* Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229

- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
- Allow tlp domain to create unix_dgram sockets BZ(1401233)
- Allow antivirus domain to create lnk_files in /tmp
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
- Allow svnserve_t domain to read /dev/random BZ(1401827)
- Allow lircd to use nsswitch. BZ(1401375)
- Allow hostname_t domain to manage cluster_tmp_t files
This commit is contained in:
Lukas Vrabec 2016-12-07 12:46:00 +01:00
parent cb2fd77b56
commit 68b689158d
4 changed files with 61 additions and 18 deletions

Binary file not shown.


@ -35720,7 +35720,7 @@ index 187f04f..cf0af09 100644
interface(`hostname_exec',` interface(`hostname_exec',`
gen_require(` gen_require(`
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 24a7889..a3d8f1a 100644 index 24a7889..619b32e 100644
--- a/policy/modules/system/hostname.te --- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te
@@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config; @@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
@ -35763,7 +35763,7 @@ index 24a7889..a3d8f1a 100644
sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t) sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
@@ -57,6 +60,14 @@ sysnet_read_config(hostname_t) @@ -57,10 +60,22 @@ sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t) sysnet_dns_name_resolve(hostname_t)
optional_policy(` optional_policy(`
@ -35778,6 +35778,14 @@ index 24a7889..a3d8f1a 100644
nis_use_ypbind(hostname_t) nis_use_ypbind(hostname_t)
') ')
optional_policy(`
+ rhcs_manage_cluster_tmp_files(hostname_t)
+')
+
+optional_policy(`
xen_append_log(hostname_t)
xen_dontaudit_use_fds(hostname_t)
')
diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
index caf736b..91c4c6f 100644 index caf736b..91c4c6f 100644
--- a/policy/modules/system/hotplug.fc --- a/policy/modules/system/hotplug.fc
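Review bot: The new `rhcs_manage_cluster_tmp_files(hostname_t)` block gives the hostname utility create, write and delete access on cluster_tmp_t files, the widest of the tmp-file interfaces, and unlike the other changelog entries this one cites no bug or denial. If the motivating AVC was only a write to an already-open or existing file, a read/write-only interface (if rhcs.if provides one) would be narrower; please confirm against the denial before the manage grant lands. A one-line comment above the block would keep the rationale with the rule, e.g. `# cluster scripts run hostname with output in cluster_tmp_t files (BZ <number placeholder>)`, adjusted to the actual denial. This outer hunk edits the hostname.te hunk inside policy-rawhide-base.patch, and that inner hunk continues beyond the lines shown here.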


@ -3203,10 +3203,10 @@ index 0000000..36251b9
+') +')
diff --git a/antivirus.te b/antivirus.te diff --git a/antivirus.te b/antivirus.te
new file mode 100644 new file mode 100644
index 0000000..6bd2eb9 index 0000000..c679dd3
--- /dev/null --- /dev/null
+++ b/antivirus.te +++ b/antivirus.te
@@ -0,0 +1,273 @@ @@ -0,0 +1,274 @@
+policy_module(antivirus, 1.0.0) +policy_module(antivirus, 1.0.0)
+ +
+######################################## +########################################
@ -3298,7 +3298,8 @@ index 0000000..6bd2eb9
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } ) +manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } )
+ +
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
@ -20913,7 +20914,7 @@ index 3023be7..5afde80 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
') ')
diff --git a/cups.te b/cups.te diff --git a/cups.te b/cups.te
index c91813c..c3820a5 100644 index c91813c..6f66ea4 100644
--- a/cups.te --- a/cups.te
+++ b/cups.te +++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -21095,7 +21096,8 @@ index c91813c..c3820a5 100644
manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) -files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@ -45951,7 +45953,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t) init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te diff --git a/lircd.te b/lircd.te
index 483c87b..0a54c6d 100644 index 483c87b..f68ee3a 100644
--- a/lircd.te --- a/lircd.te
+++ b/lircd.te +++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@ -45992,7 +45994,7 @@ index 483c87b..0a54c6d 100644
+term_use_unallocated_ttys(lircd_t) +term_use_unallocated_ttys(lircd_t)
-logging_send_syslog_msg(lircd_t) -logging_send_syslog_msg(lircd_t)
+auth_read_passwd(lircd_t) +auth_use_nsswitch(lircd_t)
-miscfiles_read_localization(lircd_t) -miscfiles_read_localization(lircd_t)
+logging_send_syslog_msg(lircd_t) +logging_send_syslog_msg(lircd_t)
@ -91366,6 +91368,20 @@ index 2da9fca..6935f5c 100644
kerberos_use(gssd_t) kerberos_use(gssd_t)
') ')
diff --git a/rpcbind.fc b/rpcbind.fc
index d31220e..c84a461 100644
--- a/rpcbind.fc
+++ b/rpcbind.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+/usr/lib/systemd/system/rpcbind\.service -- gen_context(system_u:object_r:rpcbind_unit_file_t,s0)
+
/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
diff --git a/rpcbind.if b/rpcbind.if diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9ee..ff1163f 100644 index 3b5e9ee..ff1163f 100644
--- a/rpcbind.if --- a/rpcbind.if
@ -91521,7 +91537,7 @@ index 3b5e9ee..ff1163f 100644
+ admin_pattern($1, rpcbind_var_run_t) + admin_pattern($1, rpcbind_var_run_t)
') ')
diff --git a/rpcbind.te b/rpcbind.te diff --git a/rpcbind.te b/rpcbind.te
index 54de77c..0ee4cc1 100644 index 54de77c..4ce4fb9 100644
--- a/rpcbind.te --- a/rpcbind.te
+++ b/rpcbind.te +++ b/rpcbind.te
@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
@ -91534,7 +91550,15 @@ index 54de77c..0ee4cc1 100644
type rpcbind_var_run_t; type rpcbind_var_run_t;
files_pid_file(rpcbind_var_run_t) files_pid_file(rpcbind_var_run_t)
init_daemon_run_dir(rpcbind_var_run_t, "rpcbind") init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
@@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t) @@ -19,16 +22,23 @@ init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
type rpcbind_var_lib_t;
files_type(rpcbind_var_lib_t)
+type rpcbind_unit_file_t;
+systemd_unit_file(rpcbind_unit_file_t)
+
########################################
#
# Local policy # Local policy
# #
@ -91551,7 +91575,7 @@ index 54de77c..0ee4cc1 100644
manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file }) files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t) @@ -42,7 +52,6 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t) kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t) kernel_request_load_module(rpcbind_t)
@ -91559,7 +91583,7 @@ index 54de77c..0ee4cc1 100644
corenet_all_recvfrom_netlabel(rpcbind_t) corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t)
@@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t) @@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t)
logging_send_syslog_msg(rpcbind_t) logging_send_syslog_msg(rpcbind_t)
@ -105766,7 +105790,7 @@ index 2ac91b6..a97033d 100644
') ')
+ +
diff --git a/svnserve.te b/svnserve.te diff --git a/svnserve.te b/svnserve.te
index 49d688d..f07cc80 100644 index 49d688d..451a647 100644
--- a/svnserve.te --- a/svnserve.te
+++ b/svnserve.te +++ b/svnserve.te
@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
@ -105810,11 +105834,12 @@ index 49d688d..f07cc80 100644
corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_unlabeled(svnserve_t)
corenet_all_recvfrom_netlabel(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t)
corenet_tcp_sendrecv_generic_if(svnserve_t) corenet_tcp_sendrecv_generic_if(svnserve_t)
@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) @@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
corenet_udp_bind_svn_port(svnserve_t) corenet_udp_bind_svn_port(svnserve_t)
corenet_udp_sendrecv_svn_port(svnserve_t) corenet_udp_sendrecv_svn_port(svnserve_t)
-logging_send_syslog_msg(svnserve_t) -logging_send_syslog_msg(svnserve_t)
+dev_read_rand(svnserve_t)
+dev_read_urand(svnserve_t) +dev_read_urand(svnserve_t)
-miscfiles_read_localization(svnserve_t) -miscfiles_read_localization(svnserve_t)
@ -109267,10 +109292,10 @@ index 0000000..46f12a4
+') +')
diff --git a/tlp.te b/tlp.te diff --git a/tlp.te b/tlp.te
new file mode 100644 new file mode 100644
index 0000000..7c81c68 index 0000000..98e708a
--- /dev/null --- /dev/null
+++ b/tlp.te +++ b/tlp.te
@@ -0,0 +1,54 @@ @@ -0,0 +1,55 @@
+policy_module(tlp, 1.0.0) +policy_module(tlp, 1.0.0)
+ +
+######################################## +########################################
@ -109295,6 +109320,7 @@ index 0000000..7c81c68
+allow tlp_t self:capability { net_admin sys_rawio }; +allow tlp_t self:capability { net_admin sys_rawio };
+allow tlp_t self:unix_stream_socket create_stream_socket_perms; +allow tlp_t self:unix_stream_socket create_stream_socket_perms;
+allow tlp_t self:udp_socket create_socket_perms; +allow tlp_t self:udp_socket create_socket_perms;
+allow tlp_t self:unix_dgram_socket create_socket_perms;
+ +
+manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) +manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) +manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
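Review bot: In the lircd.te hunk, replacing `auth_read_passwd(lircd_t)` with `auth_use_nsswitch(lircd_t)` widens the domain from reading passwd data to the whole name-service set — nsswitch configuration, DNS resolution and, through the nsswitch attribute's optional blocks, connections to the local name-service daemons — so the reason for the broader grant should be recorded next to it. The BZ in the changelog suggests a genuine lookup failure; a short comment above the call such as `# lircd resolves users/hosts through NSS, not only /etc/passwd (BZ 1401375)` would capture that. Please also confirm that the passwd read access the removed line granted is still covered by the nsswitch attribute in this policy, since nothing on this page shows it. The tlp.te and antivirus.te hunks are new-file hunks whose bodies continue past the lines shown.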


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 228%{?dist} Release: 229%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -675,6 +675,15 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
- Allot tlp domain to create unix_dgram sockets BZ(1401233)
- Allow antivirus domain to create lnk_files in /tmp
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
- Allow svnserve_t domain to read /dev/random BZ(1401827)
- Allow lircd to use nsswitch. BZ(1401375)
- Allow hostname_t domain to manage cluster_tmp_t files
* Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-228 * Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-228
- Fix some boolean descriptions. - Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface - Add fwupd_dbus_chat() interface