* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173

- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759 - Allow keepalived to create netlink generic sockets. rhbz#1311756 - Allow modemmanager to read /etc/passwd file. - Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t. - Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255 - Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019 - Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444 - Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
2016-02-26 13:34:18 +01:00 · 2016-02-26 13:34:18 +01:00 · 7ac3a50aaf
commit 7ac3a50aaf
parent 352a55a547
4 changed files with 58 additions and 35 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -35871,7 +35871,7 @@ index 0d4c8d3..537aa42 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..34f5262 100644
+index 312cd04..324b3af 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35978,7 +35978,7 @@ index 312cd04..34f5262 100644
 
 dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
-@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t)
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
 
@ -36004,16 +36004,15 @@ index 312cd04..34f5262 100644
 
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 userdom_dontaudit_search_user_home_dirs(ipsec_t)
- 
- optional_policy(`
-+    iptables_domtrans(ipsec_t)
-+')
+userdom_read_home_certs(ipsec_t)
 +
 +optional_policy(`
- 	seutil_sigchld_newrole(ipsec_t)
- ')
+    iptables_domtrans(ipsec_t)
+')
 
-@@ -182,19 +211,30 @@ optional_policy(`
+ optional_policy(`
+ 	seutil_sigchld_newrole(ipsec_t)
+@@ -182,19 +212,30 @@ optional_policy(`
 	udev_read_db(ipsec_t)
 ')
 
@ -36048,7 +36047,7 @@ index 312cd04..34f5262 100644
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -36064,7 +36063,7 @@ index 312cd04..34f5262 100644
 
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 
@ -36081,7 +36080,7 @@ index 312cd04..34f5262 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
@ -36090,7 +36089,7 @@ index 312cd04..34f5262 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
 
-@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
@ -36098,7 +36097,7 @@ index 312cd04..34f5262 100644
 files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 
 term_use_console(ipsec_mgmt_t)
@ -36110,7 +36109,7 @@ index 312cd04..34f5262 100644
 
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 
@ -36144,7 +36143,7 @@ index 312cd04..34f5262 100644
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +389,10 @@ optional_policy(`
+@@ -322,6 +390,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -36155,7 +36154,7 @@ index 312cd04..34f5262 100644
 	modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
 
-@@ -335,7 +406,7 @@ optional_policy(`
+@@ -335,7 +407,7 @@ optional_policy(`
 #
 
 allow racoon_t self:capability { net_admin net_bind_service };
@ -36164,7 +36163,7 @@ index 312cd04..34f5262 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 
@ -36184,7 +36183,7 @@ index 312cd04..34f5262 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
-@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@ -36197,7 +36196,7 @@ index 312cd04..34f5262 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t)
 
 locallogin_use_fds(setkey_t)
 
@ -43785,7 +43784,7 @@ index a392fc4..78fa512 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..b53de2b
+index 0000000..849cdb8
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,61 @@
@ -43839,7 +43838,7 @@ index 0000000..b53de2b
 +/var/lib/random-seed 		gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +/usr/var/lib/random-seed 	gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +
-+/var/run/nologin		gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/.*nologin.*		gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
 +/var/run/systemd/shutdown(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
@ -43852,10 +43851,10 @@ index 0000000..b53de2b
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..300bf59
+index 0000000..21f7c14
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1676 @@
+@@ -0,0 +1,1678 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -44970,6 +44969,7 @@ index 0000000..300bf59
 +		type systemd_logind_var_run_t;
 +		type hostname_etc_t;
 +		type systemd_home_t;
+		type systemd_rfkill_var_lib_t;
 +	')
 +
 +	files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
@ -44978,6 +44978,7 @@ index 0000000..300bf59
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
 +	files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
 +	files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
+	init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill" )
 +')
 +
 +########################################
@ -45534,10 +45535,10 @@ index 0000000..300bf59
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..eb1b3c3
+index 0000000..bf93dba
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,842 @@
+@@ -0,0 +1,843 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -45687,7 +45688,7 @@ index 0000000..eb1b3c3
 +manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
-+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir })
 +files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
 +
 +manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
@ -45896,6 +45897,7 @@ index 0000000..eb1b3c3
 +fs_read_xenfs_files(systemd_networkd_t)
 +
 +dev_read_sysfs(systemd_networkd_t)
+dev_write_kmsg(systemd_networkd_t)
 +
 +logging_send_syslog_msg(systemd_networkd_t)
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2267,7 +2267,7 @@ index 7f4dfbc..e5c9f45 100644
 /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
 diff --git a/amanda.te b/amanda.te
-index 519051c..f5784a5 100644
+index 519051c..0f871e6 100644
 --- a/amanda.te
 +++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@ -2330,7 +2330,15 @@ index 519051c..f5784a5 100644
 
 files_read_etc_runtime_files(amanda_t)
 files_list_all(amanda_t)
-@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
+ storage_raw_read_fixed_disk(amanda_t)
+ storage_read_tape(amanda_t)
+ storage_write_tape(amanda_t)
+storage_write_scsi_generic(amanda_t)
+ 
+ auth_use_nsswitch(amanda_t)
+ auth_read_shadow(amanda_t)
+@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
 
@ -2338,7 +2346,7 @@ index 519051c..f5784a5 100644
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_generic_if(amanda_recover_t)
 corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
 
 auth_use_nsswitch(amanda_recover_t)
 
@ -41006,10 +41014,10 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..8ab40b5
+index 0000000..66e747b
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,92 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@ -41038,6 +41046,7 @@ index 0000000..8ab40b5
 +allow keepalived_t self:capability { net_admin net_raw kill };
 +allow keepalived_t self:process { signal_perms };
 +allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
 +allow keepalived_t self:netlink_route_socket nlmsg_write;
 +allow keepalived_t self:packet_socket create_socket_perms;
 +allow keepalived_t self:rawip_socket create_socket_perms;
@ -49397,7 +49406,7 @@ index b1ac8b5..24782b3 100644
 +	')
 +')
 diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..25f2cfe 100644
+index d15eb5b..6e2a403 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@ -49410,7 +49419,7 @@ index d15eb5b..25f2cfe 100644
 ########################################
 #
 # Local policy
-@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+@@ -19,20 +22,24 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
 allow modemmanager_t self:process { getsched signal };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
@ -49420,6 +49429,8 @@ index d15eb5b..25f2cfe 100644
 
 kernel_read_system_state(modemmanager_t)
 
+auth_read_passwd(modemmanager_t)
+
 +corecmd_exec_bin(modemmanager_t)
 +
 dev_read_sysfs(modemmanager_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 172%{?dist}
+Release: 173%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -673,6 +673,16 @@ exit 0
 %endif

 %changelog
+* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
+- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
+- Allow keepalived to create netlink generic sockets. rhbz#1311756
+- Allow modemmanager to read /etc/passwd file.
+- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
+- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
+- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
+- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
+- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
+
 * Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
 - Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
 - Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033