- Allow glusterd to interact with gluster tools running in a user domain

- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
This commit is contained in:
Miroslav Grepl 2015-06-18 19:28:19 +02:00
parent 8f46225b71
commit 66628cef58
3 changed files with 407 additions and 204 deletions

View File

@ -2744,7 +2744,7 @@ index 99e3903..fa68362 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..0dbda7d 100644 index 1d732f1..6a6da75 100644
--- a/policy/modules/admin/usermanage.te --- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t; @@ -26,6 +26,7 @@ type chfn_exec_t;
@ -2973,13 +2973,16 @@ index 1d732f1..0dbda7d 100644
userdom_use_unpriv_users_fds(passwd_t) userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds # make sure that getcon succeeds
userdom_getattr_all_users(passwd_t) userdom_getattr_all_users(passwd_t)
@@ -352,6 +383,15 @@ userdom_read_user_tmp_files(passwd_t) @@ -352,6 +383,18 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search # user generally runs this from their home directory, so do not audit a search
# on user home dir # on user home dir
userdom_dontaudit_search_user_home_content(passwd_t) userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t) +userdom_stream_connect(passwd_t)
+userdom_rw_stream(passwd_t) +userdom_rw_stream(passwd_t)
+ +
+# needed by gnome-keyring
+userdom_manage_user_tmp_files(passwd_t)
+
+optional_policy(` +optional_policy(`
+ gnome_exec_keyringd(passwd_t) + gnome_exec_keyringd(passwd_t)
+ gnome_manage_cache_home_dir(passwd_t) + gnome_manage_cache_home_dir(passwd_t)
@ -2989,7 +2992,7 @@ index 1d732f1..0dbda7d 100644
optional_policy(` optional_policy(`
nscd_run(passwd_t, passwd_roles) nscd_run(passwd_t, passwd_roles)
@@ -401,9 +441,10 @@ dev_read_urand(sysadm_passwd_t) @@ -401,9 +444,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t)
@ -3002,7 +3005,7 @@ index 1d732f1..0dbda7d 100644
auth_manage_shadow(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t)
@@ -416,7 +457,6 @@ files_read_usr_files(sysadm_passwd_t) @@ -416,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t)
@ -3010,7 +3013,7 @@ index 1d732f1..0dbda7d 100644
files_relabel_etc_files(sysadm_passwd_t) files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups # for nscd lookups
@@ -426,12 +466,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) @@ -426,12 +469,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t) init_dontaudit_rw_utmp(sysadm_passwd_t)
@ -3023,7 +3026,7 @@ index 1d732f1..0dbda7d 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t) userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search # user generally runs this from their home directory, so do not audit a search
# on user home dir # on user home dir
@@ -446,7 +483,8 @@ optional_policy(` @@ -446,7 +486,8 @@ optional_policy(`
# Useradd local policy # Useradd local policy
# #
@ -3033,7 +3036,7 @@ index 1d732f1..0dbda7d 100644
dontaudit useradd_t self:capability sys_tty_config; dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate; allow useradd_t self:process setfscreate;
@@ -461,6 +499,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; @@ -461,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto; allow useradd_t self:unix_stream_socket connectto;
@ -3044,7 +3047,7 @@ index 1d732f1..0dbda7d 100644
# for getting the number of groups # for getting the number of groups
kernel_read_kernel_sysctls(useradd_t) kernel_read_kernel_sysctls(useradd_t)
@@ -468,29 +510,28 @@ corecmd_exec_shell(useradd_t) @@ -468,29 +513,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t) corecmd_exec_bin(useradd_t)
@ -3084,7 +3087,7 @@ index 1d732f1..0dbda7d 100644
auth_run_chk_passwd(useradd_t, useradd_roles) auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t) auth_rw_lastlog(useradd_t)
@@ -498,6 +539,7 @@ auth_rw_faillog(useradd_t) @@ -498,6 +542,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t) auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above # these may be unnecessary due to the above
# domtrans_chk_passwd() call. # domtrans_chk_passwd() call.
@ -3092,7 +3095,7 @@ index 1d732f1..0dbda7d 100644
auth_manage_shadow(useradd_t) auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t) auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t)
@@ -508,33 +550,32 @@ init_rw_utmp(useradd_t) @@ -508,33 +553,32 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t) logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t) logging_send_syslog_msg(useradd_t)
@ -3137,7 +3140,7 @@ index 1d732f1..0dbda7d 100644
optional_policy(` optional_policy(`
apache_manage_all_user_content(useradd_t) apache_manage_all_user_content(useradd_t)
') ')
@@ -549,10 +590,19 @@ optional_policy(` @@ -549,10 +593,19 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -3157,7 +3160,7 @@ index 1d732f1..0dbda7d 100644
tunable_policy(`samba_domain_controller',` tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t) samba_append_log(useradd_t)
') ')
@@ -562,3 +612,12 @@ optional_policy(` @@ -562,3 +615,12 @@ optional_policy(`
rpm_use_fds(useradd_t) rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t) rpm_rw_pipes(useradd_t)
') ')
@ -3343,7 +3346,7 @@ index 7590165..d81185e 100644
+ fs_mounton_fusefs(seunshare_domain) + fs_mounton_fusefs(seunshare_domain)
') ')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 33e0f8d..c5c1122 100644 index 33e0f8d..d41bb39 100644
--- a/policy/modules/kernel/corecommands.fc --- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@ @@ -1,9 +1,10 @@
@ -3683,7 +3686,7 @@ index 33e0f8d..c5c1122 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
@@ -387,17 +469,33 @@ ifdef(`distro_suse', ` @@ -387,17 +469,34 @@ ifdef(`distro_suse', `
# #
# /var # /var
# #
@ -3705,6 +3708,7 @@ index 33e0f8d..c5c1122 100644
/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
+ +
ifdef(`distro_suse',` ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
@ -23857,7 +23861,7 @@ index fe0c682..3ad1b1f 100644
+ ps_process_pattern($1, sshd_t) + ps_process_pattern($1, sshd_t)
+') +')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7..66bf790 100644 index cc877c7..b8e6e98 100644
--- a/policy/modules/services/ssh.te --- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@ -24193,7 +24197,7 @@ index cc877c7..66bf790 100644
') ')
optional_policy(` optional_policy(`
@@ -266,6 +327,15 @@ optional_policy(` @@ -266,6 +327,19 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24205,11 +24209,15 @@ index cc877c7..66bf790 100644
+ gitosis_manage_lib_files(sshd_t) + gitosis_manage_lib_files(sshd_t)
+') +')
+ +
+optional_policy(`
+ gnome_exec_keyringd(sshd_t)
+')
+
+optional_policy(` +optional_policy(`
inetd_tcp_service_domain(sshd_t, sshd_exec_t) inetd_tcp_service_domain(sshd_t, sshd_exec_t)
') ')
@@ -275,10 +345,26 @@ optional_policy(` @@ -275,10 +349,26 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24236,7 +24244,7 @@ index cc877c7..66bf790 100644
rpm_use_script_fds(sshd_t) rpm_use_script_fds(sshd_t)
') ')
@@ -289,13 +375,93 @@ optional_policy(` @@ -289,13 +379,93 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -24330,7 +24338,7 @@ index cc877c7..66bf790 100644
######################################## ########################################
# #
# ssh_keygen local policy # ssh_keygen local policy
@@ -304,19 +470,33 @@ optional_policy(` @@ -304,19 +474,33 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time # ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t # and by sysadm_t
@ -24365,7 +24373,7 @@ index cc877c7..66bf790 100644
dev_read_urand(ssh_keygen_t) dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t)
@@ -332,7 +512,9 @@ auth_use_nsswitch(ssh_keygen_t) @@ -332,7 +516,9 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t)
@ -24375,7 +24383,7 @@ index cc877c7..66bf790 100644
optional_policy(` optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t) seutil_sigchld_newrole(ssh_keygen_t)
@@ -341,3 +523,148 @@ optional_policy(` @@ -341,3 +527,148 @@ optional_policy(`
optional_policy(` optional_policy(`
udev_read_db(ssh_keygen_t) udev_read_db(ssh_keygen_t)
') ')
@ -42591,10 +42599,10 @@ index 0000000..d2a8fc7
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..3c4ffa35 index 0000000..0401ad8
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,720 @@ @@ -0,0 +1,721 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -42768,6 +42776,7 @@ index 0000000..3c4ffa35
+init_halt(systemd_logind_t) +init_halt(systemd_logind_t)
+init_undefined(systemd_logind_t) +init_undefined(systemd_logind_t)
+init_signal_script(systemd_logind_t) +init_signal_script(systemd_logind_t)
+init_getattr_script_status_files(systemd_logind_t)
+ +
+getty_systemctl(systemd_logind_t) +getty_systemctl(systemd_logind_t)
+ +

File diff suppressed because it is too large Load Diff

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 129%{?dist} Release: 130%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -602,6 +602,34 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
- Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-129 * Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-129
- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489) - We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)