* Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229

- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service - Allot tlp domain to create unix_dgram sockets BZ(1401233) - Allow antivirus domain to create lnk_files in /tmp - Allow cupsd_t to create lnk_files in /tmp. BZ(1401634) - Allow svnserve_t domain to read /dev/random BZ(1401827) - Allow lircd to use nsswitch. BZ(1401375) - Allow hostname_t domain to manage cluster_tmp_t files
2016-12-07 12:46:00 +01:00 · 2016-12-07 12:46:00 +01:00 · 68b689158d
commit 68b689158d
parent cb2fd77b56
4 changed files with 61 additions and 18 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -35720,7 +35720,7 @@ index 187f04f..cf0af09 100644
 interface(`hostname_exec',`
 	gen_require(`
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index 24a7889..a3d8f1a 100644
+index 24a7889..619b32e 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
@@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
@ -35763,7 +35763,7 @@ index 24a7889..a3d8f1a 100644
 
 sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
 sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
-@@ -57,6 +60,14 @@ sysnet_read_config(hostname_t)
+@@ -57,10 +60,22 @@ sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
 optional_policy(`
@ -35778,6 +35778,14 @@ index 24a7889..a3d8f1a 100644
 	nis_use_ypbind(hostname_t)
 ')
 
+ optional_policy(`
+    rhcs_manage_cluster_tmp_files(hostname_t)
+')
+
+optional_policy(`
+ 	xen_append_log(hostname_t)
+ 	xen_dontaudit_use_fds(hostname_t)
+ ')
 diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
 index caf736b..91c4c6f 100644
 --- a/policy/modules/system/hotplug.fc
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3203,10 +3203,10 @@ index 0000000..36251b9
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..6bd2eb9
+index 0000000..c679dd3
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,274 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@ -3298,7 +3298,8 @@ index 0000000..6bd2eb9
 +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
 +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
 +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
+manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } )
 +
 +manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
 +manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
@ -20913,7 +20914,7 @@ index 3023be7..5afde80 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 ')
 diff --git a/cups.te b/cups.te
-index c91813c..c3820a5 100644
+index c91813c..6f66ea4 100644
 --- a/cups.te
 +++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -21095,7 +21096,8 @@ index c91813c..c3820a5 100644
 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 +manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })
 
 +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@ -45951,7 +45953,7 @@ index dff21a7..b6981c8 100644
 	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/lircd.te b/lircd.te
-index 483c87b..0a54c6d 100644
+index 483c87b..f68ee3a 100644
 --- a/lircd.te
 +++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@ -45992,7 +45994,7 @@ index 483c87b..0a54c6d 100644
 +term_use_unallocated_ttys(lircd_t)
 
 -logging_send_syslog_msg(lircd_t)
-+auth_read_passwd(lircd_t)
+auth_use_nsswitch(lircd_t)
 
 -miscfiles_read_localization(lircd_t)
 +logging_send_syslog_msg(lircd_t)
@ -91366,6 +91368,20 @@ index 2da9fca..6935f5c 100644
 	kerberos_use(gssd_t)
 ')
 
+diff --git a/rpcbind.fc b/rpcbind.fc
+index d31220e..c84a461 100644
+--- a/rpcbind.fc
+++ b/rpcbind.fc
+@@ -1,6 +1,9 @@
+ /etc/rc\.d/init\.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+ 
+/usr/lib/systemd/system/rpcbind\.service	--	gen_context(system_u:object_r:rpcbind_unit_file_t,s0)
+
+ /sbin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
+/bin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
+ 
+ /usr/sbin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
+ 
 diff --git a/rpcbind.if b/rpcbind.if
 index 3b5e9ee..ff1163f 100644
 --- a/rpcbind.if
@ -91521,7 +91537,7 @@ index 3b5e9ee..ff1163f 100644
 +	admin_pattern($1, rpcbind_var_run_t)
 ')
 diff --git a/rpcbind.te b/rpcbind.te
-index 54de77c..0ee4cc1 100644
+index 54de77c..4ce4fb9 100644
 --- a/rpcbind.te
 +++ b/rpcbind.te
@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
@ -91534,7 +91550,15 @@ index 54de77c..0ee4cc1 100644
 type rpcbind_var_run_t;
 files_pid_file(rpcbind_var_run_t)
 init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
-@@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t)
+@@ -19,16 +22,23 @@ init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
+ type rpcbind_var_lib_t;
+ files_type(rpcbind_var_lib_t)
+ 
+type rpcbind_unit_file_t;
+systemd_unit_file(rpcbind_unit_file_t)
+
+ ########################################
+ #
 # Local policy
 #
 
@ -91551,7 +91575,7 @@ index 54de77c..0ee4cc1 100644
 manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
 manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
 files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
-@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t)
+@@ -42,7 +52,6 @@ kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 kernel_request_load_module(rpcbind_t)
 
@ -91559,7 +91583,7 @@ index 54de77c..0ee4cc1 100644
 corenet_all_recvfrom_netlabel(rpcbind_t)
 corenet_tcp_sendrecv_generic_if(rpcbind_t)
 corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t)
+@@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t)
 
 logging_send_syslog_msg(rpcbind_t)
 
@ -105766,7 +105790,7 @@ index 2ac91b6..a97033d 100644
 ')
 +
 diff --git a/svnserve.te b/svnserve.te
-index 49d688d..f07cc80 100644
+index 49d688d..451a647 100644
 --- a/svnserve.te
 +++ b/svnserve.te
@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
@ -105810,11 +105834,12 @@ index 49d688d..f07cc80 100644
 corenet_all_recvfrom_unlabeled(svnserve_t)
 corenet_all_recvfrom_netlabel(svnserve_t)
 corenet_tcp_sendrecv_generic_if(svnserve_t)
-@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
+@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
 corenet_udp_bind_svn_port(svnserve_t)
 corenet_udp_sendrecv_svn_port(svnserve_t)
 
 -logging_send_syslog_msg(svnserve_t)
+dev_read_rand(svnserve_t)
 +dev_read_urand(svnserve_t)
 
 -miscfiles_read_localization(svnserve_t)
@ -109267,10 +109292,10 @@ index 0000000..46f12a4
 +')
 diff --git a/tlp.te b/tlp.te
 new file mode 100644
-index 0000000..7c81c68
+index 0000000..98e708a
 --- /dev/null
 +++ b/tlp.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,55 @@
 +policy_module(tlp, 1.0.0)
 +
 +########################################
@ -109295,6 +109320,7 @@ index 0000000..7c81c68
 +allow tlp_t self:capability { net_admin sys_rawio };
 +allow tlp_t self:unix_stream_socket create_stream_socket_perms;
 +allow tlp_t self:udp_socket create_socket_perms;
+allow tlp_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
 +manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 228%{?dist}
+Release: 229%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,15 @@ exit 0
 %endif

 %changelog
+* Wed Dec 07 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-229
+- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
+- Allot tlp domain to create unix_dgram sockets BZ(1401233)
+- Allow antivirus domain to create lnk_files in /tmp
+- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
+- Allow svnserve_t domain to read /dev/random BZ(1401827)
+- Allow lircd to use nsswitch. BZ(1401375)
+- Allow hostname_t domain to manage cluster_tmp_t files
+
 * Mon Dec 05 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-228
 - Fix some boolean descriptions.
 - Add fwupd_dbus_chat() interface