* Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-292

- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)
- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)
- Allow systemd to maange sysfs BZ(1471361)
This commit is contained in:
Lukas Vrabec 2017-10-03 17:11:40 +02:00
parent 65c1dc9f4d
commit 75b1898128
4 changed files with 99 additions and 76 deletions

Binary file not shown.

View File

@ -34767,7 +34767,7 @@ index 3efd5b669..a8cb6df3d 100644
+ allow $1 login_pgm:key manage_key_perms; + allow $1 login_pgm:key manage_key_perms;
+') +')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791dcc..598dd5ed1 100644 index 09b791dcc..78d158ca9 100644
--- a/policy/modules/system/authlogin.te --- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -35067,8 +35067,7 @@ index 09b791dcc..598dd5ed1 100644
+ allow nsswitch_domain self:tcp_socket create_socket_perms; + allow nsswitch_domain self:tcp_socket create_socket_perms;
+') +')
+ +
tunable_policy(`authlogin_nsswitch_use_ldap',` +tunable_policy(`authlogin_nsswitch_use_ldap',`
- files_list_var_lib(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain) + corenet_tcp_sendrecv_generic_if(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain) + corenet_tcp_sendrecv_generic_node(nsswitch_domain)
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain) + corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
@ -35076,7 +35075,8 @@ index 09b791dcc..598dd5ed1 100644
+ corenet_sendrecv_ldap_client_packets(nsswitch_domain) + corenet_sendrecv_ldap_client_packets(nsswitch_domain)
+') +')
+ +
+tunable_policy(`authlogin_nsswitch_use_ldap',` tunable_policy(`authlogin_nsswitch_use_ldap',`
- files_list_var_lib(nsswitch_domain)
+ # Support for LDAPS + # Support for LDAPS
+ dev_read_rand(nsswitch_domain) + dev_read_rand(nsswitch_domain)
+ # LDAP Configuration using encrypted requires + # LDAP Configuration using encrypted requires
@ -35109,7 +35109,7 @@ index 09b791dcc..598dd5ed1 100644
optional_policy(` optional_policy(`
kerberos_use(nsswitch_domain) kerberos_use(nsswitch_domain)
') ')
@@ -456,10 +520,159 @@ optional_policy(` @@ -456,10 +520,163 @@ optional_policy(`
optional_policy(` optional_policy(`
sssd_stream_connect(nsswitch_domain) sssd_stream_connect(nsswitch_domain)
@ -35134,6 +35134,10 @@ index 09b791dcc..598dd5ed1 100644
samba_dontaudit_write_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain)
') ')
+ +
+optional_policy(`
+ virt_read_lib_files(nsswitch_domain)
+')
+
+####################################### +#######################################
+# +#
+# Login Program local policy +# Login Program local policy
@ -37885,7 +37889,7 @@ index 79a45f62e..6ed0c399a 100644
+ allow $1 init_var_lib_t:dir search_dir_perms; + allow $1 init_var_lib_t:dir search_dir_perms;
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda2480..f049f18e3 100644 index 17eda2480..fa8d5f276 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -38084,7 +38088,7 @@ index 17eda2480..f049f18e3 100644
+corenet_udp_bind_all_ports(init_t) +corenet_udp_bind_all_ports(init_t)
+ +
+dev_create_all_chr_files(init_t) +dev_create_all_chr_files(init_t)
+dev_rw_sysfs(init_t) +dev_manage_sysfs(init_t)
+dev_read_urand(init_t) +dev_read_urand(init_t)
+dev_read_raw_memory(init_t) +dev_read_raw_memory(init_t)
# Early devtmpfs # Early devtmpfs
@ -38311,7 +38315,7 @@ index 17eda2480..f049f18e3 100644
+allow init_t self:unix_dgram_socket { create_socket_perms sendto }; +allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec }; +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
+allow init_t self:process { getcap setcap }; +allow init_t self:process { getcap setcap };
+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms; +allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow init_t self:netlink_selinux_socket create_socket_perms; +allow init_t self:netlink_selinux_socket create_socket_perms;
+allow init_t self:unix_dgram_socket lock; +allow init_t self:unix_dgram_socket lock;

View File

@ -21367,7 +21367,7 @@ index 3023be7f6..5afde8039 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
') ')
diff --git a/cups.te b/cups.te diff --git a/cups.te b/cups.te
index c91813ccb..05ea50b72 100644 index c91813ccb..774431956 100644
--- a/cups.te --- a/cups.te
+++ b/cups.te +++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -21644,7 +21644,7 @@ index c91813ccb..05ea50b72 100644
selinux_compute_access_vector(cupsd_t) selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t) selinux_validate_context(cupsd_t)
@@ -244,22 +289,29 @@ auth_dontaudit_read_pam_pid(cupsd_t) @@ -244,22 +289,30 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t) auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t) auth_use_nsswitch(cupsd_t)
@ -21653,6 +21653,7 @@ index c91813ccb..05ea50b72 100644
+libs_exec_ldconfig(cupsd_t) +libs_exec_ldconfig(cupsd_t)
+libs_exec_ld_so(cupsd_t) +libs_exec_ld_so(cupsd_t)
+libs_use_ld_so(cupsd_t) +libs_use_ld_so(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)
logging_send_audit_msgs(cupsd_t) logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t) logging_send_syslog_msg(cupsd_t)
@ -21679,7 +21680,7 @@ index c91813ccb..05ea50b72 100644
optional_policy(` optional_policy(`
apm_domtrans_client(cupsd_t) apm_domtrans_client(cupsd_t)
@@ -272,6 +324,8 @@ optional_policy(` @@ -272,6 +325,8 @@ optional_policy(`
optional_policy(` optional_policy(`
dbus_system_bus_client(cupsd_t) dbus_system_bus_client(cupsd_t)
@ -21688,7 +21689,7 @@ index c91813ccb..05ea50b72 100644
userdom_dbus_send_all_users(cupsd_t) userdom_dbus_send_all_users(cupsd_t)
optional_policy(` optional_policy(`
@@ -279,11 +333,17 @@ optional_policy(` @@ -279,11 +334,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -21706,7 +21707,7 @@ index c91813ccb..05ea50b72 100644
') ')
') ')
@@ -296,8 +356,8 @@ optional_policy(` @@ -296,8 +357,8 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -21716,7 +21717,7 @@ index c91813ccb..05ea50b72 100644
') ')
optional_policy(` optional_policy(`
@@ -306,7 +366,6 @@ optional_policy(` @@ -306,7 +367,6 @@ optional_policy(`
optional_policy(` optional_policy(`
lpd_exec_lpr(cupsd_t) lpd_exec_lpr(cupsd_t)
@ -21724,7 +21725,7 @@ index c91813ccb..05ea50b72 100644
lpd_read_config(cupsd_t) lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t) lpd_relabel_spool(cupsd_t)
') ')
@@ -316,6 +375,10 @@ optional_policy(` @@ -316,6 +376,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -21735,7 +21736,7 @@ index c91813ccb..05ea50b72 100644
samba_read_config(cupsd_t) samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t) samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t) samba_stream_connect_nmbd(cupsd_t)
@@ -326,7 +389,7 @@ optional_policy(` @@ -326,7 +390,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -21744,7 +21745,7 @@ index c91813ccb..05ea50b72 100644
') ')
optional_policy(` optional_policy(`
@@ -334,7 +397,11 @@ optional_policy(` @@ -334,7 +398,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -21757,7 +21758,7 @@ index c91813ccb..05ea50b72 100644
') ')
######################################## ########################################
@@ -342,12 +409,11 @@ optional_policy(` @@ -342,12 +410,11 @@ optional_policy(`
# Configuration daemon local policy # Configuration daemon local policy
# #
@ -21773,7 +21774,7 @@ index c91813ccb..05ea50b72 100644
allow cupsd_config_t cupsd_t:process signal; allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t) ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -367,23 +433,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) @@ -367,23 +434,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms; allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@ -21801,7 +21802,7 @@ index c91813ccb..05ea50b72 100644
corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +458,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) @@ -392,20 +459,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t)
@ -21822,7 +21823,7 @@ index c91813ccb..05ea50b72 100644
fs_search_auto_mountpoints(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +475,6 @@ auth_use_nsswitch(cupsd_config_t) @@ -417,11 +476,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t)
@ -21834,7 +21835,7 @@ index c91813ccb..05ea50b72 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t)
@@ -449,9 +502,12 @@ optional_policy(` @@ -449,9 +503,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -21848,7 +21849,7 @@ index c91813ccb..05ea50b72 100644
') ')
optional_policy(` optional_policy(`
@@ -467,6 +523,10 @@ optional_policy(` @@ -467,6 +524,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -21859,7 +21860,7 @@ index c91813ccb..05ea50b72 100644
rpm_read_db(cupsd_config_t) rpm_read_db(cupsd_config_t)
') ')
@@ -487,10 +547,6 @@ optional_policy(` @@ -487,10 +548,6 @@ optional_policy(`
# Lpd local policy # Lpd local policy
# #
@ -21870,7 +21871,7 @@ index c91813ccb..05ea50b72 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +564,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) @@ -508,15 +565,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t)
@ -21888,7 +21889,7 @@ index c91813ccb..05ea50b72 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +593,6 @@ auth_use_nsswitch(cupsd_lpd_t) @@ -537,9 +594,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t)
@ -21898,7 +21899,7 @@ index c91813ccb..05ea50b72 100644
optional_policy(` optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
') ')
@@ -549,9 +602,9 @@ optional_policy(` @@ -549,9 +603,9 @@ optional_policy(`
# Pdf local policy # Pdf local policy
# #
@ -21910,7 +21911,7 @@ index c91813ccb..05ea50b72 100644
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +619,23 @@ fs_search_auto_mountpoints(cups_pdf_t) @@ -566,148 +620,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t) kernel_read_system_state(cups_pdf_t)
@ -22062,7 +22063,7 @@ index c91813ccb..05ea50b72 100644
######################################## ########################################
# #
@@ -735,7 +663,6 @@ kernel_read_kernel_sysctls(ptal_t) @@ -735,7 +664,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t) kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t) kernel_read_proc_symlinks(ptal_t)
@ -22070,7 +22071,7 @@ index c91813ccb..05ea50b72 100644
corenet_all_recvfrom_netlabel(ptal_t) corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +672,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) @@ -745,13 +673,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -22084,7 +22085,7 @@ index c91813ccb..05ea50b72 100644
files_read_etc_runtime_files(ptal_t) files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t) fs_getattr_all_fs(ptal_t)
@@ -759,8 +684,6 @@ fs_search_auto_mountpoints(ptal_t) @@ -759,8 +685,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t) logging_send_syslog_msg(ptal_t)
@ -22093,7 +22094,7 @@ index c91813ccb..05ea50b72 100644
sysnet_read_config(ptal_t) sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +696,4 @@ optional_policy(` @@ -773,3 +697,4 @@ optional_policy(`
optional_policy(` optional_policy(`
udev_read_db(ptal_t) udev_read_db(ptal_t)
') ')
@ -29731,7 +29732,7 @@ index c62c5670a..a74f123da 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms; + allow $1 firewalld_unit_file_t:service all_service_perms;
') ')
diff --git a/firewalld.te b/firewalld.te diff --git a/firewalld.te b/firewalld.te
index 98072a3a1..04cd1a61b 100644 index 98072a3a1..dc0aeb347 100644
--- a/firewalld.te --- a/firewalld.te
+++ b/firewalld.te +++ b/firewalld.te
@@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t) @@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t)
@ -29789,9 +29790,11 @@ index 98072a3a1..04cd1a61b 100644
corecmd_exec_bin(firewalld_t) corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t) corecmd_exec_shell(firewalld_t)
@@ -63,20 +79,27 @@ dev_search_sysfs(firewalld_t) @@ -62,21 +78,29 @@ dev_read_urand(firewalld_t)
dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t) domain_use_interactive_fds(firewalld_t)
+domain_obj_id_change_exemption(firewalld_t)
-files_read_etc_files(firewalld_t) -files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t) -files_read_usr_files(firewalld_t)
@ -29824,7 +29827,7 @@ index 98072a3a1..04cd1a61b 100644
optional_policy(` optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t) dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -91,10 +114,15 @@ optional_policy(` @@ -91,10 +115,15 @@ optional_policy(`
optional_policy(` optional_policy(`
networkmanager_dbus_chat(firewalld_t) networkmanager_dbus_chat(firewalld_t)
@ -76895,7 +76898,7 @@ index ded95ec3a..210018ce4 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
') ')
diff --git a/postfix.te b/postfix.te diff --git a/postfix.te b/postfix.te
index 5cfb83eca..708c908d1 100644 index 5cfb83eca..6835f1e58 100644
--- a/postfix.te --- a/postfix.te
+++ b/postfix.te +++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@ -77073,9 +77076,8 @@ index 5cfb83eca..708c908d1 100644
-######################################## -########################################
-# -#
-# Common postfix user domain local policy -# Common postfix user domain local policy
+# Postfix master process local policy -#
# -
-allow postfix_user_domains self:capability dac_override; -allow postfix_user_domains self:capability dac_override;
- -
-domain_use_interactive_fds(postfix_user_domains) -domain_use_interactive_fds(postfix_user_domains)
@ -77083,8 +77085,9 @@ index 5cfb83eca..708c908d1 100644
-######################################## -########################################
-# -#
-# Master local policy -# Master local policy
-# +# Postfix master process local policy
- #
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+dontaudit postfix_master_t self:capability { net_admin }; +dontaudit postfix_master_t self:capability { net_admin };
+# chown is to set the correct ownership of queue dirs +# chown is to set the correct ownership of queue dirs
@ -77273,7 +77276,7 @@ index 5cfb83eca..708c908d1 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -363,37 +256,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool @@ -363,74 +256,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
######################################## ########################################
# #
@ -77320,8 +77323,12 @@ index 5cfb83eca..708c908d1 100644
optional_policy(` optional_policy(`
mailman_read_data_files(postfix_cleanup_t) mailman_read_data_files(postfix_cleanup_t)
@@ -401,36 +291,50 @@ optional_policy(` ')
+optional_policy(`
+ milter_stream_connect_all(postfix_cleanup_t)
+')
+
######################################## ########################################
# #
-# Local local policy -# Local local policy
@ -77380,7 +77387,7 @@ index 5cfb83eca..708c908d1 100644
') ')
optional_policy(` optional_policy(`
@@ -442,16 +346,25 @@ optional_policy(` @@ -442,16 +350,25 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -77406,7 +77413,7 @@ index 5cfb83eca..708c908d1 100644
procmail_domtrans(postfix_local_t) procmail_domtrans(postfix_local_t)
') ')
@@ -466,15 +379,17 @@ optional_policy(` @@ -466,15 +383,17 @@ optional_policy(`
######################################## ########################################
# #
@ -77431,7 +77438,7 @@ index 5cfb83eca..708c908d1 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
@@ -484,14 +399,15 @@ kernel_read_kernel_sysctls(postfix_map_t) @@ -484,14 +403,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t)
@ -77451,7 +77458,7 @@ index 5cfb83eca..708c908d1 100644
corecmd_list_bin(postfix_map_t) corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t)
@@ -500,7 +416,6 @@ corecmd_read_bin_pipes(postfix_map_t) @@ -500,7 +420,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t) files_list_home(postfix_map_t)
@ -77459,7 +77466,7 @@ index 5cfb83eca..708c908d1 100644
files_read_etc_runtime_files(postfix_map_t) files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t) files_dontaudit_search_var(postfix_map_t)
@@ -508,21 +423,24 @@ auth_use_nsswitch(postfix_map_t) @@ -508,21 +427,24 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t) logging_send_syslog_msg(postfix_map_t)
@ -77487,7 +77494,7 @@ index 5cfb83eca..708c908d1 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -532,21 +450,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; @@ -532,21 +454,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@ -77513,7 +77520,7 @@ index 5cfb83eca..708c908d1 100644
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
@@ -557,6 +475,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -557,6 +479,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
corecmd_exec_bin(postfix_pipe_t) corecmd_exec_bin(postfix_pipe_t)
optional_policy(` optional_policy(`
@ -77524,7 +77531,7 @@ index 5cfb83eca..708c908d1 100644
dovecot_domtrans_deliver(postfix_pipe_t) dovecot_domtrans_deliver(postfix_pipe_t)
') ')
@@ -584,19 +506,28 @@ optional_policy(` @@ -584,19 +510,28 @@ optional_policy(`
######################################## ########################################
# #
@ -77558,7 +77565,7 @@ index 5cfb83eca..708c908d1 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t)
@@ -611,10 +542,7 @@ optional_policy(` @@ -611,10 +546,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
') ')
@ -77570,7 +77577,7 @@ index 5cfb83eca..708c908d1 100644
optional_policy(` optional_policy(`
fstools_read_pipes(postfix_postdrop_t) fstools_read_pipes(postfix_postdrop_t)
') ')
@@ -629,17 +557,24 @@ optional_policy(` @@ -629,17 +561,24 @@ optional_policy(`
####################################### #######################################
# #
@ -77598,7 +77605,7 @@ index 5cfb83eca..708c908d1 100644
init_sigchld_script(postfix_postqueue_t) init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t)
@@ -655,69 +590,80 @@ optional_policy(` @@ -655,69 +594,80 @@ optional_policy(`
######################################## ########################################
# #
@ -77696,7 +77703,7 @@ index 5cfb83eca..708c908d1 100644
') ')
optional_policy(` optional_policy(`
@@ -730,28 +676,32 @@ optional_policy(` @@ -730,28 +680,32 @@ optional_policy(`
######################################## ########################################
# #
@ -77737,7 +77744,7 @@ index 5cfb83eca..708c908d1 100644
optional_policy(` optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -764,6 +714,7 @@ optional_policy(` @@ -764,6 +718,7 @@ optional_policy(`
optional_policy(` optional_policy(`
milter_stream_connect_all(postfix_smtpd_t) milter_stream_connect_all(postfix_smtpd_t)
@ -77745,7 +77752,7 @@ index 5cfb83eca..708c908d1 100644
') ')
optional_policy(` optional_policy(`
@@ -774,31 +725,101 @@ optional_policy(` @@ -774,31 +729,101 @@ optional_policy(`
sasl_connect(postfix_smtpd_t) sasl_connect(postfix_smtpd_t)
') ')
@ -117242,7 +117249,7 @@ index facdee8b3..2a619ba9e 100644
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index f03dcf567..a287ebdf0 100644 index f03dcf567..844aa6e9e 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,451 +1,424 @@ @@ -1,451 +1,424 @@
@ -117855,10 +117862,10 @@ index f03dcf567..a287ebdf0 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+allow svirt_t self:process ptrace; +allow svirt_t self:process ptrace;
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+# it was a part of auth_use_nsswitch +# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; +allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
@ -118034,20 +118041,20 @@ index f03dcf567..a287ebdf0 100644
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -can_exec(virtd_t, virt_tmp_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+# libvirtd is permitted to talk to virtlogd +# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
-can_exec(virtd_t, virt_tmp_t)
-
-kernel_read_crypto_sysctls(virtd_t) -kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t) kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t) kernel_read_network_state(virtd_t)
@ -118207,7 +118214,7 @@ index f03dcf567..a287ebdf0 100644
') ')
optional_policy(` optional_policy(`
@@ -691,99 +653,437 @@ optional_policy(` @@ -691,99 +653,441 @@ optional_policy(`
dnsmasq_kill(virtd_t) dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t) dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t) dnsmasq_create_pid_dirs(virtd_t)
@ -118352,6 +118359,10 @@ index f03dcf567..a287ebdf0 100644
+') +')
+ +
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(virtlogd_t)
+')
+
+optional_policy(`
+ systemd_write_inhibit_pipes(virtlogd_t) + systemd_write_inhibit_pipes(virtlogd_t)
+') +')
+ +
@ -118696,7 +118707,7 @@ index f03dcf567..a287ebdf0 100644
kernel_read_system_state(virsh_t) kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t) kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t) kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +1094,18 @@ kernel_write_xen_state(virsh_t) @@ -794,25 +1098,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t) corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t) corecmd_exec_shell(virsh_t)
@ -118723,7 +118734,7 @@ index f03dcf567..a287ebdf0 100644
fs_getattr_all_fs(virsh_t) fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t) fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +1114,25 @@ fs_search_auto_mountpoints(virsh_t) @@ -821,23 +1118,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t) storage_raw_read_fixed_disk(virsh_t)
@ -118757,7 +118768,7 @@ index f03dcf567..a287ebdf0 100644
tunable_policy(`virt_use_nfs',` tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_dirs(virsh_t)
@@ -856,14 +1151,20 @@ optional_policy(` @@ -856,14 +1155,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -118779,7 +118790,7 @@ index f03dcf567..a287ebdf0 100644
xen_stream_connect(virsh_t) xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t) xen_stream_connect_xenstore(virsh_t)
') ')
@@ -888,49 +1189,66 @@ optional_policy(` @@ -888,49 +1193,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t) kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t)
@ -118864,7 +118875,7 @@ index f03dcf567..a287ebdf0 100644
corecmd_exec_bin(virtd_lxc_t) corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1260,16 @@ dev_read_urand(virtd_lxc_t) @@ -942,17 +1264,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t)
@ -118884,7 +118895,7 @@ index f03dcf567..a287ebdf0 100644
fs_getattr_all_fs(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,15 +1281,11 @@ fs_rw_cgroup_files(virtd_lxc_t) @@ -964,15 +1285,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -118903,7 +118914,7 @@ index f03dcf567..a287ebdf0 100644
term_use_generic_ptys(virtd_lxc_t) term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t) term_use_ptmx(virtd_lxc_t)
@@ -982,186 +1295,307 @@ auth_use_nsswitch(virtd_lxc_t) @@ -982,186 +1299,307 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t)
@ -119340,7 +119351,7 @@ index f03dcf567..a287ebdf0 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1608,12 @@ dev_read_sysfs(virt_qmf_t) @@ -1174,12 +1612,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t) dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t) dev_read_urand(virt_qmf_t)
@ -119355,7 +119366,7 @@ index f03dcf567..a287ebdf0 100644
sysnet_read_config(virt_qmf_t) sysnet_read_config(virt_qmf_t)
optional_policy(` optional_policy(`
@@ -1192,7 +1626,7 @@ optional_policy(` @@ -1192,7 +1630,7 @@ optional_policy(`
######################################## ########################################
# #
@ -119364,7 +119375,7 @@ index f03dcf567..a287ebdf0 100644
# #
allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:process { setcap getcap };
@@ -1201,11 +1635,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; @@ -1201,11 +1639,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 291%{?dist} Release: 292%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -682,6 +682,14 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-292
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)
- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)
- Allow systemd to maange sysfs BZ(1471361)
* Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-291 * Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-291
- Switch default value of SELinux boolean httpd_graceful_shutdown to off. - Switch default value of SELinux boolean httpd_graceful_shutdown to off.