* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281

- Allow domains reading raw memory also use mmap.
2017-09-11 09:50:18 +02:00 · 2017-09-11 09:50:18 +02:00 · 65f16bbe30
parent b9bc43a953
commit 65f16bbe30
4 changed files with 74 additions and 55 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -6866,7 +6866,7 @@ index b31c05491..a7b0f009a 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..ac044aea2 100644
+index 76f285ea6..c28d65c08 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -7649,7 +7649,15 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2532,6 +3038,24 @@ interface(`dev_read_raw_memory',`
+@@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',`
+ 	')
+ 
+ 	read_chr_files_pattern($1, device_t, memory_device_t)
+	allow $1 memory_device_t:chr_file map;
+ 
+ 	allow $1 self:capability sys_rawio;
+ 	typeattribute $1 memory_raw_read;
+@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',`
 
 ########################################
 ## <summary>
@ -7674,7 +7682,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Do not audit attempts to read raw memory devices
 ##	(e.g. /dev/mem).
 ## </summary>
-@@ -2573,6 +3097,24 @@ interface(`dev_write_raw_memory',`
+@@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',`
 
 ########################################
 ## <summary>
@ -7699,7 +7707,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Read and execute raw memory devices (e.g. /dev/mem).
 ## </summary>
 ## <param name="domain">
-@@ -2587,7 +3129,7 @@ interface(`dev_rx_raw_memory',`
+@@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',`
 	')
 
 	dev_read_raw_memory($1)
@ -7708,7 +7716,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -2606,7 +3148,7 @@ interface(`dev_wx_raw_memory',`
+@@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',`
 	')
 
 	dev_write_raw_memory($1)
@ -7717,7 +7725,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -2725,7 +3267,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3268,7 @@ interface(`dev_write_misc',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -7726,7 +7734,7 @@ index 76f285ea6..ac044aea2 100644
 ##	</summary>
 ## </param>
 #
-@@ -2811,7 +3353,7 @@ interface(`dev_rw_modem',`
+@@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',`
 
 ########################################
 ## <summary>
@ -7735,7 +7743,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2819,17 +3361,17 @@ interface(`dev_rw_modem',`
+@@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',`
 ##	</summary>
 ## </param>
 #
@ -7757,7 +7765,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2837,17 +3379,17 @@ interface(`dev_getattr_mouse_dev',`
+@@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',`
 ##	</summary>
 ## </param>
 #
@ -7779,7 +7787,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2855,12 +3397,84 @@ interface(`dev_setattr_mouse_dev',`
+@@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',`
 ##	</summary>
 ## </param>
 #
@ -7867,7 +7875,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -2903,20 +3517,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',`
 
 ########################################
 ## <summary>
@ -7892,7 +7900,7 @@ index 76f285ea6..ac044aea2 100644
 ##	</p>
 ## </desc>
 ## <param name="domain">
-@@ -2925,43 +3539,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',`
 ##	</summary>
 ## </param>
 #
@ -7948,7 +7956,7 @@ index 76f285ea6..ac044aea2 100644
 ##	range registers (MTRR).
 ## </summary>
 ## <param name="domain">
-@@ -2970,13 +3575,32 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',`
 ##	</summary>
 ## </param>
 #
@ -7984,7 +7992,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -3144,6 +3768,80 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',`
 
 ########################################
 ## <summary>
@ -8065,7 +8073,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Do not audit attempts to get the attributes
 ##	of the BIOS non-volatile RAM device.
 ## </summary>
-@@ -3163,6 +3861,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
 
 ########################################
 ## <summary>
@ -8090,7 +8098,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Read and write BIOS non-volatile RAM.
 ## </summary>
 ## <param name="domain">
-@@ -3254,7 +3970,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',`
 
 ########################################
 ## <summary>
@ -8117,7 +8125,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3262,12 +3996,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',`
 ##	</summary>
 ## </param>
 #
@ -8134,7 +8142,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -3399,7 +4134,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',`
 
 ########################################
 ## <summary>
@ -8143,7 +8151,7 @@ index 76f285ea6..ac044aea2 100644
 ##	number generator devices (e.g., /dev/random)
 ## </summary>
 ## <param name="domain">
-@@ -3413,7 +4148,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',`
 		type random_device_t;
 	')
 
@ -8152,7 +8160,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',`
+@@ -3633,6 +4369,7 @@ interface(`dev_read_sound',`
 	')
 
 	read_chr_files_pattern($1, device_t, sound_device_t)
@ -8160,7 +8168,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',`
+@@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',`
 	')
 
 	read_chr_files_pattern($1, device_t, sound_device_t)
@ -8168,7 +8176,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',`
 
 ########################################
 ## <summary>
@ -8177,7 +8185,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -8288,7 +8296,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -8525,7 +8533,7 @@ index 76f285ea6..ac044aea2 100644
 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
-@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
@ -8607,7 +8615,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">
-@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +5079,25 @@ interface(`dev_write_urand',`
 
 ########################################
 ## <summary>
@ -8633,7 +8641,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Getattr generic the USB devices.
 ## </summary>
 ## <param name="domain">
-@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5108,7 @@ interface(`dev_write_urand',`
 #
 interface(`dev_getattr_generic_usb_dev',`
 	gen_require(`
@ -8642,7 +8650,7 @@ index 76f285ea6..ac044aea2 100644
 	')
 
 	getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',`
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
 
@ -8654,7 +8662,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',`
 ##	</summary>
 ## </param>
 #
@ -8677,7 +8685,7 @@ index 76f285ea6..ac044aea2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -8693,7 +8701,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',`
 
 ########################################
 ## <summary>
@ -8828,7 +8836,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">
-@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',`
 
 ########################################
 ## <summary>
@ -8853,7 +8861,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Read and write VMWare devices.
 ## </summary>
 ## <param name="domain">
-@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',`
+@@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',`
 	')
 
 	dev_rw_vmware($1)
@ -8862,7 +8870,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',`
 
 ########################################
 ## <summary>
@ -8887,7 +8895,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Read and write the the wireless device.
 ## </summary>
 ## <param name="domain">
-@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',`
 
 ########################################
 ## <summary>
@ -8932,7 +8940,7 @@ index 76f285ea6..ac044aea2 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',`
+@@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',`
 	')
 
 	dev_rw_zero($1)
@ -8941,7 +8949,7 @@ index 76f285ea6..ac044aea2 100644
 ')
 
 ########################################
-@@ -4851,3 +6037,1064 @@ interface(`dev_unconfined',`
+@@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
@ -39239,7 +39247,7 @@ index c42fbc329..bf211dbee 100644
 +	files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
 +')
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e6c..91d1296b8 100644
+index be8ed1e6c..73e51f7ef 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
@ -39367,7 +39375,7 @@ index be8ed1e6c..91d1296b8 100644
 ')
 
 optional_policy(`
-@@ -110,7 +138,15 @@ optional_policy(`
+@@ -110,7 +138,16 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39380,10 +39388,11 @@ index be8ed1e6c..91d1296b8 100644
 +optional_policy(`
 	modutils_run_insmod(iptables_t, iptables_roles)
 +    modutils_list_module_config(iptables_t)
+    modutils_read_module_config(iptables_t)
 ')
 
 optional_policy(`
-@@ -119,11 +155,25 @@ optional_policy(`
+@@ -119,11 +156,25 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -39409,7 +39418,7 @@ index be8ed1e6c..91d1296b8 100644
 ')
 
 optional_policy(`
-@@ -135,9 +185,9 @@ optional_policy(`
+@@ -135,9 +186,9 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -47515,15 +47515,19 @@ index dd8e01af3..9cd6b0b8e 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84b3..882160882 100644
+index be0ab84b3..9ca958706 100644
 --- a/logrotate.te
 +++ b/logrotate.te
-@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
+@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
 # Declarations
 #
 
 -attribute_role logrotate_roles;
 -roleattribute system_r logrotate_roles;
+gen_require(`
+    class passwd passwd;
+')
+
 +## <desc>
 +## <p>
 +## Allow logrotate to manage nfs files
@ -47552,7 +47556,7 @@ index be0ab84b3..882160882 100644
 
 type logrotate_lock_t;
 files_lock_file(logrotate_lock_t)
-@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t)
 type logrotate_var_lib_t;
 files_type(logrotate_var_lib_t)
 
@ -47575,6 +47579,8 @@ index be0ab84b3..882160882 100644
 +
 +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +
+allow logrotate_t self:passwd { passwd };
+
 +# Set a context other than the default one for newly created files.
 +allow logrotate_t self:process setfscreate;
 +
@ -47590,7 +47596,7 @@ index be0ab84b3..882160882 100644
 allow logrotate_t self:shm create_shm_perms;
 allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive };
 allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
 
@ -47650,7 +47656,7 @@ index be0ab84b3..882160882 100644
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
 selinux_get_enforce_mode(logrotate_t)
 
@ -47662,6 +47668,7 @@ index be0ab84b3..882160882 100644
 
 init_all_labeled_script_domtrans(logrotate_t)
 +init_reload_services(logrotate_t)
+init_reload_transient_unit(logrotate_t)
 
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
@ -47714,7 +47721,7 @@ index be0ab84b3..882160882 100644
 ')
 
 optional_policy(`
-@@ -135,16 +201,17 @@ optional_policy(`
+@@ -135,16 +208,17 @@ optional_policy(`
 
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -47734,7 +47741,7 @@ index be0ab84b3..882160882 100644
 ')
 
 optional_policy(`
-@@ -170,6 +237,11 @@ optional_policy(`
+@@ -170,6 +244,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47746,7 +47753,7 @@ index be0ab84b3..882160882 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
 
-@@ -178,7 +250,8 @@ optional_policy(`
+@@ -178,7 +257,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47756,7 +47763,7 @@ index be0ab84b3..882160882 100644
 ')
 
 optional_policy(`
-@@ -198,17 +271,18 @@ optional_policy(`
+@@ -198,17 +278,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47778,7 +47785,7 @@ index be0ab84b3..882160882 100644
 ')
 
 optional_policy(`
-@@ -216,6 +290,14 @@ optional_policy(`
+@@ -216,6 +297,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -47793,7 +47800,7 @@ index be0ab84b3..882160882 100644
 	samba_exec_log(logrotate_t)
 ')
 
-@@ -228,26 +310,50 @@ optional_policy(`
+@@ -228,26 +317,50 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -73824,7 +73831,7 @@ index 000000000..9c27847b2
 +')
 +
 diff --git a/plymouthd.fc b/plymouthd.fc
-index 735500fd1..2ba6832cc 100644
+index 735500fd1..7f694728c 100644
 --- a/plymouthd.fc
 +++ b/plymouthd.fc
@@ -1,15 +1,14 @@
@ -73842,7 +73849,7 @@ index 735500fd1..2ba6832cc 100644
 
 -/var/lib/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
 +/var/run/plymouth(/.*)?			gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/log/boot\.log			gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/var/log/boot\.log.*			gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
 
 -/var/log/boot\.log.*	--	gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
 +/usr/sbin/plymouthd		--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 280%{?dist}
+Release: 281%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -681,6 +681,9 @@ exit 0
 %endif

 %changelog
+* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281
+- Allow domains reading raw memory also use mmap.
+
 * Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
 - Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
 - Fix denials during ipa-server-install process on F27+