* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173

- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add a filename transition to the systemd_filetrans_named_content() interface so that the domain creates the rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
Lukas Vrabec 2016-02-26 13:34:18 +01:00
parent 352a55a547
commit 7ac3a50aaf
4 changed files with 58 additions and 35 deletions



@ -35871,7 +35871,7 @@ index 0d4c8d3..537aa42 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd04..34f5262 100644
index 312cd04..324b3af 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35978,7 +35978,7 @@ index 312cd04..34f5262 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t)
@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@ -36004,16 +36004,15 @@ index 312cd04..34f5262 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
optional_policy(`
+ iptables_domtrans(ipsec_t)
+')
+userdom_read_home_certs(ipsec_t)
+
+optional_policy(`
seutil_sigchld_newrole(ipsec_t)
')
+ iptables_domtrans(ipsec_t)
+')
@@ -182,19 +211,30 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(ipsec_t)
@@ -182,19 +212,30 @@ optional_policy(`
udev_read_db(ipsec_t)
')
@ -36048,7 +36047,7 @@ index 312cd04..34f5262 100644
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -36064,7 +36063,7 @@ index 312cd04..34f5262 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@ -36081,7 +36080,7 @@ index 312cd04..34f5262 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@ -36090,7 +36089,7 @@ index 312cd04..34f5262 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@ -36098,7 +36097,7 @@ index 312cd04..34f5262 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@ -36110,7 +36109,7 @@ index 312cd04..34f5262 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t)
@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@ -36144,7 +36143,7 @@ index 312cd04..34f5262 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +389,10 @@ optional_policy(`
@@ -322,6 +390,10 @@ optional_policy(`
')
optional_policy(`
@ -36155,7 +36154,7 @@ index 312cd04..34f5262 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -335,7 +406,7 @@ optional_policy(`
@@ -335,7 +407,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@ -36164,7 +36163,7 @@ index 312cd04..34f5262 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@ -36184,7 +36183,7 @@ index 312cd04..34f5262 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@ -36197,7 +36196,7 @@ index 312cd04..34f5262 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t)
@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@ -43785,7 +43784,7 @@ index a392fc4..78fa512 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 0000000..b53de2b
index 0000000..849cdb8
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,61 @@
@ -43839,7 +43838,7 @@ index 0000000..b53de2b
+/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
+/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
+
+/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/.*nologin.* gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
+/var/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
@ -43852,10 +43851,10 @@ index 0000000..b53de2b
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..300bf59
index 0000000..21f7c14
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1676 @@
@@ -0,0 +1,1678 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@ -44970,6 +44969,7 @@ index 0000000..300bf59
+ type systemd_logind_var_run_t;
+ type hostname_etc_t;
+ type systemd_home_t;
+ type systemd_rfkill_var_lib_t;
+ ')
+
+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
@ -44978,6 +44978,7 @@ index 0000000..300bf59
+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
+ init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill" )
+')
+
+########################################
@ -45534,10 +45535,10 @@ index 0000000..300bf59
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..eb1b3c3
index 0000000..bf93dba
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,842 @@
@@ -0,0 +1,843 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -45687,7 +45688,7 @@ index 0000000..eb1b3c3
+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir })
+files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
@ -45896,6 +45897,7 @@ index 0000000..eb1b3c3
+fs_read_xenfs_files(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+dev_write_kmsg(systemd_networkd_t)
+
+logging_send_syslog_msg(systemd_networkd_t)
+
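Review bot: The new file_contexts entry `/var/run/.*nologin.* gen_context(system_u:object_r:systemd_logind_var_run_t,s0)` in the systemd.fc hunk is far wider than the `.#nologinXXXXXX` temporary files the changelog describes: in file_contexts `.` also matches `/`, so every path under /var/run whose name contains `nologin`, at any depth and owned by any daemon, would be relabeled to systemd_logind_var_run_t by restorecon. Anchoring the pattern to the file name actually created, e.g. `/var/run/\.#nologin[^/]* gen_context(system_u:object_r:systemd_logind_var_run_t,s0)` (with `/systemd` inserted after /var/run if the temp file really lives there, as the changelog says), avoids labeling unrelated files and leaves the existing `/var/run/nologin` literal entry meaningful rather than subsumed. The runtime side in the systemd.te hunk, `init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir })`, appears to already give the temp file its label at creation, so the .fc rule only has to cover relabeling and can be narrow. The inner systemd.fc and systemd.te hunks both begin outside this section's view.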


@ -2267,7 +2267,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
index 519051c..f5784a5 100644
index 519051c..0f871e6 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@ -2330,7 +2330,15 @@ index 519051c..f5784a5 100644
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
+storage_write_scsi_generic(amanda_t)
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@ -2338,7 +2346,7 @@ index 519051c..f5784a5 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@ -41006,10 +41014,10 @@ index 0000000..bd7e7fa
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
index 0000000..8ab40b5
index 0000000..66e747b
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,91 @@
@@ -0,0 +1,92 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@ -41038,6 +41046,7 @@ index 0000000..8ab40b5
+allow keepalived_t self:capability { net_admin net_raw kill };
+allow keepalived_t self:process { signal_perms };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
+allow keepalived_t self:netlink_route_socket nlmsg_write;
+allow keepalived_t self:packet_socket create_socket_perms;
+allow keepalived_t self:rawip_socket create_socket_perms;
@ -49397,7 +49406,7 @@ index b1ac8b5..24782b3 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
index d15eb5b..25f2cfe 100644
index d15eb5b..6e2a403 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@ -49410,7 +49419,7 @@ index d15eb5b..25f2cfe 100644
########################################
#
# Local policy
@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -19,20 +22,24 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
allow modemmanager_t self:process { getsched signal };
allow modemmanager_t self:fifo_file rw_fifo_file_perms;
@ -49420,6 +49429,8 @@ index d15eb5b..25f2cfe 100644
kernel_read_system_state(modemmanager_t)
+auth_read_passwd(modemmanager_t)
+
+corecmd_exec_bin(modemmanager_t)
+
dev_read_sysfs(modemmanager_t)
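Review bot: `storage_write_scsi_generic(amanda_t)` in the amanda.te hunk carries no comment explaining why a backup daemon needs write access to generic SCSI devices, and the interface name suggests it covers every sg node the storage module labels, not only the tape changer; a later reader of amanda.te cannot tell the changer use from an accidental over-grant. Add a why-comment above the line, `# tape changer control goes through generic SCSI devices; rhbz#1311759`, so the scope of the grant stays traceable to the bug it fixes. If the changer node can be bound to a narrower type than the generic SCSI one in this policy, that would be the tighter fix, but nothing in the hunk shows such a type. The amanda_t local-policy block starts and ends outside the hunk.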


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 172%{?dist}
Release: 173%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -673,6 +673,16 @@ exit 0
%endif
%changelog
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
* Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033