* Thu Dec 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-230

- Label /usr/bin/rpcbind as rpcbind_exec_t - Dontaudit mozilla plugin rawip socket creation. BZ(1275961) - Merge pull request #174 from rhatdan/netlink
2016-12-08 16:30:38 +01:00 · 2016-12-08 16:30:38 +01:00 · 6319c499e4
commit 6319c499e4
parent 68b689158d
3 changed files with 74 additions and 31 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -38661,10 +38661,10 @@ index 0000000..419d280
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..1a30961
+index 0000000..ddbc007
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,235 @@
+@@ -0,0 +1,252 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@ -38705,6 +38705,23 @@ index 0000000..1a30961
 +
 +########################################
 +## <summary>
 +##	Connect to ipa-ods-exporter over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`ipa_stream_connect_ods_exporter',`
 +	gen_require(`
 +		type ipa_ods_exporter_t;
 +	')
 +    allow $1 ipa_ods_exporter_t:unix_stream_socket connectto;
 +')
 +
 +########################################
 +## <summary>
 +##	Execute ipa-helper in the ipa_helper domain.
 +## </summary>
 +## <param name="domain">
@ -52349,7 +52366,7 @@ index 6194b80..e27c53d 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..9336364 100644
+index 11ac8e4..7d5d385 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@ -52802,7 +52819,7 @@ index 11ac8e4..9336364 100644
 ')
 optional_policy(`
-@@ -300,259 +339,257 @@ optional_policy(`
+@@ -300,259 +339,258 @@ optional_policy(`
 ########################################
 #
@ -52816,6 +52833,7 @@ index 11ac8e4..9336364 100644
 +dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config };
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace };
 +dontaudit mozilla_plugin_t self:rawip_socket create_socket_perms;
 +
 +
 +allow mozilla_plugin_t self:cap_userns {sys_admin sys_chroot};
@ -53206,7 +53224,7 @@ index 11ac8e4..9336364 100644
 ')
 optional_policy(`
-@@ -560,7 +597,11 @@ optional_policy(`
+@@ -560,7 +598,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -53219,7 +53237,7 @@ index 11ac8e4..9336364 100644
 ')
 optional_policy(`
-@@ -568,108 +609,144 @@ optional_policy(`
+@@ -568,108 +610,144 @@ optional_policy(`
 ')
 optional_policy(`
@ -64674,10 +64692,10 @@ index 0000000..7c08157
 +')
 diff --git a/opendnssec.te b/opendnssec.te
 new file mode 100644
-index 0000000..e246d45
+index 0000000..3a760d7
 --- /dev/null
 +++ b/opendnssec.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,69 @@
 +policy_module(opendnssec, 1.0.0)
 +
 +########################################
@ -64744,6 +64762,7 @@ index 0000000..e246d45
 +
 +optional_policy(`
 +    ipa_manage_lib(opendnssec_t)
 +    ipa_stream_connect_ods_exporter(opendnssec_t)
 +')
 +
 diff --git a/openfortivpn.fc b/openfortivpn.fc
@ -76617,7 +76636,7 @@ index cd8b8b9..2cfa88a 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
 ')
 diff --git a/ppp.te b/ppp.te
-index d616ca3..e4fc9c0 100644
+index d616ca3..b03d137 100644
 --- a/ppp.te
 +++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@ -76892,7 +76911,7 @@ index d616ca3..e4fc9c0 100644
 allow pptp_t pppd_etc_t:dir list_dir_perms;
 allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +266,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +266,45 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
 allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
 allow pptp_t pppd_etc_rw_t:file read_file_perms;
 allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@ -76921,6 +76940,8 @@ index d616ca3..e4fc9c0 100644
 kernel_signal(pptp_t)
 +dev_read_sysfs(pptp_t)
 +dev_read_rand(pptp_t)
 +dev_read_urand(pptp_t)
 +
 corecmd_exec_shell(pptp_t)
 corecmd_read_bin_symlinks(pptp_t)
@ -76949,7 +76970,7 @@ index d616ca3..e4fc9c0 100644
 fs_getattr_all_fs(pptp_t)
 fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +310,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +312,12 @@ term_ioctl_generic_ptys(pptp_t)
 term_search_ptys(pptp_t)
 term_use_ptmx(pptp_t)
@ -76964,7 +76985,7 @@ index d616ca3..e4fc9c0 100644
 sysnet_exec_ifconfig(pptp_t)
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +327,10 @@ optional_policy(`
+@@ -299,6 +329,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -91369,10 +91390,10 @@ index 2da9fca..6935f5c 100644
 ')
 diff --git a/rpcbind.fc b/rpcbind.fc
-index d31220e..c84a461 100644
+index d31220e..0b6894a 100644
 --- a/rpcbind.fc
 +++ b/rpcbind.fc
-@@ -1,6 +1,9 @@
+@@ -1,8 +1,12 @@
 /etc/rc\.d/init\.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
 +/usr/lib/systemd/system/rpcbind\.service	--	gen_context(system_u:object_r:rpcbind_unit_file_t,s0)
@ -91381,6 +91402,9 @@ index d31220e..c84a461 100644
 +/bin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
 /usr/sbin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
 +/usr/bin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
 /var/cache/rpcbind(/.*)?	gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
 diff --git a/rpcbind.if b/rpcbind.if
 index 3b5e9ee..ff1163f 100644
@ -103093,7 +103117,7 @@ index 1499b0b..e695a62 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..963d86c 100644
+index cc58e35..1e34535 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@ -103557,7 +103581,7 @@ index cc58e35..963d86c 100644
 ')
 optional_policy(`
-@@ -267,36 +384,40 @@ optional_policy(`
+@@ -267,48 +384,54 @@ optional_policy(`
 ########################################
 #
@ -103615,7 +103639,13 @@ index cc58e35..963d86c 100644
 logging_log_filetrans(spamd_t, spamd_log_t, file)
 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +429,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+ manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
 manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
 -files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
 +manage_lnk_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
 +files_spool_filetrans(spamd_t, spamd_spool_t, { file dir lnk_file })
 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@ -103625,7 +103655,7 @@ index cc58e35..963d86c 100644
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +439,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +440,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@ -103642,7 +103672,7 @@ index cc58e35..963d86c 100644
 corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_generic_if(spamd_t)
 corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +455,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +456,60 @@ corenet_udp_sendrecv_generic_node(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_generic_node(spamd_t)
@ -103747,7 +103777,7 @@ index cc58e35..963d86c 100644
 ')
 optional_policy(`
-@@ -421,21 +527,13 @@ optional_policy(`
+@@ -421,21 +528,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -103771,7 +103801,7 @@ index cc58e35..963d86c 100644
 ')
 optional_policy(`
-@@ -443,8 +541,8 @@ optional_policy(`
+@@ -443,8 +542,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -103781,7 +103811,7 @@ index cc58e35..963d86c 100644
 ')
 optional_policy(`
-@@ -455,7 +553,17 @@ optional_policy(`
+@@ -455,7 +554,17 @@ optional_policy(`
 optional_policy(`
 	razor_domtrans(spamd_t)
 	razor_read_lib_files(spamd_t)
@ -103800,7 +103830,7 @@ index cc58e35..963d86c 100644
 ')
 optional_policy(`
-@@ -463,9 +571,10 @@ optional_policy(`
+@@ -463,9 +572,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -103812,7 +103842,7 @@ index cc58e35..963d86c 100644
 ')
 optional_policy(`
-@@ -474,32 +583,32 @@ optional_policy(`
+@@ -474,32 +584,32 @@ optional_policy(`
 ########################################
 #
@ -103855,7 +103885,7 @@ index cc58e35..963d86c 100644
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t)
 domain_use_interactive_fds(spamd_update_t)
@ -114575,7 +114605,7 @@ index facdee8..2cff369 100644
 +	domtrans_pattern($1,container_file_t, $2)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..af39887 100644
+index f03dcf5..9bde200 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,451 +1,403 @@
@ -116159,7 +116189,7 @@ index f03dcf5..af39887 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1260,364 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1260,372 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -116530,6 +116560,14 @@ index f03dcf5..af39887 100644
 +	allow container_t self:netlink_socket create_socket_perms;
 +	allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +	allow container_t self:netlink_kobject_uevent_socket create_socket_perms;
 +	allow container_t self:netlink_connector_socket create_socket_perms;
 +	allow container_t self:netlink_crypto_socket create_socket_perms;
 +	allow container_t self:netlink_fib_lookup_socket create_socket_perms;
 +	allow container_t self:netlink_generic_socket create_socket_perms;
 +	allow container_t self:netlink_iscsi_socket create_socket_perms;
 +	allow container_t self:netlink_netfilter_socket create_socket_perms;
 +	allow container_t self:netlink_rdma_socket create_socket_perms;
 +	allow container_t self:netlink_scsitransport_socket create_socket_perms;
 +', `
 +	logging_dontaudit_send_audit_msgs(container_t)
 +')
@ -116668,7 +116706,7 @@ index f03dcf5..af39887 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1630,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1638,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -116683,7 +116721,7 @@ index f03dcf5..af39887 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,7 +1648,7 @@ optional_policy(`
+@@ -1192,7 +1656,7 @@ optional_policy(`
 ########################################
 #
@ -116692,7 +116730,7 @@ index f03dcf5..af39887 100644
 #
 allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1657,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1665,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 229%{?dist}
+Release: 230%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,11 @@ exit 0
 %endif
 %changelog
 * Thu Dec 08 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-230
 - Label /usr/bin/rpcbind as rpcbind_exec_t
 - Dontaudit mozilla plugin rawip socket creation. BZ(1275961)
 - Merge pull request #174 from rhatdan/netlink
 * Wed Dec 07 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-229
 - Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
 - Allot tlp domain to create unix_dgram sockets BZ(1401233)