* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182

- rename several contrib modules according to their filenames
- Add interface gnome_filetrans_cert_home_content()
- By default container domains should not be allowed to create devices
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
- Allow systemd gpt generator to read removable devices. BZ(1323458)
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow the systemd gpt generator to run various device commands. BZ(1323454)
Lukas Vrabec 2016-04-08 14:11:58 +02:00
parent c1300100ed
commit 4c61782def
4 changed files with 64 additions and 20 deletions



@ -26525,10 +26525,10 @@ index 0000000..03faeac
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 0000000..31076d7
index 0000000..bca9f3c
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,345 @@
@@ -0,0 +1,349 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@ -26766,6 +26766,10 @@ index 0000000..31076d7
+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+ ')
+
+ optional_policy(`
+ gnome_filetrans_cert_home_content(unconfined_t)
+ ')
+
+ optional_policy(`
+ ipsec_mgmt_dbus_chat(unconfined_t)
+ ')
@ -48023,10 +48027,10 @@ index 0000000..3380372
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..d8fdd7b
index 0000000..6c16f21
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,920 @@
@@ -0,0 +1,928 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -48870,11 +48874,14 @@ index 0000000..d8fdd7b
+# systemd_gpt_generator domain
+#
+
+allow systemd_gpt_generator_t self:capability sys_rawio;
+
+dev_read_sysfs(systemd_gpt_generator_t)
+dev_write_kmsg(systemd_gpt_generator_t)
+dev_read_nvme(systemd_gpt_generator_t)
+
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+storage_raw_read_removable_device(systemd_gpt_generator_t)
+
+allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
+systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
@ -48889,6 +48896,7 @@ index 0000000..d8fdd7b
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:process setcap;
+allow systemd_resolved_t self:tcp_socket { accept listen };
+allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
@ -48899,9 +48907,13 @@ index 0000000..d8fdd7b
+
+kernel_dgram_send(systemd_resolved_t)
+
+auth_read_passwd(systemd_resolved_t)
+
+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
+
+dev_write_kmsg(systemd_resolved_t)
+
+sysnet_manage_config(systemd_resolved_t)
+
+optional_policy(`
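Review bot: The added `allow systemd_gpt_generator_t self:capability sys_rawio;` in the systemd.te hunk of this section (the `@ -48870,11 +48874,14` hunk) grants a broad capability with no justification in the policy itself; only the commit message ties it to BZ(1323454). CAP_SYS_RAWIO covers considerably more than reading partition tables (raw block-device ioctls, I/O port and /dev/mem access among other things), so a comment above the line such as `# sys_rawio: needed by the gpt generator's device ioctls, see BZ(1323454)` would let a later audit re-check whether the grant can be narrowed once the triggering ioctl is known. The same applies, less urgently, to `storage_raw_read_removable_device(systemd_gpt_generator_t)` a few lines below, which the changelog ties to BZ(1323458). This changed file is itself a patch, so the lines reviewed are its new side; the systemd_gpt_generator block continues outside the hunk.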


@ -31776,11 +31776,11 @@ index 0000000..fc9bf19
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 0000000..b974353
index 0000000..74ec2fd
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,295 @@
+policy_module(glusterfs, 1.1.2)
+policy_module(glusterd, 1.1.3)
+
+## <desc>
+## <p>
@ -32360,7 +32360,7 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index ab09d61..0734f6b 100644
index ab09d61..980f1f6 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
@ -33409,7 +33409,7 @@ index ab09d61..0734f6b 100644
## </summary>
## <param name="domain">
## <summary>
@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',`
@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary>
## </param>
#
@ -34318,6 +34318,24 @@ index ab09d61..0734f6b 100644
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+')
+
+######################################
+## <summary>
+## File name transition for generic home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_cert_home_content',`
+ gen_require(`
+ type home_cert_t;
+ ')
+
+ gnome_data_filetrans($1, home_cert_t, dir, "certificates")
+')
+
+########################################
+## <summary>
+## Create gnome directory in the /root directory
@ -67157,9 +67175,15 @@ index bf59ef7..0e33327 100644
+')
+
diff --git a/passenger.te b/passenger.te
index 08ec33b..3b92c4d 100644
index 08ec33b..3ad995c 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.2)
########################################
#
@@ -14,6 +14,9 @@ role system_r types passenger_t;
type passenger_log_t;
logging_log_file(passenger_log_t)
@ -87969,11 +87993,11 @@ index 0000000..0be4cee
+')
diff --git a/rkhunter.te b/rkhunter.te
new file mode 100644
index 0000000..aa2d09e
index 0000000..44de480
--- /dev/null
+++ b/rkhunter.te
@@ -0,0 +1,4 @@
+policy_module(rhhunter, 1.0)
+policy_module(rkhunter, 1.1)
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
@ -103246,11 +103270,11 @@ index 0000000..80c6480
+')
diff --git a/stapserver.te b/stapserver.te
new file mode 100644
index 0000000..bc92f68
index 0000000..e847ea3
--- /dev/null
+++ b/stapserver.te
@@ -0,0 +1,114 @@
+policy_module(systemtap, 1.1.0)
+policy_module(stapserver, 1.1.1)
+
+########################################
+#
@ -111647,7 +111671,7 @@ index facdee8..816d860 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..2a1d3e5 100644
index f03dcf5..5e41cd6 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,395 @@
@ -113207,7 +113231,7 @@ index f03dcf5..2a1d3e5 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1237,355 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -113290,7 +113314,6 @@ index f03dcf5..2a1d3e5 100644
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto };
+virt_mounton_sandbox_file(svirt_sandbox_domain)
@ -113704,7 +113727,7 @@ index f03dcf5..2a1d3e5 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -113719,7 +113742,7 @@ index f03dcf5..2a1d3e5 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,7 +1616,7 @@ optional_policy(`
@@ -1192,7 +1615,7 @@ optional_policy(`
########################################
#
@ -113728,7 +113751,7 @@ index f03dcf5..2a1d3e5 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
@@ -1201,11 +1625,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
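Review bot: The summary of the new `gnome_filetrans_cert_home_content` interface in the gnome.if hunk of this section (`## File name transition for generic home content files.`) does not describe what the interface does; its body name-transitions a `certificates` directory created under the data home to `home_cert_t`, and the summary reads as copied from a neighbouring interface. Replacing it with `## File name transition for the "certificates" directory under the data home, labeling it home_cert_t.` would make the generated interface documentation self-describing, which is where policy authors look before calling it. The other hunks in this section rename modules or drop a rule the commit message already explains (the `manage_chr_files_pattern` removal for svirt_sandbox_domain) and need no further note.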


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 181%{?dist}
Release: 182%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -653,6 +653,15 @@ exit 0
%endif
%changelog
* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
- rename several contrib modules according to their filenames
- Add interface gnome_filetrans_cert_home_content()
- By default container domains should not be allowed to create devices
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
- Allow systemd gpt generator to read removable devices. BZ(1323458)
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)
* Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)