From 5e78b003939663ea460c2b0ff7e3ccd1a1171cf3 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 16 May 2016 17:29:54 +0200 Subject: [PATCH] * Mon May 16 2016 Lukas Vrabec 3.13.1-190 - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. - Allow zabbix to connect to postgresql port - Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149) - Allow systemd to read efivarfs. Resolve: #121 --- docker-selinux.tgz | Bin 4317 -> 4316 bytes policy-rawhide-base.patch | 104 +++++++++++++++++++---------------- policy-rawhide-contrib.patch | 66 +++++++++++++++------- selinux-policy.spec | 8 ++- 4 files changed, 108 insertions(+), 70 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 43d010fd0ac6e47027deb46aa1360fc32ca36a32..6d06b4ca3a42bd5288caf764ccd498e361d3376b 100644 GIT binary patch delta 4032 zcmV;x4?pnTA>1KBABzY8IOjQ600Zq@-H+Qg63?ssR|rXg>>iTcY&K1RP20nvy@z`^ zpt$z2fGSJ0t**XKq}J;T^1t5S$}#2H!!_GBE#3PB6UuIYn^68sjX)4%bj7QrYq@xbiCA@HK5)-{EOT~%Hn?om1H|kQ^gp8_+K?w^qjEl|$FWip`(buU zaSuKZk7w!ni}hqSY-7pLHa)_M`Apv9iTg*eePCtE)gK^ZimrU5WDi|*5a09c&lUMTSwU>humfL4V3GxPlh497TwuaNuLa%BNDUxn&g+K}#HS z5zXmJ@P=^~QR?Z6xAps45!qcbr$7AvImFv2|0w(ZIjbAr6p_^Gc16-+GpSq0GokF) zw3ycUM0lfCL+ihJ3;(X+-@79^Qa}IWr>C$JaPOl^lNtL!-4q_H0yuQ4tIAROcYlr> za#2#>9iERF6nig6Fe}L2Q%3TbW#b8%kJgQ*NEw%KyA}d1krzD!0WigzvXdH88lXGtbaO$9yW`+( zOUmf+ptzTN6ttSqGP}FL`F|b=C>8;Cb_oQguLc7UMoFF)Lf0`7>s(CnBq)#zy_AOq zbY)S$YHT^)`ss) zz^YKVZeUb_oF9)U_ye3m$FTqNghrvBC$NucT^9K)Pv8+2ijQ!9)Z)%1sihkTaIDQA zc2UROP5-9YR)#!e8D9jSz=f@0iUCbGMU)AzF8KU$LJ$J5+~PV~RsX{oI4`@AY4a-e zAhQgrEoKzp7`G5IvVSUqj_s`;Z&cJfxDufa%^l z>@3W&CWn@lJch+plbQ^o zGD=`3mU(vB7k<*0L?kbZP?$o6Xcu*#FGYJuo7Ep-nuPH-DmDaLa~?ryMoo#InvV_5S|j4JA7-$nS?zc)Thf9PQj&+s<7S@*L}t0i*dxI%F8xjABW z*O`OL&VS;kxGB#|&N_q^cbmWvJ<8vFsQny+D@!8yGIjEB)@knX@UHAbgfp|*R>Qn9 zB zQ!ry|_y!1TN?4i%`E5}qK|z>E2l8(aTIvb|exr_dfXUVXiP`xh{ zS6!5CvTj2lTw`@NTL=BrS(>Me_ekXds;5_-)1cG~#GhS1CZP8++2+1h(N16RzSaNztnH2AC! zr>72nWB-~ybU*6^?Q^obPvL#M#=KRB!GGs-`++ujZj>gAI!`dT3{a%;T-RmZ8d5ZW z(`3ju>+Y|qG8|%^AVVj6*Q4-AP;z=CICr!!5D#(&r+ z=#dw~Jz?2A*O>U%M)&tZ-tbh2IUI~((GI?YFkQi?z)Vo`DKJNXn6Ti3Fz!X~ystT9 z*?k3KLt{F~EDu(RPnYr-gf7WD5NG0Qd0|||e?tf^+3LA)DZAIdU&m@K`c6MdZB&J! 
zmVNuPjAUgnVg$79c#Y5&eikH?M}KW11H@0<3|nB5K)SyZe)zwqG0UifVuu+1 zc9<27wRy( z!tT7=M7Jc%Y(|_UMwLA9-oVc~jYEjbiG`x*C`5mNd8cX9^;F6^sF>{Z(0}rga`|FH z)I+4wpIgSNAuvT3mw8@g^WkKib}s;j)~D4vUZVt=SB`?f{;(ha%> zg(x%X5`~8&tr#Ax%wfSlA9N=)$)6kJ$KT5rL3SUD8csYe8qKCAQ5<41N1Y}Fx7JOX z;75h|QTS}|=bp-pDt=p)CF5UU|5aaQsUmvgqiIqJEI&}lyg%75-vfI!k4{urete=s zc=&blF%a7_tQX9wypei z3CQJKxAEf`aX;ep$5`eulXO^G%R9!c-P)}>fW@P9zf&Bb)oj20LMCK9OC z%nelo$cd{VyW>`Y)uj!KZ`>hb|8`cEm7mFtC^u;})|5hwfZ}lP(@o`cea`#BZZbQ}k$$coPN=V{uEZ`p{aZ{&8h~h%%4&3s5#0K2+PoSkK{B1Sy zwGED63rV_K_J11M?M_!r$8_O6SDgOXS_$CB=5Zy5y4Y0jQ zpxY~!-`n?gki+j#Jgr)hyJ%)C<-IqB@Q8dJ~#Jc*x!=0fSUWmVbDoA6K?yLS!wZJq;(N%Dhh^ zv=r3kQ*EktZQ(n<4KV75C98(2Yyo~1uR5BJqbLO7ZQH2dA{IuJy<^2cuA({4!FL5T zEFQX~olU?+lt=M4EjpX8sGoH8u}*8UgSAWCgMaB2Nu&3ljtA|dF1V*&h)pu;6+ycjaJQ>3<57wwol0V*cKpo3xWta^cRaJ%%U^ zUpa7AzHmnp~i!41)UZ2)TUv-?rNUcjATPgT!i*5Ml4e%T< zF!X$9C$6ub+ zEPr{_HNrP+In-OM+HA~LY$-SXmdH?Pmne*!UHfFR%`AY@aj6T-NQ&qRvbHM8y<4dF zG=>h4M&2&*HVmIB9gONfW;z(!d-C*f&sPITuOk&;`QrkDDrh=M6p0# z7v)`C(aT*!3B^zj=-@ZIq{@$Gr&{(m0Y z-SQF)yaYeHy!gxcUl-GWbOEhEfj!NT`Yfc@t>yDqNVg3HSL_%_QWNghRH6-ob%Vu@ ztPl})?uX7&Z2Ed^Ez)oJ2ePK?%m@}b5CBGx04D!l*70U~DfE`kLhSiXhRy-SWp*FW z!jm=BCd%dkAU^HC#BACuEEUJO)Iqj=^&b!~`Jd`~6jb!fjsOg3!ZiGbf1hkV-q+q8 mPuJ->U8n1Govzb$x=z>WI$fvhbe*pMjqAUO{mQ-ocmM!lwEDRK delta 4033 zcmV;y4?ghRA>AQBABzY82JbLe00Zq@>yO(u63yuysS$}&3A7FZcM24?nMe3Xa*E-DzRb5JI zF8X6?>XQ;LSD!Bf(YUi)M$J)j*Fb zWV(%N@?^x!M>A2-f_8$Kvy?JaV5gKNiv4?Zbw>EI;`RZ&(^s{(rhns4G47nSB5}G- zNq-_YPu%rL*K+X=6S3;ZeBhq@Smx{iZE)GB2Z-4r=zm5{K-M&*1^k7K1I_QULy z;vRe+9?#PC7wgGv*v68fZF+a0M-7If@WR;lRg;l~1KybIU3uf|fYu zBAU~c;0@y}qSVtBZ|nE9BC@+=PJj6SbBMQ5{!#Y*b5=LLDI%%W?TVzuW>U9~XF}Pp zX)&$yiSS0PhSq;`1OMK@zqdzpq<;R#PfuYd;NC}-CNuVdx+y$X1#sw8SCymm?|&RO zg0I$GO>=IlXfn!I1#xOqMN1#_;$A3dCawvh^g5*!dx?EJCKXr+U z?b4&81U6BT1iL!zdAm8uVcYr2Pk-kQM3PTZ4rgqR0?q@0qJ%m_Vz$77z>=8pR8?$0 zcaIG$aIeUMIeE8+g8r~Qw`Hi@Y9y1qWTbT>rklrE`-jH zBUrpdOx8wWVpmiG#>_P-*c|cV)$e9N%$#AmsM`$`J5NG6M3nqQ(HncRtAANXY1q(F z`K;V+#LsR 
zTT(`k2gSYIqoCDFiP^Y5W0?uSm$DjCqaQ+=%qX? zpeu_)1{2b1mFRy(0qptr0cBv&a{deu_LWZ;_)ySb;do~phfQ^WyB*AQf{*6l80+!N z&p)<@pY+MDOBGLE8>B^(3LjHfMcn4TO9%tyrdCXwTJ9|e|A69A<9`u!fgBbqXKnb- z1gr{$>jp*@$ocVzf?>G)@6~;@&q1Xq4)^rM=kDLl3Kcf0LR+= zVHb7W-SlsYZDq(qmhnaK30&A3rWnw4Q$(5Y>VnT7Cj=n?%Pp>>RrNodf%CE(nKrLd z4>HT3+G0ilj&TbiBY&%MDKztDoL5fSj&n!&j5QyLHC5nQy*i^(PYwM%RN6qn4UG4hCgjMRU>zj4%mU%xxm ze}9QfIQn5;CJ;-X32k^4Twh#WT+Omk%NM~kSSp5%SBU#<1p_7**8EzKig&e{X!2{?Nl5p5bkDv+ie|R!ii@afRUGb92P% zt}_RfoqxqoaZ{d`oOK8-?lyrTdX&HUQ2RLsSC&NZW$NVNtkc}%;a%B>2xn%qt%iAJ z$OC?u47{<=u%;ar_-QdAfkXE06?3FJOvb){>E^fTESOF{N@WZ5&9gq0#owMXibF%T zKeJja27UO|S2bOlIM1|669p?DWq~l6a6gjAj(^gzqa<5@0FNhHrCG}M!KWbJmb)Uj zO~H(<;Ts^VDPd_6DT+0VZ1mBxciGy@BOZ>D8KKus>y( zUUgBn$+``JaE;a7Y#sDdXK9`?-XoO0sVP_vR1;i>rsS zHh)Qvb(E)F$D3fqpLp8PiWCXhTYm&+8gyqlXKzE%r%7E)=Bg~5$=k04oeD5|8s-PG z&cvq8Lz!Vm?su9H2LJ>oVe!!L4gT)&?6mQV4WXC+oi=t4v$gkl2CkSt;lTNEXz*Dd zPEQ^D#{M;Z=zi7-+UI0O8^VGC+~Wb6uBtYe>=j zO_L$tth>La%5aEvf()JPU5~;eLCNWn;N*FuzhVELG510CY4aZ$f!v)Az))pN2SBW{ zhtI^V%(9ukI%a6^$E8k8`+5NVFnveAdWhkere$m}y1*+hn}U_a)aS?hp3XEq8h>M- zphsQ^_k?BhTw~&28{OXvdBam7=5R2EMLYNo!gK|n0y9C$r@$NmV#0zC!nhZ`^S3CrRLO)ERv7c6fGB3^9VlU9!b_qAPdA%{SKUiE(L#GuTB_4oo~BwE z3A^)d6Wx+5vl(%c7*+DXdjmh~G!7vyCl-pLqY(W8=AEWZ*HbCypklJqLx0Oh%H@j* zQ4f(ye{LD8hQJhET;_R|k^7KK-^0K|=t=W;QhMg!p&gnR5>8nrP3HoWhJtIAkqk6R z1VyWXGFKv$5Nz&5QX3XMF466#E}N>~t!x&46y4`pTHIO$@;Eo@=rP>y^xNr_va&|| zT1UH(Cu;7&k4RE_YZCD!27f-61*N-`#ap9MR<77H1Yad7cP5B@M@E$b7)`tdZ#JEw zwS`f*RvbO2845AhYF;8ewNO+kn=+6T+z_SfK7ym@s;=^`qj)aviGQK4?AsRUOE>5m z6r#+iOB5cCv|@O$GKU5Ke9)cHB!6y3$F^ZsPNd=Ko^JUUTf`SFPk z;o;ZG$3See{C+1L>3_~gDpK*VbhDXG7=Io%+0<j zGdENXASbSd?2cOnR+ly`zHx_${o7etR(>WoqTHm_SW^ly0*b@Em&w=i9n*#PTygqiYbm(THq)2me<)|$fL>;+uFuBfLUhM;G{E*I zfo`u@esAAbdJa6@A@f!_Xiuw>XH%fbjq#5Pgsj{55=|R;LajRh_K?C&%N^q9yTa$= ztEW$PJ5E(gSF=$6QZHB=i0U-T>rH3^;URmg1PoFgS%2b`AQcz>Cs4wWOih9@j_6+LlI%9A&IacBISjq#$aq8)*OIbTt_8^ zI8Iq~h}#O&7JtE4Th^fI#g@%REt-0*-j#!KrGG0-+HR60iurqYZqiOp$%Q+w_86ix 
zeC5Dd`NBO#49qP5+B(z-KKILWhsxP{FS7JJd3{@5$4{kp~W=MnT69rpC`v^g`cukA&=efu{2&fHj4Y zV^wujeV7T!SWP>UGF5b6yEOj);u12ySbsm}iw(o?e_Xw}dGoFP{>R(*r@#OIMXpQC zj9>mHOE&p?Sn>$uOzy1B2lksk)mDQdU-w?TMXnna#i%SWxSiF8c4Mo0=j3^e! z>!Q3XvnD66g^iq!X};&Ifx%0Xz&`wk!ngR+osyrjp9`7Jm_B}^2);XhC%!!o-GARh zyIWp@ftTQCmluCI|LbBJkS?GVD6pp)QlEv?y0v`%3hB0i;EEjsNovB~no6``ux_x} zkrg7s&i&9?icMdStws6`|3KDsof*MG2Liz85y0f%%R1gnFNNOHS%^Kq$policy for glusterd + @@ -31830,6 +31832,24 @@ index 0000000..fc9bf19 + +###################################### +## ++## Dontaudit Read /var/lib/glusterd files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_dontaudit_read_lib_dirs',` ++ gen_require(` ++ type glusterd_var_lib_t; ++ ') ++ ++ dontaudit $1 glusterd_var_lib_t:dir list_dir_perms; ++') ++ ++###################################### ++## +## Read and write /var/lib/glusterd files. +## +## @@ -31915,10 +31935,10 @@ index 0000000..fc9bf19 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..afabf8c +index 0000000..59e84ca --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,297 @@ +@@ -0,0 +1,295 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32002,10 +32022,8 @@ index 0000000..afabf8c +allow glusterd_t glusterd_tmp_t:dir mounton; + +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+logging_log_filetrans(glusterd_t, glusterd_log_t, dir) ++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) + +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) @@ -45368,7 +45386,7 @@ index dd8e01a..9cd6b0b 100644 ## ## 
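Review bot: The summary of the new `glusterd_dontaudit_read_lib_dirs` interface says "Dontaudit Read /var/lib/glusterd files", but the only rule it emits is `dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;`, which silences directory listing and nothing on files. A caller who trusts the summary will expect file reads to be silenced as well and will be surprised by the resulting audit entries; suggest `## Do not audit attempts to list /var/lib/glusterd directories.` so the text matches both the interface name and the rule. The interface's documentation markup is partly stripped in this view, so the parameter description could not be checked.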
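Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on glusterd_log_t with `manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)` grants glusterd_t read, write, unlink and rename on every glusterd_log_t file, which is more than the "create glusterd_log_t files" the description asks for — create was already on the old side, and what was missing for new files to land in glusterd_log_t is the `file` class in the filetrans. Append-only logging is what lets a log survive a misbehaving or compromised daemon; if the need is creation plus writing of /var/log/ganesha.log, keeping `append_files_pattern` and `create_files_pattern` next to the new `logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })`, or at most `rw_files_pattern`, meets it without unlink and rename. The filetrans change itself looks right. Note also that the description and the spec changelog call the types `gluster_log_t`/`gluster_var_run_t` while the policy here uses `glusterd_log_t`; the matching .fc hunk is not in this view, so the labels could not be cross-checked.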
diff --git a/logrotate.te b/logrotate.te -index be0ab84..3c99496 100644 +index be0ab84..688605e 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -45493,7 +45511,7 @@ index be0ab84..3c99496 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +126,52 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +126,54 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -45524,6 +45542,8 @@ index be0ab84..3c99496 100644 +miscfiles_read_hwdata(logrotate_t) -userdom_use_user_terminals(logrotate_t) ++term_dontaudit_use_unallocated_ttys(logrotate_t) ++ +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) @@ -45552,7 +45572,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -135,16 +186,17 @@ optional_policy(` +@@ -135,16 +188,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -45572,7 +45592,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -170,6 +222,11 @@ optional_policy(` +@@ -170,6 +224,11 @@ optional_policy(` ') optional_policy(` @@ -45584,7 +45604,7 @@ index be0ab84..3c99496 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +235,7 @@ optional_policy(` +@@ -178,7 +237,7 @@ optional_policy(` ') optional_policy(` @@ -45593,7 +45613,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -198,17 +255,18 @@ optional_policy(` +@@ -198,17 +257,18 @@ optional_policy(` ') optional_policy(` @@ -45615,7 +45635,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -216,6 +274,14 @@ optional_policy(` +@@ -216,6 +276,14 @@ optional_policy(` ') optional_policy(` 
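Review bot: `term_dontaudit_use_unallocated_ttys(logrotate_t)` is added with no note on which invocation triggers the denial it silences, and the commit description does not mention logrotate at all, so a dontaudit rule — the one kind of rule whose reason cannot be reconstructed from the policy — is left undocumented. Suggest a comment above it such as `# silence tty use inherited from the invoking session; logrotate does not need the terminal`, adjusted to whatever the actual AVC was. The hunk's context already shows the inner patch replacing `userdom_use_user_terminals` with `userdom_use_inherited_user_terminals`; it is worth confirming that the dontaudit is still needed alongside that allow rather than masking an access the inherited-terminal interface already covers.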
@@ -45630,7 +45650,7 @@ index be0ab84..3c99496 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +294,43 @@ optional_policy(` +@@ -228,26 +296,43 @@ optional_policy(` ') optional_policy(` @@ -117642,7 +117662,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..b23f29d 100644 +index 7f496c6..fccb7b1 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -117860,7 +117880,7 @@ index 7f496c6..b23f29d 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -170,6 +185,26 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) +@@ -170,6 +185,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) @@ -117880,6 +117900,10 @@ index 7f496c6..b23f29d 100644 +corenet_tcp_connect_pop_port(zabbix_agent_t) +corenet_tcp_sendrecv_pop_port(zabbix_agent_t) + ++corenet_sendrecv_postgresql_client_packets(zabbix_agent_t) ++corenet_tcp_connect_postgresql_port(zabbix_agent_t) ++corenet_tcp_sendrecv_postgresql_port(zabbix_agent_t) ++ +corenet_sendrecv_smtp_client_packets(zabbix_agent_t) +corenet_tcp_connect_smtp_port(zabbix_agent_t) +corenet_tcp_sendrecv_smtp_port(zabbix_agent_t) @@ -117887,7 +117911,7 @@ index 7f496c6..b23f29d 100644 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) -@@ -177,21 +212,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +216,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6adb1539..bdb1cabf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
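Review bot: The three new postgresql lines give `zabbix_agent_t`, the per-host agent domain, unconditional client access to the PostgreSQL port, while the description only says "Allow zabbix to connect to postgresql port" without naming the domain or the use case; a later reader of zabbix.te cannot tell whether this is for an agent-side database check on every host or a server-side need that landed in the agent domain. Suggest a comment such as `# agent-side DB checks (UserParameter) need the postgresql port` above `corenet_sendrecv_postgresql_client_packets(zabbix_agent_t)`. If only some deployments run such checks, gating the three lines behind a tunable, as this file appears to do for other optional network access outside this hunk, would keep the default agent from reaching the database port. The neighbouring pop and smtp blocks are context from the inner patch and use the same unconditional style, so the new lines are consistent with them; the point is to record the intent.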
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 189%{?dist}
+Release: 190%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,12 @@ exit 0
 %endif
 
 %changelog
+* Mon May 16 2016 Lukas Vrabec 3.13.1-190
+- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
+- Allow zabbix to connect to postgresql port
+- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
+- Allow systemd to read efivarfs. Resolve: #121
+
 * Tue May 10 2016 Lukas Vrabec 3.13.1-189
 - Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed