Make vdagent able to request loading kernel module

- Add support for cloud-init make it as unconfined domain
- Allow snmpd to run smartctl in fsadm_t domain
- remove duplicate openshift_search_lib() interface
- Allow mysqld to search openshift lib files
- Allow openshift cgroup to interact with passedin file descriptors
- Allow colord to list directories in the users homedir
- aide executes prelink to check files
- Make sure cupsd_t creates content in /etc/cups with the correct label
- Lest dontaudit apache read all domains, so passenger will not cause this avc
- Allow gssd to connect to gssproxy
- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
- Allow systemd-tmpfiles to relabel also lock files
- Allow useradd to add homedir in /var/lib/openshift
- Allow setfiles and semanage to write output to /run/files
Dan Walsh 2013-06-19 15:22:03 -04:00
parent 9f52d7a4b1
commit 859a101f23
3 changed files with 829 additions and 434 deletions



@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
index 4b28ab3..cf64a9a 100644
index 4b28ab3..6e8746f 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@ -1479,7 +1479,16 @@ index 4b28ab3..cf64a9a 100644
role aide_roles types aide_t;
type aide_log_t;
@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file)
@@ -23,7 +24,7 @@ files_type(aide_db_t)
# Local policy
#
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_override fowner ipc_lock };
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
@ -1494,6 +1503,10 @@ index 4b28ab3..cf64a9a 100644
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
+
+optional_policy(`
+ prelink_domtrans(aide_t)
+')
optional_policy(`
seutil_use_newrole_fds(aide_t)
@ -4511,7 +4524,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 1a82e29..a434dfd 100644
index 1a82e29..392480e 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@ -5199,7 +5212,7 @@ index 1a82e29..a434dfd 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -5275,6 +5288,7 @@ index 1a82e29..a434dfd 100644
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
@ -5427,7 +5441,7 @@ index 1a82e29..a434dfd 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@ -5487,7 +5501,7 @@ index 1a82e29..a434dfd 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@ -5572,7 +5586,7 @@ index 1a82e29..a434dfd 100644
')
tunable_policy(`httpd_setrlimit',`
@@ -690,49 +810,48 @@ tunable_policy(`httpd_setrlimit',`
@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -5653,7 +5667,7 @@ index 1a82e29..a434dfd 100644
')
optional_policy(`
@@ -743,14 +862,6 @@ optional_policy(`
@@ -743,14 +863,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@ -5668,7 +5682,7 @@ index 1a82e29..a434dfd 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
@@ -765,6 +876,23 @@ optional_policy(`
@@ -765,6 +877,23 @@ optional_policy(`
')
optional_policy(`
@ -5692,7 +5706,7 @@ index 1a82e29..a434dfd 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
@@ -781,34 +909,42 @@ optional_policy(`
@@ -781,34 +910,42 @@ optional_policy(`
')
optional_policy(`
@ -5746,7 +5760,7 @@ index 1a82e29..a434dfd 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -816,8 +952,18 @@ optional_policy(`
@@ -816,8 +953,18 @@ optional_policy(`
')
optional_policy(`
@ -5765,7 +5779,7 @@ index 1a82e29..a434dfd 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -826,6 +972,7 @@ optional_policy(`
@@ -826,6 +973,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@ -5773,7 +5787,7 @@ index 1a82e29..a434dfd 100644
')
optional_policy(`
@@ -836,20 +983,38 @@ optional_policy(`
@@ -836,20 +984,38 @@ optional_policy(`
')
optional_policy(`
@ -5818,7 +5832,7 @@ index 1a82e29..a434dfd 100644
')
optional_policy(`
@@ -857,6 +1022,16 @@ optional_policy(`
@@ -857,6 +1023,16 @@ optional_policy(`
')
optional_policy(`
@ -5835,7 +5849,7 @@ index 1a82e29..a434dfd 100644
seutil_sigchld_newrole(httpd_t)
')
@@ -865,11 +1040,16 @@ optional_policy(`
@@ -865,11 +1041,16 @@ optional_policy(`
')
optional_policy(`
@ -5852,7 +5866,7 @@ index 1a82e29..a434dfd 100644
udev_read_db(httpd_t)
')
@@ -877,65 +1057,166 @@ optional_policy(`
@@ -877,65 +1058,165 @@ optional_policy(`
yam_read_content(httpd_t)
')
@ -5891,7 +5905,6 @@ index 1a82e29..a434dfd 100644
+ allow httpd_t self:process setexec;
+
+ files_dontaudit_getattr_all_files(httpd_t)
+ domain_dontaudit_read_all_domains_state(httpd_t)
+ domain_getpgid_all_domains(httpd_t)
+')
+
@ -10891,7 +10904,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
index 914ee2d..6567c77 100644
index 914ee2d..770ae51 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -10904,7 +10917,7 @@ index 914ee2d..6567c77 100644
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t)
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
# Local policy
#
@ -10916,13 +10929,12 @@ index 914ee2d..6567c77 100644
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
+
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -11439,21 +11451,28 @@ index 29782b8..685edff 100644
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000..8a40857
index 0000000..cc740da
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,22 @@
@@ -0,0 +1,29 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
@ -11515,10 +11534,10 @@ index 0000000..8ac848b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 0000000..c158ef5
index 0000000..a56e579
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,196 @@
@@ -0,0 +1,296 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@ -11530,6 +11549,19 @@ index 0000000..c158ef5
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(mongod)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
@ -11583,6 +11615,93 @@ index 0000000..c158ef5
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+ dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+ dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+ mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ # it check file context and run restorecon
+ seutil_read_file_contexts(cloud_init_t)
+ seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(cloud_init_t)
+ ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(cloud_init_t)
+ sysnet_read_dhcpc_state(cloud_init_t)
+ sysnet_dns_name_resolve(cloud_init_t)
+')
+
+optional_policy(`
+ unconfined_domain(cloud_init_t)
+')
+
+
+########################################
+#
+# deltacloudd local policy
@ -12252,7 +12371,7 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
index 09f18e2..9d70983 100644
index 09f18e2..3547d05 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@ -12315,7 +12434,7 @@ index 09f18e2..9d70983 100644
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
@@ -98,25 +104,28 @@ storage_write_scsi_generic(colord_t)
@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
auth_use_nsswitch(colord_t)
@ -12337,6 +12456,7 @@ index 09f18e2..9d70983 100644
-')
+userdom_rw_user_tmpfs_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
optional_policy(`
@ -12354,7 +12474,7 @@ index 09f18e2..9d70983 100644
')
optional_policy(`
@@ -133,3 +142,16 @@ optional_policy(`
@@ -133,3 +143,16 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
')
@ -16587,7 +16707,7 @@ index 06da9a0..6d69a2f 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
index 9f34c2e..c7268a7 100644
index 9f34c2e..ab0eee9 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@ -16729,7 +16849,7 @@ index 9f34c2e..c7268a7 100644
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@ -16737,7 +16857,13 @@ index 9f34c2e..c7268a7 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@ -16765,7 +16891,7 @@ index 9f34c2e..c7268a7 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@ -16777,7 +16903,7 @@ index 9f34c2e..c7268a7 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@ -16802,7 +16928,7 @@ index 9f34c2e..c7268a7 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t)
@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@ -16810,7 +16936,7 @@ index 9f34c2e..c7268a7 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t)
@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@ -16830,7 +16956,7 @@ index 9f34c2e..c7268a7 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t)
@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@ -16839,7 +16965,7 @@ index 9f34c2e..c7268a7 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@ -16865,7 +16991,7 @@ index 9f34c2e..c7268a7 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
@@ -275,6 +309,8 @@ optional_policy(`
@@ -275,6 +310,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@ -16874,7 +17000,7 @@ index 9f34c2e..c7268a7 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -285,8 +321,10 @@ optional_policy(`
@@ -285,8 +322,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@ -16885,7 +17011,7 @@ index 9f34c2e..c7268a7 100644
')
')
@@ -299,8 +337,8 @@ optional_policy(`
@@ -299,8 +338,8 @@ optional_policy(`
')
optional_policy(`
@ -16895,7 +17021,7 @@ index 9f34c2e..c7268a7 100644
')
optional_policy(`
@@ -309,7 +347,6 @@ optional_policy(`
@@ -309,7 +348,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@ -16903,7 +17029,7 @@ index 9f34c2e..c7268a7 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -337,7 +374,11 @@ optional_policy(`
@@ -337,7 +375,11 @@ optional_policy(`
')
optional_policy(`
@ -16916,7 +17042,7 @@ index 9f34c2e..c7268a7 100644
')
########################################
@@ -345,12 +386,11 @@ optional_policy(`
@@ -345,12 +387,11 @@ optional_policy(`
# Configuration daemon local policy
#
@ -16932,7 +17058,7 @@ index 9f34c2e..c7268a7 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -16953,7 +17079,7 @@ index 9f34c2e..c7268a7 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@ -16974,7 +17100,7 @@ index 9f34c2e..c7268a7 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t)
@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@ -16986,7 +17112,7 @@ index 9f34c2e..c7268a7 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -452,9 +477,12 @@ optional_policy(`
@@ -452,9 +478,12 @@ optional_policy(`
')
optional_policy(`
@ -17000,7 +17126,7 @@ index 9f34c2e..c7268a7 100644
')
optional_policy(`
@@ -490,10 +518,6 @@ optional_policy(`
@@ -490,10 +519,6 @@ optional_policy(`
# Lpd local policy
#
@ -17011,7 +17137,7 @@ index 9f34c2e..c7268a7 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@ -17044,7 +17170,7 @@ index 9f34c2e..c7268a7 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -546,7 +561,6 @@ optional_policy(`
@@ -546,7 +562,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -17052,7 +17178,7 @@ index 9f34c2e..c7268a7 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@ -17204,7 +17330,7 @@ index 9f34c2e..c7268a7 100644
########################################
#
@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t)
@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@ -17212,7 +17338,7 @@ index 9f34c2e..c7268a7 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -17226,7 +17352,7 @@ index 9f34c2e..c7268a7 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t)
@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@ -17235,7 +17361,7 @@ index 9f34c2e..c7268a7 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -769,3 +653,4 @@ optional_policy(`
@@ -769,3 +654,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@ -38237,7 +38363,7 @@ index 6194b80..af1201e 100644
')
+
diff --git a/mozilla.te b/mozilla.te
index 6a306ee..550e8d7 100644
index 6a306ee..0a31eec 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@ -38681,7 +38807,7 @@ index 6a306ee..550e8d7 100644
')
optional_policy(`
@@ -300,221 +324,179 @@ optional_policy(`
@@ -300,221 +324,180 @@ optional_policy(`
########################################
#
@ -38888,6 +39014,7 @@ index 6a306ee..550e8d7 100644
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+dev_rwx_zero(mozilla_plugin_t)
+dev_dontaudit_read_mtrr(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
@ -39001,7 +39128,7 @@ index 6a306ee..550e8d7 100644
')
optional_policy(`
@@ -523,36 +505,48 @@ optional_policy(`
@@ -523,36 +506,48 @@ optional_policy(`
')
optional_policy(`
@ -39063,7 +39190,7 @@ index 6a306ee..550e8d7 100644
')
optional_policy(`
@@ -560,7 +554,7 @@ optional_policy(`
@@ -560,7 +555,7 @@ optional_policy(`
')
optional_policy(`
@ -39072,7 +39199,7 @@ index 6a306ee..550e8d7 100644
')
optional_policy(`
@@ -568,108 +562,118 @@ optional_policy(`
@@ -568,108 +563,118 @@ optional_policy(`
')
optional_policy(`
@ -42420,7 +42547,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
index 9f6179e..dfa6623 100644
index 9f6179e..2b85b52 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@ -42578,7 +42705,18 @@ index 9f6179e..dfa6623 100644
')
optional_policy(`
@@ -153,29 +154,22 @@ optional_policy(`
@@ -144,6 +145,10 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(mysqld_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
@@ -153,29 +158,22 @@ optional_policy(`
#######################################
#
@ -42613,7 +42751,7 @@ index 9f6179e..dfa6623 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
@@ -187,17 +181,21 @@ dev_list_sysfs(mysqld_safe_t)
@@ -187,17 +185,21 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
@ -42629,10 +42767,10 @@ index 9f6179e..dfa6623 100644
-miscfiles_read_localization(mysqld_safe_t)
+auth_read_passwd(mysqld_safe_t)
+
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
-userdom_search_user_home_dirs(mysqld_safe_t)
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
+
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
@ -42641,7 +42779,7 @@ index 9f6179e..dfa6623 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
@@ -205,7 +203,7 @@ optional_policy(`
@@ -205,7 +207,7 @@ optional_policy(`
########################################
#
@ -42650,7 +42788,7 @@ index 9f6179e..dfa6623 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
@@ -214,11 +212,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
@@ -214,11 +216,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@ -42668,7 +42806,7 @@ index 9f6179e..dfa6623 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
@@ -226,31 +225,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
@@ -226,31 +229,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@ -42699,9 +42837,9 @@ index 9f6179e..dfa6623 100644
-files_read_usr_files(mysqlmanagerd_t)
-files_search_pids(mysqlmanagerd_t)
-files_search_var_lib(mysqlmanagerd_t)
-
-miscfiles_read_localization(mysqlmanagerd_t)
-
-userdom_search_user_home_dirs(mysqlmanagerd_t)
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/mythtv.fc b/mythtv.fc
@ -49852,10 +49990,10 @@ index 0000000..bddd4b3
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 0000000..d94eda8
index 0000000..877c71a
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,545 @@
@@ -0,0 +1,546 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@ -50325,6 +50463,7 @@ index 0000000..d94eda8
+
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
@ -69325,7 +69464,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
index e5212e6..ede6c81 100644
index e5212e6..74f3e1b 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@ -69514,24 +69653,24 @@ index e5212e6..ede6c81 100644
optional_policy(`
- nis_read_ypserv_config(rpcd_t)
+ domain_unconfined_signal(rpcd_t)
+')
+
+optional_policy(`
+ quota_manage_db(rpcd_t)
')
optional_policy(`
- quota_manage_db_files(rpcd_t)
+ nis_read_ypserv_config(rpcd_t)
+ quota_manage_db(rpcd_t)
')
optional_policy(`
- rgmanager_manage_tmp_files(rpcd_t)
+ quota_read_db(rpcd_t)
+ nis_read_ypserv_config(rpcd_t)
')
optional_policy(`
- unconfined_signal(rpcd_t)
+ quota_read_db(rpcd_t)
+')
+
+optional_policy(`
+ rhcs_manage_cluster_tmp_files(rpcd_t)
')
@ -69663,13 +69802,17 @@ index e5212e6..ede6c81 100644
')
optional_policy(`
@@ -306,8 +270,7 @@ optional_policy(`
@@ -306,8 +270,11 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
- kerberos_manage_host_rcache(gssd_t)
- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
+')
+
+optional_policy(`
+ gssproxy_stream_connect(gssd_t)
')
optional_policy(`
@ -78547,7 +78690,7 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
index 81864ce..24fe118 100644
index 81864ce..4b6b771 100644
--- a/snmp.te
+++ b/snmp.te
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@ -78617,11 +78760,15 @@ index 81864ce..24fe118 100644
seutil_dontaudit_search_config(snmpd_t)
@@ -131,7 +133,7 @@ optional_policy(`
@@ -131,7 +133,11 @@ optional_policy(`
')
optional_policy(`
- corosync_stream_connect(snmpd_t)
+ fstools_domtrans(snmpd_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(snmpd_t)
')
@ -86439,7 +86586,7 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
index 77be35a..4abe2aa 100644
index 77be35a..0e9a7d1 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@ -86450,21 +86597,27 @@ index 77be35a..4abe2aa 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
@@ -43,13 +44,15 @@ dev_rw_input_dev(vdagent_t)
@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+kernel_request_load_module(vdagent_t)
+
dev_rw_input_dev(vdagent_t)
dev_read_sysfs(vdagent_t)
dev_dontaudit_write_mtrr(vdagent_t)
-files_read_etc_files(vdagent_t)
-
init_read_state(vdagent_t)
-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
+
+term_use_virtio_console(vdagent_t)
-miscfiles_read_localization(vdagent_t)
+term_use_virtio_console(vdagent_t)
+
+logging_send_syslog_msg(vdagent_t)
userdom_read_all_users_state(vdagent_t)
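Review bot: In the cloudform.te hunk the cloud-init block closes with `optional_policy(` / `unconfined_domain(cloud_init_t)` / `')`, which makes cloud_init_t an unconfined domain wherever the unconfined module is loaded, so the capability set, the tmp/var_lib/log patterns, `storage_raw_read_fixed_disk(cloud_init_t)` and the domtrans rules written just above it only constrain anything on systems that have removed unconfined, and nothing in the hunk says this is understood. If the goal is to collect AVCs while the confined rules mature, `permissive cloud_init_t;` keeps those rules meaningful and logs the gaps instead of granting everything; if unconfined is the intended end state, a comment above that optional_policy block saying so and why would stop a later maintainer from tightening rules that currently have no effect. The commit message only says "make it as unconfined domain" and gives no reason. While in that file, the comment in the setfiles block, `# it check file context and run restorecon`, reads better as `# cloud-init checks file contexts and runs restorecon`.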


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 52%{?dist}
Release: 53%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -97,6 +97,7 @@ SELinux policy development and man page package
%post devel
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0
%package doc
Summary: SELinux policy documentation
@ -534,6 +535,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Jun 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-53
- Make vdagent able to request loading kernel module
- Add support for cloud-init make it as unconfined domain
- Allow snmpd to run smartctl in fsadm_t domain
- remove duplicate openshift_search_lib() interface
- Allow mysqld to search openshift lib files
- Allow openshift cgroup to interact with passedin file descriptors
- Allow colord to list directories inthe users homedir
- aide executes prelink to check files
- Make sure cupsd_t creates content in /etc/cups with the correct label
- Lest dontaudit apache read all domains, so passenger will not cause this avc
- Allow gssd to connect to gssproxy
- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
- Allow systemd-tmpfiles to relabel also lock files
- Allow useradd to add homdir in /var/lib/openshift
- Allow setfiles and semanage to write output to /run/files
* Fri Jun 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-52
- Add labeling for /dev/tgt
- Dontaudit leak fd from firewalld for modprobe
@ -726,7 +744,7 @@ SELinux Reference policy mls base module.
- Allow certwatch to read net_config_t when it executes apache
- Allow readahead to create /run/systemd and then create its own directory with the correct label
* Fri May 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-43
* Mon May 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-43
- Transition directories and files when in a user_tmp_t directory
- Change certwatch to domtrans to apache instead of just execute
- Allow virsh_t to read xen lib files