* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182

- rename several contrib modules according to their filenames - Add interface gnome_filetrans_cert_home_content() - By default container domains should not be allowed to create devices - Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t. - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used - Allow systemd gpt generator to read removable devices. BZ(1323458) - Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)
2016-04-08 14:11:58 +02:00 · 2016-04-08 14:11:58 +02:00 · 4c61782def
parent c1300100ed
commit 4c61782def
4 changed files with 64 additions and 20 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -26525,10 +26525,10 @@ index 0000000..03faeac
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..31076d7
+index 0000000..bca9f3c
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,345 @@
+@@ -0,0 +1,349 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -26766,6 +26766,10 @@ index 0000000..31076d7
 +		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
 +	')
 +
+    optional_policy(`
+        gnome_filetrans_cert_home_content(unconfined_t)
+    ')
+
 +	optional_policy(`
 +		ipsec_mgmt_dbus_chat(unconfined_t)
 +	')
@ -48023,10 +48027,10 @@ index 0000000..3380372
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d8fdd7b
+index 0000000..6c16f21
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,920 @@
+@@ -0,0 +1,928 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -48870,11 +48874,14 @@ index 0000000..d8fdd7b
 +# systemd_gpt_generator domain
 +#
 +
+allow systemd_gpt_generator_t self:capability sys_rawio;
+
 +dev_read_sysfs(systemd_gpt_generator_t)
 +dev_write_kmsg(systemd_gpt_generator_t)
 +dev_read_nvme(systemd_gpt_generator_t)
 +
 +storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+storage_raw_read_removable_device(systemd_gpt_generator_t)
 +
 +allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
 +systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
@ -48889,6 +48896,7 @@ index 0000000..d8fdd7b
 +allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
 +allow systemd_resolved_t self:process setcap;
 +allow systemd_resolved_t self:tcp_socket { accept listen };
+allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
@ -48899,9 +48907,13 @@ index 0000000..d8fdd7b
 +
 +kernel_dgram_send(systemd_resolved_t)
 +
+auth_read_passwd(systemd_resolved_t)
+
 +corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 +corenet_udp_bind_llmnr_port(systemd_resolved_t)
 +
+dev_write_kmsg(systemd_resolved_t)
+
 +sysnet_manage_config(systemd_resolved_t)
 +
 +optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -31776,11 +31776,11 @@ index 0000000..fc9bf19
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..b974353
+index 0000000..74ec2fd
 --- /dev/null
 +++ b/glusterd.te
@@ -0,0 +1,295 @@
-+policy_module(glusterfs, 1.1.2)
+policy_module(glusterd, 1.1.3)
 +
 +## <desc>
 +## <p>
@ -32360,7 +32360,7 @@ index e39de43..5edcb83 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..0734f6b 100644
+index ab09d61..980f1f6 100644
 --- a/gnome.if
 +++ b/gnome.if
@@ -1,52 +1,76 @@
@ -33409,7 +33409,7 @@ index ab09d61..0734f6b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
 ##	</summary>
 ## </param>
 #
@ -34318,6 +34318,24 @@ index ab09d61..0734f6b 100644
 +    gnome_cache_filetrans($1, config_home_t, dir, "dconf")
 +')
 +
+######################################
+## <summary>
+##  File name transition for generic home content files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_filetrans_cert_home_content',`
+    gen_require(`
+            type home_cert_t;
+    ')
+
+    gnome_data_filetrans($1, home_cert_t, dir, "certificates")
+')
+
 +########################################
 +## <summary>
 +##	Create gnome directory in the /root directory
@ -67157,9 +67175,15 @@ index bf59ef7..0e33327 100644
 +')
 +
 diff --git a/passenger.te b/passenger.te
-index 08ec33b..3b92c4d 100644
+index 08ec33b..3ad995c 100644
 --- a/passenger.te
 +++ b/passenger.te
+@@ -1,4 +1,4 @@
+-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.2)
+ 
+ ########################################
+ #
@@ -14,6 +14,9 @@ role system_r types passenger_t;
 type passenger_log_t;
 logging_log_file(passenger_log_t)
@ -87969,11 +87993,11 @@ index 0000000..0be4cee
 +')
 diff --git a/rkhunter.te b/rkhunter.te
 new file mode 100644
-index 0000000..aa2d09e
+index 0000000..44de480
 --- /dev/null
 +++ b/rkhunter.te
@@ -0,0 +1,4 @@
-+policy_module(rhhunter, 1.0)
+policy_module(rkhunter, 1.1)
 +
 +type rkhunter_var_lib_t;
 +files_type(rkhunter_var_lib_t)
@ -103246,11 +103270,11 @@ index 0000000..80c6480
 +')
 diff --git a/stapserver.te b/stapserver.te
 new file mode 100644
-index 0000000..bc92f68
+index 0000000..e847ea3
 --- /dev/null
 +++ b/stapserver.te
@@ -0,0 +1,114 @@
-+policy_module(systemtap, 1.1.0)
+policy_module(stapserver, 1.1.1)
 +
 +########################################
 +#
@ -111647,7 +111671,7 @@ index facdee8..816d860 100644
 +        ps_process_pattern(virtd_t, $1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..2a1d3e5 100644
+index f03dcf5..5e41cd6 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,395 @@
@ -113207,7 +113231,7 @@ index f03dcf5..2a1d3e5 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1237,355 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
 
@ -113290,7 +113314,6 @@ index f03dcf5..2a1d3e5 100644
 +manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
 +allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto };
 +virt_mounton_sandbox_file(svirt_sandbox_domain)
@ -113704,7 +113727,7 @@ index f03dcf5..2a1d3e5 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 
-@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
 
@ -113719,7 +113742,7 @@ index f03dcf5..2a1d3e5 100644
 sysnet_read_config(virt_qmf_t)
 
 optional_policy(`
-@@ -1192,7 +1616,7 @@ optional_policy(`
+@@ -1192,7 +1615,7 @@ optional_policy(`
 
 ########################################
 #
@ -113728,7 +113751,7 @@ index f03dcf5..2a1d3e5 100644
 #
 
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1625,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 181%{?dist}
+Release: 182%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -653,6 +653,15 @@ exit 0
 %endif

 %changelog
+* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
+- rename several contrib modules according to their filenames
+- Add interface gnome_filetrans_cert_home_content()
+- By default container domains should not be allowed to create devices
+- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
+- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
+- Allow systemd gpt generator to read removable devices. BZ(1323458)
+- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands  BZ(1323454)
+
 * Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
 - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)