ index 0000000..764ae00 + 
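Review bot: `networkmanager_dbus_chat(dnsmasq_t)` in this hunk and `dnsmasq_dbus_chat(NetworkManager_t)` in the networkmanager.te hunk later in this patch grant the same pair of rules twice, assuming networkmanager_dbus_chat has the usual send_msg-in-both-directions shape (its body is not in view). Duplicate allows are harmless to the compiled policy but obscure which module owns the relationship; keep one, and since NetworkManager is the side that spawns dnsmasq, the networkmanager.te call is the natural place. The nesting here is otherwise right: the call sits inside the dbus `optional_policy(` with its own inner `optional_policy(`, so a build without the networkmanager module still succeeds.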
diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..59e84ca +index 0000000..33654d5 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,295 @@ +@@ -0,0 +1,297 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32176,6 +32204,7 @@ index 0000000..59e84ca +optional_policy(` + dbus_system_bus_client(glusterd_t) + dbus_connect_system_bus(glusterd_t) ++ unconfined_dbus_chat(glusterd_t) + + optional_policy(` + policykit_dbus_chat(glusterd_t) @@ -32221,6 +32250,7 @@ index 0000000..59e84ca + rpc_domtrans_nfsd(glusterd_t) + rpc_domtrans_rpcd(glusterd_t) + rpc_manage_nfs_state_data(glusterd_t) ++ rpc_manage_nfs_state_data_dir(glusterd_t) + rpcbind_stream_connect(glusterd_t) +') + @@ -58382,7 +58412,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..2646460 100644 +index 55f2009..ab2d757 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -58640,7 +58670,7 @@ index 55f2009..2646460 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +260,11 @@ optional_policy(` +@@ -210,31 +260,34 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -58659,7 +58689,12 @@ index 55f2009..2646460 100644 ') ') -@@ -231,10 +276,17 @@ optional_policy(` + optional_policy(` + dnsmasq_read_pid_files(NetworkManager_t) ++ dnsmasq_dbus_chat(NetworkManager_t) + dnsmasq_delete_pid_files(NetworkManager_t) + dnsmasq_domtrans(NetworkManager_t) + dnsmasq_initrc_domtrans(NetworkManager_t) dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -58678,7 +58713,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -246,10 +298,26 @@ optional_policy(` +@@ -246,10 +299,26 @@ optional_policy(` ') optional_policy(` 
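Review bot: `unconfined_dbus_chat(glusterd_t)` is placed bare inside the dbus `optional_policy(` block, whereas `policykit_dbus_chat(glusterd_t)` two lines below is wrapped in its own nested `optional_policy(`; the unconfined module is optional too, so this form fails to build when it is not loaded. Wrap it the same way: `optional_policy(` / `    unconfined_dbus_chat(glusterd_t)` / `')`. Beyond the form, this opens a D-Bus channel between glusterd_t and everything running unconfined (both directions, if the interface follows the usual *_dbus_chat shape, which is inferred from its name rather than visible here), which is wider than the single ganesha-ha.sh script the changelog names. If that script is the only client, a confined type of its own is the longer-term fix; until then a comment such as `# ganesha-ha.sh runs unconfined and talks to glusterd over the bus` should record why the grant exists.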
@@ -58705,7 +58740,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -257,15 +325,19 @@ optional_policy(` +@@ -257,15 +326,19 @@ optional_policy(` ') optional_policy(` @@ -58727,7 +58762,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -274,10 +346,17 @@ optional_policy(` +@@ -274,10 +347,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -58745,7 +58780,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -286,9 +365,12 @@ optional_policy(` +@@ -286,9 +366,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -58758,7 +58793,7 @@ index 55f2009..2646460 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +378,7 @@ optional_policy(` +@@ -296,7 +379,7 @@ optional_policy(` ') optional_policy(` @@ -58767,7 +58802,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -307,6 +389,7 @@ optional_policy(` +@@ -307,6 +390,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -58775,7 +58810,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -320,14 +403,21 @@ optional_policy(` +@@ -320,14 +404,21 @@ optional_policy(` ') optional_policy(` @@ -58802,7 +58837,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -338,6 +428,13 @@ optional_policy(` +@@ -338,6 +429,13 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -58816,7 +58851,7 @@ index 55f2009..2646460 100644 ######################################## # # wpa_cli local policy -@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
@@ -86765,15 +86800,16 @@ index 6cf79c4..1a605f9 100644 ') diff --git a/rhev.fc b/rhev.fc new file mode 100644 -index 0000000..4b66adf +index 0000000..013d1d9 --- /dev/null +++ b/rhev.fc -@@ -0,0 +1,13 @@ +@@ -0,0 +1,14 @@ +/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) + +/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) + +/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) + @@ -88928,7 +88964,7 @@ index a6fb30c..38a2f09 100644 +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c2..4f3c2b9 100644 +index 0bf13c2..ed393a0 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -89240,7 +89276,7 @@ index 0bf13c2..4f3c2b9 100644 ## ## ## -@@ -326,12 +345,31 @@ interface(`rpc_search_nfs_state_data',` +@@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) @@ -89270,11 +89306,30 @@ index 0bf13c2..4f3c2b9 100644 + +######################################## +## ++## Manage NFS state data in /var/lib/nfs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpc_manage_nfs_state_data_dir',` ++ gen_require(` ++ type var_lib_nfs_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 var_lib_nfs_t:dir manage_dir_perms; ++') ++ ++######################################## ++## +## Read NFS state data in /var/lib/nfs. ## ## ## -@@ -350,8 +388,7 @@ interface(`rpc_read_nfs_state_data',` +@@ -350,8 +407,7 @@ interface(`rpc_read_nfs_state_data',` ######################################## ## 
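Review bot: The new `rpc_manage_nfs_state_data_dir` interface carries the same summary as the existing `rpc_manage_nfs_state_data` ("Manage NFS state data in /var/lib/nfs."), so generated interface docs cannot tell them apart; change it to `## Create, delete and manage directories labeled var_lib_nfs_t (for example /var/lib/nfs/ganesha).` The rule `allow $1 var_lib_nfs_t:dir manage_dir_perms;` also grants create and delete on every var_lib_nfs_t directory, not only the ganesha subdirectory the changelog names, and other NFS state presumably shares that label, so that scope belongs in the summary. For consistency with the sibling interface, which uses `manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)`, the body would more idiomatically be `manage_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)`.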
@@ -89284,7 +89339,7 @@ index 0bf13c2..4f3c2b9 100644 ## ## ## -@@ -366,31 +403,68 @@ interface(`rpc_manage_nfs_state_data',` +@@ -366,31 +422,68 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -89359,7 +89414,7 @@ index 0bf13c2..4f3c2b9 100644 ') allow $1 rpc_domain:process { ptrace signal_perms }; -@@ -411,7 +485,7 @@ interface(`rpc_admin',` +@@ -411,7 +504,7 @@ interface(`rpc_admin',` admin_pattern($1, rpcd_var_run_t) files_list_all($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index bdb1cabf..c254865a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 190%{?dist} +Release: 191%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -647,6 +647,18 @@ exit 0 %endif %changelog +* Tue May 24 2016 Lukas Vrabec 3.13.1-191 +- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t +- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954) +- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. +- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. +- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus +- Merge pull request #125 from rhatdan/typebounds +- Typebounds user domains +- Allow systemd_resolved_t to check if ipv6 is disabled. +- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120 +- Label /dev/xen/privcmd as xen_device_t. BZ(1334115) + * Mon May 16 2016 Lukas Vrabec 3.13.1-190 - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. - Allow zabbix to connect to postgresql port