* Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112

- Allow audisp to connect to system DBUS for service. - Label /dev/log correctly. - Add interface init_read_var_lib_files(). - Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
2015-02-16 20:23:47 +01:00 · 2015-02-16 20:23:47 +01:00 · 83d645c1b0
commit 83d645c1b0
parent e793323380
3 changed files with 49 additions and 18 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -29472,7 +29472,7 @@ index bc0ffc8..7198bd9 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..b88e8a2 100644
+index 79a45f6..6c7a9d9 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -30494,7 +30494,7 @@ index 79a45f6..b88e8a2 100644
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2380,473 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2380,492 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -30968,6 +30968,25 @@ index 79a45f6..b88e8a2 100644
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 +')
 +
 +########################################
 +## <summary>
 +##	Read systemd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`init_read_var_lib_files',`
 +	gen_require(`
 +		type init_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +	read_files_pattern($1, init_var_lib_t, init_var_lib_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index 17eda24..1381948 100644
 --- a/policy/modules/system/init.te
@ -34091,10 +34110,12 @@ index 446fa99..22f539c 100644
 +	plymouthd_exec_plymouth(sulogin_t)
 ')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..e55a556 100644
+index b50c5fe..13da95a 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -2,10 +2,13 @@
+@@ -1,11 +1,14 @@
 -/dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 +/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@ -34180,7 +34201,7 @@ index b50c5fe..e55a556 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..8de26ad 100644
+index 4e94884..6b1eae3 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -34296,8 +34317,8 @@ index 4e94884..8de26ad 100644
 +		type devlog_t;
 +	')
 +
-+	allow $1 devlog_t:sock_file manage_sock_file_perms;
+	allow $1 devlog_t:lnk_file manage_sock_file_perms;
-+	dev_filetrans($1, devlog_t, sock_file)
+	dev_filetrans($1, devlog_t, lnk_file)
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
 +')
 +
@ -34706,7 +34727,7 @@ index 4e94884..8de26ad 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..d9852d4 100644
+index 59b04c1..df37453 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -34858,17 +34879,18 @@ index 59b04c1..d9852d4 100644
 mls_file_write_all_levels(audisp_t)
 +mls_socket_write_all_levels(audisp_t)
 +mls_dbus_send_all_levels(audisp_t)
-+
+ 
 -logging_send_syslog_msg(audisp_t)
 +auth_use_nsswitch(audisp_t)
 logging_send_syslog_msg(audisp_t)
 -miscfiles_read_localization(audisp_t)
 +logging_send_syslog_msg(audisp_t)
 sysnet_dns_name_resolve(audisp_t)
 optional_policy(`
 	dbus_system_bus_client(audisp_t)
 +    dbus_connect_system_bus(audisp_t)
 +
 +	optional_policy(`
 +		setroubleshoot_dbus_chat(audisp_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -546,7 +546,7 @@ index 058d908..1e92177 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..34371ae 100644
+index eb50f07..d77f4a6 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -984,7 +984,7 @@ index eb50f07..34371ae 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +451,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +451,58 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 dev_read_urand(abrt_retrace_worker_t)
@ -1005,7 +1005,8 @@ index eb50f07..34371ae 100644
 +# abrt_dump_oops local policy
 #
- allow abrt_dump_oops_t self:capability dac_override;
+-allow abrt_dump_oops_t self:capability dac_override;
 +allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };
 allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
 -allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
 +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
@ -1041,10 +1042,12 @@ index eb50f07..34371ae 100644
 logging_read_generic_logs(abrt_dump_oops_t)
 +logging_read_syslog_pid(abrt_dump_oops_t)
 +logging_send_syslog_msg(abrt_dump_oops_t)
 +
 +init_read_var_lib_files(abrt_dump_oops_t)
 #######################################
 #
-@@ -404,7 +508,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +510,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1053,7 +1056,7 @@ index eb50f07..34371ae 100644
 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,16 +517,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +519,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
 corecmd_exec_bin(abrt_watch_log_t)
 logging_read_all_logs(abrt_watch_log_t)
@ -1097,7 +1100,7 @@ index eb50f07..34371ae 100644
 ')
 #######################################
-@@ -430,10 +560,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +562,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 111%{?dist}
+Release: 112%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,12 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112
 - Allow audisp to connect to system DBUS for service.
 - Label /dev/log correctly.
 - Add interface init_read_var_lib_files().
 - Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
 * Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
 - Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
 - Remove automatcically running filetrans_named_content form sysnet_manage_config