From 5ed99329f57573841d62f4cd916122686a870359 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Tue, 17 Jan 2017 18:02:49 +0100
Subject: [PATCH] * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235 - Allow libvirt daemon to create /var/cache/libvirt dir. - Allow systemd to use the ProtectKernelTunables security feature. BZ(1392161) - F26 Wide change: Coredumps enabled by default. Allowing inheritance of process limits to enable coredumps. BZ(1341829)
---
 container-selinux.tgz | Bin 5492 -> 5492 bytes
 policy-rawhide-base.patch | 294 ++++++++++++++++++++++-------------
 policy-rawhide-contrib.patch | 49 +++---
 selinux-policy.spec | 7 +-
 4 files changed, 213 insertions(+), 137 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index d4135c69ea287e8205b0e4eb41c247b9c27fddb7..e3df1064b92ae7cb55ddaa92b48e2c027629fd71 100644 GIT binary patch literal 5492 zcmV-)6^rU0iwFSCO@3Ga1MOW~Z`?SR?pN2Z5RwLBHxfG+PXZ)8GZ=LCVIOvQM4}bY(N22OL$``b1>Xbyu;ZWph!t$z&QZ-Q` zQf}er<&RgY*a|?xKAqa&m$U!4Cuzfofu5HU+nEotY7bv7dC@DQZ1m$Hsgr$FCVTSd zCxYt9Uj{XNMXZWgos=}kPT4@OI4XQ!g!3hQmIQz|x67plp2!#zsnv|T zzQzYq?1@GrER`@gDN# z%wo55j-GLF@!BrLHP#p4Io%~S`IflO8x+oWK_0;MBBu=Jwu|W!$nq#;$i_<-<;`q_ z@BtqT_uu%c$NiZeNSbeQ7$7l_xVMsl$m4ZpVnSf~BRBUG%E99%ibJx^V7Z0q|CN-< zw!e{l8*6OOn|3nUCgG2fZVF>;!JJe|T1W6(QU#20M4@(?Vf2X0lXCwjkeDEqs`c-{ zZ;A#+Vhjb;(ix5iEOM8#U6cS}!+^sqPb1#@)_4GMhjfV{2M=|Ai}fJo7aY(YvTQ|+ zt+3#uDbBl6ZMY;BOhMtDaxP7&N|cS$BB9h#6@NFZYfWTz*_8V5|0hv(K>jDipP#V0 zadi<%d)2NjLpv+r}dJ{x$r21OKj<)z5zZ&yU~8&cU^qL!M3B zH^3Hl2poW-6BJ?&WPP}}*+)rzyNCnII}iic##FoefikjBSux4;^kMj}DRaiz-wu?( z&ZMHHDiWiWBY91V3YB%>R1Wirzlr2W6_&%gsRZ}|1j}89EfF{td(>#jd;AgUnV~Jx zky5fjk=(%Kud4Lw>;O}&u5bm6IM5a`vyw84?&{p8VDHHucCN3#sPBMB`>8X?ft-t8BO#zHWVfsd*I>`*Fu-6YK8Pzn~~cC zqsUo&iHyRZ7XB*2_vx;V#R9pDp%u$889%~YYz;)Q`x?x~Z=_^XSdE`yO&*r>0+ZO@ zZq!(R7Ry%RD1;A#vHd$Jv<->x`U|9}ww|KKUg)6MReRE(19DT8n=bF6duv3J=g|}W z?h?v9xtNWURq4%q5DKN^L5uL|95hh%O`I2Lk;CxLM-qKope3_-BQUCT9%p+kpb`V7 z-xl;`J`G(ce2OZB;y&$Eucp7R2~yd0G+`#rfDw}sEWD?S5Zcn2IThIf|xa-RdIWX99RTaj1&b$U|rplWx6jgQK?-Jt^)g^NFJ6) ze7zuK!m53)WB@2GHSF4PlI`_r#|axEXRSt+DT{Q}UAbp2Fisr(yS>A=oMNd$`i zeMA|kBzwNU5cbveXVDteH?Y;Sa{xju^XH%13h1{ya)&f{^pF;H z8u$@9QsOZ;S7K-@-`qvdY0v!S;O~(`sy%`(lFee(B)#4m0#cr}x`9?jvVYtK!Pk2Z z6~n&A{iEFkpWD2y%KapT|1`tJ+j*>~!|AkEBkFgJ3^jhxaqTa**5^VM2sELkpCbAM z25t@9h-kholR}t!(dQ4-oEcCVm+W>z)i8flz=vSC{+(-Lti1H*^~xic0|3NeU}>cZ z>+;*6;+w#lpZrrJUvQp(^t9fzNQ|P?H|C1Xci3!OIKd{fNWu z+0u^EIBD2UW;qSKrTpbLmJP<+J0)R{7wAX}qsvF8>KRCb$H&F|?E`gep5BS%y5d6c za2%DIXCN%6^Yr-q?dm+d_tRC@;VL*34T#uf)z&^{=)36)#xk1yAP;xWt*fTYC|@ub ziCjjOiD0URKO(2KZQ?Bdz1hPd6>ML}tDUe5Cgp<#UhWx!7oc*&hE_iuD(J4zRC6l1 z{pD5+e6Op5q{-oGl=E$K=jIgqR6ju{0$^=TVl<3q35QiTC$t4qk9At?u%tEJ&S*~W 
zwFk+XkJW2S7?L$TsYU9))<}LRogrgI!nd9#4bun=t#ROC?B@YE*xrq!_n59&e*UKo(lBzWGe-XNU)OK1-wn@yU0*+*|N0UiVQK?(H7r5`~xd4l=} zmsPODyxVz~T5a(>MWFAmlb7hw*>OMP#`rc)ucsAg?>24U(2l3u((3|}- zOq*_W_Pq0UIFGa=tlLB*xj^7?cG>-B*2I7=oJtl@VH^A@9%4Dr8qfRXhq%h=*F|o9 zl%k#TciwfY!_ev!?P4lNsX#1LYQTBFlnrgrKKe;BNCe56MPe(520 zih7YZ)PlXC9d!8BjgPeUS;Z&Za8}u8sok^ML+zW@UGSli@2sOwI;_fYfOc!?xY(5^ zQ$IYnA`IbGW>gouO{@}0QtaV;SY!w$ z(1TSH#(zKW7n!>6w)-cnsHBL*t`4t+y=mL-C@D7Y!R$@ed6Bb+=u?#Ls=G3}$zi+Q zz&8NfP{Q&o+TWB_7GYz#Gn{{0=cUdAQbOuq}YcEABoFL}Te;0hA^i zpiC*=PKwvjnoDTf&;uzmU&;OqHoJl*6rV7l26(-ac4cK{JzX@SSgA~f;eKd4+7 z@X*q1#L~3Dbk~j6Q;UN7 zs?a`RUwJxE^jRnM&Fk#e@?dUPy;zeMi3`u3^B4wZFiy26`g{>2*f_#_wHU>5D%b)U zV9GsgQ&;eOW-`eyD)^SYzYw{SD7DnHCxWxgvF=1!IX%*m4@0CQ=)$*bLm88X6>c;c=Z zI*WBvmf2?Q$>Ar#ZZpMC3IBR|eB0@U(^O%cOgLQyc$i@Iw54fl>YOO^8>Ul))7S+H za~6Ie=47E4h&x&E1>)+nWJ?22mV#rrA(F6j>DELG!gj7HyvYkHuwy6k=g!_B%&AIb zAn?3t763eJn)z_Me)!;NAR%qjK=++bh>&SKJd50$yLVd7v~F4S)%G8Mmfm^kq3k;8 zt$i^(_cy>zQpkh}5pU#q6LvXmQkR6?RrO6MIZxJppeZY?tZs?#5IKkx_(9Vh$-*i} zpSNT8kpWoD-{C1GNy_qDSSXpJeo3FoX5ysKMMkQSLX=Paw2g5)s0DGm zVr1M&EE>!ooLtIN8QS2YUE8{94&HW2N?|zDhkcQkH*Q*)nVq;+Ban33=xQKkRgF7a zo!rGdR(206a+cE@2R#q*pnNJRy~|m;v(w4*8GUwvzMfTg4rqBDjY^oaQ*k1E-?)0z z9vZ@_!>ixZt%JHl45A+0vOw)J4sx0rlZ^*v^Z!fSNjWR-_0R`ZTw_2QmdgzyBb%ft zn6OgrT~ppHA*Q?w`hnt7%B1xZi*wu#-b!LF=<|&i*K)Y2KJ1+q{)KogdbsvbxB;Ho zYu&&Et_nKBVn^Zpz%ajTW@)@u{Z=f3pr9vDdR;w@iu+U?-^6sfDbf5aNn>;a)Okiw z2ixWu{y1QK9)33X>jRY$ef+krD#pKnqNcveBZ#1@O^VISI^+)=CSJ8{0@r>9#~Q~f zfXRkJE(X!41KN>LyZG}?hq5rgsovTfa_0erFr-y@VA!myj3Sn$b{ z6cDBA*zgE59TsWpa-CLm=&}uU-kGUyQtNH^fFLD#D>Uxg`~V`T+*BhP^&btPEan%O z_0wG~^s+zk9%eP{d48Q<5&JcE3$fQ=Sb@c3Zp;p~-XH=vbm6-U0HEYjwE^+vV6CPp zZn=bFb>*oS@A|?jy%a@N9fF`ntCX6R>TOQJ6vmXRQC&=04^ zR7!i`e5J%rP4yuYUj=f8B6SE|3I8Zbn>x2!@iyFUf883fP>OtNDG)Vf5LrzE$U-@w z$3d#=o+;HQ^$fsMY$oh#REFYQWYI5w|M>UlAJCy&68(ZF=Xk1?J8f{)J5It=6?rw{ zj2YMGN1auofchz!s=Yt)JztmJ5on3I@v?}0!!LQ?H6Ry?wbOXv-X=6gv>A_wo~*Q* 
z^uYG_9ug&p0Lj^DPAI!QPN?QxQ{pz9;uW|tbGCDZ`xxlH<)EJt~JSMA6l>!bbIFv|CDP7ZyJ7I6jM(V+NxB0%SBYn?nl~W#?qH^5qaA(bWGX5sv#h^Ht5q(8)>W|NmUW4K z7UzK?*bYp>_JsGOs&4a|jXMbhna6bJ??V>8jWU*(yp7eZ=zQx?P^%zMD7{*>odSFk zI!Zl_HdT#gx&&x%Dv7D+p}R}Z^^0p7En{wYUo9&t^ya33R z1YHr59`o^YekRr4OOLT?X|N@|U!*6Ub%@(j?$%n*_)L|@`t(F?Dbx0NpSpL~<{Te! z2%E*ae(FSA+cjFM6C)U@ZQ5C8Q1kGVvh_>{KUaq?fuTV?%z21D5APN59o8G%VKZXO z>(mN)5O8XFBU&vHJQI#zoYwlAoE|01>1g{J469LkTP#6)R&_$4=zp=uSI<@^Tj1Uu z+Y{Z+y`Gb|8@|RgUIHgjEE#V@cO9_sxL>A46_15~(2OCDAWNCwth>Td$g7Jn5vnfa zYlWsuo~U;Ag_9>}ZZv$}*(-4k(8vKSdG2+_!6UQe#8XGwujYU=9LM^USLdvbb3a$N z@Qfsrj9(?>dpDX_vJkvC6J((}d`Th4R^iVN2|*vv5pmq1iNS)l} zOZ56i{*|nT+@fQ{*OK7mr3oo51}SD&1d@)L9&AD)j;*yLblyBCW=~dfkgi5l!&T=Y z7i@ip2(#oc4#LyuKA>Rx-tcdG!u9ol4C&4mBJLv?J_*W+4n!JQz8wbOo}%OT{JJPd z&kbRv=|5O4>j6GL_aBJOX#;U_20&372rbFwuf0DB_ zz0~i(T&o?gdJ$}2bi1cw=_ov=0Q8%+0bQvQQLNrgJ!)A#jXqY<9f?3iY+yXlVj}#8 zIZFQ8#w$gjuM0jFF${?m@&^1j)QEqqx2ol(B4!BG5`xpwuWpjH>d|;wTaYy3vxYC1 z@uWIAnT%_UM3|%(lCvn=*5qwR2!&FbxlLEMlOiBUAq#))+uM%+=q_DuPIkAQ|Ng(1 z@2;<34(|VZ_44ulzc2B*!d$lQoMt$l^;9On)aQ5OwFq$&q<+bRDY6F#jnrsnh&{|u(r2xSceSvUG;laCfNjy#U zum8RJpC5!DWLaj)Kcux-izR9*yb4Rhmep-lG<))5IxEa;{5#P2XU&!xGim}Zv!1$Z zX>kr1H7qyBT4=d5%b)WWuyLWBL?=v%m~#+Z7k@nq#!A)IL!1FEj$8&u!L6=t6VYoB zD-tObsEw!bhAE&z4o zaPTMzk3{5*b^{`^1wd+MkFpa1|uwCXSb literal 5492 zcmV-)6^rU0iwFR8*?m|51MOW~kK8tv&TH4N5bOZ%4(x8X?ZkkcnZY8Shk2MyFq5~< zuA-7yRZ6R*ib(Zk4gdE&hc{6YNl_}5?FG63yQ`(ckK`eFcy45;RmqaPB=u#!`Q}8Q zm+<-Fhd221`tA2G&7bgjef{?J58qtBe);+j!uk960sU%h(sP4x0q4KhCsWl0@H z-xRlXvL>mMZtVU4)6eSZ)96Rq?Dt9i@Yi2=B&rUid_k+GPDzv;4n>|OEU(HaRTCv5 z^3vw5mzE&tgiFI^D(V zygdK*`eJpas*4W^gI3{FH<;}WyI5fbCm1N;>{mNV$d4%_6gC)XQgTY~ARNi>fAcyG zb{F|N%AolvtLmK437kIjaXLv;LOI&mG!{#yK(j&^e4Err+VYmyAANgmqj?AYj3hpM zjSr;WQz*E}3qn=JlA4dm!ZZ78V>O>ppOev!39ic>$?<=YB<=q z#ct;uJ>%fwwOxp7tk1x6x=U*EHF2FcD4g$tJb>#(P8rT^7tpy_s z6b+2T7z(JRGaL_Cp{xTIG{ab*@_rj zVZldJoOh+#a7iqfg2FrHT$)mqC>y6mLaC!F{%%;;n#k(1DfQw1PonC8{7;I%JYjX? 
z>LQZ%s$G-3+y+%^Um{Az1)JyA1>&=|jYaV7EBN;s{=HdNKl|k$AHI^EgKIH|Je#&} zfGzA0H~>W_D8wAd`fzcxkCOU!5eJlaAO^0Dsdo1RWn`bSVv^_S{qS8==8Uty9VmgF zNkvOlBt|Po@|qMCD(k?h9Oe^$6UmP%EQfVd3Gf35mb(mFB5*ABsL_&l_#@IYLtCUH zrDTI5xq-=FRq55)0j5}8;R+aWpel?z{Ml3g)URo3hA*nBew@e zk+b*`8HGPB{8fbS(p?>k1#%ZdE0$q0euTN$8i-=|HJFXxNXe$K8b8CDJS^u0Cb7NU zsImSmmaW852pJ{MOJ?y#U{vWm&h}bBB?e5t zE$GX98oE&U6jcbtecGvBO@Ch#q_XR1!c3e2BPJtQhI1yyivq+QHD^|!{%>*QwX=Vd zZ!bxCyCmwaqKqyL$nCWSF>6Ar;`S0bun4ReDGG|fy1FOJbYEbiQoA5r1@=RcJS>m+ zYC*_^Rr_4Y08m_N*tO#%+vla&i!c!6T0Ua4Qb?Ej1)v@2`l-rN`8TxEft`<%2o(MM zh%!(~_I!UK?2GHqqBW>*V5?{60EAk~-Rfpp%cn4Qj6wVNFF&;v(64#q4r%b{AuZ}O z@FR4j#A9x*#L!m0xr?6Dp83nc-yw%odjwr1o5iY0dc8FSq&#bN1Fec=|F{c+ulF1( zhJBCwN4p6=w|QNa`$-D_X@-lp^H@)Z(`l_n)bAP@YW$$%+Fxv~&xI-wXhKUrMf4F2 z+#0wM(R^Dbg)sG^Pw%HWGoUgq+3kd?Vg9Iq55aK#JJ-ZmdFjpTl}9cI0EofB(n=H7 z<+nk_W%n%(w(-)&JQ??FDIXPzg@J=gIm_ciRpjXdpW(`(COv2gtN^BhmlwwS5r^Be zr5&Yl(y*P(avFF``OB{?8;rMiO2Qs5(2*8Kmyb-GApN)p>aDr>m^PRd6U85V6aut$obUcheV)Wi8URMQ4lf%_0=iBDa%_;V&eu7Q}z}lL`Xc)~B4y$fXXbYwu>$KQmNo%^D(VX6E z50W(>tJjt=Bx`z7i`0Luk^E3PL&l1PZ#_*KrV$ug99PKn%Q7b<2GeT1td_TyrJHg;JR1@9p2&~Q83^XTv z^H*Ll?yD+_=+~cqi4IlGbaeh8SCv4=rNWvrS(|;(iYF)|&!bIJPy+pN=|@mao}m80 zWfd$j?{?m$R$DyJk;xLWugX|RjB`s(zB5CjR7{)oA2DnP=`Ja^{Oz7Q2yAe=5b803 zCA67jYo5DxD^mo?TJh1jlsMP|nFkctT-l|Hy3bCbzIWLuo((u}x*LY{LA>`G^k%;d z)217pJ@337&Liyz>o(CyE)aN}U3UMOH8G$Ir;-I!*am-!hgc4@#`AvpA+B=zb&*>i zrD&)8op;^pFtj>FyO_#RDi8~m8gSk(WkVY@P&!xp@$U0pAaL7#a@cM+ z@D0E=l(0OD_BUmfMc7#G4Cmk0d8zY2`GY#S15CC7NQ_d9R1BN7ig(qd0L7}nc-Kgw zHZ-y&pe3`q8ykVz>muLhjJJcz9JcYcXxBNW)fs+t;hP^RYzyG=in|X3(O7y|0Hw(W zC{v2Jlj2ph<`SAV^gznYSF%5Y&90yc#U~7?0bZ}9U0GRKPZy0SRw`3rxF6aMxf}~N zJhU_$aWo?%5ZRWZF{A5h$G3+K=ZuUWQ9u!vhWEGy>?Nqp?6OcwY(d63-F2h&)S{ri zDzuN-SDp?OebPyN^E$h=Jeb>6FV^Hm;=;4%JcfZ8j8pB2K3xO}HjeO4Ek<#i3bsH7 zm~s!>)YZP-&v5G*CTxu~)0(Rw+uqNseenma%1d}TbL>0nt@FjaxiArX^4ti;@9OqJ zGo=UZm@!8(9QA$AtD~77ihm5_!}}n0s#8{?&PJTFj&*TDW`&5LULk&ehar33`yD&J z+Bc?&I(3x;4>)u$^lPZ}Nf)?AVF?xwAJ2bE*;< z2t03^1pv>QW(0%6m-wf)DRq<3C=D7#L2 
zYhMh{{S9!F6f$8##2b0ugk4UX)FokeRecjm&XcttXvzvJt6SnbL=GYae$aGBvarh0 z=k3^iWB?ZPcX&!klCu037E0!*U(#pzuF3dq4zd#QhWePYQW>{AX1caVwlBI=bVrK9 z1BV<#H!+VTY~j~BPvf%698EBbP*P@4)2%L+Z)OylSywM)<0!^^#fK2{7RKpQnXRy6 z>=0OmDw0~!*cMxR}vuV>Yr16p23qY~!qRGbLkH?AJF zhlX(K@ap$;>!9usgQ!QhEKs|QgPf+uWaEL^{C^X7QqGEdJ@i2p*BFq7<#L0_$R=qD zCajcu*OWI)h$-)aexSINGHLz9;vBbwx009(`h4TXwH$7$4|}JDe<5Cr9$9SAm?NNF72~!aqvVrq1nFybZV8U$;gqlp>#63PepAL{^gkvQQ4_ zagge|XG--+Jp=F*n+dxbm7zEnS@i4AAAXMh1s%F2(XV)Nj;Ct5(*{?)<0L#)kyj(m zm~nl6)LA78sGpLl+WQmV^L6PRftHvXFN@eW{F3)w19G8QJB=6aZ9-#2oAG$)$x5q9 z4{U$$AyI+|ker?7gtFV?glgV3C2qqhUV$4kXFFH8kAZIA>ZGs_Qh4ZA@OhrCFp2mw z(CM`<1FJ0|hN7*=(|cQmH?nm@m1`8gimUS+#*{ca!O3=smq<(laT^0(M}gDF(I@Yn z7P>ObZOUEBh>d=qq&uK{9q4rWR=+RSS(oT% zaULjw?Z6~#Pk2wN>Nc<0xRXGTc}#cyK4jtBC}Vla+gRO-&bJN)wF>ft(yLY5DZnS8 zqtw%AQ`KmuOMv#Kl9-Afy1VpTAC}Tb!#ic=~1$rj<&DCuo|Ve#S*kp6M5;cHCeC2#`8lJPcl*8vNU`(;{G@mTl=%^2bcvXuGFx+@%oyt)_@q3S}u zR%p89iE3wGIC+BRM#JZwy%N^|jU2#|=U!(VJTgm8Jawe~Y7RKVajZ{yb*#cja~LsKdA zT<_(RSe&?;)E5EOL`IZQ9elEag+&xK`FJ=_lg<=)tS{}JMn5$*Xhp1e5Z5{7;vOy7 zok5L7VSI`AjYbxoF$R%-C_3gly17s<5$9*kYQ+<=Ie_ZTM*;K}n~TdR#{FEpj1HVC z!IyV9E~dm#W)8)rI3a77u$JSL-Sd>uP{_|b!Fk;AQD1~@QcO(60=ecqrvo#J)X81G zM6Yk;U&(67Ejl)QEeTFunvl|BkYaX4AnB;-!6qc)*jhV6=go6s_GBdo>1sqZTy-9D z!Pa+(FiQ^OAUuuk0}8h94ga<$Twf2!knU_D;y!}mlc1dFK%{}?+hG9iDLQ`7uZwc@ z+z?ip{=L<*9^mtH|AE+?HV_wQ02HNx(2`vK+WV7GUUAzk`O5rrIirn~a>3Weu28hg zim|e=GO|3`28r7-tO+9Q+4Jc4_R3^4?(WKilBSWV`{ebX7Tt$+lUObBa~0ZF>ARcW zOZ^Vawc7Ej7s2*Lw|gp2OKK)+cV(3L6?#p>PEqn72<=tC9VkqA`82F3#|CcLyvM9*w891xX`5Yxr^* zPpXrX$+*Tygh_fKIg7GwP2P5dP$;FD+jMn1DFT8NvhbI_z3upq?$YJvWOv*7@Be%G z_RX7@gZuxkuOILK`y8Ju%=Nqa?NSI5e&-}k33AWQrJJpJC%2XQT|58fEh7|f2)t@& zeO2UZ)Tgcl&ei32XD?m^qbUkt{hjcGEXz#!hqM-Ju|!RUS7B+`vbwE`W=~#BXN7rtl3gyMoqwF)>C&a zEzSX>hUMm13oUnM`E%X^HZGKt=!7W|a}I**;%{fcSgE>th%=zYk;~vHxYgBdB6FV9h<^FqZ+OK`I1|NXIpe_Ue0ex> zc%%8z@@0TA?Plsc^5My=0VYm@0K`{EK(?4IAD5Y?#<++-e78i$Q6w+ZJVd(Ef7x&m z4jv_eyo+68o?y)@Wc$)Tdga^U7Zm{RDwdH03V&g7pkNo53O(TCg#+jXGdJlr2&mhM 
zV47ggQnuiU#{GtWIeC&kG6IKwJHVsM;K@IsybufJ1|XC?Iu&#fqc!9h02^x01PQ>e qM>K)9^Kg_T`O^0J ## -@@ -1530,4 +1632,82 @@ interface(`domain_unconfined',` +@@ -1530,4 +1632,101 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -10388,6 +10388,25 @@ index 6a1e4d1..f23f6a6 100644 + ') + + allow $1 domain:process setrlimit; ++') ++ ++######################################## ++## ++## Allow set resource limits to all domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`domain_rlimitinh_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ allow $1 domain:process rlimitinh; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index cf04cb5..43876e0 100644 @@ -21629,7 +21648,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..1428581 100644 +index e100d88..8139871 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -22025,7 +22044,7 @@ index e100d88..1428581 100644 ') ######################################## -@@ -2085,9 +2241,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2241,54 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; 
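Review bot: The header comment of the new `domain_rlimitinh_all_domains` interface, `## Allow set resource limits to all domains.`, is copied from the `domain_setrlimit_all_domains` interface directly above it and does not describe the rule it documents; `allow $1 domain:process rlimitinh;` does not let the caller set limits, it lets the caller's resource limits be kept (as far as I recall the kernel check, soft limits are otherwise clamped on a domain transition) when it transitions into any domain. Suggest `## Allow the caller's resource limits to be inherited across transitions into all domains.`, with a second `##` line noting BZ(1341829) as the reason for a domain-wide grant. Because the rule targets the `domain` attribute it covers every domain in the policy, including ones added later by other modules, so a sentence in the description saying the interface is meant for init-like callers would help a reader decide whether it is appropriate elsewhere.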
@@ -22049,13 +22068,39 @@ index e100d88..1428581 100644 + ') + + allow $1 sysctl_type:dir mounton; ++') ++ ++######################################## ++## ++## Allow attempts to mounton all filesystems used by ProtectKernelTunables systemd feature. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_systemd_ProtectKernelTunables',` ++ gen_require(` ++ type sysctl_t; ++ type sysctl_irq_t; ++ type proc_t; ++ type mtrr_device_t; ++ type debugfs_t; ++ type cgroup_t; ++ ') ++ ++ allow $1 sysctl_t:dir mounton; ++ allow $1 sysctl_irq_t:dir mounton; ++ allow $1 proc_t:dir mounton; ++ allow $1 mtrr_device_t:dir mounton; ++ allow $1 debugfs_t:dir mounton; ++ allow $1 cgroup_t:dir mounton; ++ ') -+ ######################################## - ## - ## Allow caller to read all sysctls. -@@ -2282,6 +2457,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2485,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -22081,7 +22126,7 @@ index e100d88..1428581 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2500,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2528,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -22090,7 +22135,7 @@ index e100d88..1428581 100644 ## ## # -@@ -2488,6 +2682,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2710,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## 
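Review bot: The new interface `kernel_mounton_systemd_ProtectKernelTunables` uses a CamelCase name while every other interface in this file, including the neighbouring `kernel_mounton_all_sysctls` and `kernel_relabelfrom_unlabeled_fs`, is lower-case snake_case; a name such as `kernel_mounton_protect_kernel_tunables` would match the file and still be greppable for the systemd option. The six `allow $1 ...:dir mounton;` rules carry no comment saying where the list comes from, and the mount points the systemd option covers may change between systemd versions, so a line like `# dirs systemd bind-mounts read-only for ProtectKernelTunables=, see BZ(1392161)` above the rules would let a maintainer check the list is still complete instead of re-deriving it from denials. The `gen_require` also pulls in `mtrr_device_t`, `debugfs_t` and `cgroup_t`, which appear to be declared in other kernel-layer modules rather than kernel.te; if that is the case, the interface description should say so, since the visible neighbouring interfaces only require kernel.te types.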
@@ -22115,11 +22160,55 @@ index e100d88..1428581 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2737,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,7 +2765,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## +-## Allow caller to relabel unlabeled files. +## Allow caller to relabel unlabeled filesystems. + ## + ## + ## +@@ -2533,18 +2773,17 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` + ## + ## + # +-interface(`kernel_relabelfrom_unlabeled_files',` ++interface(`kernel_relabelfrom_unlabeled_fs',` + gen_require(` + type unlabeled_t; + ') + +- kernel_list_unlabeled($1) +- allow $1 unlabeled_t:file { getattr relabelfrom }; ++ allow $1 unlabeled_t:filesystem relabelfrom; + ') + + ######################################## + ## +-## Allow caller to relabel unlabeled symbolic links. ++## Allow caller to relabel unlabeled files. + ## + ## + ## +@@ -2552,13 +2791,32 @@ interface(`kernel_relabelfrom_unlabeled_files',` + ## + ## + # +-interface(`kernel_relabelfrom_unlabeled_symlinks',` ++interface(`kernel_relabelfrom_unlabeled_files',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) +- allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; ++ allow $1 unlabeled_t:file { getattr relabelfrom }; ++') ++ ++######################################## ++## ++## Allow caller to relabel unlabeled symbolic links. +## +## +## 
@@ -22127,34 +22216,22 @@ index e100d88..1428581 100644 +## +## +# -+interface(`kernel_relabelfrom_unlabeled_fs',` ++interface(`kernel_relabelfrom_unlabeled_symlinks',` + gen_require(` + type unlabeled_t; + ') + -+ allow $1 unlabeled_t:filesystem relabelfrom; -+') -+ -+######################################## -+## - ## Allow caller to relabel unlabeled files. - ## - ## -@@ -2667,16 +2897,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ++ kernel_list_unlabeled($1) ++ allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; + ') + + ######################################## +@@ -2667,6 +2925,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## --## Receive TCP packets from an unlabeled connection. +## Receive DCCP packets from an unlabeled connection. - ## --## --##

--## Receive TCP packets from an unlabeled connection. --##

--##

--## The corenetwork interface corenet_tcp_recv_unlabeled() should --## be used instead of this one. --##

++## +## +## +## Domain allowed access. @@ -22171,20 +22248,10 @@ index e100d88..1428581 100644 + +######################################## +## -+## Receive TCP packets from an unlabeled connection. -+## -+## -+##

-+## Receive TCP packets from an unlabeled connection. -+##

-+##

-+## The corenetwork interface corenet_tcp_recv_unlabeled() should -+## be used instead of this one. -+##

- ##
- ## - ## -@@ -2694,6 +2942,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` + ## Receive TCP packets from an unlabeled connection. + ## + ## +@@ -2694,6 +2970,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -22210,7 +22277,7 @@ index e100d88..1428581 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3070,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3098,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -22244,7 +22311,7 @@ index e100d88..1428581 100644 ######################################## ## -@@ -2958,6 +3252,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3280,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -22269,7 +22336,7 @@ index e100d88..1428581 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3312,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -22491,7 +22558,7 @@ index e100d88..1428581 100644 + read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) + + list_dirs_pattern($1, proc_t, proc_numa_t) -+') + ') + +######################################## +## @@ -22510,7 +22577,7 @@ index e100d88..1428581 100644 + ') + + write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) - ') ++') + +######################################## +## @@ -37725,7 +37792,7 @@ index 79a45f6..6126f21 100644 + allow $1 init_var_lib_t:dir search_dir_perms; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..25e49cf 100644 +index 17eda24..9f2c792 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -37905,11 +37972,12 @@ index 17eda24..25e49cf 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +212,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +212,24 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) +kernel_stream_connect(init_t) ++kernel_mounton_systemd_ProtectKernelTunables(init_t) corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) @@ -37930,15 +37998,17 @@ index 17eda24..25e49cf 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +236,25 @@ domain_signal_all_domains(init_t) +@@ -139,14 +237,26 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +- +-files_read_etc_files(init_t) +domain_read_all_domains_state(init_t) +domain_getattr_all_domains(init_t) +domain_setrlimit_all_domains(init_t) - --files_read_etc_files(init_t) ++domain_rlimitinh_all_domains(init_t) ++ +files_read_config_files(init_t) +files_read_all_pids(init_t) +files_read_system_conf_files(init_t) @@ -37957,7 +38027,7 @@ index 17eda24..25e49cf 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +263,73 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +265,73 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -38020,10 +38090,10 @@ index 17eda24..25e49cf 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ -+udev_manage_rules_files(init_t) -miscfiles_read_localization(init_t) ++udev_manage_rules_files(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) 
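Review bot: The two new init_t grants in this hunk and the one after it, `kernel_mounton_systemd_ProtectKernelTunables(init_t)` and `domain_rlimitinh_all_domains(init_t)`, are added without a why-comment, and both change what the policy used to enforce rather than silence a denial. In particular, with `domain_rlimitinh_all_domains(init_t)` every service systemd starts keeps init's soft limits across the transition, so whether a confined daemon can produce a core dump is now decided by the unit's limit settings alone; the commit message says this is intended for the F26 coredump change, so suggest `# BZ(1341829): services inherit init's rlimits so default coredumps work` above that line and `# BZ(1392161): ProtectKernelTunables= bind-mounts over /proc/sys, /sys and friends` above the mounton call. The enclosing init_t rule block starts and ends outside these hunks.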
@@ -38036,7 +38106,7 @@ index 17eda24..25e49cf 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +338,275 @@ ifdef(`distro_gentoo',` +@@ -186,29 +340,275 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38275,18 +38345,18 @@ index 17eda24..25e49cf 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + lldpad_relabel_tmpfs(init_t) ') optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -38307,21 +38377,21 @@ index 17eda24..25e49cf 100644 +optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) -+') -+ -+optional_policy(` -+ plymouthd_stream_connect(init_t) -+ plymouthd_exec_plymouth(init_t) -+ plymouthd_filetrans_named_content(init_t) ') optional_policy(` - nscd_use(init_t) ++ plymouthd_stream_connect(init_t) ++ plymouthd_exec_plymouth(init_t) ++ plymouthd_filetrans_named_content(init_t) ++') ++ ++optional_policy(` + ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +614,30 @@ optional_policy(` +@@ -216,7 +616,30 @@ optional_policy(` ') optional_policy(` @@ -38353,7 +38423,7 @@ index 17eda24..25e49cf 100644 ') ######################################## -@@ -225,9 +646,9 @@ optional_policy(` +@@ -225,9 +648,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -38365,7 +38435,7 @@ index 17eda24..25e49cf 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +679,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +681,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38382,7 +38452,7 @@ index 17eda24..25e49cf 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +704,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +706,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38425,7 +38495,7 @@ index 17eda24..25e49cf 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +741,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +743,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38437,7 +38507,7 @@ index 17eda24..25e49cf 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +753,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +755,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38448,7 +38518,7 @@ index 17eda24..25e49cf 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +764,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +766,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38458,7 +38528,7 @@ index 17eda24..25e49cf 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +773,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +775,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38466,7 +38536,7 @@ index 17eda24..25e49cf 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +780,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +782,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38474,7 +38544,7 @@ index 17eda24..25e49cf 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +788,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +790,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38492,7 +38562,7 @@ index 17eda24..25e49cf 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +806,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +808,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38506,7 +38576,7 @@ index 17eda24..25e49cf 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +821,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +823,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38520,7 +38590,7 @@ index 17eda24..25e49cf 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +834,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +836,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38531,7 +38601,7 @@ index 17eda24..25e49cf 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +847,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +849,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38539,7 +38609,7 @@ index 17eda24..25e49cf 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +866,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +868,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38563,7 +38633,7 @@ index 17eda24..25e49cf 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +899,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +901,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38571,7 +38641,7 @@ index 17eda24..25e49cf 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +933,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +935,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38582,7 +38652,7 @@ index 17eda24..25e49cf 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +957,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +959,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38591,7 +38661,7 @@ index 17eda24..25e49cf 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +972,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +974,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38599,7 +38669,7 @@ index 17eda24..25e49cf 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +993,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +995,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38607,7 +38677,7 @@ index 17eda24..25e49cf 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1003,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1005,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38652,7 +38722,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -559,14 +1048,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1050,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38684,7 +38754,7 @@ index 17eda24..25e49cf 100644 ') ') -@@ -577,6 +1083,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1085,39 @@ ifdef(`distro_suse',` ') ') @@ -38724,7 +38794,7 @@ index 17eda24..25e49cf 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1128,8 @@ optional_policy(` +@@ -589,6 +1130,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38733,7 +38803,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -610,6 +1151,7 @@ optional_policy(` +@@ -610,6 +1153,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38741,7 +38811,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -626,6 +1168,17 @@ optional_policy(` +@@ -626,6 +1170,17 @@ optional_policy(` ') optional_policy(` 
@@ -38759,7 +38829,7 @@ index 17eda24..25e49cf 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1195,13 @@ optional_policy(` +@@ -642,9 +1197,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38773,7 +38843,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -657,15 +1214,11 @@ optional_policy(` +@@ -657,15 +1216,11 @@ optional_policy(` ') optional_policy(` @@ -38791,7 +38861,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -686,6 +1239,15 @@ optional_policy(` +@@ -686,6 +1241,15 @@ optional_policy(` ') optional_policy(` @@ -38807,7 +38877,7 @@ index 17eda24..25e49cf 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1288,7 @@ optional_policy(` +@@ -726,6 +1290,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38815,7 +38885,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -743,7 +1306,13 @@ optional_policy(` +@@ -743,7 +1308,13 @@ optional_policy(` ') optional_policy(` @@ -38830,7 +38900,7 @@ index 17eda24..25e49cf 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1335,10 @@ optional_policy(` +@@ -766,6 +1337,10 @@ optional_policy(` ') optional_policy(` @@ -38841,7 +38911,7 @@ index 17eda24..25e49cf 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1348,20 @@ optional_policy(` +@@ -775,10 +1350,20 @@ optional_policy(` ') optional_policy(` @@ -38862,7 +38932,7 @@ index 17eda24..25e49cf 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1370,10 @@ optional_policy(` +@@ -787,6 +1372,10 @@ optional_policy(` ') optional_policy(` @@ -38873,7 +38943,7 @@ index 17eda24..25e49cf 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1395,6 @@ optional_policy(` +@@ -808,8 +1397,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -38882,7 +38952,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -818,6 +1403,10 @@ optional_policy(` +@@ -818,6 +1405,10 @@ optional_policy(` ') optional_policy(` @@ -38893,7 +38963,7 @@ index 17eda24..25e49cf 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1416,12 @@ optional_policy(` +@@ -827,10 +1418,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38906,7 +38976,7 @@ index 17eda24..25e49cf 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1448,62 @@ optional_policy(` +@@ -857,21 +1450,62 @@ optional_policy(` ') optional_policy(` @@ -38970,7 +39040,7 @@ index 17eda24..25e49cf 100644 ') optional_policy(` -@@ -887,6 +1519,10 @@ optional_policy(` +@@ -887,6 +1521,10 @@ optional_policy(` ') optional_policy(` @@ -38981,7 +39051,7 @@ index 17eda24..25e49cf 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1533,218 @@ optional_policy(` +@@ -897,3 +1535,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a8c9dfc3..c20e916e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -114657,10 +114657,10 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..8036117 100644 +index f03dcf5..d7dc78b 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,410 @@ +@@ -1,451 +1,411 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -115350,6 +115350,7 @@ index f03dcf5..8036117 100644 manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) ++files_var_filetrans(virtd_t, virt_cache_t, dir) manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) manage_files_pattern(virtd_t, virt_content_t, virt_content_t) 
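Review bot: The added `files_var_filetrans(virtd_t, virt_cache_t, dir)` in the virt.te hunk is a name-less transition, so it presumably labels any directory virtd_t creates directly inside a var_t directory as virt_cache_t, not only the /var/cache/libvirt directory the commit message describes. If this tree's `files_var_filetrans` accepts the optional filename argument refpolicy uses elsewhere, `files_var_filetrans(virtd_t, virt_cache_t, dir, "libvirt")` limits the rule to the directory it is meant for, and a stray directory created by the daemon elsewhere under /var would keep the default label instead of becoming writable as virt_cache_t. Either way the line deserves a short comment tying it to the cache directory so the next reviewer does not have to guess its scope.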
@@ -115381,7 +115382,7 @@ index f03dcf5..8036117 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +415,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -115428,7 +115429,7 @@ index f03dcf5..8036117 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +450,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -115462,7 +115463,7 @@ index f03dcf5..8036117 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +475,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -115490,7 +115491,7 @@ index f03dcf5..8036117 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +495,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -115521,7 +115522,7 @@ index f03dcf5..8036117 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +547,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -115541,7 +115542,7 @@ index f03dcf5..8036117 100644 selinux_validate_context(virtd_t) -@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +569,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -115578,7 +115579,7 @@ index f03dcf5..8036117 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +597,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -115587,7 +115588,7 @@ index f03dcf5..8036117 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +621,12 @@ optional_policy(` +@@ -665,20 +622,12 @@ optional_policy(` ') optional_policy(` @@ -115608,7 +115609,7 @@ index f03dcf5..8036117 100644 ') optional_policy(` -@@ -691,20 +639,26 @@ optional_policy(` +@@ -691,20 +640,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -115639,7 +115640,7 @@ index f03dcf5..8036117 100644 ') optional_policy(` -@@ -712,11 +666,18 @@ optional_policy(` +@@ -712,11 +667,18 @@ optional_policy(` ') optional_policy(` @@ -115658,7 +115659,7 @@ index f03dcf5..8036117 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +688,18 @@ optional_policy(` +@@ -727,10 +689,18 @@ optional_policy(` ') optional_policy(` @@ -115677,7 +115678,7 @@ index f03dcf5..8036117 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +715,336 @@ optional_policy(` +@@ -746,44 +716,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') 
@@ -116036,7 +116037,7 @@ index f03dcf5..8036117 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1056,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116063,7 +116064,7 @@ index f03dcf5..8036117 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1076,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -116097,7 +116098,7 @@ index f03dcf5..8036117 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1112,20 @@ optional_policy(` +@@ -856,14 +1113,20 @@ optional_policy(` ') optional_policy(` @@ -116119,7 +116120,7 @@ index f03dcf5..8036117 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1150,66 @@ optional_policy(` +@@ -888,49 +1151,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116204,7 +116205,7 @@ index f03dcf5..8036117 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1222,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116224,7 +116225,7 @@ index f03dcf5..8036117 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1243,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -116248,7 +116249,7 @@ index f03dcf5..8036117 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1268,370 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116764,7 +116765,7 @@ index f03dcf5..8036117 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1644,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116779,7 +116780,7 @@ index f03dcf5..8036117 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1661,7 @@ optional_policy(` +@@ -1192,7 +1662,7 @@ optional_policy(` ######################################## # @@ -116788,7 +116789,7 @@ index f03dcf5..8036117 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1671,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 85fbc1e8..24b4aa63 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 234%{?dist} +Release: 235%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,11 @@ exit 0 %endif %changelog +* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235 +- Allow libvirt daemon to create /var/chace/libvirt dir. +- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161) +- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829) + * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234 - After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017) - Tighten security on containe types